Server Pro Final Study Set - Part 2

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

You are the administrator of the westsim.com domain. Within the domain, you have OUs for the accounting, manufacturing, sales, and administration departments. You also have smaller OUs within each department OU, such as the ITAdmins OU in the Administration OU. You need to follow the principle of least privilege as you use the Delegation of Control wizard to complete the following: - Give one user in each OU the rights necessary to manage user accounts in their OU. - Give your assistants in the ITAdmins group rights to manage passwords for all users in the domain. Which of the following approaches can you use as you delegate control? (Select two. Each correct answer is part of the complete solution.) - Create a PasswordAdmin group in the ITAdmins OU. - Make your assistants members of the PasswordAdmin group. - In the westsim.com domain, delegate control to the PasswordAdmin group to perform password tasks. - Create a PasswordAdmin group in the ITAdmins OU. - Make your assistants members of the PasswordAdmin group. - Make the PasswordAdmin group a member of the Domain Admins group. - Create a UserAdmin group in each department OU. - Make the user in each OU a member of the UserAdmin group. - Make the UserAdmin group a member of the Domain Admins group. - Create a PasswordAdmin OU in the ITAdmins OU. - Make your assistants members of the PasswordAdmin OU. - In the westsim.com domain, delegate control to the PasswordAdmin OU to perform password tasks. - Create a UserAdmin group in each department OU. - Make the user in each OU a member of the UserAdmin group. - In each department OU, delegate control to the UserAdmin group to perform user account tasks in that OU. - Create a UserAdmin OU in each department OU. - Make the user in each OU a member of the UserAdmin OU. - In each department OU, delegate control to the UserAdmin OU to perform user account tasks.

- Create a UnderAdmin group in each department OU - Make the user in each OU a member of the USerAdmin group - In each department OU, delegate control to the UserAdmin group to perform user account tasks - Create a PasswordAdmin group in the ITAdmins OU - Make your assistants members of the PasswordAdmin group - In the westsim.com domain, delegate control to the PasswordAdmin group to perform password tasks REFERENCES LabSim for Server Pro 2016, Section 7.9.

You are the administrator for a network with two domains, westsim.com and branch.westsim.com. User accounts for the sales team are in both domains. You have a shared folder called Reports on the Sales1 server in the westsim.com domain. You also have a shared folder called Contacts on the Sales6 server in the branch.westsim.com domain. All sales users need access to both shared folders. What do you need to do to implement a group strategy to provide access to the necessary resources? - Create a global group in westsim.com. Add users from both domains. - Create a universal group in each domain. - Add the global group to the universal group in each domain. - Add each universal group to a domain local group. - Assign permissions to the domain local group. - Create a global group in each domain. Add users within each domain to the group. - Create a universal group in westsim.com. - Add the global groups from each domain to the universal group. - Add the universal group to domain local groups in each domain. - Assign permissions to the domain local groups. - Create a domain local group in each domain. Add users within each domain to the group. - Create a global group in westsim.com. - Add the domain local groups from each domain to the global group. - Assign permissions to the global group.

- Create a global group in each domain. Add users within each domain to the group - Create a universal group in westsim.com - Add the global groups from each domain to the universal group - Add the universal group to domain local groups in each domain - Assign permissions to the domain local groups REFERENCES LabSim for Server Pro 2016, Section 7.8.

You are the domain administrator for north.westsim.com, which is a child domain in westsim.com. You have a high-end color laser printer that is shared on a server in north.westsim.com. Because of the high price per page, you have removed the print permission from the Everyone group. You need to grant the print permissions to marketing users in the north.westsim.com, east.westsim.com, and west.westsim.com domains. What should you do? - In the North domain, create a universal group called All-Marketing. - Add the marketing users' accounts from all three domains to the group and assign the group the print permission. - In the North domain, create a Domain Local group called CLR-PRT. - In all three domains, create a global group named Marketing. - Add all three global groups to the North CLR-PRT group and assign the print permission to the group. - In all three domains, create a domain local group called CLR-PRT. - Add the East and West CLR-PRT groups to the North CLR-PRT group. - Assign the print permission to the North CLR-PRT group. - In all three domains, create a global group named Marketing. - Add the East and West Marketing groups to the North Marketing group. - Assign the print permission to the North Marketing group.

- In the north domain, create a domain local group called CLR-PRT - In all three domains, create a global group named Marketing - Add all three global groups to the north clr-prt group and assign the print permission to the group EXPLANATION The best solution would be to create a domain local group in the North domain called CLR-PRT and in all three domains create a global group named Marketing. Add all three global groups to the North CLR-PRT group and assign the print permission to the group. This follows Microsoft's recommended strategy of A-G-DL-P. Place Accounts into Global groups, which become members of Domain Local groups, which have the Permissions assigned. Using a universal group and adding user accounts directly to a universal group will work, but in a multiple-domain forest, this is not a best practice. In addition, since the resource is only located in one domain, universal groups are not recommended. Any time there is a membership change in a universal group, it requires replication to the global catalog servers. This does not happen when you modify the membership of domain local or global groups. Using a universal group in the North domain with individual members puts the burden of managing the membership on the North administrator. You can expand the best practice of A-G-DL-P to A-G-U-DL-P by creating global groups in each domain and adding them to the universal group. The other answers violate the group nesting rules and will not work. A global group can only contain accounts and global groups from its own domain. Domain local groups cannot be members of groups outside their own domains. REFERENCES LabSim for Server Pro 2016, Section 7.8.

Group Policies can be used to set the same notification levels at the domain level that can be set for local machines using the User Account Control (UAC) tool. You need to configure the Notify me only when programs try to make changes to my computer notification level using Group Policy. Which of the following Group Policies must be set to complete this configuration? - The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent for non-Windows binaries. - The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is enabled. - The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Elevate without prompting. The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is disabled. - The User Account Control: Run all administrators in Admin Approval Mode policy setting is disabled. - UAC is disabled. - The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent on the secure desktop. - The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is enabled. - The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent for non-Windows binaries. - The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is disabled. - The Behavior of the elevation prompt for standard users policy setting is set to Prompt for credentials.

- the behavior of the elevation prompt for administrators in Admin approval mode policy setting is set to Prompt for consent for non-Windows binaries. - The user account control : Switch to the secure desktop when prompting for elevation policy setting is enabled EXPLANATION Group Policies can be used to set the same notification levels at the domain level that can be set for local machines using the User Account Control (UAC) tool. Notification-level settings can be configured using the following policies: - Always notify - The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent on the secure desktop. - The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is enabled. - Notify me only when apps try to make changes to my computer - The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent for non-Windows binaries. - The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is enabled. - Notify me only when apps try to make changes to my computer (do not dim the desktop) - The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Prompt for consent for non-Windows binaries. - The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is disabled. - The Behavior of the elevation prompt for standard users policy setting is set to Prompt for credentials. - Never notify - The Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting is set to Elevate without prompting. The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is disabled. - The User Account Control: Run all administrators in Admin Approval Mode policy setting is disabled. - UAC is disabled. REFERENCES LabSim for Server Pro 2016, Section 8.6.

Virtualization is the ability to install and run multiple operating systems concurrently on a single physical machine. Windows virtualization includes several standard components. Drag the component on the left to the appropriate description on the right. (Each component can be used once, more than once, or not at all.) Drag Physical Machine Virtual Machine Virtual Hard Disk (VHD) Hypervisor Drop A file that resides within the host operating system and serves a storage device for the virtual machine. A thin layer of software that resides between the guest operating system and the hardware. The guest operating system that is a software implementation of a computer that executes programs. The host operating system that has hardware, such as storage devices, RAM, and a motherboard. Appears to be a self-contained and autonomous system. Allows virtual machines to interact with the hardware without going through the host operating system.

A file that resides within the host operating system and serves a storage device for the virtual machine Virtual Hard Disk (VHD) A thin layer of software that resides between the guest operating system and the hardware Hypervisor The guest operating system that is a software implementation of a computer that executes programs - Virtual Machine The host operating system that has hardware, such as storage devices, RAM and a motherboard Physical Machine Appears to be a self-contained and autonomous system Virtual Machine Allows virtual machines to interact with the hardware without going through the host operating system Hypervisor

Match each Active Directory component on the left with the appropriate description on the right. (Each component may be used once, more than once, or not at all.) Drag Tree Forest Domain Domain Controller Replication Drop A group of related domains that share the same DNS namespace. A collection of related domain trees. A server that holds a copy of the Active Directory database. The process of copying changes to the Active Directory database between domain controllers. A collection of network resources that share a common directory database. Can make changes to the Active Directory database.

A group of related domains that share the same DNS namespace Tree A collection of related domain trees Forest A server that holds a copy of the Active Directory database Domain Controller The process of copying changes to the Active Directory database between domain controllers Replication A collection of network resources that share a common directory database Domain Can make changes to the Active Directory database Domain Controller EXPLANATION In Active Directory: - A tree is a group of related domains that share the same contiguous DNS namespace. - A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS name spaces. - A domain is an administratively defined collection of network resources that share a common directory database and security policies. - A domain controller is a server that holds a copy of the Active Directory database that can be written to. Any domain controller can make changes to the Active Directory database. - Replication is the process of copying changes to Active Directory between the domain controllers. REFERENCES LabSim for Server Pro 2016, Section 7.1.

You need to add a new Windows server to an Active Directory domain. You intend to make this new server a domain controller. This server was installed with a server core deployment, so you'll need to install the Active Directory Domain Services role from the PowerShell console. From the drop-down list, select the name of the service you would enter to complete the following PowerShell command: Install-WindowsFeature ________________ AD-DS ActiveDirectory-Domains-Services AD-Domain-Services ActiveDirectory-DS Ad-domain-services

AD-Domain-Services EXPLANATION To install the Active Directory Domain Services role from the PowerShell command line, you enter the following command: Install-WindowsFeature AD-Domain-Services Remember that the name of the service, AD-Domain-Services, is case sensitive. REFERENCES LabSim for Server Pro 2016, Section 7.2.

You manage a network with a single Active Directory domain called westsim.com. You have just deployed an Azure AD domain controller in the Azure cloud. You have created a user account for yourself in the new Azure AD domain. You are now testing the configuration of the Azure AD domain from home by trying to join your home computer to this domain. Click on the option in the System menu in the Settings app that allows you to join your computer to the domain in Azure AD.

About (bottom) EXPLANATION From the System menu, in the Settings app, you would select the About option to get to the page from which you can join your computer to a domain in Azure AD. REFERENCES LabSim for Server Pro 2016, Section 7.10.

You manage a network with a single domain named eastsim.com. The network currently has three domain controllers. During installation, you did not designate one of the domain controllers as a global catalog server. Now you need to make the domain controller a global catalog server. Which tool should you use to accomplish this task? Active Directory Users and Computers or Active Directory Sites and Services Active Directory Sites and Services Active Directory Users and Computers Active Directory Domains and Trusts or Active Directory Sites and Services Active Directory Domains and Trusts

Active Directory Users and Computers or Active Directory Sites and Services EXPLANATION Use Active Directory Users and Computers or Active Directory Sites and Services to designate a global catalog server. REFERENCES LabSim for Server Pro 2016, Section 7.2.

You have added a new color printer to the network. You have only given certain users throughout the network permission to send print jobs to this printer. Some of these users are complaining that it takes a long time to find the new color printer in Active Directory to add it to their list of printers. What can you do to make this printer faster to find? Put the printer object in a generic container. Add a global catalog server. Add a database replication server. Add a resource sharing server.

Add a global catalog server EXPLANATION Adding a global catalog server to the network will facilitate faster searches for objects, such as printers, in Active Directory. Global Catalog (GC) is a database that contains a partial replica of every object from every domain within a forest. A server that holds a copy of this catalog is a global catalog server. Global Catalog facilitates faster searches because different domain controllers do not have to be referenced. Database replication and resource sharing are features of Active Directory. They are not hosted by any specific server. Putting the printer object in a generic container will not make it faster to find because, without a global catalog, user searches will still require that all domain controllers be referenced to find where the printer is in the Active Directory tree. REFERENCES LabSim for Server Pro 2016, Section 7.1.

You are the network administrator for westsim.com. The network consists of a single Active Directory domain. You are responsible for a server named HV1 that has the Hyper-V role installed. HV1 hosts a virtual machine that runs a custom web application that is in use 24 hours per day. The virtual machine has one hard drive that is hosted on a 127 GB expanding virtual hard drive (.vhdx). The server is running out of room. Management would like to upload 100 GB of new media files for use in the web application. You need to provide more storage space inside the virtual machine while minimizing downtime for the custom web application. What should you do? Edit the existing virtual hard drive (.vhdx) file. Add a new virtual hard drive (.vhdx) to a SCSI controller. Add a new virtual hard drive (.vhdx) to a new IDE controller. Add a new virtual hard drive (.vhdx) to the existing IDE controller.

Add a new virtual hard drive (.vhdx) to a SCSI controller EXPLANATION Add a new virtual hard drive (.vhdx) to a SCSI controller. Dynamic Virtual Machine Storage allows hot plug-in and hot removal of the storage on a SCSI controller of the virtual machine. Physical machines that support hot swapping of drives only do so on SCSI controllers, and the same is true of virtual machines. Therefore, you must add the new virtual hard drive (.vhdx) to a SCSI controller, which will allow you to add the new .vhdx without having to shut down the virtual machine, eliminating any downtime for the custom web app. Adding a new virtual hard drive (.vhd) to an IDE controller, whether the existing controller or a new one, would require a reboot of the virtual machine. Editing the existing file would allow you to convert the expanding virtual hard drive (.vhd) to a fixed size virtual hard drive, but would not increase the available space. Generally, conversion from a dynamically expanding .vhd to a fixed size .vhd is done for performance issues, since a fixed size .vhd does not require the processor to expand the .vhd as storage requirements increase. REFERENCES LabSim for Server Pro 2016, Section 6.3.

You are the administrator of a network with two Active Directory domains. Each domain currently includes 35 global groups and 75 domain local groups. You have been reading the Windows Server help files and have come to the conclusion that universal groups may be the answer to ease administrative management of these groups. You decide to incorporate universal groups. How can you make sure to not include changes to any group that will affect group member's assigned permissions? Add global groups to universal groups and then add those to domain local groups. Remove all members from the global groups and add them to universal groups. Add all global groups to a universal group named All Users. Add global groups to domain local groups and then add those to universal groups.

Add global groups to universal groups and then add those to domain local groups EXPLANATION Adding global groups to universal groups and then adding those to domain local groups is the most efficient solution for group management. Individual members can be added to universal groups but this causes a large member list, which is stored on Global Catalog servers. Active Directory supports three group scopes: domain local, global, and universal. REFERENCES LabSim for Server Pro 2016, Section 7.8.

You have created a group policy that prevents users in the accounting department from accessing records in a database that has confidential information. The group policy is configured to disable the search function for all users in the Accounting OU no matter which workstation is being used. After you configure and test the policy, you learn that several people in the Accounting OU have valid reasons for using the search function. These users are part of a security group named Managers. What can you do to prevent the Group Policy object (GPO) that you have configured from applying to members of the Managers group? Move members of the Managers group to their own OU beneath the Accounting OU. Enable Block Policy inheritance for the new OU. Add the Managers group to the GPO's discretionary access control list (DACL). Deny the apply Group Policy and read permissions to the Managers group. Make sure that the Managers group is not on the GPO's discretionary access control list (DACL). Add the Managers group to the Accounting OU's discretionary access control list (DACL). Deny the apply Group Policy and read permissions to the Managers group.

Add the Managers group to the GPO's discretionary access control list (DACL). Deny the apply Group Policy and read permissions to the Managers group. EXPLANATION Users must have the apply Group Policy and read permissions to a GPO for that GPO to be applied to the user. You can prevent a group from receiving a GPO by denying the group the required permissions to the GPO. By denying the permissions for the Managers group, you can prevent the GPO settings from applying to group members. REFERENCES LabSim for Server Pro 2016, Section 8.1.

For security testing purposes, you need to change the source MAC address in outgoing packets originating from a Hyper-V virtual machine. Click the option you would use in the virtual machine's settings to do this.

Advanced Features EXPLANATION To change the source MAC address in outgoing packets originating from a Hyper-V virtual machine, click Advanced Features under the network adapter in the virtual machine's settings and then mark Enable MAC address spoofing. Clicking Network Adapter virtual_switch_name in the virtual machine's Settings window allows you to enable bandwidth management. It's not necessary to add new hardware to the virtual machine to enable bandwidth management. Clicking Hardware Acceleration allows you to specify tasks that can be offloaded to the physical network adapter in the system. REFERENCES LabSim for Server Pro 2016, Section 6.4.

You are configuring a new external virtual switch in your Hyper-V host. The host has two physical network interfaces installed. You do not want the physical host to exclusively use one network interface and virtual machines running on the host to exclusively use the other. Click the option you would use to configure the virtual switch in this manner.

Allow management operating system to share this network adapter. EXPLANATION With two network adapters installed, both the physical host and the virtual machines running on the host can use the same adapter. To do this, under External network, select the adapter you wish to use and then select Allow host OS to share the network adapter. To prevent the physical host from using the adapter deselect Allow host OS to share the network adapter. The External network drop-down list is used to select a physical network adapter to be used by the virtual switch. The Enable single-root I/O virtualization (SR-IOV) option allows virtual machines to directly use the network adapter specified. The Enable virtual LAN identification for management operation system option allows you to configure the virtual switch to function on a specific VLAN. REFERENCES LabSim for Server Pro 2016, Section 6.4.

You are an administrator over several Windows servers. You also manage a domain in Active Directory. Your responsibilities include managing permissions and rights to make sure users can do their jobs while also keeping them from doing things they should not be doing. With Windows Server systems and Active Directory, the concepts of permissions and rights are used to describe specific and different kinds of tasks. Drag the concept on the left to the appropriate task examples on the right. (Each concept can be used more than once.) Drag Permissions Rights Drop Allow members of the Admins group to back up the files in the Marketing folder on the CorpFiles server. Assign members of the Admins group read-only access to the files in the Marketing folder on the CorpFiles server. Allow members of the Admins group to restore the files in the Marketing folder on the CorpFiles server. Assign members of the Marketing group read-write access to the files in the Marketing folder on the CorpFiles server. Allow members of the Admins group to log on locally to the CorpFiles server. Allow members of the Admins group to shut down the CorpFiles server. Allow members of the Marketing group to send print jobs to the Marketing color printer.

Allow members of the Admins group to back up the files in the Marketing folder on the CorpFiles server. Rights Assign members of the Admins group read-only access to the files in the Marketing folder on the CorpFiles server. Permissions Allow members of the Admins group to restore the files in the Marketing folder on the CorpFiles server. Rights Assign members of the Marketing group read-write access to the files in the Marketing folder on the CorpFiles server. Permissions Allow members of the Admins group to log on locally to the CorpFiles server. Rights Allow members of the Admins group to shut down the CorpFiles server. Rights Allow members of the Marketing group to send print jobs to the Marketing color printer. Permissions EXPLANATION With Windows Server systems and Active Directory, the concepts of permissions and rights are used to describe specific and different kinds of tasks. For example: - The following tasks require permissions because they deal with the ability to use, or have access to, objects such as files, folders, and printers: - Assign members of the Admins group read-only access to the files in the Marketing folder on the CorpFiles server. - Assign members of the Marketing group read-write access to the files in the Marketing folder on the CorpFiles server. - Allow members of the Marketing group to send print jobs to the Marketing color printer. - The following tasks require rights because they deal with the ability to perform actions on a computer, such as log on, shut down, back up, and restore: - Allow members of the Admins group to back up the files in the Marketing folder on the CorpFiles server. - Allow members of the Admins group to restore the files in the Marketing folder on the CorpFiles server. - Allow members of the Admins group to log on locally to the CorpFiles server. - Allow members of the Admins group to shut down the CorpFiles server. REFERENCES LabSim for Server Pro 2016, Section 8.5.

Match each Hyper-V virtual networking feature on the left with its appropriate description on the right. (Each description may be used once, more than once, or not at all.) Drag Storage Quality of Service (QoS) Trunking Port ACLs NIC Teaming Port Mirroring DHCP Guard Virtual Machine Queue (VMQ) Drop Allows a VM to see traffic from multiple VLANs Allows network traffic to be distributed across multiple CPU cores Controls the throughput of data to virtual disks Establishes rules that are applied to virtual switch ports Provides bandwidth aggregation Copies traffic from one switch port to another Prevents a VM from being used as a rogue DHCP server

Allows a VM to see traffic from multiple VLANs Trunking Allows network traffic to be distributed across multiple CPU cores Virtual Machine Queue (VMQ) Controls the throughput of data to virtual disks Storage Quality of Service (QoS) Establishes rules that are applied to virtual switch ports Port ACLs Provides bandwidth aggregation NIC Teaming Copies traffic from one switch port to another Port Mirroring Prevents a VM from being used as a rogue DHCP server DHCP Guard

Match each Active Directory component on the left with the appropriate description on the right. (Each component may be used once, more than once, or not at all.) Drag Organizational Unit Generic Container Global Catalog Attributes Schema Drop An object type that cannot be created, moved, renamed, or deleted. A database that contains a partial replica of every object from every domain. Facilitates faster searches. A type of container object that can be created by the administrator to simplify security administration. Identifies the types of objects that can exist in the tree. Information about an object, such as a user's name. Used to logically organize network resources within a domain.

An object that cannot be created, moved, renamed, or deleted Generic Container A database that contains a partial replica of every object from every domain Global Catalog Facilitates faster searches Global Catalog A type of container object that can be created by the administrator to simplify security administration Organizational Unit Identifies the types of objects that can exist in the tree Schema Information about an object, such as a user's name Attributes Used to logically organize network resources within a domain Organizational Unit EXPLANATION In Active Directory: - An organizational unit is like a folder that subdivides and organizes network resources within a domain to simplify security administration. An organizational unit is a container object that can be used to logically organize network resources. - Like OUs, generic containers are used to organize Active Directory objects. Generic container objects are created by default, but cannot be created, moved, renamed, or deleted by the administrator. They have very few editable properties. - Global Catalog is a database that contains a partial replica of every object from every domain within a forest. Global Catalog facilitates faster searches because different domain controllers do not have to be referenced. - Each object is composed of attributes, which contain information about the object, such as a user's name, phone number, and email address. - The schema identifies the object classes (the type of objects) that exist in the tree and the attributes of the object. REFERENCES LabSim for Server Pro 2016, Section 7.1.

