PrepAway - Latest Free Exam Questions & Answers

What command should you run?

You have a group managed Service Account named Account01. Only three servers named Server01, Server02 and Server03 are allowed to use the Account01 service account.
You plan to decommission Server01.
You need to prevent Server01 from using the Account01 service account. The solution must ensure that Server02 and Server03 continue to use the Account01 service account.
What command should you run? To answer, select the appropriate options in the answer area.

Answer Area Account01
Remove-ADServiceAccount -DNSHostName Server01
Reset-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword Server01$
Set-ADServiceAccount -SAMAccountName Server02,Server03
-Server Server02$,Server03$

Answer: pending

41 Comments on “What command should you run?”

      1. Puck says:

        Yeah

        Look like it because if you simply remove the cached password, or reset it, the password will probably repopulate because the server is still “allowed to retrieve password”?

        That’s my guess.

        So you would tell the gMSA that server1 is not allowed to retrieve the password, and only then can you perform one of the other obscure commands to either uninstall or remove the password.




  1. David says:

    I took the test recently and was asked this question, but I don’t think the answers above are the actual answers. The answer should be:

    Set-ADServiceAccount Account01 -PrincipalsAllowedToRetrieveManagedPassword Server02 Server03

    My answer set had the server names with a $ in one answer, and without the $ in the other answer option (like Server2$ versus Server2). The answer without the $ was the correct one.

    This is a question about *Group* MSA’s which are new to Server 2012:

    https://technet.microsoft.com/en-us/library/jj128431.aspx

    See Step 1 under “Decommissioning member hosts from an existing server farm”




    1. YR says:

      Yeah I took the test a week ago and your reference link is correct.

      Set-ADServiceAccount [-Name] -PrincipalsAllowedToRetrieveManagedPassword

      Set-ADServiceAccount [-Name] ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword Host1 Host3




    2. Who says:

      Thanks so much for your addition here, David and YR. So, sounds like the answer would look like this:

      Set-ADServiceAccount Account01 -PrincipalsAllowedToRetrieveManagedPassword Server02$ Server03$

      Any corrections welcome.




      1. Who says:

        Here’s the correct format of a line so ignore the $ signs in the example above:

        New-ADServiceAccount ITFarm1 -DNSHostName ITFarm1.contoso.com -PrincipalsAllowedToRetrieveManagedPassword ITFarmHosts -KerberosEncryptionType RC4, AES128, AES256 -ServicePrincipalNames http/ITFarm1.contoso.com/contoso.com, http/ITFarm1.contoso.com/contoso, http/ITFarm1/contoso.com, http/ITFarm1/contoso

        reference: https://technet.microsoft.com/en-us/library/jj128431.aspx




    1. Mel says:

      https://technet.microsoft.com/en-us/library/jj128431.aspx
      Decommissioning member hosts from an existing server farm
      Step 1: Remove member host from gMSA
      If using security groups for managing member hosts, remove the computer account for the decommissioned member host from the security group that the gMSA’s member hosts are a member of using either of the following methods.
      • Method 1: Active Directory Users and Computers
      • Method 2: drsm
      • Method 3: Windows PowerShell Active Directory cmdlet Remove-ADPrincipalGroupMembership




  2. frank says:

    Every question we can find

    1)
    Your network contains two Active Directory forests named contoso.com and adatum.com. All domain controllers run Windows 2012 R2.
    The Adatum.com domain contains a Group Policy object (GPO) named GPO1. An Administrator from the Adatum.com back up to a USB flash drive.
    You have a domain controller named dc1.contoso.com You insert USB flash drive in dc1.contoso.com.
    You need to identify the domain-specific reference in GPO1
    What should you do?

    A) From the Migration Table Editor, click Populate from GPO.
    B) From the Migration Table Editor, click Populate from Backup. <– Answer
    C) From Group Policy Management, run the Group Policy Results Wizard.
    D) From Group Policy Management, run the Group Policy Modelling Wizard.
    ————————————————————————————————————————————–

    2)
    You deploy a Windows Server Update (WSUS) server named Server01.
    You need to prevent the WSUS service on Server01 from being updated automatically.
    What should you do from the update service console?

    A. From the Product and Classification options, modify the Products setting.
    B. From the Automatic Approvals options, modify the advanced settings. <- Answer
    C. From the Product and Classification options, modify the Classifications setting
    D. From the Automatic Approvals options, modify the Default Automatic Approval rule.

    ————————————————————————————————————————————–

    3)
    You deploy a Windows Server Update (WSUS) server named Server01.
    You need to ensure that you can view update reports and computer reports on server01.
    Which two components should you install? Each correct answer presents part of the solution.

    A. Microsoft Report Viewer 2008 Redistributable Package <-Answer
    B. Microsoft .Net Framework 2.0 <- Answer
    C. Microsoft SQL Server 2008 R2 Builder 3.0
    D. Microsoft XPS Viewer
    E. Microsoft SQL Server 2012 reporting Services (SSRS)
    ————————————————————————————————————————————–
    4)
    You have a group managed Service Account named Account01. Only three servers named Server01, Server02 and Server03 are allowed to use Account01 service account.
    You plan to decommission Server01.
    You need to prevent Server01 from using the Account01 service account. The solution must ensure that Server02 and Server03 continue to use the Account01 service account.
    What command should you run? To answer, select the appropriate options in the answer area.

    Answer Area Account01
    Remove-ADServiceAccount -DNSHostName Server01
    Reset-ADServiceAccount -PrincipalsAllowedToRetrieveManagedPassword Server01$
    Set-ADServiceAccount -SAMAccountName Server02,Server03
    -Server Server02$,Server03$ Uninstall-ADServiceAccount

    Set-ADServiceAccount -Name Account01 -PrincipalsAllowedToRetrieveManagedPassword Server02 Server03

    5)
    Your Company is testing DirectAccess on Windows Server 2012 R2.
    Users report that when they connect to the corporate network by using DirectAccess, access to Internet websites and Internet hosts is slow.
    The users report that when they disconnect from DirectAccess, access to the internet websites and the internet hosts is much faster.
    You need to identify the most likely cause of the performance issue.
    What should you identify?

    A. DirectAccess uses a self-signed certificate.
    B. The corporate firewall blocks TCP port 8080.
    C. Force tunneling is enabled

    New-AdServiceAccount service01 –DNSHostName service01.contoso.com
    New-ADServiceAccount : Key does not exist
    At line : 1 char : 1
    + New-ADServicAccount service01
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : NotSpecified: {CN=service01,CN… =contoso,DC=com:String} [New-ADServiceAccount], ADException
    + FullyQualifiedErrorId : ActiveDirectoryserver : -2146893811,Microsoft.ActiveDirectory.Management.Commands.NewADServiceAccount

    You need to create a Managed service Account.
    What should you do?

    A. Run Set-KDSConfiguration and then run New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com <- Answer

    B. Run New-AuthenticationPolicySilo, and then run New-ADServiceAccount –Name “service01” –DNSHostName

    C. Run New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com –RestrictToSingleComputer <– Answer

    D. Run New-ADServiceAccount –Name “service01” –DNSHostName service01.contoso.com –SAMAccountName service01.
    ————————————————————————————————————————————–

    8)
    ACL
    Which command to list global object access auditing entries for file and folder on Server1 (Drop-Down)

    First Down-Drop option Second Down-Drop option /type:File /view
    auditpol.exe /get
    can't remember /list
    Get-ACL /resourceSACL
    secedit.exe can't remember

    auditpol.exe /resourceSACL
    Refer, technet.microsoft.com/en-us/library/ff625687.aspx
    ————————————————————————————————————————————–
    9)
    FSMO roles (Hotspot)
    You plan to transferring DC that holding FSMO roles.
    You need to select which tools can use to transfer domain naming master role and Operations master roles.
    Role need to transfer
    Tool Domain naming master Operations master
    AD Domains and Trust x
    AD User and Computers x
    Schema MMC

    ————————————————————————————————————————————–

    10)
    Server1 download update from microsoft update. You have Server2 that must synchronize update from Server1. Have firewall separate between Server1 and Server2.
    Which port should to open on Server2 to synchronize ?

    A. 80
    B. 443
    C. 3389
    D. 8530 <– Answer
    ————————————————————————————————————————————–
    11)
    gMSA (Drag and Drop)
    You have DC run Windows Server 2008 R2. You deploy new DC run Windows Server 2012 R2.
    new DC have configured to running Load balance of application App1, show as below table
    Server1 WS2012 R2 can't remember
    Load Balance
    Server2 WS2012 R2 can't remember
    Load Balance
    You need to use group Managed Services Accounts to identify on App1.
    Need to drag-drop 3 process with correct in sequence steps.

    Add-KdsRootKey
    New-ADServiceAccount
    Set-ADServiceAccount
    Install-ADServiceAccount
    Add modify to App1

    Choose Add-KdsRootKey, New-ADServiceAccount, Add modify to App1

    ————————————————————————————————————————————–
    13)
    12)
    Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the File Server Resource Manager role service installed.
    You need to configure Server1 to meet the following requirements:

    – Ensure that old files in a folder named Folder1 are archived automatically to a folder named Archive1.
    – Ensure that all JPG files can always be saved to a local computer, even when a file screen exists.

    Which two nodes should you configure?
    To answer, select the appropriate two nodes in the answer area.

    File Screens – Here you can set a "file screen exception for JPG's"
    File Management Tasks – Set a new task to archive data

    ————————————————————————————————————————————–

    14)
    Your network contains two servers named server1 and Server2. Both servers run the Windows Server 2012 R2.
    On Server1, you create a Data Collector set (DCS) named Data1
    You need to export Data1 to Server2.

    A) Right-click Data1 and click Properties
    B) Right-click Data1 and click Data manager
    C) Right-click Data1 and click Export List
    D) Right-click Data1 and click Save Template <— Answer

    ————————————————————————————————————————————–
    15)
    You have two Windows Server Update Services (WSUS) servers named Server1 and Server2. Server01 synchronizes from Microsoft Update. Server2 synchronizes updates from Server1.
    Both servers are members of the same Active Directory domain.
    You configure Server1 to require SSL for all WSUS metadata by using a certificate issued by an enterprise root certification authority (CA).
    You need to ensure that Server2 synchronizes updates from Server1. What should you do on Server2?

    A. From the Update Services console, modify the Update Source and Proxy Server options.
    B. From a command prompt, run wsusutil.exe configuresslproxy server2 443.
    C. From a command prompt, run wsusutil.exe configuressl server1. <– Answer
    D. From a command prompt, run wsusutil.exe configuresslproxy server1 443.

    ————————————————————————————————————————————–

    16)
    You have three Windows Server Update Services (WSUS) Servers named Server01 Server02 and Server03. Server01 synchronizes from Microsoft Update. You need to ensure that only Server02 and Server03 can Synchronize updates from Server01.

    What should you do?

    A) Modify %ProgramFiles%\Update Services\WebServices\Serversyncgwevservice\SimpleAuth.asmx
    B) From the Update Services console, modify the Update Source and Proxy Server options.
    C) From the Update Services console, modify the Automatic Approvals Options.
    D) Modify %ProgramFiles%\Update Services\WebServices\Serversyncgwevservice\Web.config ^– Answer
    ————————————————————————————————————————————–
    17)
    You have a DNS server that runs Windows Server 2012 R2. The server hosts the zone for contoso.com and is accessible from the internet.
    You need to create a DNS record for the Sender Policy Framework (SPF) to list that are authorized to send email for contoso.com
    Which type of record should you create?

    A) Name Server (NS)
    B) Mail exchanger (MX)
    C) Resource record signature (RRSIG)
    D) Text (TXT) <– Answer

    ————————————————————————————————————————————–

    18)
    You have a group Managed Service Account named Service01. Three servers named Server01, Server02 and Server03 currently use Service01 Service account.

    You plan to decommission Server01.

    You need to remove the cached password of the Service01 service account from Server01.

    The solution must ensure that Server02 and Server03 continue to use Service02.

    A) Uninstall-ADServiceAccount
    B) Set-ADServiceAccount
    C) Remove-ADServiceAccount <– Answer
    D) Reset-ADServiceAccountPassword

    ————————————————————————————————————————————–
    19)
    Create a starter gpo call Starter_GPO, and assign edit permission to a group Group1
    Create a new gpo called GPO1
    which the following answer is correct
    A.*** in GPO1

    B.change Administrative Template in GPO1

    C.change the Group policy preference of Starter_GPO <– Answer

    D.change the permission of Starter_GPO

    ————————————————————————————————————————————–

    20)
    One user needed a mapped drive but if they had it already you weren't to replace it.
    Another user had a mapped drive. You need to update the UNC but not any other settings.
    Options were

    If X already exists, it must NOT make any changes
    If Y already exists, change the UNC path, but leave the contents of it
    Create, <— Answer
    replace,
    delete and
    update <—- Answer

    ————————————————————————————————————————————–
     
    21)

    File1 has been encrypted by Contoso\admin1
    File2 has been encrypted by Server1\admin1
    File3 has been encrypted by Server1\administrator

    You need to back up the DRA agents.
    Who is the owner of each of the agents.

    There is a selection of drop down boxes. You should to select one in every file
    File1 : Contoso\admin
    Contoso\administrator < Answer
    Server1\admin1
    Server1\administrator

    File2 : Contoso\admin
    Contoso\administrator
    Server1\admin1
    Server1\administrator < Answer

    File3 : Contoso\admin
    Contoso\administrator
    Server1\admin1
    Server1\administrator < Answer

    https://technet.microsoft.com/en-us/library/cc512680.aspx

    ————————————————————————————————————————————–

    22)
    You have a Windows Server Update Services (WSUS) server01 and Server02. Server01 synchronizes from Microsoft Update. Server02 Synchronizes updates from Server01. Both Servers are members of the same Active Directory domain.

    You configure Server01 to require SSL for all WSUS metadata by using certificate issued by an enterprise root certification authority (CA)

    You need to ensure that server02 synchronizes updates from Server01

    What should you do?

    A) From the update Services console, modify the Automatic Approvals options

    B) From command prompt run wsusutil.exe configuredns server02.

    C) From Internet Information Services (IIS) Manager, import certificate

    D) From the update services console, modify the Update Source and Proxy Server Options. <– Answer

    ————————————————————————————————————————————–

    23)

    You have two Windows Server Update Services (WSUS) servers named Server01 and Server02. Server01 synchronizes from Microsoft Update. Server02 synchronizes updates from Server01. Both servers are members of the same Active Directory domain.

    You configure Server01 to require SSL for all WSUS metadata by using a certificate issued by an enterprise root certification authority (CA).

    You need to ensure that Server02 synchronizes updates from Server01.

    What should you do on Server02?

    A. From a command prompt, run wsusutil.exe configuresslproxy server02 443.
    B. From a command prompt, run wsusutil.exe configuressl server01. <– Answer
    C. From a command prompt, run wsusutil.exe configuresslproxy server01 443.
    D. From the Update Services console, modify the Update Source and Proxy Server options.

    ————————————————————————————————————————————–
    24)
    You want to encrypt a drive without TPM.

    Allow enhanced PINs for startup
    Allow network unlock at startup
    Allow Secure Boot for integrity validation
    Choose how BitLocker-protected operating system drives can be recovered
    Configure minimum PIN length for startup
    Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
    Configure TPM platform validation profile for BIOS-based firmware configurations
    Configure TPM platform validation profile for native UEFI firmware configurations
    Configure use of hardware-based encryption for operating system drives
    Configure use of passwords for operating system drives
    Disallow standard users from changing the PIN or password
    Enable use of BitLocker authentication requiring preboot keyboard input on slates
    Enforce drive encryption type on operating system drives
    Require additional authentication at startup <– Answer
    Require additional authentication at startup (Windows Server 2008 and Windows Vista)
    Reset platform validation data after BitLocker recovery
    Use enhanced Boot Configuration Data validation profile
    ————————————————————————————————————————————–
    25)
    Your network contains one Active Directory domain named contoso.com. The forest functional level is Windows Server 2012.
    All servers run Windows Server 2012 R2. All client computers run Windows 8.1.
    The domain contains 10 domain controllers and a read-only domain controller (RODC) named RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows Server 2012 R2.
    You need to identify whether deleted objects can be recovered from the Active Directory Recycle Bin.
    Which cmdlet should you use?

    A. Get-ADGroupMember
    B. Get-ADDomainControllerPasswordReplicationPolicy
    C. Get-ADDomainControllerPasswordReplicationPolicyUsage
    D. Get-ADDomain
    E. Get-ADOptionalFeature
    F. Get-ADAccountAuthorizationGroup
    G. Get-ADAuthenticationPolicySilo
    H. Get-ADAuthenticationPolicy

    Answer: E
    ————————————————————————————————————————————–

    26)
    You need to identify whether the members of the protected Users group will be prevented from authenticating by using NTLM.
    Which cmdlet should you use?

    A. Get-ADGroupMember
    B. Get-ADDomainControllerPasswordReplicationPolicy
    C. Get-ADDomainControllerPasswordReplicationPolicyUsage
    D. Get-ADDomain
    E. Get-ADOptionalFeature
    F. Get-ADAccountAuthorizationGroup
    G. Get-ADAuthenticationPolicySilo
    H. Get-ADAuthenticationPolicy

    Answer: D
    ————————————————————————————————————————————–
    27)
    You need to identify which user accounts were authenticated by RODC1. Which cmdlet should you use?

    A. Get-ADGroupMember
    B. Get-ADDomainControllerPasswordReplicationPolicy
    C. Get-ADDomainControllerPasswordReplicationPolicyUsage
    D. Get-ADDomain
    E. Get-ADOptionalFeature
    F. Get-ADAccountAuthorizationGroup
    G. Get-ADAuthenticationPolicySilo
    H. Get-ADAuthenticationPolicy

    Answer: C

    ————————————————————————————————————————————–
    28)
    You need to identify whether the members of the protected Users group will be prevented from authenticating by using NTLM.
    Which cmdlet should you use?

    A. Get-ADGroupMember
    B. Get-ADDomainControllerPasswordReplicationPolicy
    C. Get-ADDomainControllerPasswordReplicationPolicyUsage
    D. Get-ADDomain
    E. Get-ADOptionalFeature
    F. Get-ADAccountAuthorizationGroup
    G. Get-ADAuthenticationPolicySilo
    H. Get-ADAuthenticationPolicy

    Answer: D
    ————————————————————————————————————————————–
    29)
    You need to identify which security principals are authorized to have their passwords cached on RODC1

    A. Get-ADGroupMember
    B. Get-ADDomainControllerPasswordReplicationPolicy
    C. Get-ADDomainControllerPasswordReplicationPolicyUsage
    D. Get-ADDomain
    E. Get-ADOptionalFeature
    F. Get-ADAccountAuthorizationGroup
    G. Get-ADAuthenticationPolicySilo
    H. Get-ADAuthenticationPolicy

    Answer:C Get-ADDomainControllerPasswordReplicationPolicyUsage
    ————————————————————————————————————————————–

    30)
    You need to identify which domain controllers are authorized to be cloned using virtual domain controller cloning.
    A. Get-ADGroupMember
    B. Get-ADDomainControllerPasswordReplicationPolicy
    C. Get-ADDomainControllerPasswordReplicationPolicyUsage
    D. Get-ADDomain
    E. Get-ADOptionalFeature
    F. Get-ADAccountAuthorizationGroup
    G. Get-ADAuthenticationPolicySilo
    H. Get-ADAuthenticationPolicy

    Answer :A Get-ADGroupMember
    ————————————————————————————————————————————–
    31)
    You need to identify which domain controller must be online when cloning a domain controller.

    A. Get-ADGroupMember
    B. Get-ADDomainControllerPasswordReplicationPolicy
    C. Get-ADDomainControllerPasswordReplicationPolicyUsage
    D. Get-ADDomain
    E. Get-ADOptionalFeature
    F. Get-ADAccountAuthorizationGroup
    G. Get-ADAuthenticationPolicySilo
    H. Get-ADAuthenticationPolicy

    d: Get-ADDomain
    ————————————————————————————————————————————–

    32)
    Determine what domain controller needs to be online to promote a RODC.

    A. Get-ADGroupMember
    B. Get-ADDomainControllerPasswordReplicationPolicy
    C. Get-ADDomainControllerPasswordReplicationPolicyUsage
    D. Get-ADDomain
    E. Get-ADOptionalFeature
    F. Get-ADAccountAuthorizationGroup
    G. Get-ADAuthenticationPolicySilo
    H. Get-ADAuthenticationPolicy

    D: Get-ADDomain

    ————————————————————————————————————————————–
    33)
    What accounts are allowed to replicate their password with the RODC?

    A. Get-ADGroupMember
    B. Get-ADDomainControllerPasswordReplicationPolicy
    C. Get-ADDomainControllerPasswordReplicationPolicyUsage
    D. Get-ADDomain
    E. Get-ADOptionalFeature
    F. Get-ADAccountAuthorizationGroup
    G. Get-ADAuthenticationPolicySilo
    H. Get-ADAuthenticationPolicy

    C: Get-ADDomainControllerPasswordReplicationPolicy

    ————————————————————————————————————————————–

    34)
    You need to identify whose passwords can be stored, view stored passwords.

    A. Get-ADGroupMember
    B. Get-ADDomainControllerPasswordReplicationPolicy
    C. Get-ADDomainControllerPasswordReplicationPolicyUsage
    D. Get-ADDomain
    E. Get-ADOptionalFeature
    F. Get-ADAccountAuthorizationGroup
    G. Get-ADAuthenticationPolicySilo
    H. Get-ADAuthenticationPolicy

    Get-ADDomainControllerPasswordReplicationPolicyUsage

     
    35) You have a server named Server1 that runs Windows Server 2012 R2. You discover that the performance of Server1 is poor. The results of a performance report generated on Server1 are shown in the following table.

    Counter | Value
    Processor(Total)\% DPC Time | 35
    Processor(Total)\% Interrupt Time | 2
    Processor(Total)\% User time | 12
    System\Processor Queue Length | 6
    Processor Information(_Total)\% Processor Time | 98
    Memory\Available Bytes | 7,341,024,329
    Memory\Pages/Sec | 125

    A. Driver malfunction
    B. Insufficient ram,
    C. Insufficient processors <– Answer
    D. Excessive paging.

    Processor\% Processor Time This measures the percentage of elapsed time the processor spends executing a non-idle thread.
    If the percentage is greater than 85 percent, the processor is overwhelmed and the server may require a faster processor

    System\Processor Queue Length This indicates the number of threads in the processor queue.
    The server doesn't have enough processor power if the value is more than two times the number of CPUs for an extended period of time.

    36)
    Your network contains one Active Directory domain named contoso.com. The domain contains a file server named Server01 that runs Windows Server 2012 R2. Server01 has an operating system drive and a data drive. Server01 has a trusted Platform Module (TPM).
    Which cmdlet should you run first?

    A. Enable-TPMAutoProvisioning
    B. Unblock-TPM
    C. Install-WindowsFeature <- Answer
    D. Lock-BitLocker
    ————————————————————————————————————————————–

    37)
    DFS Replication
    What command do you use to replicate files
    Robocopy.exe
    What command do you use to replicate the database
    ExportDFSRClone
    ————————————————————————————————————————————–
    38)
    Created admx File and copied to central store. Trying to edit settings a warning pops up: "An appropriate resource file could not be found for file \\domainname.com\sysvol\domainname.com\Policies\PolicyDefinitions\anyfile.admx (error = 2): The system cannot find the file specified" What is wrong?
    ADML File is missing
    ————————————————————————————————————————————–
    39)

    You Create Service Account: Service NT\Service1. You see the Service1 Properties Popup. The question is: What kind of Account is the service Account used on the computer?
    "virtual Account" ,
    Which account is used when this Serviceaccount gets into Network? – If a service accesses the network while running as a virtual account, it accesses resources as the “computer account” (DOMAIN\Computername$).
    ————————————————————————————————————————————–

    40)
    You have a group policy. You need to add a comment into the group policy. How do you do this?
    You edit the GPO Object




  3. ratan mohapatra says:

    I am not sure if the options are complete. I think you have to deal with the
    -principalsAllowedToRetrieveManagedPassword switch. If you remember this is the second step (?) when you create a GMSA. Anyway here is the technet:

    https://technet.microsoft.com/en-ca/library/jj128431.aspx

    Set-ADServiceAccount [-Name] ITFarm1 -PrincipalsAllowedToRetrieveManagedPassword Host1 Host2 Host3
    …. I would remove host1 or server 1 from the list




  4. piet says:

    What is the right answer for question 33?

    What accounts are allowed to replicate their password with the RODC?
    A. Get-ADGroupMember
    B. Get-ADDomainControllerPasswordReplicationPolicy
    C. Get-ADDomainControllerPasswordReplicationPolicyUsage
    D. Get-ADDomain
    E. Get-ADOptionalFeature
    F. Get-ADAccountAuthorizationGroup
    G. Get-ADAuthenticationPolicySilo
    H. Get-ADAuthenticationPolicy
    C: Get-ADDomainControllerPasswordReplicationPolicy




  5. Kaye says:

    You need to prevent Server01 from using the Account01 service account. The solution must ensure that Server02 and Server03 continue to use the Account01 service account
    What command should you run?

    Set-ADServiceAccount -Name Account01 -PrincipalsAllowedToRetrieveManagedPassword Server02 Server03

    to remove the cached credentials for a gMSA named ITFarm1 type the following command, and then press ENTER:
    Uninstall-ADServiceAccount ITFarm1




  6. Puck says:

    Looks like first you use option C “set-adserviceaccount”… then you would use the uninstall-adserviceaccount cmdlet.

    Got this:

    How do I deprovision a gMSA?

    OU Admins SHOULD delete unused gMSAs. When a gMSA is no longer used on a computer, OU Admins SHOULD remove that computer from the group allowed to retrieve that gMSA password and also remove the cached gMSA password from that computer.

    To delete a gMSA, locate it within your delegated OU and delete it. An OU administrator is required to perform this task.

    When a gMSA is no longer used on a computer

    Go to the groups service, locate the group, and remove the UWWI computer as a member.
    Go to the computer and run the following PowerShell commands:

    Uninstall-ADServiceAccount
    Test-AdServiceAccount

    The last line should return False.

    from here:

    http://www.netid.washington.edu/documentation/groupManagedServiceAccounts.aspx




  7. JobSeekers.Club says:

    Answer is Uninstall-ADServiceAccount

    Reference: https://technet.microsoft.com/en-us/library/ee617190.aspx

    “Remove the cached gMSA credentials from the member host using Uninstall-ADServiceAccount or the NetRemoveServiceAccount API on the host system.”

    The key to answer is remove the cached password from the server.

    Set-ADServiceAccount will change the servers allowed to retrieve the password, but the password will remain cached on Server01.

    Remove-ADServiceAccount will remove the account from the domain. Server02 and Server03 still need the account.




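The two-step sequence the comments above arrive at (drop Server01 from the principals allowed to retrieve the password, then clear the cached credential on Server01), as an added example that is not part of the original thread. Account01 and Server01 come from the question; the script assumes the hosts are listed directly on the gMSA rather than through a security group, and that the ActiveDirectory module is installed wherever each part runs.

```powershell
# Added example, not from the thread. Names are taken from the exam question.
Import-Module ActiveDirectory

$gmsaName = 'Account01'   # gMSA from the question
$retiring = 'Server01'    # host being decommissioned

# --- Part 1: run from a management host with rights to modify the gMSA ---
# Set-ADServiceAccount replaces the whole list, so build the new list from the
# current one instead of typing the surviving hosts by hand.
$gmsa       = Get-ADServiceAccount -Identity $gmsaName `
                  -Properties PrincipalsAllowedToRetrieveManagedPassword
$retiringDn = (Get-ADComputer -Identity $retiring).DistinguishedName
$current    = @($gmsa.PrincipalsAllowedToRetrieveManagedPassword)
$remaining  = @($current | Where-Object { $_ -ne $retiringDn })

if ($remaining.Count -eq $current.Count) {
    # Nothing was filtered out: the host is probably allowed via a security
    # group, in which case the group membership is what has to change.
    Write-Warning "$retiring is not listed directly on $gmsaName; check group membership."
}
elseif ($remaining.Count -eq 0) {
    # Refuse to leave the account with no host able to retrieve its password.
    throw "Removing $retiring would leave $gmsaName with no allowed principals."
}
else {
    Set-ADServiceAccount -Identity $gmsaName `
        -PrincipalsAllowedToRetrieveManagedPassword $remaining
}

# List who can still retrieve the password, for the change record.
(Get-ADServiceAccount -Identity $gmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
).PrincipalsAllowedToRetrieveManagedPassword

# --- Part 2: run locally on the retiring host ---
# Part 1 only stops future retrievals; the cached credential stays on the
# host until it is uninstalled there.
if ($env:COMPUTERNAME -eq $retiring) {
    Uninstall-ADServiceAccount -Identity $gmsaName
    if (Test-ADServiceAccount -Identity $gmsaName) {
        Write-Warning "$gmsaName still tests as installed on $retiring."
    }
}
```

Remove-ADServiceAccount is deliberately absent: it deletes the account object from the directory, which would also break Server02 and Server03.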
  8. Fred says:

    Passed my exam today. First of all, thank you for this amazing site and thank you all for your comments, actually the comments really helped me. Just to let you all know I had 6 questions from wish1 list (It’s better to know all the 10 questions), and around 8 questions from which Frank has posted here, about 3 new questions and the rest from v5 and v6. Finally don’t forget to follow the comments and understand the questions because in exam they changed some of the questions a bit, so don’t just memorize them.
    Good luck




  9. MalotJean says:

    The question does not ask how to decommission Server01 or remove cached credentials, just to prevent Server01 from using the Account01 service account. This is obtained with:
    Set-ADServiceAccount -Name Account01 -PrincipalsAllowedToRetrieveManagedPassword Server02 Server03




  10. Raei Siva says:

    New 70-411 Exam Questions and Answers Updated Recently (6/May/2016):

    NEW QUESTION 435
    You have a server named Server1 that is a member of a domain named contoso.com. You view the properties of a service on Server1 as shown in the graphic.
    Image URL: examgod.com/plimages/257a8e899d68_F2B9/new-70-411-exam-dumps-4351_thumb.png
    Use the drop-down menus to select the answer choice that completes each statement. NOTE: Each correct selection is worth one point.
    Image URL: examgod.com/plimages/257a8e899d68_F2B9/new-70-411-exam-dumps-4352_thumb.jpg

    Answer:
    Image URL: examgod.com/plimages/257a8e899d68_F2B9/new-70-411-exam-dumps-4353_thumb.jpg
    Explanation:
    Virtual accounts are “managed local accounts” that provide the following features to simplify service administration:
    – No password management is required.
    – The ability to access the network with a computer identity in a domain environment.
    Virtual accounts require very little management. They cannot be created or deleted, nor do they require any password management. You must be a member of the Administrators group on the local computer to perform the following procedures. To configure a service to use a virtual account:
    – Click Start, point to Administrative Tools, and then click Services.
    – In the details pane, right-click the service that you want to configure, and then click Properties.
    – Click the Log On tab, click This account, and then type NT SERVICE\ServiceName. When you are finished, click OK.
    – Restart the service for the change to take effect.
    READ MORE — technet.microsoft.com/en-us/library/dd548356%20(v=WS.10).aspx

    NEW QUESTION 436
    You have a Windows Server Update Services (WSUS) server named Server1. Server1 synchronizes from Microsoft Update. You plan to deploy a new WSUS server named Server2. Server2 will synchronize updates from Server1. Server2 will be separated from Server1 by a firewall. You need to identify which port must be open on the firewall so that Server2 can synchronize the updates. Which port should you identify?

    A. 8530
    B. 3389
    C. 443
    D. 80

    Answer: A
    Explanation:
    WSUS upstream and downstream servers will synchronize on the port configured by the WSUS Administrator. By default, these ports are configured as follows:
    – On WSUS 3.2 and earlier, port 80 for HTTP and 443 for HTTPS
    – On WSUS 6.2 and later (at least Windows Server 2012), port 8530 for HTTP and 8531 for HTTPS
    The firewall on the WSUS server must be configured to allow inbound traffic on these ports.
    READ MORE — technet.microsoft.com/en-us/library/hh852346.aspx

    NEW QUESTION 437
    A technician installs a new server that runs Windows Server 2012 R2. During the installation of Windows Server Update Services (WSUS) on the new server, the technician reports that on the Choose Languages page of the Windows Server Update Services Configuration Wizard, the only available language is English. The technician needs to download updates in French and English. What should you tell the network technician to do to ensure that the required updates are available?

    A. Complete the Windows Server Update Services Configuration Wizard, and then modify the update language on the server.
    B. Uninstall all instances of the Windows Internal Database.
    C. Change the update languages on the upstream server.
    D. Change the System Locale of the server to French.

    Answer: C
    Explanation:
    Configure upstream servers to synchronize updates in all languages that are required by downstream replica servers.
    You will not be notified of needed updates in the unsynchronized languages.
    The Choose Languages page of the WSUS Configuration Wizard allows you to get updates from all languages or from a subset of languages. Selecting a subset of languages saves disk space, but it is important to choose all the languages that are needed by all the downstream servers and client computers of a WSUS server.
    Downstream servers and client computers will not receive all the updates they need if you have not selected all the necessary languages for the upstream server. Make sure you select all the languages that will be needed by all the client computers of all the downstream servers.
    You should generally download updates in all languages on the root WSUS server that synchronizes to Microsoft Update. This selection guarantees that all downstream servers and client computers will receive updates in the languages that they require.
    To choose update languages for a downstream server:
    If the upstream server has been configured to download update files in a subset of languages:
    In the WSUS Configuration Wizard, click Download updates only in these languages (only languages marked with an asterisk are supported by the upstream server), and then select the languages for which you want updates.
    READ MORE — technet.microsoft.com/en-us/library/hh328568(v=ws.10).aspx

    NEW QUESTION 438
    Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question. Your network contains an Active Directory domain named contoso.com. The domain contains more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs. You have a GPO named GPO1 that is linked to the domain. You need to configure GPO1 to apply settings to Group1 only. What should you use?

    A. Dcgpofix
    B. Get-GPOReport
    C. Gpfixup
    D. Gpresult
    E. Gpedit.msc
    F. Import-GPO
    G. Restore-GPO
    H. Set-GPInheritance
    I. Set-GPLink
    J. Set-GPPermission
    K. Gpupdate
    L. Add-ADGroupMember

    Answer: C

    NEW QUESTION 439
    ……

    NEW QUESTION 440
    Your network contains one Active Directory forest named contoso.com. You create a starter Group Policy object (GPO) named Starter_GPO1. From the Delegation tab of Starter_GPO1, you add a group named GPO_Admins and you assign the Edit settings permissions to the group. You create a new GPO named GPO1 from Starter_GPO1. You need to identify which action can be performed by the members of the GPO_Admins group. What should you identify?

    A. Modify the Delegation settings of Starter_GPO1.
    B. Modify the Group Policy Preferences in Starter_GPO1.
    C. Link a WMI filter to GPO1.
    D. Modify the Administrative Templates in GPO1.

    Answer: A
    Explanation:
    Permission rights applied to starter GPO objects are relative to the starter GPO objects only; they are not inherited from actual GPOs created from starter GPOs.
    B is wrong because Starter GPOs do not have preferences, only Administrative Template policy settings.
    READ MORE — technet.microsoft.com/en-us/library/cc753200.aspx

    NEW QUESTION 441
    ……

    P.S. These New 70-411 Exam Questions Were Just Updated From The Real 70-411 Exam, You Can Get The Newest 70-411 Dumps In PDF And VCE From — http://bitly.com/70-411-dumps-vce-pdf (447q)

    Good Luck !!!