You are in charge of managing the servers in your network. Recently, you have noticed that many of the domain member servers are being shut down. You would like to use auditing to track who performs these actions. What should you do to only monitor the necessary events and no others? (Select two. Each choice is a required part of the solution.) Audit successful account management events. Create a GPO to configure auditing. Link the GPO to the domain. Create a GPO to configure auditing. Link the GPO to the Computers container. Audit successful system events. Audit failed account management events. Audit failed system events.

Audit successful system events. Create a GPO to configure auditing. Link the GPO to the domain. EXPLANATION To track when the system shuts down, audit successful system events. System events auditing tracks system shutdown, restart, and the starting of system services. It also tracks events that affect security or the security log. To configure auditing, create a GPO and link it to the domain or OU. In this example, to audit member servers, link the GPO to the domain. By default, member servers are in the Computers container. However, you cannot link a GPO to this container. A better solution would be to create an OU with only the member servers and then link the GPO to that OU. Linking the GPO to the domain means that system events will be audited on all computers in the domain. You do not need to audit failed events because you are only interested in when the system actually shuts down, not when someone tried to shut it down but was unsuccessful. Account management auditing tracks changes to user accounts. Directory service access auditing tracks changes to Active Directory objects. REFERENCES LabSim for Server Pro 2016, Section 8.4.

You manage a group of 10 Windows workstations that are currently configured as a workgroup. Which are advantages you could gain by installing Active Directory and adding the computers to a domain? (Select two.) Centralized authentication Reduced need for specialized hardware Increased local control of workstation settings Centralized configuration control Decreased implementation cost

Centralized authentication Centralized configuration control EXPLANATION Installing an Active Directory database provides several advantages, such as: - Improved scalability - Centralized configuration control - Reduced data backup complexity - Centralized authentication - Centrally applied security settings - Some of the disadvantage of installing an Active Directory database include: - Increased cost - Specialized hardware and software - Increased planning time for implementation REFERENCES LabSim for Server Pro 2016, Section 7.1.

You need to create a snapshot of a virtual machine currently running on a Windows Server Hyper-V host. The server was installed using a Server Core installation, so you must do this from the command line within a PowerShell window. Which cmdlet should you use to do this? Checkpoint-VM Export-VMSnapshot Export-VM Dismount-VHD

Checkpoint-VM EXPLANATION The Checkpoint-VM cmdlet can be used within a PowerShell window to create a snapshot, or checkpoint, of a virtual machine on a Windows Server Hyper-V host. The Dismount-VHD cmdlet is used to dismount a virtual disk. The Export-VM cmdlet is used to export a virtual machine to a different storage device, such as a removable hard disk. The Export-VMSnapshot cmdlet is used to export a snapshot of a virtual machine to a different storage device, such as a removable hard disk. REFERENCES LabSim for Server Pro 2016, Section 6.2.

You need to configure the ENSERV16-VM03 server as a global catalog server. Where do you click in the Properties dialog to open the page that will allow you to select the global catalog option?

Click "NTDS Settings..." EXPLANATION If you are using the Active Directory Users and Computers tool, you can designate a global catalog server by opening the properties page for the server (shown in the question), and then selecting the NTDS Settings button to get to the page where you can select the Global Catalog option. REFERENCES LabSim for Server Pro 2016, Section 7.2.

When you originally deployed the AccServer virtual machine on your Windows Server 2012 R2 hypervisor, it stored accounting data from all departments in your organization. Therefore, it required a very large virtual disk. However, as your organization has grown, additional department-specific accounting servers have been deployed and much of the data that used to be stored on AccServer has migrated to them. Because the virtual hard disk file for the AccServer virtual machine is set to grow dynamically, the unused space in the file can be reclaimed on the physical hard drive in the Windows server. Click the option you would use in the Edit Virtual Hard Disk wizard to accomplish this without reducing the overall storage capacity of the virtual hard disk.

Compact EXPLANATION A virtual hard disk file that is configured to grow dynamically will increase in size as more space is required by the virtual machine. However, once physical disk blocks are allocated, a disk file does not reduce in size when data is deleted from it. To reduce the size of the disk file, you can use the Compact option in the Edit Virtual Hard Disk wizard. This reduces the size of the disk file without reducing the capacity of the virtual hard disk. The Convert option is used to convert an existing virtual hard disk to a new virtual hard disk using a different type and format. The Expand option expands the capacity of the virtual hard disk. The Shrink option reduces the overall storage capacity of the virtual hard disk itself. REFERENCES LabSim for Server Pro 2016, Section 6.3.

You currently manage a virtual machine named VM18 that has been installed on the Srv5 physical server. The virtual machine uses a single dynamic disk of 100 GB. You notice that the physical size of the virtual hard disk is 40 GB, but that the virtual machine reports only a total of 20 GB of files. You want to reduce the physical space used by the virtual hard disk. What should you do? In the virtual machine, defragment the hard disk. Convert the disk to a fixed disk with a smaller size. Create a differencing disk using the virtual machine's disk as the parent disk. Compact the disk.

Compact the disk EXPLANATION With a dynamically expanding disk, additional space is added to the .vhd file as necessary. However, when files are deleted from the virtual hard disk, the .vhd file does not shrink. Compacting the virtual disk removes any blank space from the virtual hard disk file. You can only compact a dynamically expanding disk. By design, fixed disks are always the size of the virtual hard disk capacity. Converting a dynamically expanding disk to a fixed disk makes it bigger; the resulting file consumes as much disk space as is allocated to the virtual hard disk. Microsoft does not provide any tools for shrinking a virtual disk (reducing the maximum size of a virtual disk). Compacting a dynamically expanding disk or converting a fixed disk to dynamically expanding will reduce the disk space used by the virtual disk, but does not reduce the maximum size of the virtual disk. REFERENCES LabSim for Server Pro 2016, Section 6.3.

You are the administrator of a network with a single Active Directory domain. The domain includes two domain controllers. Your company's security policy requires that locked out accounts are unlocked by administrators only. Upon reviewing the account lockout policy, you notice the account lockout duration of 99999. You need to configure your domain's account lockout policy to comply with your company's security policy. What should you do next? Configure Reset account lockout counter after as 0. Configure Account lockout duration as 1. Configure Account lockout duration as 0. Configure Reset account lockout counter after as 1.

Configure Account lockout duration as 0. EXPLANATION Configuring the Account lockout duration to 0 will require an administrator to unlock all accounts. This setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. REFERENCES LabSim for Server Pro 2016, Section 8.3.

You are an administrator for a company that uses Windows servers. In addition to Active Directory, you also provide file and print services, DHCP, DNS, and email services. There is a single domain and a single site. There are two member servers, one that handles file and print services only, and one database server. You are considering adding additional servers as business increases. Your company produces mass mailings for its customers. The mailing list and contact information provided to your company by its clients is strictly confidential. Because of the private information sometimes contained in the data (one of your clients is a hospital), and because of the importance of the data to your operation, the data can also be considered a trade secret. You want to ensure the data stored on your member servers is only accessed by authorized personnel for business purposes. You've set file permissions to restrict access, but you want to track the authorized users. How should you configure your security policy to track access to the data files? Configure object access auditing in a GPO and link it to the Domain Controllers OU. Configure object access auditing in a GPO and link it to the domain. Configure logon access auditing in a GPO and link it to the Domain Controllers OU. Configure object access on the database server. Configure system events auditing on the domain controllers.

Configure Object access auditing in a GPO and link it to the domain. EXPLANATION Because you are considering adding servers, it would be best if you implemented your security policy in a GPO so that it will be applied automatically when new computers are added. The category of auditing that you want is Object Access, and it should be applied to the domain so that it applies to all computers. Linking the GPO to the Domain Controllers OU would result in the policy being applied only to the domain controllers, not to the member servers where the sensitive data is stored. System events is the wrong category to audit, as is logon access. Applying the policy directly to the database server leaves your other servers unprotected, including any new ones that are implemented later. REFERENCES LabSim for Server Pro 2016, Section 8.4.

You are the network administrator for your company. Your network consists of two Active Directory domains, research.westsim.local and sales.westsim.local. Your company has two sites, Dallas and Houston. Each site has two domain controllers, one domain controller for each domain. Users in Houston who are members of the sales.westsim.local domain report slow performance when logging in and accessing files in Dallas. Users in Dallas do not report any problems logging in and accessing local resources. You want all users in Houston to experience adequate login and resource access response time. What should you do? Enable universal group membership caching in Houston. Decrease the site link cost between the two sites. Configure one of the domain controllers in Houston to be a global catalog server. Increase the replication frequency between the two sites.

Configure one of the domain controllers in Houston to be a global catalog server EXPLANATION Configure one of the domain controllers in Houston to be a global catalog server. A global catalog server needs to be contacted during login, so having a local global catalog server will speed up response time. A global catalog server also maintains universal group membership (which is, apparently, being used on the network described in the question). Group membership needs to be consulted during resource access, so this is another reason why having a local global catalog server will speed up response time. Enabling universal group membership caching would not help in this situation because the domain in question is a Windows 2000 Native mode domain. The domain must be in Windows Server 2003 functional level for universal group membership caching to take effect. Changing the replication frequency or modifying the site link cost will not affect logon response. Logon is slow because the logon requests must cross the WAN link. Using a global catalog server places the global catalog in the local site. REFERENCES LabSim for Server Pro 2016, Section 7.2.

Your network consists of a single Active Directory domain. The OU structure of the domain consists of a parent OU named HQ_West and the child OUs Research, HR, Finance, Sales, and Operations. You have created a Group Policy Object (GPO) named DefaultSec, which applies security settings that you want to apply to all users and computers. You have created a second GPO named HiSec, which has more restrictive security settings that you want to apply to the HR and research departments. Both GPOs use custom security templates. You also want to ensure that strong password policies are applied to all client computers. How should you link the GPOs to the OUs? (Select three. Each correct answer is part of the complete solution.) Link DefaultSec to each child OU. Configure password policies on a GPO linked to the HQ_West OU. Link HiSec to each child OU. Link HiSec to the HQ_West OU. Link HiSec to the HR and Research OUs. Configure password policies on a GPO linked to the domain. Link DefaultSec to the HQ_West OU.

Configure password policies on a GPO linked to the domain. Link DefaultSec to the HQ_West OU. Link HiSec to the HR and Research OUs. REFERENCES LabSim for Server Pro 2016, Section 8.2.

You are the security administrator for a large metropolitan school district. You are reviewing security standards with the network administrators for the high school. The school's computer center has workstations for anyone's use. All computers in the computer center are members of the Computer Center Computers global group. All workstations are currently located in the Computers container. The computer center computers have access to the Internet so users can perform research. Any user who uses these computers should be able to run Internet Explorer only. Other computers in the high school should not be affected. To address this security concern, you create a Group Policy object (GPO) named Computer Center Security. How can you configure and apply this GPO to enforce the computer center's security? Configure the Computer Configuration node of the Computer Center Security GPO to restrict software to Internet Explorer only. Link the GPO to the domain and allow access to the Computer Center Computers group only. Configure the Computer Configuration node of the Computer Center Security GPO to restrict software to Internet Explorer only. Link the GPO to the Computers container and allow access to the Computer Center Computers group only. Configure the User Configuration node of the Computer Center Security GPO to restrict software to Internet Explorer only. Link the GPO to the Computers container and allow access to the Computer Center Computers group only. Configure the User Configuration node of the Computer Center Security GPO to restrict software to Internet Explorer only. Link the GPO to the domain and allow access to the Computer Center Computers group only.

Configure the Computer Configuration node of the Computer Center Security GPO to restrict software to Internet Explorer only. Link the GPO to the domain and allow access to the Computer Center Computers group only. EXPLANATION To apply settings that apply to computers without regard to the user who is using them, you need to configure the Computer Configuration node of a Group Policy object (GPO). You also need to link the GPO to a domain, site, or organizational unit (OU) that contains the relevant computer accounts. Because the GPO is linked to the domain but should apply to computer center computers only, you need to filter access to the GPO so it applies to the Computer Center Computers group only. You cannot link GPOs to the Computers container because it is not an OU. Therefore, you should link the GPO to the domain in this scenario. REFERENCES LabSim for Server Pro 2016, Section 8.1.

You currently manage a virtual machine named VM12 that has been installed on the Srv5 physical server. The virtual machine uses a single fixed disk of 100 GB saved in the vdisk1.vhd file. Physical disk space on the server is getting low. When you run Disk Management within the virtual machine, you notice that only 30 GB of space is being used, but the vdisk1.vhd file occupies 100 GB. You want to reduce the physical size of the virtual hard disk. What should you do? Convert the disk to a dynamically expanding disk named vdisk2.vhd. Delete vdisk1.vhd, and change vdisk2.vhd's name to vdisk1.vhd. Create a differencing disk named vdisk2.vhd using vdisk1.vhd as the parent disk. Reconfigure the virtual server to use vdisk2.vhd instead of vdisk1.vhd. Convert the disk to a dynamically expanding disk named vdisk2.vhd. Compact the disk. Convert the disk to a fixed disk named vdisk3.vhd. Delete vdisk1.vhd and change vdisk3.vhd's name to vdisk1.vhd. Compact the disk.

Convert the disk to a dynamically expanding disk named vdisk2.vhd. Delete vdisk1.vhd, and change vdisk2.vhd's name to vdisk1.vhd. EXPLANATION Convert the disk to a dynamically expanding disk. A fixed disk reserves the entire amount of disk space on the physical disk. In this scenario, the disk uses 100 GB of physical disk space, even though the virtual machine only uses 30 GB. Converting the disk to a dynamically expanding disk reduces the size of the disk to use only the amount of used space. Compacting a disk removes extra space from a dynamically expanding disk—you cannot compact a fixed disk. When you convert a dynamically expanding disk to a fixed disk, the fixed disk takes up the entire disk space specified by the maximum disk size; compacting the dynamically expanding disk and then converting it to a fixed disk does not result in a smaller disk. Use a differencing disk to create a child installation from a parent installation. Take a snapshot to save the current state of a virtual machines. Using a differencing disk actually increases the amount of disk space used because the original fixed disk remains while changes are saved to the differencing disk and not the fixed disk (even though the fixed disk might have free space available). REFERENCES LabSim for Server Pro 2016, Section 6.3.

You are the administrator for ABC Corporation. The network has a single Active Directory domain called xyz.com. The Sales team has a shared folder on Srv1 that is used to hold sales contact information. You need to control access to this folder so that only members of the sales team can access the folder. You create a group called Sales and add all members of the sales team as members of the group. However, when you try to assign permissions to the shared folder, the Sales group you created does not show in the list of available objects. You check the properties of the group and find the details shown in the image. What do you need to do to assign permissions to the sales team? Convert the group to a security group. Assign permissions directly to each sales team member. Convert the group to a universal group. Delete the group. Recreate the group as a domain local group.

Convert the group to a security group EXPLANATION You need to convert the distribution group to a security group. Only security groups can be used to assign permissions. You could delete the group and create a new one, as long as you create a security group. However, this will take longer than just converting the existing group. While assigning permissions directly to users would grant the permissions, you should use groups whenever possible for assigning permissions. REFERENCES LabSim for Server Pro 2016, Section 7.8.

You are the administrator for a network with two domains, westsim.com and sales.westsim.com. You have a shared folder called Reports on the Sales1 server in the sales.westsim.com domain. The following two users need access to this shared folder: - Mark in the westsim.com domain - Mary in the sales.westsim.com domain You create a global group called Sales in westsim.com. You grant this group the necessary permissions to the Reports shared folder. You add Mark as a member of the group; however you are unable to add Mary as a group member. What should you do? (Select two. Each choice is a possible answer.) Convert the group to a universal group. Convert the group to a domain local group. Delete the existing group. Create a domain local group in westsim.com. Add Mark and Mary as members and assign permissions to the share. Delete the existing group. Create a domain local group in sales.westsim.com. Add Mark and Mary as members and assign permissions to the share. Delete the existing group. Create a global group in sales.westsim.com. Add Mark and Mary as members and assign permissions to the share.

Convert the group to a universal group Delete the exisiting group. Create a domain local group in sales.westsim.com. Add mary and mary as members and assign permissions to the share EXPLANATION To grant the necessary permissions, either of the following would work: Convert the group to a universal group. Universal groups can have members from any domain and can be used to assign permissions to resources in any domain. Create a domain local group in sales.westsim.com. Domain local groups can have members from any domain and can be used to assign permissions within the domain. If you use a domain local group in this scenario, the group must be in the sales.westsim.com domain. Using a global group would not work. Global groups can only contain members within the same domain. REFERENCES LabSim for Server Pro 2016, Section 7.8.

You are the administrator of a multi-domain Active Directory forest. You have a universal group called SalesExecs. This group has successfully been used as an email distribution group. Later, you try to assign the group permissions to a shared folder, but SalesExecs does not appear as a choice. What should you do? Convert the SalesExecs group from a universal group to a global group. Remove the email address from the SalesExecs group. Convert the SalesExecs group from a distribution group to a security group. Convert the SalesExecs group from a universal group to a domain local group. Create a global security group with the same membership.

Convert the salesexec group from a distribution group to a security group EXPLANATION You should convert the SalesExecs group from a distribution group to a security group. The reason SalesExecs does not appear on the list is because it is not a security group. Groups of the distribution type are not security principals and cannot be used to grant permissions. Creating a global security group with the same membership is not only extra work, but it may not be a complete solution if the membership includes accounts from multiple domains. Converting a universal group to a global group may be possible if the universal group does not contain members from multiple domains, but changing the group scope is not the problem. Converting a universal group to domain local group is also possible, but again, the problem is the type of group, not the group scope. The two group types are distribution and security, whereas universal, global and domain local are group scopes. REFERENCES LabSim for Server Pro 2016, Section 7.8.

You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. The company has a main office in New York and several international locations, including facilities in Germany and France. You have been asked to build a domain controller that will be deployed to the eastsim.com office in Germany. The network administrators in Germany plan to use Group Policy administrative templates to manage Group Policy in their location. You need to install the German version of the Group Policy administrative templates so they will be available when the new domain controller is deployed to Germany. What should you do? Copy the German .ADM files to the appropriate directory in the SYSVOL on a local domain controller. Copy the NTDS.dit file to the appropriate directory in the SYSVOL on a local domain controller. Copy the German .ADML files to the appropriate directory in the SYSVOL on a local domain controller. Copy the German .ADMX files to the appropriate directory in the SYSVOL on a local domain controller.

Copy the German .ADML files to the appropriate directory in the SYSVOL on a local domain controller. EXPLANATION You should copy the German .ADML files to the appropriate directory in the SYSVOL on a local domain controller. The Group Policy administrative templates come in 34 different languages. When you have extracted the appropriate language, you copy the ADML files to the appropriate directory in the SYSVOL share on a local domain controller. They will then replicate to the other domain controllers in the domain. The appropriate directory would be PolicyDefinitions\LANGUAGE where LANGUAGE would be the appropriate code for the language being installed. For example, for the German language, the directory would be de-DE; for the French language, it would be fr-FR. ADM files were the older version of Administrative templates used in Windows Server 2003. Windows Server 2008 introduced ADMX files, which are based on XML coding. However, the language files are .ADML files. The NTDS.dit file is the file that contains the Active Directory database. It is located in the %systemroot%\NTDS folder on the domain controller. It should not be copied to the SYSVOL. REFERENCES LabSim for Server Pro 2016, Section 8.1.

You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the accounting, sales, and shipping departments. User and computer accounts for each department are in their respective OUs. Mary Hurd is a manager in the sales department. Mary is a member of the Managers global group. This group also has members from other organizational units. The Managers group has been given the read share permission to the Reports shared folder. Mary's user account (mhurd) has also been given the change share permission to the Reports shared folder. You need to create several new user accounts that have the same group membership and permission settings as the mhurd user account. How can you complete this configuration with the least amount of effort? Copy the mhurd user account. Assign the Managers group the read and change share permissions to the Reports shared folder. Copy the mhurd user account. Make the new user account a member of the Managers group. Assign the group the read and change share permissions to the Reports shared folder. Copy the mhurd user account. Make the new user account a member of the Managers group. Assign the new account the change share permission to the Reports shared folder. Copy the mhurd user account. Assign the new account the change share permission to the Reports shared folder. Copy the mhurd user account. Assign the new account the read and change share permissions to the Reports shared folder.

Copy the mhurd user account. Assign the new account the change share permission to the reports shared folder EXPLANATION To create additional user accounts similar to an existing account: - Copy the existing user account, assigning a new name and password. - Assign permissions to the new user account to match the existing account. When you copy a user account, group memberships are retained so you do not need to make the new account a member of any groups. Permissions granted to the original account are not copied. Therefore, you will need to manually assign any permissions. In this scenario, you would not want to assign additional permissions to the group because that would give other group members more permissions than they need. REFERENCES LabSim for Server Pro 2016, Section 7.5.

You have exported a virtual machine to a USB flash drive. You have just installed a new Hyper-V host, and you intend to build a lab environment consisting of several VMs on it. You plug the flash drive into the new host server and begin the import process. Partway through the process, the Import Virtual Machine wizard gives you several import types to choose from. Which of the following import types should you choose? Register the virtual machine in place (use the existing unique ID) Restore the virtual machine (use the existing unique ID) Copy the virtual machine (create a new unique ID)

Copy the virtual machine (create a new unique ID) EXPLANATION You should select the Copy the virtual machine (create a new unique ID) option. This option essentially creates a new virtual machine on this new host system. The VM will be named the same and have the same IP address settings, but its UID will be different than the one on the source system. If you select the Register the virtual machine in place (use the existing unique ID) option, the virtual machine will run from the place it is in, which is not ideal because it is currently stored on the USB flash drive, and you want to build a lab environment on this host system. You cannot select the Restore the virtual machine (use the existing unique ID) option because this machine was never on this new VM host system, so it can't be restored to it. REFERENCES LabSim for Server Pro 2016, Section 6.6.

You've just deployed a new Active Directory domain, as shown in the figure below. You now need to deploy Group Policy objects (GPOs) to apply configuration settings and enforce security policies. Click the container(s) to which a GPO can be applied.

Corp Domain Controllers EXPLANATION GPOs can be applied to organization units (OUs). In this scenario, GPOs can be assigned to the Corp and Domain Controllers OUs. Generic containers, which are created by default, are not OUs and cannot have GPOs assigned to them. A good practice is to move objects out of the default generic containers and into OUs where GPOs can be applied. REFERENCES LabSim for Server Pro 2016, Section 8.2.

You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. As you manage Group Policy objects (GPOs), you find that you often make similar user rights, security options, and Administrative Template settings in different GPOs. Rather than make these same settings each time, you would like to create some templates that contain your most common settings. What should you do? (Select two. Each choice is a possible solution.) Create starter GPOs. When creating new GPOs, select the appropriate starter GPO. Create GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, restore one of the backed up GPOs. Create GPOs with the common settings. When creating new GPOs, copy one of the existing GPOs. Create GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, import the settings from one of the backed up GPOs. Create custom .admx files with the necessary settings. Copy these files to the central store. After creating the GPO, import the settings from the .admx files.

Create GPOs with the common settings. When creating new GPOs, copy one of the existing GPOs. Create GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, import the settings from one of the backed up GPOs. EXPLANATION Because the settings you want to copy include user rights and security options, you can copy an existing GPO or import settings from a backup of another GPO. Starter GPOs only contain administrative template settings, not other GPO settings, such as software installation, user rights, or security options. .admx files are templates that identify possible administrative template settings; the files do not contain specific settings. You can only restore a GPO to the same GPO that was backed up. REFERENCES LabSim for Server Pro 2016, Section 8.1.

Your organization has been using an in-house custom-developed application. The team that developed that application created a Group Policy template in the form of an ADMX file, which you have used to assign necessary rights to a group of users who use the application. Another group of users now needs to have the same rights. This group belongs to an OU that one of your assistants has full control management rights to. When your assistant tries to use the Group Policy template to assign rights to this group, she cannot find the template in Active Directory. What must you do to give your assistant access to this Group Policy template? Create a central store on the SYSVOL share and copy the ADMX file into it. Make your assistant a member of the Domain Admins group. Use security group filtering to allow your assistant to access the central store. Create a GPO that gives your assistant access rights to the central store.

Create a central store on the SYSVOL share and copy the ADMX file into it. EXPLANATION Since you're the only one who has used the Group Policy template, you will probably find it on your local computer in the Policy Definitions folder. No one else can access it unless they are using your computer. To remedy this situation, you can create a central store on the SYSVOL share and copy the ADMX file into it to give any administrator who uses Group Policy Management access to the template. Making your assistant a member of the Domain Admins group, using security group filtering, and creating a GPO won't change the fact that the ADMX file is only available on your computer. REFERENCES LabSim for Server Pro 2016, Section 8.2.

You manage a single domain named widgets.com. Organizational units (OUs) have been created for all company departments. Computer and user accounts have been moved into their corresponding department OUs. The CEO has requested the ability to send emails to managers and team leaders. He'd like to send a single email and have it automatically forwarded to all users in the list. Because the email list might change frequently, you do not want the email list to be used for assigning permissions. What should you do? Create a universal security group. For each user on the email list, make their user account a member of the group. Create an OU for the email list. Create contact objects in the OU. Add an email address to the OU. Create a contact object for each user on the email list. Create a security global group. Make all contact objects members of the group. Create a distribution global group. For each user on the email list, make their user account a member of the group.

Create a distribution global group. For each user on the email list, make their user account a member of the group EXPLANATION To create an email list, you can use either a distribution or security group. Use a distribution group when you do not want the group to be used for assigning permissions. Make user accounts or contact objects members of the group. An email sent to the group will be distributed to all group members. Because each user on the email list already has a user account, you do not need to create contact objects. Use contact objects to identify people outside of the organization. Contacts cannot be used for login. REFERENCES LabSim for Server Pro 2016, Section 7.8.

You are the domain administrator for a single domain forest. You have 10 file servers that are member servers running Windows Server. Your company has designed its top-level OU structure based on the 15 divisions for your company. Each division has a global security group containing the user accounts for division managers. You have folders on your file servers that all division managers should have permission to access. For some resources, all division managers will need full control. For others, they will only need read or change permissions. You need a group strategy that will facilitate the assignment of permissions but minimize administrative effort. What should you do? Create a global group called AllMgrs; make each of the existing division managers groups a member. Create a domain local group called AllMgrs; add each of the division managers user accounts to the group. Create a global group called AllMgrs; add each of the division managers user accounts to the group. Create a universal group called AllMgrs; make each of the existing division managers groups a member.

Create a global group called AllMgrs; make each of the existing division managers groups a member EXPLANATION You can nest a global group into another global group or create a universal group and add global groups as members. Either nesting strategy will allow you use one group rather than 15 when assigning permissions to all of your company's division managers. However, universal groups are not recommended or needed in a single domain environment. Adding all of the user accounts to a single global or domain local group will work but will require additional work, so it is not as efficient as taking advantage of group nesting. REFERENCES LabSim for Server Pro 2016, Section 7.8.

You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the Accounting, Sales, and Support departments. User and computer accounts for each department are in their respective OUs. The Support department has very high turnover. Nearly every week, you need to add new user accounts. All user accounts have the same department and fax number settings. Each user account must also have permission to the Orders shared folder. You want to create a template account to use when creating new accounts in the future. What should you do? (Select three. Each is a required part of the solution.) Create a group called Support. Make the template account a member of the Support group. Assign permissions for the group to the Orders shared folder. Lock the user account. In the user account, enable the User must change password at next logon option. Disable the user account. In the user account, enable the Account is sensitive and cannot be delegated option. Create a user account with the department and fax Number settings.

Create a group called support. make the template account a member of the support group. assign permissions for the group to the orders shared folder Disable the user account Create a user account with the department and fax number settings EXPLANATION To create a template account: Create a user account with the necessary settings. Disable the account to prevent it from being used to log on (you cannot manually lock an account). Make the account a member of any necessary groups. Assign permissions to groups rather than assigning permissions directly to the template user account. When you assign permissions to the user account, you will need to reassign those permissions after copying the account to create the new user. REFERENCES LabSim for Server Pro 2016, Section 7.5.

You are the network administrator of a network that spans two locations, Atlanta and Dallas. Your organization started in Atlanta, and that's where you installed your first Active Directory domain controller. The Dallas location was later added to the domain with its own domain controller. Atlanta and Dallas are connected using a dedicated WAN link. You have not used Active Directory Sites and Services to make any changes to the default sites configuration. Users in Dallas complain that logging on to the network often takes a long time. After monitoring the network traffic across the WAN link, you discover that users in Dallas are often authenticating to the domain controller in Atlanta. What is the first step in solving this problem? Create a Computer object in the Dallas OU. Configure the replication schedule for the DEFAULTIPSITELINK site link object to exclude morning hours. Create a new site object and move the server object for the Dallas domain controller into the new site. Create a new domain for the Dallas location.

Create a new site object and move the server object for the Dallas domain controller into the new site EXPLANATION The latency associated with authenticating in Dallas is being caused by the traffic spanning the WAN link to Atlanta. The first step to speeding up authentication is to create separate site objects for each location (the default site can be used for Atlanta). You can then associate the Dallas subnet with the Dallas site so that authentication requests are sent to the local domain controller. Configuring the replication schedule for the DEFAULTIPSITELINK site link object to exclude morning hours is also a good idea, but the Dallas site needs to be created first. Creating a new domain for the Dallas location is not the best option; domains should represent logical administrative boundaries and do not necessarily need to represent physical sites. REFERENCES LabSim for Server Pro 2016, Section 7.3.

You are planning a server virtualization implementation using Hyper-V. Your virtualization solution must meet the following requirements: - Both 32-bit and 64-bit operating systems will be installed as virtual machines. - You need to install six virtual machines. - All virtual machines must be able to communicate with each other. - Virtual machines should not be able to communicate with any other network devices. Virtual machines should not be able to communicate with the management operating system. What should you do? Create an internal network Create a private network Create an external network Create a wireless network

Create a private network EXPLANATION Use a private network to allow the virtual machines to communicate with each other and no other devices, including the management operating system. Use an internal network if the private network must include the management operating system. Use an external network if the virtual machines must communicate with other network devices. A wireless network is not a virtual machine network type. REFERENCES LabSim for Server Pro 2016, Section 6.4.

You get a call from a user one day telling you that his password no longer works. As you inquire about the reasons why the password doesn't work, he tells you that yesterday he got a call from an administrator asking for his user account password, which he promptly supplied. You know that a legitimate administrator would have never made this request. You are concerned that the impersonator might have contacted other users with the same request. To protect your network, you would like to reset all user account passwords and force users to change their passwords at next login. You want to accomplish this as quickly as possible. What should you do? (Select two. Each choice is a possible solution.) Run Ldifde to export user account information. Edit the .ldif file to modify the user account properties and passwords. Run Ldifde to modify the existing user accounts. Create a script that runs Dsmod. Specify the new password and account properties in the script. Run the script. Run Csvde to export user account information. Edit the .csv file to modify the user account properties and passwords. Run Csvde to modify the existing user accounts. In Active Directory Users and Computers, select all affected user accounts. Right-click the user accounts to reset the passwords and force the password change at next logon.

Create a script that runs Dsmod. Specify the new password and account properties in the script. Run the script Run Ldifde to export user account information. Edit the .ldif file to modify the user account properties and passwords. Run Ldifde to modify the existing accounts EXPLANATION To modify user account passwords in a bulk operation, you can use Ldifde or Dsmod. You cannot use Csvde to modify existing objects or set user account passwords for new objects. In Active Directory Users and Computers, you can right-click a single object to reset the password, but you cannot reset the password for multiple objects at once. REFERENCES LabSim for Server Pro 2016, Section 7.6.

You are the domain administrator for a single domain forest. Your company has based its top-level OU structure on the four divisions for your company, manufacturing, operations, marketing, and transportation. Each division has a global security group containing the user accounts for division managers. You want to have a single group that can be used when you need grant access to resources to all of your organization's managers. What should you do? (Choose two. Each selection is a complete solution.) Create a universal security group called AllMgrs and make each of the existing Division Manager groups a member. Create a universal distribution group called AllMgrs and make each of the existing Division Manager groups a member. Create a global distribution group called AllMgrs and make each of the existing division managers group a member. Create a domain local security group called AllMgrs and make it a member of the existing Division Manager groups. Create a domain local distribution group called AllMgrs and make it a member of the existing Division Manager groups. Create a global security group called AllMgrs and make each of the existing Division Manager groups a member.

Create a universal security group called AllMgrs and make each of the existing division manager groups a member Create a global security group called AllMgrs and make each of the existing division manager groups a member EXPLANATION You should create either a global security or universal security group and make the existing division manager groups a member. The existing groups are global security groups, and they can be a member of another global group in the same domain or a universal group in any domain. Groups of the distribution type cannot be used to grant permissions, and domain local groups cannot be a member of a global group. REFERENCES LabSim for Server Pro 2016, Section 7.8.

You are planning a server virtualization implementation using Hyper-V. Your virtualization solution must meet the following requirements: - Both 32-bit and 64-bit operating systems will be installed as virtual machines. - You need to install six virtual machines. - You will manage the services running on the virtual machines from a Windows computer. What should you do? Create an external network Create a physical network Create a private network Create an internal network

Create an external network EXPLANATION To allow the Windows computer to communicate with the virtual machines, you must configure an external network. Use a private network to allow the virtual machines to communicate with each other and no other devices, including the management operating system. Use an internal network if the private network must include the management operating system. A physical network is not a virtual machine network type. REFERENCES LabSim for Server Pro 2016, Section 6.4.

You are planning a server virtualization implementation using Hyper-V. Your virtualization solution must meet the following requirements: Both 32-bit and 64-bit operating systems will be installed as virtual machines. You need to install two virtual machines. Virtual machines must be able to communicate with each other. Virtual machines must be able to communicate with the host operating system. Virtual machines must not be able to communicate with other network devices. What should you do? Create a private network Create an internal network Create an external network Create a host network

Create an internal network EXPLANATION Use an internal network if the private network must include the management operating system. Use an external network if the virtual machines must communicate with other network devices. Use a private network to allow the virtual machines to communicate with each other and no other devices, including the management operating system. REFERENCES LabSim for Server Pro 2016, Section 6.4.

You are the network administrator for a company with a single Active Directory domain. The corporate office is located in Miami, and there are satellite offices in Boston and Chicago. There are Active Directory sites configured for all three geographic locations. The Default-First-Site-Name was renamed Miami. Each location has a single IP subnet configured and associated with the appropriate site. Each office has several domain controllers. The Boston office has recently expanded to three additional floors in the office building that they are in. The additional floors each have their own IP subnet and are connected by a router. The domain controllers for the Boston office are all located on one floor and are in the same subnet. You notice that the users working on the new floors in the Boston office are sometimes authenticating to domain controllers from other locations. You need to make sure that all authentication traffic over the WAN links is kept to a minimum. What should you do to the Active Directory Sites and Services configuration? Disable the Bridge all sites option in the properties of IP inter-site transports. Create subnet objects for the new floors in the Boston office and link them to the Boston site. Remove the DNS records for the domain controllers in the other sites from the Boston DNS servers. Create a new site for each new floor in the Boston office and move at least one of the domain controllers into each new site.

Create subnet objects for the new floors in the Boston office and link them to the Boston site. EXPLANATION You should create subnet objects for the new floors in the Boston office and link them to the Boston site. If the Active Directory Sites and Services configuration does not contain a subnet object that corresponds with the subnet a computer is in, Active Directory will not be able to restrict authentication traffic to a specific site. The new Boston IP subnets would need to be added to the site so authentication can be directed to local resources. Creating a new site for each new floor in the Boston office does not mirror, or represent, the physical structure of the network. Removing the DNS records for the domain controllers in the other sites from the Boston DNS servers or disabling the Bridge all sites option in the properties of IP inter-site transports would prevent the inter-site communications that need to take place in your Active Directory domain. REFERENCES LabSim for Server Pro 2016, Section 7.3.

You have decided to install multiple virtual servers. You install Hyper-V on a server that is running Windows Server 2016 Datacenter edition. You need to install the following virtual machines: - Four servers running the Windows Server 2008 R2 Standard edition (64-bit) - Three servers running the Windows Server 2012 R2 Datacenter edition (64-bit) - Three servers running the Windows Server 2016 Standard edition (64-bit) To conserve disk space, you decide to use parent and differencing disks. You need to create the virtual hard disks used by the virtual machines. What should you do? Create two fixed disks and ten differencing disks. Create one fixed disk and ten differencing disks. Create three fixed disks and seven differencing disks. Create two fixed disks and eight differencing disks. Create one fixed disk and nine differencing disks. Create three fixed disks and ten differencing disks.

Create three fixed disks and ten differencing disks. EXPLANATION When using parent and differencing disks, you create a parent installation for each operating system version or each computer with a similar configuration. In this scenario, you will need three parent installations. Each installation uses a fixed virtual hard disk. After you have created the parent installations, delete the virtual servers, but keep the virtual hard disks. Then create a virtual hard disk for each virtual server that is active. In this scenario, you will need a total of 10 installations, each using a differencing virtual hard disk. REFERENCES LabSim for Server Pro 2016, Section 6.3.

You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. As part of your security plan, you have analyzed the use of Internet Explorer in your organization. You have defined three different groups of users. Each group has different needs for using Internet Explorer. For example, one group needs ActiveX controls enabled, and you want to disable ActiveX for the other two groups. You would like to create three templates that contain the necessary settings for each group. When you create a GPO, you want to apply the settings in the corresponding template rather than manually set the corresponding Administrative Template settings for Internet Explorer. What should you do? Create three custom .admx files. Copy these files to the local workstation that you use to manage GPOs. Use the Add/Remove Templates... feature to add the necessary template when creating the GPO. Create three starter GPOs with the necessary settings. When creating the GPOs, select the starter GPO with the desired settings. Identify three GPOs with the necessary settings. Take a backup of these GPOs. After creating a new GPO, right-click the GPO and choose Restore from Backup.... Create three custom .admx files. Copy these files to the central store location. When creating the GPOs, select the necessary .admx file.

Create three starter GPOs with the necessary settings. When creating the GPOs, select the starter GPO with the desired settings. EXPLANATION Because all settings are stored in the Administrative Templates portion of the GPO, you can use starter GPOs. Create the starter GPOs with the necessary settings, and then use a starter GPO when creating the new GPO. Settings in the starter GPO will be copied into the new GPO. .admx files are templates that identify possible Administrative Template settings; the files do not contain specific settings. You can only restore a GPO to the same GPO that was backed up. To restore settings to a different GPO, import the settings from a backup. REFERENCES LabSim for Server Pro 2016, Section 8.1.

You have configured Active Directory Sites and Services to represent the physical layout of your network. As shown in the table below, each site has its own domain controller and subnet: Site Object Server Object Subnet Object Atlanta DC-ATL 192.168.1.0/24 Chicago DC-CHI 192.168.2.0/24 Denver DC-DEN 192.168.3.0/24 Phoenix DC-PHX 192.168.4.0/24 A user authenticates from a workstation with an IP address of 192.168.2.225 and a subnet mask of 255.255.255.0. Which domain controller is Active Directory going to send this authentication request to? DC-PHX DC-CHI DC-DEN DC-ATL

DC-CHI EXPLANATION Active Directory going to send this authentication request to the DC-CHI domain controller. Active Directory will recognize that a workstation with an IP address of 192.168.2.225 and a subnet mask of 255.255.255.0 belongs to the 192.168.2.0/24 subnet. The 192.168.2.0/24 object is associated with the Chicago site, which contains the DC-CHI server object. REFERENCES LabSim for Server Pro 2016, Section 7.3.

You are the administrator of the eastsim.com domain. Your Active Directory structure has organizational units (OUs) for each company department. You have assistants who help with resetting passwords and managing group membership. You also want your assistants to help create and delete user accounts. Which of the following tools can you use to allow your assistants to perform these additional tasks? Active Directory Administrative Center Active Directory Users and Computers Active Directory Account Manager Delegation of Control Wizard

Delegation of Control Wizard EXPLANATION Using the Delegation of Control wizard or the Authorization Manager console, you can delegate control of any part of an OU or object at any level. You can delegate control based on the types of administrative tasks that need to be completed, such as: - User account management, such as creation and deletion - Password management, such as resetting and forcing password changes - Group membership and permissions management REFERENCES LabSim for Server Pro 2016, Section 7.4.

Organizational units organize network resources. You can use the organizational model that best meets your needs. Drag the organizational model on the left to the appropriate example OU on the right. (Organizational models can be used once, more than once, or not at all.) Drag Physical location model Corporate structure model Object type model Hybrid model Drop Denver OU Printers OU Sales OU Engineering OU Brazil OU Brazil OU containing the Sales OU

Denver OU Physical Printers OU Object Sales OU Corporate Engineering OU Corporate Brazil OU Physical Brazil OU containing the Sales OU Hybrid EXPLANATION OUs are typically organized by the following models: - Physical location: organized by country, such as Brazil, or city, such as Denver. - Corporate or organizational structure: organized by corporate departments, such as HR, Sales, and IT. - Object type: organized by object type, such as user accounts, printers, or computers. - Hybrid: organized by combining models, such as physical location OUs containing organizational OUs. For example, a Brazil OU containing a Sales OU. REFERENCES LabSim for Server Pro 2016, Section 7.4.

You are the network administrator for an Active Directory forest with a single domain. The network has three sites with one domain controller at each site. You have created and configured sites in Active Directory Sites and Services, and replication is operating normally between sites. You configure two universal groups for use in securing the network. All users are members of one universal group or the other. After configuring the universal groups, users at sites 2 and 3 report slow login and slow access to the corporate database. Users at site 1 can log in and access the corporate database with acceptable performance. You want to improve login and resource access performance for users in sites 2 and 3. What should you do? Designate the domain controllers at sites 2 and 3 as global catalog servers. Place the sever object for all servers in site 1. Decrease the replication interval between sites 1 and 3. Change the IP address scheme so that all users are on the IP subnet of site 1.

Designate the domain controllers at sites 2 and 3 as global catalog servers EXPLANATION A global catalog server is responsible for handling login traffic and housing universal group membership. Designating a local global catalog server in each site would improve performance greatly. REFERENCES LabSim for Server Pro 2016, Section 7.2.

Which Hyper-V feature allows you to create read-only parent virtual hard disk files that are linked to child virtual hard disk files that contain only changes made to the parent disk? Differencing disks Pass-through disks Dynamically expanding VHD files Snapshots

Differencing disks EXPLANATION A differencing disk is a virtual hard disk file that is associated with another disk and contains only changes that have been made to the associated disk. The differencing disk is referred to as the child disk; the disk it is associated with is the parent disk. The parent disk remains unchanged. The child disk contains any changes to the parent disk. When you connect a physical hard disk to a virtual machine instead of a virtual hard disk file, the hard disk is referred to as a pass-through disk. A snapshot can be used to restore a virtual machine to a previous state. Dynamically expanding VHD files automatically increase in size as more storage space is consumed by the virtual machine. REFERENCES LabSim for Server Pro 2016, Section 6.3.

You manage a single domain named widgets.com. Recently, you noticed that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those changes. You want to only enable auditing that shows you the old and new values of the changed objects. Which directory service auditing subcategory should you enable? Directory Service Replication Detailed Directory Service Replication Directory Service Changes Directory Service Access

Directory Service Changes EXPLANATION Audit Directory Service Changes to record the old and new values for changed objects. Auditing the Directory Service Access sub-category records that a change has been made, but does not indicate the old and new values. REFERENCES LabSim for Server Pro 2016, Section 8.4.

When Active Directory is installed, several containers are created by default. Which default container would you be able to apply a Group Policy to? Builtin container Users container Domain Controllers OU Computers container

Domain Controllers OU EXPLANATION The Domain Controllers OU can have a Group Policy linked to it because it is an actual organizational unit. It is the default location for the computer accounts for domain controllers. The default containers are used by the operating system. They cannot be renamed or deleted or have Group Policy applied to them. REFERENCES LabSim for Server Pro 2016, Section 8.2.

You manage a single domain named widgets.com. Recently, you noticed that there have been several unusual changes to objects in the Sales OU. You would like to use auditing to keep track of those changes. You enable successful auditing of directory service access events in a GPO and link the GPO to the domain. After several days, you check Event Viewer, but you do not see any events listed in the event log indicating changes to Active Directory objects. What should you do? Link the GPO to the Sales OU. Edit the access list for the OU. Identify specific users and events to audit. Create a filter in Event Viewer that shows only Active Directory events. Create a custom view in Event Viewer that shows only Active Directory events.

Edit the access list for the OU. Identify specific users and events to audit. EXPLANATION When configuring directory service access auditing, you must enable auditing for the domain or OU and then identify the users and objects you want to audit. Simply enabling auditing using a GPO will be insufficient. Using a filter or a custom view in Event Viewer can help you find events that you are looking for. However, without enabling auditing for specific users and objects, no events will be shown. REFERENCES LabSim for Server Pro 2016, Section 8.4.

You are the network administrator for your company. Rodney, a user in the research department, shares a computer with two other users. One day, Rodney notices that some of his documents have been deleted from the computer's local hard drive. You restore the documents from a recent backup. Rodney now wants you to configure the computer so he can track all users who delete his documents in the future. You enable auditing of successful object access events in the computer's local security policy. Rodney then logs on and creates a sample document. To test auditing, you then log on and delete the document. However, when you examine the computer's security log, no auditing events are listed. How can you make sure an event is listed in the security log whenever one of Rodney's documents is deleted? Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit success of the Delete permission. Configure the local security policy to audit failed system events. Configure the local security policy to audit successful system events. Configure the local security policy to audit failed object access events. Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit failure of the Delete permission. Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit success of the Modify permission.

Edit the advanced security properties of the folder containing Rodney's documents. Configure an auditing entry for the Everyone group. Configure the entry to audit success of the Delete permission. EXPLANATION Object access events occur when a user accesses any object with its own access control list (such as a file, folder, registry key, or printer). In addition to enabling auditing of these types of events, you must also edit the properties of the specific objects you want to audit and define what type of access to the object you will audit. You configure auditing using special permissions (such as Delete) rather than the less advanced permissions (such as Modify, which includes the Delete special permission). In this scenario, you should audit the successful exercise of the permission. REFERENCES LabSim for Server Pro 2016, Section 8.4.

After configuring a password policy to require users to create strong passwords, you start to notice sticky notes stuck to monitors throughout the organization. The sticky notes often have strings of characters written on them that appear to be passwords. What can you do to prevent the security risk that this practice presents? Require users to change their passwords more often. Increase the minimum length for passwords. Reduce the limit on the number of failed login attempts. Educate users on how to create and remember strong passwords.

Educate users on how to create and remember strong passwords. EXPLANATION Educate users on how to create and remember strong passwords. Enforcing strict password restrictions might actually weaken network security if you do not educate users about proper procedures to take to protect logon credentials. If users do not understand the restrictions that have been implemented, they might try to circumvent these restrictions by writing down passwords. Take the following measures to educate users: - Tell users that they should not write down passwords or share logon credentials with other users. - Teach users how to construct and remember complex passwords. For example, for the password bw2Fs3d, users might create the following sentence: bob went 2 the "capital" Florist shop 3 times daily. - Educate users about social engineering tactics. Instruct them not to respond to requests for passwords from administrators or other seemingly trusted personnel. Implement policies that prevent administrators from asking for sensitive information. If you require users to change their passwords more often, reduce the limit on the number of failed login attempts, or increase the minimum length for passwords, you are likely to push more users to write their passwords down so they don't forget them. REFERENCES LabSim for Server Pro 2016, Section 8.3.

You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the accounting, sales, and shipping departments. User and computer accounts for each department are in their respective OUs. At 5:30 pm, you get a call from Mary Hurd, a user in the sales department, stating that she can't log in. You use Active Directory Users and Computers and see the information shown in the image. How can you make sure Mary can log in? Change Mary's account to never expire. Enable Mary's account. Change the login hours to extend past 5:30 pm. Unlock Mary's account. Reset the password for Mary's account.

Enable Mary's Account EXPLANATION You need to enable Mary's account. Accounts with a down arrow on the account are disabled and cannot be used for login. REFERENCES LabSim for Server Pro 2016, Section 7.5.

When you initially created your external virtual switch in Hyper-V Manager, you configured the virtual machines connected to directly use the Broadcom NetXtreme 57xx Gigabit Controller installed on the host instead of a virtual network adapter. You recently created a new Windows Server virtual machine on this host named DevSrv and connected its network adapter to the external virtual switch. You now want to enable the virtual machine to use the physical adapter on the host. Click the option you would use in the virtual machine's settings to do this.

Enable SR-IOV EXPLANATION To enable the virtual machine to directly use the physical network interface associated with an external virtual switch, click Hardware Acceleration under the network adapter in the virtual machine's configuration and then mark Single-root I/O virtualization. Marking Enable virtual machine queue creates a dedicated queue on a host's physical network adapter for each virtual network adapter that has requested a queue. Marking Enable IPsec task offload reduces some of the processor performance load associated with IPsec encryption algorithms. REFERENCES LabSim for Server Pro 2016, Section 6.4.

You are configuring a new external virtual switch in your Hyper-V host. You want the virtual machines running on the host to be able to use the physical network adapter installed in the system instead of virtual network interfaces. Click the option you would use to configure the virtual switch in this manner.

Enable single-root I/O virtualization (SR-IOV) EXPLANATION The Enable single-root I/O virtualization (SR-IOV) option allows virtual machines to directly use the network adapter specified. In this example, virtual machines would load drivers for and use the Broadcom NetXtreme 57xx Gigabit Controller installed in the hypervisor host instead of a virtual network adapter. The External network drop-down list is used to select a physical network adapter to be used by the virtual switch. The Allow host OS to share the network adapter prevents the physical host from using the adapter used by the virtual switch. Selecting Private network isolates the virtual switch from the physical network. REFERENCES LabSim for Server Pro 2016, Section 6.4.

You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. From your workstation, you create a GPO that configures settings from a custom .admx file. You link the GPO to the Sales OU. You need to make some modifications to the GPO settings from the server console. However, when you open the GPO, the custom administrative template settings are not shown. What should you do? Install PowerShell on the server. Right-click the Security Settings node and select Import Policy.... On the Administrative Template node, right-click the node and choose Add/Remove Templates.... Browse and select the .admx file to add. Enable the Administrative Templates central store in Active Directory. Copy the .admx file to the central store location.

Enable the Administrative Templates central store in Active Directory. Copy the .admx file to the central store location. EXPLANATION When using .admx files, custom .admx files must be located on the local system or stored in Active Directory in the central store. If the central store is enabled, Group Policy Object Editor reads the .admx files from that location. The Security Settings node allows you to import a predefined security policy. The Administrative Template node allows you to add .adm template files. Powershell is installed on the server by default. REFERENCES LabSim for Server Pro 2016, Section 8.1.

You are the network administrator of a small network consisting of three Windows servers and 150 Windows workstations. Your network has a password policy in place with the following settings: - Enforce password history: 10 passwords remembered - Maximum password age: 30 days - Minimum password age: 0 days - Minimum password length: 8 characters - Password must meet complexity requirements: Disabled - Store password using reversible encryption: Disabled One day, while sitting in the cafeteria, you overhear a group of co-workers talk about how restrictive the password policy is and how they have found ways to beat it. When required to change the password, they simply change the password 10 times at the same sitting. Then they go back to the previous password. Your company has started a new security crackdown, and passwords are at the top of the list. You thought you had the network locked down, but now you see that you need to put an end to this practice. Users need to have passwords that are a combination of letters and numbers and do not contain a complete dictionary word. Users should not be able to reuse a password immediately. What should you do? (Choose two. Each answer is part of the solution.) Enable the Store password using reversible encryption setting. Schedule a meeting with the co-worker to explain the password policy in more detail and explain why it is in place. Enable the Password must meet complexity requirements setting. Enable the Minimum password age setting. Schedule a meeting with each co-worker's supervisor to explain that the co-worker is violating the corporate security policies.

Enable the Minimum password age setting Enable the password must meet complexity requirements. EXPLANATION Enable the Minimum password age setting. This will force the user to use the new password for whatever length of time you determine before changing it again. Also, enable the Password must meet complexity requirements setting. By enabling this setting, the user passwords cannot contain the user name, the user's real name, the company name, or a complete dictionary word. The password must also contain multiple types of characters, such as upper and lowercase letters, numbers, and symbols. REFERENCES LabSim for Server Pro 2016, Section 8.3.

You are the administrator for a small company that uses a Windows server to host a single domain. Mary Hurd, a user in the sales department, calls and reports that she is unable to log in using her computer (Sales1). You use Active Directory Users and Computers and see the screen shown in the image. What can you do to allow Mary to log in? Reset the computer account. Reset Mary's password. Unlock the user account. Enable the user account. Enable the computer account.

Enable the computer account EXPLANATION The down arrow on the computer icon in Active Directory Users and Computers indicates that the computer account is currently disabled. Before this computer account can be used, it must be re-enabled. Resetting the account clears the password and allows the account to be used by a new computer. You must rejoin the domain after resetting the account. However, in this case, resetting the account will not work until the computer is enabled. REFERENCES LabSim for Server Pro 2016, Section 7.7.

You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows Server domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. You are creating a security template that you plan to import into a GPO. You want to log all domain user accounts that connect to the member servers. What should you do to be able to check each server's log for the events? (Choose two. Each choice is a required part of the solution.) Link the GPO to the Member Servers OU. Enable the logging of account logon events. Enable the logging of system events. Link the GPO to the Domain Controllers OU. Enable the logging of object access events. Enable the logging of logon events.

Enable the logging of Logon events Link the GPO to the Member Servers OU. EXPLANATION The proper event to enable is the logon event. This event type will record when a network logon occurs, such as a domain user connecting to a share on the member server. Link the GPO to the Member Servers OU so that it applies to each member server. Account logon events for domain accounts will be recorded on the domain controllers, not the member servers. In short, account logon events are generated where the account lives; logon events are generated where the logon attempt occurs. If you wanted to audit when a domain user account was authenticated to the domain, you would enable the account logon event in a GPO linked to the Domain Controllers OU. Object access must be enabled for a computer before you can enable NTFS or printer auditing. System events record start-up and shutdown events on a computer. REFERENCES LabSim for Server Pro 2016, Section 8.4.

You are the security administrator for your organization. Your multiple domain Active Directory forest uses Windows servers for domain controllers and member servers. The computer accounts for your member servers are located in the Member Servers OU. Computer accounts for domain controllers are in the Domain Controllers OU. Computer accounts for workstations are located in the Workstations OU. You are creating a security template that you plan to import into a GPO. What should you do to log whenever a user is unable to log on to any computer using a domain user account? (Select two. Each choice is a required part of the solution.) Enable the logging of failed logon events. Link the GPO to the Member Servers and Workstations OU. Link the GPO to the Domain Controllers OU. Enable the logging of failed account logon events. Enable the logging of successful account logon events. Enable the logging of successful logon events.

Enable the logging of failed Account Logon events. Link the GPO to the domain controllers OU. EXPLANATION To audit unsuccessful logons: - Audit the Account Logon event. This event type will be recorded when an account is authenticated against an account database, such as Active Directory. In short, Account Logon events are generated where the account lives; in the case of domain accounts, this would be domain controllers. - Audit failed events. - Link the GPO to the Domain Controllers OU. Domain logon uses a domain controller for authentication. Link the GPO to the member servers and the Workstations OUs if you want to audit logon events for every computer. REFERENCES LabSim for Server Pro 2016, Section 8.4.

You need to view resource usage for a Hyper-V virtual machine named AccServer that is running on a Windows Server system. Before you can actually retrieve resource usage information, you first need to turn resource metering on for the virtual machine. Which PowerShell command can you use to do this? Get-VMBios AccServer Measure-VM -VMName AccServer Enable-VMEventing AccServer Enable-VMResourceMetering -VMName AccServer

Enable-VMResourceMetering -VMName AccServer EXPLANATION Resource metering measures the actual usage of assigned resources in a virtual machine, such as CPU, memory, and disk. Before you can use this feature, you must enable resource metering for the virtual machine you wish to analyze using the Enable-VMResourceMetering cmdlet. In this example, you would open PowerShell and enter: Enable-VMResourceMetering -VMName AccServer To actually view resource usage at the PowerShell prompt after resource metering has been enabled, you use the Measure-VM cmdlet. The Get-VMBios cmdlet retrieves the BIOS configuration of the virtual machine. The Enable-VMEventing cmdlet enables automatic refresh of Hyper-V information in the current Windows PowerShell session. REFERENCES LabSim for Server Pro 2016, Section 6.2.

You need to be able to access a partner organization's network using a VPN connection from within a Windows virtual machine running on a Windows server. However, the VPN connection requires a smart card for authentication. In order to connect, you need to redirect the smart card from the local physical hardware to the virtual machine. Click the option in the Hyper-V settings on the server you can use to enable this.

Enhanced Session Mode Policy EXPLANATION Enhanced Session mode allows you to redirect local resources to a virtual machine session. In Enhanced Session mode, you can redirect resources using a Remote Desktop Connection session using the virtual machine bus, eliminating the need for a network connection. Resources you can redirect to the virtual machine include: - Smart cards - Clipboard - USB devices - Audio - Printers To enable Enhanced Session mode, right-click the server in Hyper-V Manager, click Hyper-V Settings, and then select Allow enhanced session mode under Enhanced Session Mode Policy. REFERENCES LabSim for Server Pro 2016, Section 6.2.

You currently manage a virtual machine named VM12 that has been installed on the Srv5 physical server. The virtual machine uses a single fixed disk of 40 GB saved in the vdisk1.vhd file. The virtual machine is running out of free disk space. The virtual machine currently uses about 39.5 GB of the available disk space. You need to add more disk space to the virtual machine. What should you do? Create a new virtual disk and copy the contents from vdisk1.vhd to it. Configure VM12 to use the new virtual disk instead of vdisk1.vhd. Expand the vdisk1.vhd disk. Convert the disk to a dynamically expanding disk. Create a new virtual disk. Merge the new disk with vdisk1.vhd. Create a differencing disk using vdisk1.vhd as the parent. Configure VM12 to use the differencing disk instead of vdisk1.vhd.

Expand the vdisk1.vhd disk. EXPLANATION Expand a virtual disk to add more space to the disk. You can expand a fixed or a dynamically expanding disk. Both fixed and dynamically expanding disks have a limit on the amount of disk space that the disk uses. A dynamically expanding disk starts out small and expands up to the predefined limit. To allow the disk to go beyond the limit, expand the disk. You could also add space to a disk by adding a second virtual hard disk and then use Disk Management in the virtual machine to span the first volume onto the new virtual disk. Use a differencing disk to create child disks from a parent disk. The total disk space used by a differencing disk is equal to the maximum size of the parent disk—you cannot use a differencing disk to add space to a disk. When creating a new virtual disk, you can copy the contents from an existing physical disk. You cannot copy the contents of a virtual disk when creating a new virtual disk. REFERENCES LabSim for Server Pro 2016, Section 6.3.

You are the network administrator for Corpnet.com. You have two Windows servers named HV1 and HV2. Both servers have the Hyper-V role installed. HV1 has an Intel processor, and HV2 has an AMD processor. HV2 hosts a virtual machine named VM1. You build another server named HV3 and install the Hyper-V role. HV3 has an Intel processor. You need to move VM1 from HV2 to HV3 with the least amount of downtime. What should you do? Create a replica of VM1 on HV3 and then execute a planned failover. Perform a quick migration. Export VM1 on HV2 and then import it on HV3. Perform a live migration.

Export VM1 on HV2 and then import it on HV3 EXPLANATION You should Export VM1 on HV2 and then import it on HV3. Although an export and import of a virtual machine is not as fast as a quick migration or a live migration, both of these options require that the source host and the destination host use processors from the same manufacturer. Since HV2 has an AMD processor and HV3 has an Intel processor, you will need to transfer the virtual machine using an export and import. You use Hyper-V Replicas to provide fault tolerance for a virtual machine in the event that the active host fails. REFERENCES LabSim for Server Pro 2016, Section 6.6.

The Srv1 server runs Hyper-V and has several virtual servers installed. You would like to copy the VM4 virtual machine and create two new virtual machines running on Srv1. You are using the Hyper-V Manager console and want to complete the task with as little effort as possible. Which of the following procedures will let you create two virtual machines from the original VM4? Export VM4 to the C:\Export folder. Import the configuration choosing C:\Export as the path. Import the configuration a second time. Export VM4 to the C:\Export folder. Copy the C:\Export folder to C:\Export2. Import the configuration using C:\Export\VM4 as the path. Import the configuration again using C:\Export2\VM4 as the path. Export VM4 to the C:\Export folder. Copy the C:\Export folder to C:\Export2. Import the configuration using C:\Export as the path. Import the configuration again using C:\Export2 as the path. Export VM4 to the C:\Export folder. Import the configuration choosing C:\Export\VM4 as the path. Import the configuration a second time.

Export VM4 to the C:\Export folder. Copy the C:\Export folder to C:\Export2. Import the configuration using C:\Export\VM4 as the path. Import the configuration again using C:\Export2\VM4 as the path. EXPLANATION Use the Export and Import features in Hyper-V Manager to simplify moving virtual machines. Before importing the files, make a copy of the exported files if you need to import the files more than once. During the import, select the sub-folder that corresponds to the server name (C:\Export\VM4 or C:\Export2\VM4 in this scenario). Selecting the C:\Export or C:\Export2 folder will cause the import to fail. If you want to import the same set of files multiple times to create multiple virtual machines, you must make a copy of those files. Because the import function modifies the virtual machine files, once a set of files has been imported, the same files cannot be imported again. REFERENCES LabSim for Server Pro 2016, Section 6.6.

You are the network administrator for Corpnet.com. You have a file server named File1 that runs Windows Server. File1 is running low on disk space. You need to determine whether this volume should have deduplication enabled. Which of the following conditions would make File1 a good candidate for deduplication? (Select two.) File1 contains files that change often. File1 contains shared folders with user documents that are modified infrequently. File1 contains files that are constantly accessed by users. File1 contains system files. File1 contains virtual hard disk file storage for provisioning to hypervisors.

File1 contains shared folders with user documents that are modified infrequently. File1 contains virtual hard disk file storage for provisioning to hypervisors. EXPLANATION Volumes that contain user documents, virtual files, or software deployment files that contain data that is modified infrequently and read frequently are good candidates for deduplication. Volumes that contain files that change often and are constantly accessed by users or applications are not good candidates. Boot volumes and system volumes do not support deduplication. REFERENCES LabSim for Server Pro 2016, Section 5.5.

Data deduplication finds and removes duplicate information across files without compromising data integrity. The data deduplication optimization process uses a four-step process. Use the left/right arrow buttons to move the steps that are part of the data deduplication optimization process from the list on the left to the list on the right. Use the up/down arrows to put the steps into the correct order on the right. Duplicate chunks are identified. Corrupted chunks are eliminated. Corrupted chunks are fixed. Chunks are backed up for reference. Chunks are compressed and organized. Files are segmented into 32-128 KB chunks. Mirrored chunks replace corrupted chunks. One copy of each chunk is saved.

Files are segmented into 32-128 KB chunks Duplicate chunks are identified One copy of each chunk is saved Chunks are compressed and organized EXPLANATION The data deduplication optimization process is as follows: 1. Files are segmented into small variable-sized chunks that are 32-128 KB in size. 2. Duplicate chunks are identified. 3. A single copy of each chunk is then maintained. Redundant copies of the chunk are replaced with a reference to the single copy. 4. The chunks are compressed and then organized into special container files in the System Volume Information folder. The following tasks are part of the scrubbing process: - Corrupted chunks are fixed. - Chunks are backed up for reference. - Corrupted chunks are eliminated. - Mirrored chunks replace corrupted chunks. REFERENCES LabSim for Server Pro 2016, Section 5.5.

Which of the following container objects are Active Directory built-in containers? (Select four.) ManagedServiceAccounts Computers ForeignSecurityPrincipals Users Research Admins Sales Education Marketing

ForeignSecurityPrincipals ManagedServiceAccounts Users Computers EXPLANATION The following containers are examples of Active Directory built-in containers: - Computers - ForeignSecurityPrincipals - ManagedServiceAccounts - Users When a domain is installed, these containers are created by default. They cannot be created, moved, renamed, or deleted. REFERENCES LabSim for Server Pro 2016, Section 7.1.

Active Directory uses certain objects to represent the logical organization of a computer network and other objects to represent its physical structure. Drag the representation type on the left to the types of objects it uses on the right. (Representation types can be used more than once.) Drag Logical organization Physical structure Drop Forest Site Subnet Domain OU

Forest Logical Site Physical Subnet Physical Domain Logical OU Logical EXPLANATION Active Directory uses forests, trees, domains, and OUs to represent the logical organization of the network. Sites and subnets represent the physical layout of the network: - A site represents a group of well-connected networks (networks that are connected with high-speed links). - A subnet represents a physical network segment. Each subnet possesses its own unique network address space. REFERENCES LabSim for Server Pro 2016, Section 7.3.

You have configured a new GPO. You use a scoping method to prevent it from applying to a specific user using a specific computer. Which tool can you use to see if your scoping method is successful? Security Group Filtering Group Policy Results Group Policy Management Group Policy Modeling

Group Policy Results EXPLANATION Use Group Policy Results to launch the Group Policy Results wizard and determine how Group Policies are applied for a specified user and computer combination. Use Group Policy Modeling to launch the Group Policy Modeling wizard to simulate how the Group Policies will be applied. Group Policy Management is used to configure Group Policies. Security Group Filtering is the scoping method that can be used to prevent a GPO from applying to a specific user. REFERENCES LabSim for Server Pro 2016, Section 8.2.

Click on the menu option that allows you to verify that the virtual machine queue feature is enabled for a virtual machine.

Hardware Acceleration EXPLANATION If you want to verify that virtual machine queue is enabled, open the Settings page for the virtual machine and expand the Network Adapter menu option. Select Hardware Acceleration to view the following features: - Virtual machine queue - IPsec task offloading - Single-root I/O virtualization REFERENCES LabSim for Server Pro 2016, Section 6.5.

Match each default Active Directory object on the left with the appropriate description on the right. (Each object may be used once, more than once, or not at all.) Drag Domain container Builtin container Users container Computers container Domain Controller OU Drop Holds the default service administrator accounts The default location for new user accounts and groups The default location for domain controller computer accounts The root container to the hierarchy The default location for workstations when they join the domain

Holds the default service administrator accounts Builtin container The default location for new user accounts and groups User container The default location for domain controller computer accounts Domain controller OU The root container to the hierarchy Domain container The default location for workstations when they join the domain Computers container EXPLANATION When Active Directory is installed, the following containers and OU are created by default: - The Domain container, which is the root container to the hierarchy. - The Builtin container, which holds the default service administrator accounts. - The Users container, which contains the domain's predefined users and groups and is the default location for new user accounts and groups created in the domain. - The Computers container, which is the default location for new computer accounts created in the domain. - The Domain Controller OU, which is the default location for domain controller computer accounts. REFERENCES LabSim for Server Pro 2016, Section 7.4.

You are the network administrator for northsim.com. The network consists of a single Active Directory domain. The company has offices throughout the United States and internationally. You have two Windows servers named HV1 and HV2 that are located in the New York office. Both servers have the Hyper-V role installed. Both servers have quad core processors and 16 GB of RAM. HV1 hosts two virtual machines named APP1 and APP2: - APP1 hosts an application used heavily by users in New York. - APP2 hosts an application used heavily by users in London. During the day, you observe poor performance on APP1 due to a shortage of memory. During the evening, APP1 performs fine. However, APP2 experiences poor performance during peak business hours in London due to a shortage of memory. There are no empty slots to add memory to the server, and management does not have budget to upgrade HV1 for at least 6 months. You need to improve performance for APP1 and APP2 using the least amount of administrative effort. What should you do? Implement Dynamic Memory in the properties of APP1 and APP2. Increase the size of the page file on HV1. Install Integration Services in APP1 and APP2. Implement a failover cluster using HV1 and HV2. Make HV1 the active member for APP1. Make HV2 the active member for APP2.

Implement Dynamic Memory in the properties of APP1 and APP2 EXPLANATION Implement Dynamic Memory in the properties of APP1 and APP2. When you implement Dynamic Memory, Hyper-V treats memory as a shared resource that can be allocated automatically among running virtual machines. Dynamic Memory adjusts the amount of memory available to a virtual machine based on changes in memory demand and values that you specify. In this example, there is not enough RAM in the server to accommodate both APP1 and APP2. However, since both virtual machines have different peak times, enabling Dynamic Memory would allow the server to allocate more memory to each virtual machine during its peak hours. Integration Services provides a number of features that allow the virtual machine to interact with the host, including support for time synchronization, a heartbeat used to detect when a guest operating system becomes unresponsive, and drivers to support network and video integration. This would generally be used to address a problem with the video driver or network driver inside the virtual machine or to provide expanded connectivity between the host machine and the virtual machine. Implementing a failover cluster and moving one of the virtual machines could potentially resolve the problem if HV2 has enough spare resources to accommodate one of the virtual machines. However, this is a lot of effort based on too little information about HV2. Generally, a failover cluster is used to provide fault tolerance in case one of the servers fails, which was not part of the objective set forth in this question. Increasing the size of the paging file on HV1 may make more virtual memory available to HV1. However, the virtual memory in use on the host is not made available to the virtual machines. Their memory is allocated from the physical memory on the host, so this would not improve performance in the virtual machines. REFERENCES LabSim for Server Pro 2016, Section 6.2.

You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. How can you make the change with the least amount of effort? (Select two.) Create a GPO linked to the Directors OU. Configure the password policy in the new GPO. In Active Directory Users and Computers, select all user accounts in the Directors OU. Edit the user account properties to require the longer password. Create a group for the members of the Directors OU and then apply a granular password policy to the group. Create a new domain. Move the contents of the Directors OU to the new domain. Configure the necessary password policy on the domain. Implement a granular password policy for each user in the Directors OU.

Implement a granular password policy for each user in the Directors OU. Create a group for the members of the Directors OU and then apply a granular password policy to the group. EXPLANATION Use granular password policies to force different password policy requirements for different users or groups. Password and account lockout policies are enforced only in GPOs linked to the domain, not to individual OUs. Creating a new domain for the directors would require an unnecessary amount of effort. You cannot use the Active Directory Users and Computers tool to configure granular passwords; you must use the Active Directory Administrative Center for this task. REFERENCES LabSim for Server Pro 2016, Section 8.3.

You are the administrator of the eastsim.com domain, which has two domain controllers. Your Active Directory structure has organizational units (OUs) for each company department. You have assistant administrators who help manage Active Directory objects. For each OU, you grant one of your assistants Full Control over the OU. You come to work one morning to find that while managing some user accounts, the administrator in charge of the Sales OU has deleted the entire OU. You restore the OU and all of its objects from a recent backup. You want to configure the OU to prevent accidental deletion. You edit the OU properties, but can't find the Protect object from accidental deletion setting. What should you do so you can configure this setting? Log on as a member of the Domain Admins group. In Active Directory Users and Computers, select View > Advanced Features. Raise the domain functional level to Windows Server 2016. Use the Delegation of Control wizard to delegate control of the Sales OU to your user

In Active Directory Users and Computers, select View > Advanced Features. EXPLANATION To edit the Protect object from accidental deletion setting, in Active Directory Users and Computers select Advanced Features from the View menu. This feature does not depend on group membership. As administrator of the domain, you already have control of all OUs in your domain. REFERENCES LabSim for Server Pro 2016, Section 7.4.

You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the accounting, sales, and shipping departments. User and computer accounts for each department are in their respective OUs. You have hired a temporary worker named John Miller to work in the shipping department during the holidays. John should only be allowed to log on to the Ship01 workstation and no others. What should you do? Correct Answer: For the Ship01 computer account, add John Miller to the Managed By property. In the Default Domain Group Policy, configure the Limit number of connections setting to 1. For the Ship01 computer account, add John's user account to the permission list and grant the allowed to authenticate permission. For the Domain Computers group, add John's user account and deny the allowed to authenticate permission. In the Default Domain Group Policy, enable the Limit users to one remote session policy. In John's user account, add Ship01 to the Log On To list.

In John's user account, add Ship01 to the log on to list EXPLANATION To restrict the computers that a user can log on to, edit the user account and add the computer to the Log On To list. Configuring a connection limit in Group Policy or limiting remote sessions only affect Terminal Services logons. The Managed By property of a computer account does not control logon. You do not need to manually modify the Allowed to Authenticate property for a computer account. REFERENCES LabSim for Server Pro 2016, Section 7.5.

You are the network administrator for Corpnet.com. You have a file server named File1 that runs Windows Server. File1 is running low on disk space. You determine that a significant percentage of the data on File1 consists of duplicate files. You would like to remove duplicate data to free up space on File1. You do not want the solution to impact the users' ability to access duplicate data. What should you do? Implement active file screens. Create a new storage space and implement thin provisioning. Install and configure the Data Deduplication Role service. Install and configure the File Server Resource Manager (FSRM) Role service.

Install and configure the Data Deduplication Role service. EXPLANATION You should install and configure the Data Deduplication Role service. Data Deduplication involves finding and removing duplication within data without compromising its fidelity or integrity. Essentially, it removes duplicate data from the hard drive and replaces the actual duplicated data with pointers to the single copy of the data. Users should not experience any delay or even be aware of the change. Once you have installed the Data Deduplication Role service, you can manage it through Server Manager using the File and Storage Services node. There you can schedule when Data Deduplication will run and define any folders or volumes that should be exempt. Note: Data Deduplication is not supported for the System or Boot partitions, and will only work on NTFS volumes. Windows Server 2012 R2 is supported on volumes formatted with the ReFS file system; previous versions of Windows Server are not. Thin provisioning allows you to provision a storage space at a higher capacity than the physical storage currently available. This allows more physical space to be added later without having to adjust the storage space. You must make sure the clients do not consume more space than is physically available, or the storage space will experience an outage. The File Server Resource Manager (FSRM) Role service can be used for a number of purposes, including producing storage reports that can identify large files, rarely used files, and duplicate files. It can also be used to allow you to implement file screens. File screens allow administrators to block certain types of files from being uploaded to servers. An active file screen prevents the file from being saved, while a passive file screen allows the file to be saved but logs an event to alert the administrator. REFERENCES LabSim for Server Pro 2016, Section 5.5.

You have completed the installation of the Active Directory Domain Services role on a new server. Now you want to promote this server to be a domain controller in an existing domain. The server was installed with a Server Core deployment, so you will need to make this server a domain controller in an existing domain from the PowerShell command line. Which of the following PowerShell cmdlets will you need to enter? (Select two. Each correct answer is part of the complete solution.) Install-ADDSForest Import-Module ADDSTools Install-ADDSDomainController Import-Module ADDSDeployment Install-ADDSDomain

Install-ADDSDomainController Import-Module ADDSDeployment EXPLANATION After installing the Active Directory Domain Services role on a server with a Server Core deployment, you promote the server to be a domain controller in an existing domain by entering the following commands: Import-Module ADDSDeployment: this must be imported in order to have the cmdlets available to promote the server to a domain controller. Install-ADDSDomainController: this cmdlet is used to promote a server to be a domain controller in an existing domain. The Install-ADDSForest cmdlet is used to install the first domain controller in a new forest. The Install-ADDSDomain cmdlet is used to install the first domain controller in a new child domain inside another domain. ADDSTools is not a valid Active Directory module. REFERENCES LabSim for Server Pro 2016, Section 7.2.

Software developers in your organization want to use Hyper-V to create virtual machines to test their new code. You need to add a virtual switch to the system. The virtual switch must allow communication between virtual machines running on the hypervisor, as well as with the hypervisor host itself. However, to contain the effects of bugs that may arise with the code being tested, you want to isolate the virtual machines from other hosts on the physical network. Click on the type of virtual switch you should create.

Internal EXPLANATION An internal virtual switch allows virtual machines on the hypervisor host to communicate with each other, as well as with the physical computer itself. However, they are isolated from the physical network that the hypervisor host is connected to. An external virtual switch allows virtual machines to access the physical network. A private virtual switch doesn't allow communications with the hypervisor host. REFERENCES LabSim for Server Pro 2016, Section 6.4.

Drag each Active Directory term on the left to its corresponding definition on the right. (Each component may be used once, more than once, or not at all.) Drag Tree Forest Domain Organizational Unit Object Drop Logical organization of resources Collection of network resources Collection of related domain trees Resource in the directory Group of related domains User or group of users

Logical organization of resources Organization Unit Collection of network resources Domain Collection of related domain trees Forest Resource in the directory Object Group of related domains Tree User or group of users Object EXPLANATION The Active Directory structure has the following components: - A tree is a group of related domains that share the same contiguous DNS namespace. - A forest is a collection of related domain trees. - A domain is an administratively-defined collection of network resources that share a common directory database and security policies. - An organizational unit is like a folder that subdivides and organizes network resources within a domain. - Within Active Directory, each resource, user, or group of users is represented by an object. REFERENCES LabSim for Server Pro 2016, Section 7.1.

You are consulting with the owner of a small network that has a Windows server functioning as a workgroup server. There are six Windows desktop computers. There is no Internet connectivity. The server contains possibly sensitive information, so the owner wants to make sure that no unauthorized access occurs. You suggest that auditing be configured so that access to sensitive files can be tracked. What can you do to make sure that the files generate audit results? (Choose three. Each correct answer is part of the required solution.) Make sure the files to be audited are on NTFS partitions. Make sure the properties on the Security log allow writes by all users. Make sure the Object Access auditing policy is configured for success and failure. Make sure the account you logged into has permission to read the security log. Make sure the correct users and groups are listed in the auditing properties of the files.

Make sure the correct users and groups are listed in the Auditing properties of the files. Make sure Object Access auditing policy is configured for success and failure. Make sure the files to be audited are on NTFS partitions. EXPLANATION First, file auditing requires that the files to be audited are on NTFS, not FAT, volumes. Next, the auditing properties require you to select which groups are going to be audited (in this case, Everyone is probably the correct entry). Finally, Object access auditing must be enabled in the local security policy, or no results will be generated. Since you have an administrative account, you can read the log. Users do not write into the Security log; the System does. There is no way to allow users to write into the Security log. REFERENCES LabSim for Server Pro 2016, Section 8.4.

You need to view resource usage for a Hyper-V virtual machine named AccServer that is running on a Windows Server system. Which PowerShell command can you use to do this? Get-VM AccServer Measure-VM -VMName AccServer Checkpoint-VM -VMName AccServer Get-VMIntegrationService AccServer

Measure-VM -VMName AccServer EXPLANATION Resource metering measures the actual usage of assigned resources in a virtual machine, such as CPU, memory, and disk. To view resource usage at the PowerShell prompt, you use the Measure-VM cmdlet followed by the name of the virtual machine you wish to analyze. In this example, you would open PowerShell and enter Measure-VM -VMName AccServer. The Get-VM cmdlet displays the virtual machine status. The Checkpoint-VM cmdlet creates a snapshot of the virtual machine. The Get-VMIntegrationService AccServer cmdlet displays the status of integration services installed on the virtual machine. REFERENCES LabSim for Server Pro 2016, Section 6.2.

You are managing a Windows Server 2016 virtual machine on a Hyper-V hypervisor host. Dynamic Memory is enabled in the virtual machine's configuration. The virtual machine will run several Web applications that are known to create system memory utilization spikes during heavy use. Because Dynamic Memory is enabled, you are concerned that memory could be unallocated from this virtual machine and reallocated to another, resulting in insufficient memory. You need to ensure that some physical RAM is held in reserve to prevent this from happening. Click the option you would use in the virtual machine's memory configuration to do this.

Memory buffer EXPLANATION The Memory Buffer setting under Dynamic Memory manages the memory assigned to the virtual machine compared to the amount of memory needed by the applications and services running on the virtual machine. Hyper-V uses the percentage specified along with the current demand for memory to reserve physical RAM in the system as a buffer. When a memory utilization spike occurs, the buffer will be dynamically added to the virtual machine as needed. The Startup RAM parameter specifies the memory required to start the virtual machine. The Minimum RAM parameter specifies the minimum amount of memory to be assigned to the virtual machine. The Maximum RAM parameter specifies the maximum amount of memory available to the virtual machine. The Memory weight slider determines how to distribute memory amount virtual machines. REFERENCES LabSim for Server Pro 2016, Section 6.2.

Virtualization offers several advantages for server administrators. As an administrator, your job can be made easier because of the several tasks you can perform on or with a virtual machine instead of on a physical machine. The advantages of virtualization can be organized into the categories listed on the left. Drag the advantage category on the left to the task that matches it on the right. (Each category can be used once, more than once, or not at all.) Drag Flexibility Testing Functions Server Consolidation Isolation Drop Move many physical servers onto a few host servers with many virtual machines. Verify updates and patches before rolling them out into the production environment. Create a sandboxed environment where malware can be executed with minimal risk to equipment and software. Move virtual machines between hypervisor hosts as needed. Create a lab environment that mirrors your production network to see how an application runs before putting it into production. Migrate an older operating system off of aging hardware and into a virtual machine.

Move many physical servers onto a few host servers with many virtual machines Server Consolidation Verify updates and patches before rolling them out into the production environment Testing Functions Create a sandboxed environment where malware can be executed with minimal risk to equipment and software Isolation Move virtual machines between hypervisor hosts as needed Flexibility Create a lab environment that mirrors your production network to see how an application runs before putting it into production Testing Functions Migrate an older operating system off of aging hardware into a virtual machine Server Consolidation

You are the network administrator of a network that spans three locations, Atlanta, Chicago, and Denver. Your organization started in Atlanta, and that's where you installed your first Active Directory domain controller. The Chicago and Denver locations were later added to the domain with their own domain controllers. These three locations each have their own subnet and are connected using dedicated WAN links. You have used Active Directory Sites and Services to change to the name of the Default-First-Site-Name to Atlanta, but that's all you've done so far. The IT manager wants you to continue configuring Active Directory Sites and Services to direct clients to local network resources for authentication. He does not want you to manage replication traffic at this time. Which of the following steps must you perform to complete this configuration? (Select three.) Move the Chicago and Denver server objects into their respective site objects. Create site objects for Chicago and Denver. Move the Chicago and Denver server objects to their respective subnet objects. Create subnet objects for Chicago, Denver, and Atlanta, and then link them to their respective sites. Configure inter-site transport links between Atlanta, Chicago, and Denver site objects. Create subnet objects for Chicago, Denver, and Atlanta, and then link them to their respective server objects. Create server objects for Chicago and Denver.

Move the Chicago and Denver server objects into their respective site objects Create site objects for Chicago and Denver Create subnet objects for Chicago, Denver and Atlanta, and then link them to their respective sites EXPLANATION At this point, your manager only wants you configure sites to direct clients to local network resources for authentication. He does not want you to manage replication traffic at this time. You must perform the following to complete this configuration: - Create site objects for Chicago and Denver. - Create subnet objects for Chicago, Denver, and Atlanta and then link them to their respective sites. Move the Chicago and Denver server objects to their respective site objects. - All the server objects were created when the servers were added to the domain, and then placed by default in the Default-First-Site-Name object. You have already changed the name of the Default-First-Site-Name to Atlanta and the Atlanta server is already in the Atlanta site object. You do not need to configure inter-site transport links between Atlanta, Chicago, and Denver site objects because your manager does not want you to manage replication traffic at this time. Subnet objects are linked to site objects, not to server objects. Server objects are placed inside site objects, not subnet objects. REFERENCES LabSim for Server Pro 2016, Section 7.3.

You are a domain administrator for a large multi-domain network. There are approximately 2,500 computers in your domain. Organizational Units (OUs) have been created for each department. Group Policy objects (GPOs) are linked to each OU to configure department-wide user and computer settings. While you were on vacation, another 20 computers were added to the network. The computers appear to be functioning correctly with one exception: the computers do not seem to have the necessary GPO settings applied. What should you do? Force the user to log out and restart the computer. Delete and recreate the computers' accounts. Re-apply the GPO to the OUs. Move the computer accounts from their current location to the correct OUs. Verify that the GPOs are linked to the correct OUs. Remove them from the domain and rejoin them.

Move the computer accounts from their current location to the correct OUs EXPLANATION By default, computers that are added to the domain from the workstation are added to the Computers built-in container. Policies cannot be linked to the default containers. Once the computer accounts have been moved to the correct OUs, the computer polices for that OU will become effective. None of the alternatives offered will move the computer accounts from the default location. Therefore, none of them will create the desired result. REFERENCES LabSim for Server Pro 2016, Section 7.7.

You are working in Hyper-V Manager on a system that hosts several Windows Server 2008 R2 virtual machines. You create snapshots of these virtual machines nightly as part of your disaster recovery plan. Users are complaining that they can no longer access the virtual servers. In Hyper-V Manager, they are identified as being in a Paused-Critical state. What should you do? (Select two. Each answer is a part of the overall solution.) Move the snapshot files to the new hard disk. Upgrade the virtual machines to Windows Server 2012 R2. Reconfigure the virtual machines to use the new drive as a pass-through disk. Revert the virtual machines to the most recent snapshot. Reboot the hypervisor system. Install a new physical hard disk in the hypervisor host.

Move the snapshot files to the new hard disk Install a new physical hard disk in the hypervisor host EXPLANATION After a virtual machine snapshot has been taken, the base virtual hard disk stops expanding and the snapshot file stores all new data that is written to the disk. Therefore, it is critical that there is adequate physical disk space available in the snapshot storage location. If the available hard disk space falls under 200 MB, all running virtual machines will be paused and marked Paused-Critical. An easy way to fix the issue in this scenario is to install an additional physical hard disk in the hypervisor host and then move the snapshots to the new disk. Upgrading the virtual machines to Windows Server 2012 R2 will not resolve the Paused-Critical state, nor will reverting them to a prior snapshot or rebooting the hypervisor host. When you connect a physical hard disk to a VM, the hard disk is referred to as a pass-through disk. This feature will not resolve the issue in this scenario. REFERENCES LabSim for Server Pro 2016, Section 6.3.

Click on the menu option that allows you to enable bandwidth management.

Network Adapter EXPLANATION If you want to enable bandwidth management on a virtual machine, open the Settings page for the virtual machine. From the virtual machine's Settings page, select the network adapter for which you want to enable bandwidth management. REFERENCES LabSim for Server Pro 2016, Section 6.5.

For most of the year, the AccSrv virtual machine is only lightly utilized. However, at quarter-end and at year-end, it is heavily utilized as accountants in your organization prepare reports and reconcile accounts. You need to ensure the virtual network adapter in this virtual machine has sufficient bandwidth available for these peak periods, so you decide to enable bandwidth management on the adapter. Click the option you would use in the virtual machine's settings to do this.

Network Adapter EXPLANATION To enable bandwidth management on the virtual machine's network interface, click Network Adapter virtual_switch_name in the virtual machine's settings window. In this example, the name of the external virtual switch is External. Then, in the Network Adapter screen, click Enable bandwidth management. It's not necessary to add new hardware to the virtual machine to enable bandwidth management. Clicking Hardware Acceleration allows you to specify tasks that can be offloaded to the physical network adapter in the system. Clicking Advanced Features allows you to configure advanced features, such as NIC Teaming. REFERENCES LabSim for Server Pro 2016, Section 6.5.

You are the network administrator for westsim.com. There is one main office and seven branch offices. You have been asked to create a script that can be used in the event of a disaster that destroys the entire network. The script must be able to recreate the company's Active Directory users, computers, and groups, as well as sites and subnet objects. Which command should you use in your script? New-ADObject Dsadd Dsmod Enable-ADOptionalFeature

New-ADObject EXPLANATION You should use the New-ADObject cmdlet. The New-ADObject cmdlet can be used to create Active Directory objects. The Dsadd command can be used to create new Active Directory users, computers, and groups, but cannot be used to create new sites and subnet objects. The Enable-ADOptionalFeature PowerShell cmdlet is used to enable Active Directory-optional features, such as the Active Directory Recycle Bin. The Dsmod command can be used to modify or move existing Active Directory objects. REFERENCES LabSim for Server Pro 2016, Section 7.6.

You want to implement Hyper-V so you can create a lab environment that mirrors your production network for testing applications before deploying them into your production environment. You're planning on having four virtual Windows Servers in this lab environment. You plan to use a file server already in production to create your first Hyper-V host system. You have a system with the following specifications and OS installed: - A 64-bit processor with second-level address translation (SLAT). - VM monitor mode extensions. - UEFI that supports virtualization with the following features: ~ Hardware-assisted virtualization with Intel VT. ~ Data Execution Prevention (DEP) enabled with Intel Execute Disable Bit (XD). - 64 GB RAM. - Windows Server 2016 Standard edition with the Server Core deployment. Is this system a good choice for hosting your lab environment? No, best practice suggests that the system should be a dedicated hypervisor host using the Windows Server 2016 Datacenter edition. No, best practice suggests that the system should be a dedicated hypervisor host using the Windows Server 2016 Datacenter edition with the Desktop Experience deployment. Yes, this system meets the best practice suggestions for a dedicated hypervisor host. No, best practice suggests that the system should be a dedicated hypervisor host with only the Hyper-V role installed.

No, best practice suggests that the system should be a dedicated hypervisor host with only the Hyper-V role installed. EXPLANATION This system is not a good choice for hosting your lab environment. Best practice suggests that the system should be a dedicated hypervisor host with only the Hyper-V role installed; this system is currently running the file server role. Hyper-V is supported by both the Windows Server 2016 Datacenter and Standard editions. Running virtual machines (VMs) significantly increases hardware resource utilization on the server. Accordingly, consider implementing the following best practices to maximize the system resources available for virtualization: - Consider implementing a dedicated hypervisor host by installing only the Hyper-V role on the server. No other roles should be installed. - Consider implementing Hyper-V on a Server Core installation. REFERENCES LabSim for Server Pro 2016, Section 6.1.

You want to implement Hyper-V so you can create a lab environment that mirrors your production network for testing applications before deploying them into your production environment. You're planning on having four virtual Windows servers in this lab environment. Your lab environment will need access to the physical network and the Internet. You plan to use hardware that you already have on hand to create your first Hyper-V host system. You have an unused system with the following specifications and OS installed: - A 64-bit processor with second-level address translation (SLAT) - VM monitor mode extensions - UEFI that supports virtualization with the following features: ~ Hardware-assisted virtualization with Intel VT ~ Data Execution Prevention (DEP) enabled with Intel Execute Disable Bit (XD) - 64 GB RAM - Windows Server 2016 Standard edition with the Server Core deployment - A single 1 Gbps network adapter Is this system a good choice for hosting the lab environment you plan to build? No. When guest systems need network access, best practice suggests that the Windows Server 2016 host system should use the Desktop Experience deployment. No. When guest systems need network access, best practice suggests that the host system should use Windows Server 2016 Datacenter edition. Yes. This system meets the best practice suggestions for hosting guest systems that need network access. No. When guest systems need network access, best practice suggests that a host should have its own network adapter and an additional network adapter for every four virtual machines.

No. When guest systems need network access, best practice suggests that a host should have its own network adapter and an additional network adapter for every four virtual machine. EXPLANATION No. When guest systems need network access, best practice suggests that a host should have its own network adapter and an additional network adapter for every four virtual machines. This host system only has one network adapter, which is likely to become a bottleneck if the virtual machines generate a lot of network traffic. Hyper-V is supported by both Windows Server 2016 Datacenter edition and Standard edition. Best practice suggests that a host system should use the Server Core deployment. REFERENCES LabSim for Server Pro 2016, Section 6.1.

The sales department in your organization needs you to deploy a new web-based contact management application for them. The application runs only on Windows Server 2008 R2. You don't have a budget for new hardware, but you do have unused licenses available for this operating system. You decide to create a new virtual machine on an existing Windows Server 2016 Hyper-V host in your network. You plan to configure the virtual machine as follows: - Specify a generation 2 virtual machine. - Create a 200 GB virtual SCSI hard disk (VHDX) for the system volume. - Create a 1 TB virtual SCSI hard disk (VHDX) for application data. - Create a virtual SCSI optical drive. - Install a 64-bit version of Windows Server 2008 R2. Will this configuration work? No. The system (boot) drive must be an IDE virtual disk. No. Windows Server 2008 R2 is not supported in generation 2 virtual machines. Yes. This configuration meets all requirements. No. Generation 2 virtual machines do not support SCSI virtual optical drives. No. Generation 2 virtual machines do not support VHDX virtual disk files.

No. Windows Server 2008 R2 is not supported in generation 2 virtual machines. EXPLANATION Windows Server 2008 R2 cannot be installed in a generation 2 Hyper-V virtual machine. Only the following guest operating systems are supported on generation 2 virtual machines: - Windows Server 2012 and later - 64-bit versions of Windows 8 and later Generation 2 virtual machines support booting from SCSI virtual hard disks. Virtual SCSI optical drives are also supported. Generation 2 virtual machines only support VHDX virtual disk files. VHD files are not supported. REFERENCES LabSim for Server Pro 2016, Section 6.2.

The sales department in your organization needs you to deploy a new web-based contact management application for them. The application runs on Windows Server 2012. You don't have a budget for new hardware, but you do have unused licenses available for this operating system. You decide to create a new virtual machine on an existing Windows Server 2016 Hyper-V host in your network. You created the virtual machine as follows: - Generation 1 virtual machine - 200 GB virtual IDE hard disk (VHDX) for the system volume - 1 TB virtual SCSI hard disk (VHDX) for application data - IDE virtual optical drive - Windows Server 2012 After several months in production, you decide that you would like to implement the Secure Boot feature in the virtual machine. You know this feature is only available on generation 2 virtual machines, so you decide to upgrade the virtual machine and then implement the new feature. Will this configuration work? No. Generation 2 virtual machines do not support VHDX virtual disk files. Yes. This configuration meets all requirements. No. Generation 2 virtual machines only support Windows Server 2012 R2 or Windows 8.1 as the guest operating system. No. You cannot change the generation of a virtual machine after it has been created. No. The system (boot) drive must be a SCSI virtual disk in a generation 2 virtual machine.

No. You cannot change the generation of a virtual machine after it has been created. EXPLANATION You cannot change the generation of a virtual machine once it has been created. In this scenario, a new generation 2 virtual machine would need to be created. Then the application and its data would need to be migrated from the original virtual machine to the new virtual machine. REFERENCES LabSim for Server Pro 2016, Section 6.2.

You want to implement Hyper-V so you can create a lab environment that mirrors your production network for testing applications before deploying them into your production environment. You're planning on having four virtual Windows servers in this lab environment. You plan to use hardware that you already have on hand to create your first Hyper-V host system. You have an unused system with the following specifications and OS installed: - A 64-bit processor with second-level address translation (SLAT). - VM monitor mode extensions. - UEFI that supports virtualization with the following features: ~ Hardware-assisted virtualization with Intel VT. ~ Data Execution Prevention (DEP) enabled with Intel Execute Disable Bit (XD). - 4 GB RAM. - Windows Server 2016 Standard Edition with the Desktop Experience deployment. Will this system allow you to create your lab environment? Yes. This system meets the minimum requirements for a Hyper-V host. No. You need Windows Server 2016 Datacenter Edition to support Hyper-V. No. You need more RAM to support four virtual machines. No. You need to use a Windows Server 2016 Standard or Datacenter Edition with the Server Core deployment.

No. You need more RAM to support four virtual machines. EXPLANATION This system does not meet the needs you have in creating a lab environment; you need more RAM to support four virtual machines. The system does meet the minimum requirements for creating a Hyper-V host system, but you also need enough physical RAM to support multiple virtual machines on top of the RAM needed by the host machine and Windows Server 2016 Standard Edition only allows for 2 guest machines. Each virtual machine you create will need memory to be allocated from the physical machine's RAM for use by the virtual machine. REFERENCES LabSim for Server Pro 2016, Section 6.1.

User Account Control (UAC) is a tool that generates an alert when a task or operation needs administrative privileges. You use the UAC settings in Control Panel to configure the sensitivity of UAC. Drag the UAC notification level on the left to the appropriate description of what it does on the right. Drag Always notify Notify me only when apps try to make changes to my computer Notify me only when apps try to make changes to my computer (do not dim the desktop) Never notify Drop The user is prompted only when programs try to make changes to the computer or Windows settings. The secure desktop is not displayed. A UAC prompt and the secure desktop are displayed for 150 seconds. The user cannot perform any other actions until they respond to the prompt. The user is prompted only when programs try to make changes to the computer or Windows settings. The secure desktop is displayed for 150 seconds. If logged on as a standard user, all actions requiring privilege elevation are automatically denied.

Notify me only when apps try to make changes to my computer (do not dim the desktop) the user is prompted only when programs try to make changes to the computer or windows settings. the secure desktop is not displayed always notify a UAC prompt and the secure desktop are displayed for 150 seconds. The user cannot perform any other actions until they respond to the prompt Notify me only when apps try to make changes to my computer the user is prompted only when programs try to make changes to the computer or windows settings. the secure desktop is displayed for 150 seconds never notify if logged on as a standard user, all actions requiring privilege elevation are automatically denied EXPLANATION User Account Control (UAC) is a tool that generates an alert when a task or operation needs administrative privileges. You use the UAC settings in Control Panel to configure the sensitivity of UAC. Notification-level settings include the following: - Always notify - A UAC prompt and the secure desktop are displayed for 150 seconds. - The user cannot perform any other actions until they respond to the prompt, which will automatically deny the request after 150 seconds. - Notify me only when apps try to make changes to my computer - The user is prompted only when programs try to make changes to the computer or Windows settings. A UAC prompt and the secure desktop are displayed for 150 seconds. - The user cannot perform any other actions until they respond to the prompt, which will automatically deny the request after 150 seconds. - Notify me only when apps try to make changes to my computer (do not dim the desktop) - The user is prompted only when a program is trying to make changes to the computer or a program thatis not included with Windows attempts to modify Windows settings. - The secure desktop is not displayed. - Never notify - If logged on as an administrator, all actions are executed without UAC prompts or the secure desktop. - If logged on as a standard user, all actions requiring privilege elevation are automatically denied. REFERENCES LabSim for Server Pro 2016, Section 8.6.

You are the administrator for a network with a single Active Directory domain named widgets.local. The widgets.local domain has an organizational unit object for each major department in the company, including the information systems department. User objects are located in their respective departmental OUs. Users who are members of the Domain Admins group belong to the Information Systems department. However, not all employees in the Information Systems department are members of the Domain Admins group. To simplify employees' computing environment and prevent problems, you link a Group Policy object (GPO) to the widgets.local domain that disables the control panel for users. How can you prevent this Group Policy object from applying to members of the Domain Admins group? On the Group Policy object's access control list, deny the read permission for members of the Domain Admins group. Link the Group Policy object to each organizational unit rather than to the domain. On the Group Policy object's access control list, deny the apply Group Policy permission for members of the Domain Admins group. Configure the Information Systems OU to block policy inheritance. Link the Group Policy object to each organizational unit (except the Information Systems OU) rather than to the domain.

On the Group Policy object's access control list, deny the apply Group Policy permission for members of the Domain Admins group. EXPLANATION Because the Information Systems OU has users to which the GPO should apply as well as those to which the GPO should not apply, the GPO must be linked to the domain or each individual OU. Linking the GPO to the domain is a simpler solution than linking it to each individual OU, and is the best solution. Then, to prevent the Group Policy object from applying to members of the Domain Admins group, you need to deny that group the Apply Group Policy permission to the GPO. Do not deny the Read permission, or Domain Administrators will not be able to edit the GPO. REFERENCES LabSim for Server Pro 2016, Section 8.1.

You manage user accounts in the southsim.com domain. Each department is represented by an Organizational Unit (OU). Computer and user accounts for each department have been moved to their respective OUs. You want to control access to a new color printer named ColorMagic. To do this, you create the following groups: A domain local group named ColorMagic-DL A global group named Sales-GG You want all users in the sales department to have access to the new printer. What should you do? (Select three. Each choice is a required part of the solution.) On the Member Of tab for the ColorMagic-DL group, add the Sales-GG group. On the ColorMagic printer object, assign permissions to the Sales-GG group. On the Members tab for the ColorMagic-DL group, add all sales user accounts. On the Member Of tab for the Sales-GG group, add the ColorMagic-DL group. On the Members tab for the Sales-GG group, add all sales user accounts. On the ColorMagic printer object, assign permissions to the ColorMagic-DL group.

On the member of tab for the sales-gg group, add the colormagic-dl group on the colormagic printer object, assign permissions to the colormagic-dl group on the members tab for the sales-gg group, add all sales user accounts REFERENCES LabSim for Server Pro 2016, Section 7.8.

You are the network administrator for Corpnet.com. The network has two servers that run Windows Server. They are named HV1 and HV2. Both servers are running the Hyper-V role and are members of a cluster named Cluster1. HV1 hosts a virtual machine running a Windows server named VM1. HV1 is running low on space. You would like to transfer the .VHD file for VM1 to HV2 while you requisition additional space. VM1 must remain available while space is added to HV1. What should you do? Perform a storage migration. Perform a quick migration. Enable virtual machine monitoring. Perform a live migration.

Perform a storage migration EXPLANATION You should perform a storage migration. Windows Server allows you to move virtual machine storage while the virtual machine is still running. This is called a storage migration. Live migrations can be planned or unplanned. In the event of an unplanned live migration, the virtual machine is automatically transferred to another Hyper-V server when the server becomes unavailable. When you initiate a planned live migration, the cluster copies the memory being used by the virtual machine from the current node to another node so that the memory and state information is already in place for the virtual machine. Quick migrations also copy the memory, but cannot be used for an unplanned migration. Virtual machine monitoring is used to monitor services in the guest operating system and respond to outages. REFERENCES LabSim for Server Pro 2016, Section 6.6.

You need to add additional disk space to the AccServ virtual machine running on a Windows server. To accomplish this, you decide to create a pass-through disk. Click the option you would use in the virtual machine's settings screen to do this.

Physical hard disk EXPLANATION When you connect a physical hard disk to a VM, the hard disk is referred to as a pass-through disk. To accomplish this, select Physical hard disk in the virtual machine's settings and then select the disk you want to use from the drop-down list. Note that hard disk must be in an offline state before it can be used as a pass-through disk. Clicking New allows you to create a new virtual hard disk file. Selecting Edit allows you to compact, convert, expand, or shrink an existing virtual hard disk. Clicking Inspect allows you to view the properties of the current virtual hard disk. Clicking Browse allows you to select a different virtual hard disk file. REFERENCES LabSim for Server Pro 2016, Section 6.3.

You manage a network with a single Active Directory domain called westsim.com. You have just deployed an Azure AD domain controller in the Azure cloud so that remote users can authenticate to the westsim.com domain over the Internet. By default, replication is set to occur on this domain controller every 180 minutes. Your manager wants you to change this setting so that replication occurs every six hours. Which of the following must you perform to make it possible to configure replication on the Azure AD domain controller? Configure a VPN connection between the physical domain controllers and the Azure AD domain controller. Place the Azure AD domain controller in its own site. Deploy the Azure AD domain controller in its own domain. Deploy the Azure AD domain controller as a read-only domain controller.

Place the azure ad domain controller in its own site EXPLANATION To make it possible to configure replication on the Azure AD domain controller, you must place the Azure AD domain controller in its own site. The replication interval is set from the Active Directory Sites and Services tool. You can deploy the Azure AD domain controller as a read-only domain controller to reduce outbound traffic, but the domain controller must still be placed in its own site before you can configure the replication interval. Configuring a VPN connection between the physical domain controllers and the Azure AD domain controller will have no bearing on the replication interval. Deploying the Azure AD domain controller in its own domain will just make it more complicated to allow westsim.com domain users to log on to the domain. REFERENCES LabSim for Server Pro 2016, Section 7.10.

You are in charge of designing the Active Directory tree. You have a small company that has only one location. You have determined that you will have approximately 500 objects in your completed tree. Your company is organized with four primary departments, accounting, manufacturing, sales, and administration. Each area is autonomous and reports directly to the CEO. The managers in each department want to make sure that some management control of their users and resources remains in the department. Which of the following design plans will best meet these requirements? Plan 1 - Create an organizational unit object for each department - Use the Delegation of Control wizard to make the department managers members of the Administrators group. Plan 2 - Explain to the managers of each of the departments that best practices for an Active Directory tree of this size suggest that centralized administration is the most efficient method. - All network administration will remain within your department. Plan 3 - Create an organizational unit object for each department. - Train a member of each department to perform limited administrative duties. - Use the Delegation of Control wizard to give a member of each OU enough rights to perform the necessary administrative tasks only in the appropriate OU. Plan 4 - Create a local group. - Add a designated user from each department to the local group. - Make the local group a member of the Administrators domain local group, thus giving the designated users the ability to manage department resources no matter where the resources are in the tree.

Plan 3 - Create an OU object for each department - Train a member of each department for an admin task - Use Delegation Wizard for principle of least privilege for appropriate OU EXPLANATION Active Directory tree design can be impacted by many factors, including corporate politics. By using Plan 3 and creating four OUs, you have given each of the areas the desired autonomy. You can use the Delegation of Control wizard to give a trained administrator in each OU the ability to perform limited administrative tasks while giving yourself control over the remainder of the tree. REFERENCES LabSim for Server Pro 2016, Section 7.9.

You are the network administrator for your company. Your company has three standalone servers that run Windows Server. All servers are located in a single location. You have decided to create a single Active Directory domain for your network. Currently, each department has one employee designated as the department's computer support person. Employees in this role create user accounts and reset passwords for the department. As you design Active Directory, your goal is to allow these users to maintain their responsibilities while not giving them more permissions than they need. Which of the following design plans will best meet your goals? Plan 1 - Create an organizational unit (OU) structure where each department has its own OU. - Make each computer support user a member of the Domain Admins group. Plan 2 - Create an organizational unit (OU) structure where each department has its own OU. - Create a Computer Support global group that contains each computer support user. - Grant the Computer Support global group appropriate permissions to each departmental OU. Plan 3 - Create a domain for each department. - Make each computer support user a member of the Domain Admins group. Plan 4 - Create an organizational unit (OU) structure where each department has its own OU. - Use the Delegation of Control wizard to grant each computer support user appropriate permissions to their department OUs.

Plan 4 - Create department OUs - Use Delegation wizard to grant support user permissions to specific OU EXPLANATION Plan 4 is the best way to meet your goals. You can: - Create an organizational unit (OU) structure where each department has its own OU. - Use the Delegation of Control wizard to grant each computer support user appropriate permission to their department OU. Even better, you can create a global group for each department and add the department's computer support user or users to the group. You can then grant permission to the group rather than to the individual user accounts. This method will minimize administration as roles change over time. Do not add all department computer support users to the same group or all users will have the same permissions. Do not make the users a member of the Domain Admins group because this group has more permissions than are required. REFERENCES LabSim for Server Pro 2016, Section 7.9.

You manage a single domain named widgets.com. This morning, you noticed that a trust relationship you established with another forest has changed. You reconfigured the trust, but you want to be able to identify if this change happens again in the future. You want to configure auditing to track this event. Which auditing category should you enable? Object access events Policy change events Process tracking events System events Logon events

Policy change events EXPLANATION Audit policy change events to track changes to user rights, trust relationships, IPsec and Kerberos policies, or audit policies. Object access auditing tracks access to files, folders, or printers. Process tracking auditing records actions taken by applications. Process tracking auditing is used mainly for program debugging and tracking. System events auditing tracks system shutdown, restart, and the starting of system services. It also tracks events that affect security or the security log. Logon auditing tracks logon or log off on the local system or when a network connection is made to a system. REFERENCES LabSim for Server Pro 2016, Section 8.4.

You are the network administrator for westsim.com. The network consists of a single Active Directory domain. A user named Mary Merone is working on location in Africa. She called to report that her laptop had failed. The hardware vendor replaced the laptop, and now you need to join the new computer to the domain. However, there is no connectivity from the current location to the domain. You must ensure that the laptop is joined to the domain immediately, even if it cannot be physically connected to a domain controller. What should you do first? Prepare the computer to perform an offline domain join by creating an Active Directory account for the computer using the Djoin /provision command. Create a computer account using Active Directory Users and Computers, and then have the user run the Netsh command from an elevated command prompt. Prepare the computer to perform an offline domain join by creating a computer account using Active Directory Users and Computers. Prepare the computer to perform an offline domain join using the Djoin /RequestODJ command.

Prepare the computer to perform an offline domain join by creating an active directory account for the computer using the Djoin /provision command EXPLANATION You should prepare the computer to perform an offline domain join by creating an Active Directory account for the computer using the Djoin /provision command. Since the computer cannot be connected to the Active Directory domain, you must perform an offline domain join. To perform an offline domain join, use the following steps: 1. Use the djoin /provision /domain /machine /savefile .txt command to create an Active Directory account for the computer. This command must be run from an elevated command prompt on a computer that current has access to the domain. 2. Copy the .txt file to the computer that will be joining the domain offline. 3. Run the djoin /requestODJ /loadfile .txt /windowspath %SystemRoot% /localos command on the computer being joined to the domain. This command must be run from an elevated command prompt. 4. Reboot the computer joining the domain. After the computer reboots, it will be joined to the domain. You must create the computer account using the Djoin command. You cannot use Active Directory Users and Computers to create the computer account because you need to export the information to the .txt file that will be copied to the new machine. Active Directory Users and Computers can be used to pre-stage computer accounts for computers who will be joined to the domain by contacting a domain controller at the time they are joined. The Djoin /RequestODJ command is used at the computer joining the domain to complete the offline domain join. However, this is not the first step in the process. You would not use the Netsh command to join the domain. Netsh is used to configure networking components from the command line including TCP/IPv4, TCP/IPv6, and the Windows firewall. REFERENCES LabSim for Server Pro 2016, Section 7.7.

You have just ordered several laptop computers that will be used by members of the programming team. The laptops will arrive with Windows. You want the computer account for each new laptop to be added to the Developers OU in Active Directory. You want each programmer to join his or her new laptop to the domain. What should you do? Run the Delegation of Control wizard on the Developers OU. Allow the programmers to create a computer account and join computers to the domain. Grant the programmers permission to create computer accounts in the Developers OU. Have the programmers join the computer to the domain from the new laptops. Create a script that runs the dsadd and netdom utilities. Distribute the script to each programmer and instruct them to run the script from their new computers. Prestage the computer accounts in Active Directory. Grant the programmers the rights to join the workstation to the domain.

Prestage the computer accounts in active directory. grant the programmers the rights to join the workstation to the domain EXPLANATION To control where new computer accounts are created, prestage the computer accounts by creating them in Active Directory before the workstation is joined to the domain. When you join the workstation to the domain, it becomes associated with the computer account. If you do not prestage the computer account, the account is created in the Computers container. You can create computer accounts using dsadd. However, this command runs under the security context of the current user. Having programmers run this command will fail because they do not have permissions to create computer accounts in Active Directory. Granting permissions to create computer accounts but joining the workstation to the domain without prestaging the account creates the computer account in the Computers container, not a specific OU. REFERENCES LabSim for Server Pro 2016, Section 7.7.

Scoping allows you to target a given GPO to specific users and/or computers. Drag the scoping method on the left to the appropriate description on the right. (Methods can be used once, more than once, or not at all.) Drag Loopback Processing Block Inheritance Enforced Security Group Filtering Drop Prevents settings in GPOs linked to parent objects from being applied to child objects. Causes computer settings to be reapplied after user login. Prevents inheritance from being blocked for a specific GPO. Causes computer settings to take precedence over user settings.

Prevents settings in GPOs linked to parent objects from being applied to child objects Block Inheritance Causes computer settings to be reapplied after user login Loopback Processing Prevents inheritance from being blocked for a specific GPO Enforced Causes computer settings to take precedence over user settings Loopback Processing EXPLANATION These scoping methods can be used as follows: - Block Inheritance prevents settings in all GPOs linked to parent objects from being applied to child objects. - Enforced prevents inheritance from being blocked for a specific GPO. - Security Group Filtering is used to apply or not apply a GPO to just a specific user or group within an OU. - Loopback Processing causes computer settings to be reapplied after user login so that computer settings take precedence over user settings. REFERENCES LabSim for Server Pro 2016, Section 8.2.

The Srv1 server runs Hyper-V and has several virtual servers installed. Currently, most virtual servers are used for testing purposes. The physical system is running out of memory because of all of the virtual machines that are currently active. You want to stop three virtual machines to free up system resources. You want to stop the virtual machines so that all open applications are still open and running when they start again. What should you do? Save the virtual machine. Take a snapshot. Shut down the virtual machine. Turn off the virtual machine.

Save the virtual machine EXPLANATION The Save option suspends or pauses the virtual machine. This option is like using the Hibernate or Sleep options in the virtual machine. When you restart the machine, it is restored to its current active state. The Shut Down option shuts down the virtual machine as if you had chosen Shut Down from the Start menu. When you restart the virtual machine, it will reboot. The Turn Off option closes the virtual machine without saving any information. This option is like cutting the power to the virtual machine and should be used with caution, as it can make the operating system unstable. A snapshot saves the current machine state, but does not shut down the system. REFERENCES LabSim for Server Pro 2016, Section 6.2.

You have just started a new job as the administrator of the eastsim.com domain. The manager of the accounting department has overheard his employees joke about how many employees are using "password" as their password. He wants you to configure a more restrictive password policy for employees in the accounting department. Before creating the password policy, you open the Active Directory Users and Computers structure and see the following containers and OU: - eastsim.com - Builtin - Users - Computers - Domain Controllers Which steps must you perform to implement the desired password policy? (Select three. Each correct answer is part of the complete solution.) Create an OU in the Users container for the accounting employees. Create user objects for the accounting employees. Configure the password policy and link it to eastsim.com. Put the accounting employees user objects into the OU created for the accounting employees. Create an OU in eastsim.com for the accounting employees. Configure the password policy and link it to the accounting user's objects. Configure the password policy and link it to the OU created for the accounting employees.

Put the accounting employees user objects into the OU created for the accounting employees Configure the password policy and link it to the OU created for the accounting employees. Create an OU in eastsim.com for the accounting employees EXPLANATION To implement the desired password policy, you must perform the following steps in this order: - Create an OU in eastsim.com for the accounting employees. - Put the accounting employees user objects into the OU created for the accounting employees. - Configure the password policy and link it to the OU created for the accounting employees. At this point, no OUs have been created in Active Directory; only the default Containers and the default Domain Controllers OUs have been created. Group Policies, such as password policies, can only be linked to OUs. An OU for the accounting employee must be created and the accounting employees' user objects must be put in the OU, and then the password policy can be created and linked to the OU. Linking the password policy to eastsim.com will apply the password policy to all users, not just accounting employees. User objects already exist for the accounting employees, but Group Policies cannot be applied to user objects. OUs cannot be created in the Users container. REFERENCES LabSim for Server Pro 2016, Section 7.4.

You are considering implementing NIC Teaming in a virtual machine running in Hyper-V. The virtual machine is configured with 8 GB of system RAM, a 1 TB virtual hard disk file, and four virtual network adapters. You want to use all of the network adapters in the team to provide load balancing and failover. What should you do? Reconfigure the virtual machine with 16 GB (or more) of system RAM. Increase the size of the virtual disk file to 2 TB (or more). Reduce the number of virtual NICs in the team to two. Increase the number of virtual NICs in the team to five.

Reduce the number of virtual NICs in the team to two EXPLANATION Hyper-V supports only two adapters in a NIC team. In this scenario, two of the four virtual adapters can be included in the team. The RAM and hard disk file sizes specified in this scenario are adequate for NIC Teaming. REFERENCES LabSim for Server Pro 2016, Section 6.5.

You manage a network with a single Active Directory domain called westsim.com. Most of your users work from the office and access your on-premise domain controllers when they authenticate and use network resources. But you also have a few users who work remotely. Your company has just moved to Office365 and is using the cloud-hosted versions of Exchange and SharePoint for employees who work from home. You are considering using Azure AD to allow these employees to authenticate to the domain. Which of the following are advantages of deploying Azure AD? (Select two.) Remote users can run all the Active Directory-aware server applications that are available to on-premise users. Remote users can use any computer to gain single sign-on access to Exchange and SharePoint. Remote users' access to network resources can be managed through Group Policies already configured in your domain. Remote users can authenticate to the domain from any location that has Internet access. Remote users can have single sign-on access to Exchange and SharePoint.

Remote users can have single sign-on access to Exchange and SharePoint Remote users can authenticate to the domain from any location that has internet access EXPLANATION Deploying Azure AD offers the following advantages in relation to remote users: - They can have single sign-on access to Exchange and SharePoint. - They can authenticate to the domain from any location that has Internet access. However, Azure AD does not support Group Policy; any policies you want to apply to your remote users must be configured in Azure AD. Users can only authenticate from computers that have been joined to the domain. Many Active Directory-aware applications do not recognize Azure AD. REFERENCES LabSim for Server Pro 2016, Section 7.10.

You are the manager of the eastsim.com domain. Your Active Directory structure has organizational units (OUs) for each company department. Assistant administrators help you manage Active Directory objects. For each OU, you grant one of your assistants full control over the OU. You come to work one morning to find that while managing some user accounts the administrator in charge of the Sales OU has deleted the entire OU. You restore the OU and all of its objects from a recent backup. You want to make sure that your assistants can't delete the OUs they are in charge of. What should you do? (Select two. Each choice is a possible solution.) Remove full control permissions from each OU. Run the Delegation of Control wizard for each OU, granting permissions to perform the necessary management tasks. Edit the properties for each OU to prevent accidental deletion. Edit the properties for each OU. For the OU administrators, deny the delete all child objects permission. Edit the properties for each OU. For the OU administrators, grant full control permissions but apply the permissions to this object only. Edit the properties for each OU. For the OU administrators, allow all permissions, but deny full control permissions.

Remove full control permissions from each ou. run the delegation of control wizard for each ou, granting permissions to perform the necessary management tasks Edit the properties for each ou to prevent accidental deletion EXPLANATION To prevent the OUs from being deleted accidentally, edit the OU properties and select Protect object from accidental deletion. You can also prevent the administrators from being able to delete the OU by using the Delegation of Control wizard to grant permissions for only selected administrative tasks. Denying full control permissions will deny all permissions, meaning administrators will not be able to manage the OU at all. Applying full control permissions to the OU allows administrators to delete the OU. Denying the Delete all child objects permission means that administrators are not able to delete user objects within the OU. REFERENCES LabSim for Server Pro 2016, Section 7.9.

You are the administrator for a small network. You have approximately 50 users who are served by a single Windows server. You are providing Active Directory, DNS, and DHCP with this server. Your clients all use Windows workstations. Last week, an employee quit. A replacement has been hired and will be starting next Monday. The new user will need to have access to everything the previous user had, including document files held in the Home folder. You need to set up an account for the new user that all the access required. What should you do? Delete the existing account. Create a new account and take ownership of the old user's files. Create an account for the new user and copy the files to their new home folder. Create an account for the new user and transfer ownership of the files to the new account. Copy the existing account and then change the appropriate fields. Rename the existing account, changing the name fields to match the new employee.

Rename the existing account, changing the name fields to match the new employee EXPLANATION If the old user is gone and not coming back, and the new user needs access to everything the old user had, the quickest way to set things up is to rename the existing account and personalize it for the new user. Creating a new account is not necessary and involves extra administrative work. If you delete the existing account and take ownership of the user's files, then you would be able to access the files, but the new user would not be able to access them. REFERENCES LabSim for Server Pro 2016, Section 7.5.

You are the administrator for a large single-domain network. You have several Windows Server domain controllers and member servers. Your 3,500 client computers are Windows workstations. Today, one of your users has called for help. It seems that his computer is reporting that a trust cannot be established between his Windows computer and the domain controller. He is unable to log on to the domain. You examine the computer's account using Active Directory Users and Computers, and there is nothing obviously wrong. You need to allow this user to log on to the domain. What should you do? Rejoin the domain. Re-enable the computer account and rejoin the domain. Reset the computer account and rejoin the domain. Re-enable the computer account. Reset the computer account.

Reset the computer account and rejoin the domain EXPLANATION The account isn't disabled, or you would have seen this in Active Directory Users and Computers. There must be a mismatch between the computer account password and the password the computer is trying to use. The solution is to reset the password, remove the computer from the domain, and rejoin the domain. This will ensure that both the domain controller and the client computer know the password. Resetting the computer account by itself will not accomplish this. If the account is not reset first, attempting to rejoin the domain will not accomplish this task either. REFERENCES LabSim for Server Pro 2016, Section 7.7.

You have a laptop that you use for remote administration from home and while traveling. The laptop has been joined to the domain using the name of AdminRemote. The processor in your laptop overheats one day, causing extensive damage. Rather than repair the computer, you purchase a new one. The computer arrives, and you edit the system properties and name it AdminRemote. When you try to join the computer to the domain, you receive an error message and are unable to proceed. What should you do? Reset the computer account in Active Directory. Edit the computer account properties in Active Directory. Grant your user account permissions to join the computer to the domain. Rename the computer and then join the domain. Delete the existing computer account in Active Directory. Rename the new computer account object in Active Directory to AdminRemote. On the laptop, run the netcom join command.

Reset the computer account in active directory EXPLANATION To successfully join the new computer to the domain using the existing computer account, you need to reset the computer account in Active Directory. Each computer has an automatically-generated password that is used to establish a secure channel between the workstation and Active Directory. When you try to add the new computer to the domain, the new computer does not have the computer password. Therefore, it cannot establish the communication channel using the existing computer account. Resetting the account resets the password in Active Directory and allows you to join the new computer to the domain using the existing account. To rename a computer account in Active Directory, you must remove the computer from the domain, rename the computer, and then rejoin the domain using the new computer name. Permissions to join a computer to a domain are configured on the domain or an OU, not on an existing computer account. In addition, as an administrator, you likely already have sufficient permissions to join the domain. Run the netcom join command to join a computer to a domain. However, this command by itself will not work until you reset the computer account. Run netdom reset to reset the computer account. REFERENCES LabSim for Server Pro 2016, Section 7.7.

Prior to installing Active Directory on your network, you set up a test network in your lab. You created several user accounts that correspond to actual network users. Now that your test is done, you'd like to move all user accounts from your test network to a new domain that you've just installed. You decide to use the Ldifde command to import the user accounts into the production domain. You want to set passwords for the new user accounts. How can you perform this task with the least amount of effort? Correct Answer: Run Ldifde to export the user accounts. Run Ldifde to import the user accounts. Run Ldifde to export the user accounts. Run Ldifde to import the user accounts. In Active Directory Users and Computers, edit each user account and reset the password. Run Ldifde to export the user accounts. Run Ldifde to import the user accounts. Edit the .ldif file to specify user account passwords. Run Ldifde to modify the existing accounts. Run Ldifde to export the user accounts. Edit the .ldif file to specify user account passwords. Run Ldifde to import the user accounts.

Run Ldifde to export the user accounts. Run ldifde to import the user accounts. Edit the .ldif file to specify user account passwords. Run LDifde to modify the existing accounts EXPLANATION When you export user accounts with Ldifde, passwords are not exported. You can change passwords for existing user accounts using a .ldif file, but you cannot create new user accounts with a password. To export user accounts and import them with a password, use the following process: 1. Export the user accounts. The unicodePwd field will be blank. 2. Import the user accounts to create the accounts. The user accounts will be disabled, and the user will be forced to change the password at next login. 3. Modify the .ldif file to change the operation to modify existing objects. Add a password for each user account and add entries to enable the account. 4. Run Ldifde using the file with the passwords to modify the existing user accounts. REFERENCES LabSim for Server Pro 2016, Section 7.6.

Data deduplication has three schedules configured by default. The optimization process runs every hour by default. Which of the following deduplication processes run once per week by default? (Select two.) Scrubbing Chunk mirroring Corruption logging Corruption fixing Garbage collection

Scrubbing Garbage collection EXPLANATION Data deduplication has three schedules configured by default. Optimization runs every hour, while Garbage Collection and Scrubbing run once a week. Data deduplication records corruption in a log file and mirrors chunks to be used when a chunk gets corrupted and needs to be fixed as part of its normal function. REFERENCES LabSim for Server Pro 2016, Section 5.5.

You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. You would like to configure all computers in the Sales OU to prevent the installation of unsigned drivers. Which GPO category would you edit to make the necessary changes? User Rights Account Policies Security Options Restricted Groups

Security Options EXPLANATION Configure security options to control actions that everyone can perform, such as preventing the installation of unsigned drivers. Configure user rights to determine what actions a user can perform on a computer or domain. User rights settings identify users or groups with the corresponding privileges. Use restricted groups to limit the membership of specific security groups. Use account policies to control password and account lockout settings for all users. REFERENCES LabSim for Server Pro 2016, Section 8.1.

You manage a network with a single Active Directory domain called westsim.com. You have just deployed an Azure AD domain controller in the Azure cloud. You have created a user account for yourself in the new Azure AD domain. You are now testing the configuration of the Azure AD domain from home. You have successfully joined your home computer to this domain, so you are ready to make sure you can log on to the domain with your Azure AD user account. Which of the following steps do you need to perform to log on to the Azure AD user account? (Select two. Each correct answer is part of the complete solution.) Create a new Microsoft account using the Azure AD account credentials. Sign out as the local user. Select Other user and sign in using your westsim.com domain admin credentials. Select Other user and sign in using the Azure AD user account credentials.

Select Other user and sign in using the azure ad user account credentials Sign out as the local user EXPLANATION Since you are logging on to the Azure AD user account for the first time from a machine that you have just joined to the domain, you must complete the following: - Sign out as the local user. - Select Other user and sign in using the Azure AD user account credentials. This process will create and provision a new user account on the local machine. After completing this process, you can log on as this user as you would with a local account. Your domain admin credentials will not be the same as the credentials of the user account you created in the Azure AD domain. You do not need to create a new Microsoft account because the account already exists. REFERENCES LabSim for Server Pro 2016, Section 7.10.

You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify attempts to break into a computer by having the computer that denies the authentication attempt note the failed attempt in its security database. How can you create a policy that meets these requirements? Select Failure for Audit account logon events. Select Success for Audit account logon events. Select Failure for Audit logon events. Select Success for Audit logon events. Select Failure for Audit system events. Select Success for Audit system events.

Select failure for audit account logon events. EXPLANATION Audit policy settings are used to define which events will be noted in a computer's security log when they occur. Audit policy on Windows desktops is configured through local security policy or by distributing settings using a Group Policy object (if the computer is a member of an Active Directory domain). Each setting can be enabled to audit successful events, failed events, or both. When configuring an audit policy for a Windows computer, you will generally be concerned with the following types of events: - Account logon events occur when a computer authenticates (or fails to authenticate) an account from its database. In other words, these events are generated where the logon is authenticated. (In this scenario, you want to audit when a computer denies authentication, so this is what needs to be audited.) - Logon events occur when a user uses a computer to log on. In other words, these events are generated where the logon is performed. - Account management events occur when user or group objects are created, deleted, or edited in a computer's database. - System events occur when a computer restarts or shuts down or when an event that affects system security or the security log occurs. - Object access events occur when a user accesses any object with its own access control list (such as a file, folder, registry key, or printer). In addition to enabling auditing of these types of events, you must also edit the properties of the specific objects you want to audit and define what type of access to the object you will audit. - Policy change events occur when a computer's audit policies, user rights assignments, or trust policies change. - Privilege use events occur when a user exercises a user right defined in the computer's user rights assignments. A few user rights do not generate auditing events, such as backing up or restoring files. REFERENCES LabSim for Server Pro 2016, Section 8.4.

You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify denied attempts to change a user's group membership in a computer's local database. How can you create a policy that meets these requirements? Select Failure for Audit object access. Select Success for Audit object access. Select Failure for Audit system events. Select Success for Audit system events. Select Failure for Audit account management. Select Success for Audit account management.

Select failure for audit account management EXPLANATION Audit policy settings are used to define which events will be noted in a computer's security log when they occur. Audit policy on Windows desktops is configured through local security policy or by distributing settings using a Group Policy object (if the computer is a member of an Active Directory domain). Each setting can be enabled to audit successful events, failed events, or both. When configuring audit policy for a Windows computer, you will generally be concerned with the following types of events: - Account logon events occur when a computer authenticates (or fails to authenticate) an account from its database. In other words, these events are generated where the logon is authenticated. - Logon events occur when a user uses a computer to log on. In other words, these events are generated where the logon is performed. - Account management events occur when user or group objects are created, deleted, or edited in a computer's database. - System events occur when a computer restarts or shuts down a computer or when an event that affects system security or the security log occurs. - Object access events occur when a user accesses any object with its own access control list (such as a file, folder, registry key, or printer). In addition to enabling auditing of these types of events, you must also edit the properties of the specific objects you want to audit and define what type of access to the object you will audit. - Policy change events occur when a computer's audit policies, user rights assignments, or trust policies change. - Privilege use events occur when a user exercises a user right defined in the computer's user rights assignments. A few user rights do not generate auditing events, such as backing up or restoring files. REFERENCES LabSim for Server Pro 2016, Section 8.4.

You are the network administrator for your company. All computers are joined to a single Active Directory domain. Several computers store sensitive information. You are configuring security settings that will be distributed to all computers on your network. You want to identify denied attempts to manipulate files on computers that have been secured through NTFS permissions. How can you create a policy that meets these requirements? Select Failure for Audit object access. Select Success for Audit object access. Select Failure for Audit system events. Select Success for Audit system events. Select Failure for Audit account management. Select Success for Audit account management.

Select failure for audit object access. EXPLANATION Audit policy settings are used to define which events will be noted in a computer's security log when they occur. Audit policy on Windows desktops is configured through local security policy or by distributing settings using a Group Policy object (if the computer is a member of an Active Directory domain). Each setting can be enabled to audit successful events, failed events, or both. When configuring audit policy for a Windows computer, you will generally be concerned with the following types of events: - Account logon events occur when a computer authenticates (or fails to authenticate) an account from its database. In other words, these events are generated where the logon is authenticated. - Logon events occur when a user uses a computer to log on. In other words, these events are generated where the logon is performed. - Account management events occur when user or group objects are created, deleted, or edited in a computer's database. - System events occur when a computer restarts or shuts down a computer or when an event that affects system security or the security log occurs. - Object access events occur when a user accesses any object with its own access control list (such as a file, folder, registry key, or printer). In addition to enabling auditing of these types of events, you must also edit the properties of the specific objects you want to audit and define what type of access to the object you will audit. - Policy change events occur when a computer's audit policies, user rights assignments, or trust policies change. - Privilege use events occur when a user exercises a user right defined in the computer's user rights assignments. A few user rights do not generate auditing events, such as backing up or restoring files. REFERENCES LabSim for Server Pro 2016, Section 8.4.

You are the network administrator for your network. Your network consists of a single Active Directory domain. Your company recently mandated the following user account criteria: - User accounts must be deactivated after three unsuccessful logon attempts. - User account passwords must be at least 12 characters long. - User accounts must be manually reset by an administrator once they are locked out. You must make the changes to affect everyone in the domain. You are editing the Default Domain Group Policy object. What should you do? (Choose three. Each correct choice represents part of the solution.) Set Account lockout threshold to 0. Set Minimum password length to 12. Set Maximum password age to 3. Enable Password must meet complexity requirements. Set Account lockout duration to 0. Set Account lockout duration to 999. Set Reset account lockout counter after to 0. Set Account lockout threshold to 3.

Set Minimum password length to 12 Set account lockout duration to 0 Set account lockout threshold to 3 EXPLANATION To meet the company's requirements: - Set Minimum password length to 12. - Set Account lockout threshold to 3. - Set Account lockout duration to 0. Minimum password length configures how many characters a valid password must have. Account lockout threshold configures how many incorrect passwords can be entered before being locked out. Account lockout duration identifies how long an account will stay locked out once it has been locked. A value of 0 indicates that an administrator must manually unlock the account. Any other number indicates the number of minutes before the account will be automatically unlocked. The requirements do not provide enough information to configure maximum password age, reset account lockout counter after, or password must meet complexity requirements. REFERENCES LabSim for Server Pro 2016, Section 8.3.

You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the accounting, sales, and shipping departments. User and computer accounts for each department are in their respective OUs. Maria Hurd is going on a seven-week sabbatical and will not be in to work during that time. Which of the following can you perform to secure her user account to prevent it from being used to access network resources while she is away? (Select two.) Remove the user account from any groups. Remove any permissions assigned to the user account. Set an account expiration time for the last day Maria will be in the office. Change the password for the user account. Set the User cannot change password option. Disable the user account. Rename the user account.

Set account expiration time for the last day Maria will be in office Disable the user account EXPLANATION Disable user accounts for users who will be away for an extended period of time. Disabled accounts cannot be used for login. Changing the user account or renaming it will not prevent login. Hackers might still be able to use the account to log in and access resources. Removing groups and permissions will restrict what the user can do, but will not prevent login. In addition, when the user returns, you will need to redo any group memberships or permissions. REFERENCES LabSim for Server Pro 2016, Section 7.5.

You have not yet installed Active Directory Domain Services (ADDS) on a new Windows Server system. You are planning to use the computer as a domain controller in Active Directory. Which of the following steps is it recommended that you perform before you install the ADDS role? (Select two.) Install Desktop Experience. Install the DNS server role. Configure the computer name. Configure the server to use DHCP to get an IP address. Set the system time and time zone.

Set the system time and time zone Configure the computer name EXPLANATION Before you install the ADDS role on a new server, you should complete the following: - Configure the computer name - Set the system time and time zone - Configure a static IP address You should not configure a server to get its IP address from a DHCP server. Servers should have IP addresses that do not change. You can install the DNS server role if you choose to, but it is not required before the ADDS role is installed. You can also install the Desktop Experience if it is needed, but servers perform better without the overhead of the GUI. REFERENCES LabSim for Server Pro 2016, Section 7.2.

Active Directory uses two broad categories of objects to represent the various components of a network: - Network resources - Security principals Drag the category on the left to the object on the right that belongs to that category. (Categories can be used more than once.) Drag Network resource Security principal Drop Shared folder User Group Printer Computer account

Shared folder Network Resource User Security Principal Group Security Principal Printer Network Resource Computer Account Security Principal EXPLANATION Active Directory uses two broad categories of objects to represent the various components of a network: - Network resources, such as shared folders and printers. These objects represent network resources that users need access to. - Security principals, such as users, groups, and computer accounts. These objects represent entities that need access to network resources, but whose access to these resources needs to be secured by authentication and limited by permissions. REFERENCES LabSim for Server Pro 2016, Section 7.1.

Your organization has two sites that are members of the same Active Directory domain. Three domain controllers are deployed at each site. You have just installed three virtual domain machines in the Azure cloud and made them domain controllers in the same domain. The virtual domain machines in the Azure cloud will support your organization as it adds branch offices in various locations. You will not have to hire additional server administrators for the branch offices because users in these locations will be able to use these cloud-based domain controllers for authentication. You need to ensure that domain authentication and synchronization traffic remains secure in this deployment. Click the network segment(s) where a VPN connection will need to be used.

Site A to Azure VM Site B to Azure VM EXPLANATION A virtual private network (VPN) is required for secure communication between the corporate on-premises network and the VMs on Azure. In this scenario, you should configure VPN connections between the Azure cloud and the domain controllers at each site. REFERENCES LabSim for Server Pro 2016, Section 7.10.

Which Hyper-V feature found in Windows Server provides temporary memory that allows a virtual machine to restart even when there is not enough physical memory available? Dynamic Memory Resource Metering Smart Paging Resource Control

Smart Paging EXPLANATION Smart Paging allows a virtual machine to restart when there is not enough available memory to restart the virtual machine. It does this by implementing a temporary page file on the hypervisor host's hard disk drive. Smart Paging is used if the following conditions are true: - The virtual machine is being restarted. - There is no available physical memory. - No memory can be reclaimed from other virtual machines on the host. Dynamic Memory allows you to specify a range of memory that can be allocated to each virtual machine. Resource Metering measures the usage of assigned resources on a virtual machine. Resource Control allows you to configure each VM's usage of host resources. REFERENCES LabSim for Server Pro 2016, Section 6.2.

You need to enable data deduplication on your server's data volume. You add the Data Deduplication role service and then use the DDPEval.exe utility to analyze server volumes for data deduplication. Now you need to use Server Manager to configure data deduplication on the data volume. Which of the following steps are part of the configuration process? (Select three.) Specify the number of days that should elapse from the date of file creation until files are deduplicated. Specify the degree of optimization that should be enforced. Specify the amount of built-in redundancy to be used for critical metadata. Enable the scrubbing schedule. Specify the extensions of any file types that should not be deduplicated. Enable data deduplication. Enable the garbage collection schedule.

Specify the number of days that should elapse from the date of file creation until files are deduplicated. Specify the extensions of any file types that should not be deduplicated. Enable data deduplication EXPLANATION Using Server Manager, you configure data deduplication on a server data volume by completing the following: - Select Enable data deduplication. - Specify the number of days that should elapse from the date of file creation until files are deduplicated. -Specify the extensions of any file types that should not be deduplicated. - If necessary, manually specify any folders with files that should not be deduplicated. - Configure the deduplication schedule. - Apply the changes. The scrubbing and garbage collection schedules can be changed, but they do not need to be enabled. Data deduplication will run optimization every hour, but the degree of optimization is not a configurable setting. Data deduplication also provides built-in redundancy for critical metadata and frequently-used data chunks, but there are no configurable settings for this functionality. REFERENCES LabSim for Server Pro 2016, Section 5.5.

You want to use Hyper-V to create two virtual machines that each use a common parent installation. Listed below are the steps necessary to complete the configuration. Drag each required step from the list on the left to the spaces on the right. Use only the necessary steps to complete the configuration. Drag Create one differencing disk. Create one fixed disk. Create two differencing disks. Create two fixed disks. Create the virtual machine(s). Install the operating system. Make the disk(s) read only. Drop Step 1 Step 2 Step 3 Step 4 Step 5 Step 6

Step 1: Create one fixed disk Step 2: Create the virtual machine(s) Step 3: Install the operating system Step 4: Make the disk(s) read only Step 5: Create two differencing disks Step 6: Create the virtual machine(s)

You are configuring a NIC team that is being used for failover only and not bandwidth aggregation. Which NIC teaming configuration must you use? Switch-dependent teaming Switch-independent teaming Static teaming Link aggregation control protocol teaming

Switch-independent teaming EXPLANATION Switch-independent teaming allows adapters in a team to be connected to different switches. If the NIC team is being used for failover only and not bandwidth aggregation, the NIC team must be configured as switch-independent. Switch-dependent teaming requires adapters to be connected to the same switch. You can implement switch-dependent teaming in one of two ways: - Generic or static teaming requires that the switch and the host identify the links in the team. - Link Aggregation Control Protocol (LACP) teaming uses LACP to dynamically set the links between the host and the switch. REFERENCES LabSim for Server Pro 2016, Section 6.5.

You currently manage a virtual machine named VM18 that has been installed on the Srv5 physical server. The virtual machine runs Windows Server and a custom application. You receive an update to the application. You want to save the current state so if the update causes any problems, you can easily revert back to the state before the update was installed. What should you do? Make a backup of all of the files that are part of the virtual machine. Take a snapshot of the virtual machine. Create a differencing disk from the current virtual hard disk and then archive the differencing disk. Make a copy of the virtual machine configuration file.

Take a snapshot of the virtual machine. EXPLANATION A snapshot is a point-in-time capture of a virtual machine. When you take a snapshot, the current contents of memory are recorded, and a new virtual hard disk file is created. You can easily revert to the previous configuration by applying a snapshot. Applying a snapshot is a faster recovery method than restoring from backup. Saving the virtual machine configuration file will not save data saved on the hard disk or in the virtual machine's memory. While snapshots use differencing disks, the current configuration of the system is not saved in the differencing disk—only changes are saved to the differencing disk. REFERENCES LabSim for Server Pro 2016, Section 6.3.

You are the administrator for a domain named internal.widgets.com. This domain spans a single site (the Default-First-Site-Name site). You want to configure password and account lockout policies that Active Directory domain controllers will enforce. You have created a Group Policy object with the settings you want to apply. Most of the domain controllers are located in the Domain Controllers OU, although you have moved some domain controllers to a sub-OU called Secure Domain Controllers. Where should you link the Group Policy object that you created? The Default-First-Site-Name site. The internal.widgets.com domain. The Domain Controllers OU only. The Secure Domain Controllers OU only. Both the Domain Controllers OU and the Secure Domain Controllers OU.

The internal.widgets.com domain. EXPLANATION Domain controllers ignore account policy settings in GPOs that are not linked to the domain. To change a domain's account policy settings, use a GPO linked to the domain, such as the Default Domain Policy GPO. REFERENCES LabSim for Server Pro 2016, Section 8.3.

You manage a network with a single Active Directory domain called westsim.com. Organizational units have been created for the accounting, sales, and shipping departments. User and computer accounts for each department are in their respective OUs. At 5:30 pm, you get a call from Mary Hurd, a user in the Sales department, stating that she can't log in. You use Active Directory Users and Computers and see the information shown in the image. You need to make sure Mary can log in. What should you do? (Select three. Each answer is a possible solution.) Unlock Mary's account. Change the log in hours to extend past 5:30 pm. Enable Mary's account. Change Mary's account to never expire.

Unlock Mary's account Change the log in hours to extend past 5:30 pm Change Mary's account to never expire EXPLANATION Based on the graphic, you know that Mary's account is not disabled. Disabled accounts show a down arrow over the account. You must edit the user account to see if an account is locked or expired or if the login hours are outside of the login times. REFERENCES LabSim for Server Pro 2016, Section 7.5.

You are the administrator of a network with a single Active Directory domain. You need to create 75 user accounts in the domain Users container. You have a list of new user accounts that include an IP telephone number. The user accounts are available via an export from your company's HR application in the form of a comma-delimited file. You want to create the new accounts as quickly and easily as possible. What should you do? Create the new user accounts using Active Directory Users and Computers. Create the new user accounts with Dsadd user by parsing the .csv file. Use Csvde to import user accounts using the .csv file. Create the new user accounts with Dsadd contact by parsing the .csv file.

Use Csvde to import user account using the .csv file. EXPLANATION The easiest way to import the users is to use Csvde with the .csv file. You could also use Dsadd user, but you would have to manually create a script to parse the .csv file and run Dsadd for each entry. Csvde automatically creates user accounts based on fields in the .csv file. REFERENCES LabSim for Server Pro 2016, Section 7.6.

You manage user accounts in the southsim.com domain. Each department is represented by an organizational unit (OU). Computer and user accounts for each department have been moved to their respective OUs. When a new employee is hired in the sales department , you create the user account, add the user account to multiple groups, assign the user permissions to the sales contact database, and configure permissions to home and shared folders. Because of high turnover, you find that as users leave the organization, you spend several hours tracking down file ownership and reassigning permissions to other users. How can you simplify this process? Create a template user account. Use this account to create all new user accounts. Create a group for the sales employees. Assign permissions to groups rather than to users. Use a programming language to create a deprovisioning solution. Write scripts or routines that run automatically and reassign ownership and permissions when the user account is deleted. As users leave the company, disable the user accounts rather than deleting them.

Use a programming language to create a deprovisioning solution. Write scripts or routines that run automatically and reassign ownership and permissions when the user account is deleted EXPLANATION Deprovisioning is the process of removing access rights for users when they leave your organization. To simplify the process, deploy third-party tools or use a programming language or scripts to perform actions when the Active Directory user account is deleted. For example, you can delete the user account and automatically reassign permissions or file ownership with a single step. Using a template user account will simplify creating the account but does not affect the tasks required when deleting the account. Disabling an account does not reassign file ownership or permissions. Assigning permissions to groups is recommended; however, using groups does not allow you to easily modify ownerships of files. REFERENCES LabSim for Server Pro 2016, Section 7.5.

You are the administrator for the westsim.com domain, which has five domain controllers running Windows Server. The Active Directory structure is shown in the image. All user and computer accounts have been placed in the department OUs. Main offices are located in Orlando, with additional offices in Boston, New York, and Chicago. There are three departments within the company, sales, marketing, and accounting. Employees from each department are at each location. You want to appoint an employee in each department to help with changing passwords for users within their department. They should not be able to perform any other tasks. What should you do? Use the Delegation of Control wizard. Grant each user administrator permissions to modify passwords for the domain. Use the Delegation of Control wizard. Grant each user administrator all permissions for their department OU. Grant each user administrator Read and Change permissions to their department OU. Use the Delegation of Control wizard. Grant each user administrator permissions to modify passwords for their department OU.

Use the Delegation of Control wizard. Grant each user administrator permissions to modify passwords for their department OU EXPLANATION In this scenario, use the Delegation of Control wizard to grant each user administrator permissions to modify passwords for their department OU. This allows each administrator to only modify the passwords for user accounts within their department. Do not grant the administrators permissions to the domain, as this would allow them to modify passwords for all users, even those not in their department. Do not grant the Allow Change permission, as this would permit administrators to change many more properties than just the passwords for user objects. REFERENCES LabSim for Server Pro 2016, Section 7.9.

You are the administrator of a network with a single Active Directory domain. The domain currently includes 75 user accounts. You have been asked to add 50 additional accounts. Your Human Resources manager has an existing database of employees that can be imported to Active Directory. You would like to use an automated method for data import if possible. What should you do? (Select two. Each choice is a complete solution.) Use Active Directory Users and Computers. Use the Ldifde.exe utility. Use Active Directory Sites and Services. Use the Csvde.exe utility.

Use the Ldifde.exe utility Use the Csvde.exe utility EXPLANATION The Ldifde.exe and Csvde.exe utilities are both used to import and export data for Active Directory. Ldifde.exe creates, modifies, and deletes directory objects. You can also use Ldifde to export Active Directory user and group information to other applications or services and populate Active Directory with data from other directory services. Csvde.exe imports and exports data from Active Directory using files that store data in the comma-separated value (CSV) format. REFERENCES LabSim for Server Pro 2016, Section 7.6.

You are the network administrator for Corpnet.com. You have several virtual machines hosted on a VMware platform. You have installed a new Windows server that has the Hyper-V role installed. You need to migrate the VMware virtual machines to Hyper-V. What should you do? Use the Application Compatibility toolkit (ACT). Use the Disk2VHD tool. Use the Microsoft Virtual Machine Converter (MVMC) tool. Use the Microsoft Assessment and Planning (MAP) toolkit.

Use the Microsoft Virtual Machine Converter (MVMC) tool. EXPLANATION You should use the Microsoft Virtual Machine Converter (MVMC) tool. The Microsoft Virtual Machine Converter (MVMC) tool is a free tool that can be used to convert VMware-based virtual machines and virtual disks to Hyper-V-based virtual machines and virtual hard disks. The Microsoft Assessment and Planning (MAP) toolkit can be used to scan a network to determine which machines can be upgraded and/or converted to virtual machines. The Application Compatibility Toolkit (ACT) can be used to assess applications and determine whether they will be compatible with particular versions of the operating system and provides resources to help resolve incompatibility issues. The Disk2VHD tool can be used to convert an operating on a physical computer into a virtual machine. REFERENCES LabSim for Server Pro 2016, Section 6.6.

You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. You have two OUs that contain temporary users, TempSales and TempMarketing. For all users within these OUs, you want to restrict what the users are able to do. For example, you want to prevent them from shutting down the system or accessing computers through a network connection. Which GPO category would you edit to make the necessary changes? User Rights Security Options Restricted Groups Account Policies

User Rights EXPLANATION Configure user rights to determine what actions a user can perform on a computer or domain. User rights settings identify users or groups with the corresponding privileges. Configure security options to control actions that everyone can perform. Use restricted groups to limit the membership of specific security groups. Use account policies to control password and account lockout settings for all users. REFERENCES LabSim for Server Pro 2016, Section 8.1.

You are the administrator of a network with a single Active Directory domain. Your domain contains three domain controllers and five member servers. Your security policy states that all accounts should be locked out after three unsuccessful logon attempts and that accounts must be reset only by an administrator. A GPO enforces these settings. You receive a call Monday morning from the help desk. There are seven users who are unable to log in to the domain. Upon further investigation, you notice all seven accounts have been locked out. You need to unlock the user accounts with the least amount of administrative effort while complying with your security policy. What should you do next? Change the Account lockout threshold value to 0. Using Active Directory Users and Computers, select Unlock Account for each account. Change the Account lockout duration value to 0. Change the Reset account lockout counter after value to 0. Using Active Directory Users and Computers, highlight all seven accounts and select Unlock Account.

Using Active Directory Users and Computers, select Unlock Account for each account EXPLANATION Using Active Directory Users and Computers, select Unlock Account for each account. This setting does not permit reset for more than one account at a time. This setting determines whether or not an account has been locked out. You should not change the GPO settings just to unlock an account. Because the account can only be unlocked by an administrator, the account lockout duration is already set to 0. REFERENCES LabSim for Server Pro 2016, Section 7.5.

You are the administrator of a network with a single Active Directory domain. You would like to create a script to distribute to the help desk support staff for their needs when creating domain user accounts. The help desk staff will input various user account values and these values will be used in the script. Which of the following commands should your script include? dsmod dsadd dsquery dsrm

dsadd EXPLANATION The dsadd command line utility supports the addition of new domain user accounts. REFERENCES LabSim for Server Pro 2016, Section 7.6.

You manage a network with a single Active Directory domain called westsim.com. Most of your users work from the office and access your on-premise domain controllers when they authenticate and use network resources, but you also have a few users who work remotely. Your company has just moved to Office365 and is using the cloud-hosted versions of Exchange and SharePoint for employees who work from home. You are considering using Azure AD to allow these employees to authenticate to the domain. Which of the following are options for deploying Azure AD? (Select two.) You can install Active Directory domain controllers on Windows Azure virtual machines in the cloud. You can move Active Directory domain controller VMs running on Hyper-V from your data center to the Azure cloud. You can deploy Active Directory domain controllers in your data center using Windows Azure Active Directory. You can install Windows Azure domain controller VMs using Hyper-V and upload them to the Azure cloud. You can deploy Active Directory domain controllers using the Windows Azure Active Directory SaaS cloud service.

You can deploy active directory domain controllers using the windows azure active directory saas cloud service You can install active directory domain controllers on windows azure virtual machines in the cloud EXPLANATION Azure AD can be deployed in two ways: - Implementing Active Directory domain controllers on Windows Azure virtual machines (VMs) in the cloud - Using the Windows Azure Active Directory SaaS cloud service Azure AD can only be deployed in the cloud hosted by Microsoft. Hyper-V cannot be used to install Windows Azure virtual machines. Virtual machines you may already be using as domain controllers cannot be moved to the Azure cloud. REFERENCES LabSim for Server Pro 2016, Section 7.10.

Click on the user right policy that is used to grant a user local access to the desktop of a Windows server.

allow log on locally EXPLANATION Rights are the ability to perform actions on a computer, such as log on, shut down, back up, and restore. For example, a user logging on to gain access to the desktop of a Windows server must have the Allow log on locally right. The Access this computer from the network user right determines which users and groups are allowed to connect to the computer over the network. The Allow log on through Remote Desktop Services right determines which users or groups have permission to log on as a Remote Desktop Services client. The Back up files and directories right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. REFERENCES LabSim for Server Pro 2016, Section 8.5.

You manage 20 Windows workstations in your domain network. You want to prevent the sales team members from making system changes. Whenever a change is initiated, you want to allow only those who can enter administrator credentials to be able to make the change. What should you do? Configure the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode setting in Group Policy to elevate without prompting. Enable the User Account Control: Run all administrators in Admin Approval Mode setting in Group Policy. Configure the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode setting in Group Policy to prompt for consent. Configure the User Account Control: Behavior of the elevation prompt for standard users setting in Group Policy to prompt for credentials. Configure the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode setting in Group Policy to prompt for credentials.

configure the user account control: behavior of the elevation prompt for standard users setting in group policy to prompt for credentials EXPLANATION Configure the User Account Control: Behavior of the elevation prompt for standard users policy to prompt for credentials. In this scenario, you need to prevent standard users (the sales team members) from making system changes unless they can provide administrator credentials. This means that you need to prompt standard users for credentials when system changes are initiated. Configuring prompts on administrator accounts will not affect the ability of standard users to perform system changes. Prompting for consent asks administrators for permission before performing tasks, but does not require supplying additional credentials. Running all administrators in Admin Approval mode enables or disables UAC. Enabling Running all administrators in Admin Approval mode enforces UAC on system changes, but does not, by itself, configure prompting for standard users or administrators. REFERENCES LabSim for Server Pro 2016, Section 8.6.

You manage several Windows workstations in your domain. You want to configure a GPO that will make them prompt for additional credentials whenever a sensitive action is taken. What should you do? Configure User Account Control (UAC) settings. Configure Windows Firewall with Advanced Security settings. Configure Restricted Groups settings. Configure User Rights Assignment settings.

configure user account control (UAC) settings EXPLANATION User Account Control (UAC) prompts the user for credentials or permission in an effort to minimize the dangers of unwanted actions or unintended software installations. Configure a GPO to enforce UAC settings on all client computers. REFERENCES LabSim for Server Pro 2016, Section 8.6.

You are the administrator of a network with a single Active Directory domain. The domain includes a user account named Bob Smith. You have been asked by the network security group to provide a listing of all the domain groups to which Bob Smith is a member. You would prefer to use a command line utility so that the output can be saved and printed. Which command should you use? dsquery dsrm dsadd dsget

dsget EXPLANATION The dsget command line utility returns the properties of an object while dsquery finds and returns a result set of objects based on property-based search criteria. dsget displays the various properties of a user in the directory. There are two variations of this command. The first variation allows you to view the properties of multiple users. The second variation allows you to view the group membership information of a single user. REFERENCES LabSim for Server Pro 2016, Section 7.6.

You manage a Windows server that is an Active Directory domain controller for your organization. You need to use command line tools to generate a list of all users in the domain and then view the value of the Office property of each user. Which command should you use? dsquery user -name * | dsget user -display -office ldifde -r "(objectClass=user)" -f c:\users.ldif csvde -f C:\users.csv dsget user -display -office

dsquery user -name * | dsget user -display -office EXPLANATION The dsquery user -name * | dsget user -display -office command uses piping to combine two commands together. The dsquery user -name * command generates a list of all users in the domain, which is then redirected by the pipe character (|) to the input of the dsget command. The dsget user -display -office command displays the value of the office property of each user sent to it from the dsquery command. The dsget user -display -office command doesn't specify which users whose office property should be displayed. The csvde -f C:\users.csv command exports all objects in the entire domain to a comma-separated file. While this file contains the information you need to view, it would be cumbersome to locate it manually. The ldifde -r "(objectClass=user)" -f c:\users.ldif command exports a list of every user in the domain to an LDIF file. This file also contains the information you need to view, but it must be located manually. REFERENCES LabSim for Server Pro 2016, Section 7.6.

Your network has a single Active Directory forest with two domains, eastsim.private and HQ.eastsim.private. The organizational units Accounting, Marketing, and Sales represent departments of the HQ domain. Additional OUs (not pictured) exist in both the eastsim.private and HQ.eastsim.private domains. All user and computer accounts for all departments company-wide are in their respective departmental OUs. You are in the process of designing Group Policy for the network. You want to accomplish the following goals: - You want to enforce strong passwords throughout the entire forest for all computers. All computers in both domains should use the same password settings. - The Accounting department has a custom software application that needs to be installed on computers in that department. - Computers in the marketing and sales departments need to use a custom background and prevent access to the Run command. You create the following three GPOs with the appropriate settings: Password Settings, Accounting App, and Desktop Settings. How should you link the GPOs to meet the design objectives? To answer, drag the label corresponding to the GPO to the appropriate boxes. Drag Accounting App Desktop Settings Password Settings Drop eastsim.private HQ.eastsim.private Accounting Marketing Sales

eastsim.private Password Settings HQ.eastsim.private Password Settings Accounting Accounting App Marketing Desktop Settings Sales Desktop Settings EXPLANATION To meet the requirements, link the GPOs as follows: - Link the Password Settings GPO to both the eastsim.private and HQ.eastsim.private domains. Password policies must be set in a GPO linked to a domain and apply only to the domain for which they are linked. You want the password settings to apply to both domains. - Link the Accounting App GPO to the Accounting OU. The GPO will apply only to computers in the Accounting OU. - Link the Desktop Settings GPO to both the Marketing and Sales OUs. Do not apply the GPO to the domain, as this would apply the settings to computers in the Accounting OU as well. REFERENCES LabSim for Server Pro 2016, Section 8.1.

You have been asked to troubleshoot a Windows workstation that is a member of your domain. The director who uses the machine said he is able to install anything he wants and change system settings on demand. He has asked you to figure out why User Account Control (UAC) is not being activated when he performs a sensitive operation. You verify that the director's user account is a standard user and not a member of the local Administrators group. You want the UAC prompt to show. What should you do? Set up a Group Policy that disables the installation of new hardware. Enable the Admin Approval mode for the Built-in Administrator account setting in the Group Policy. Check to see if UAC is configured for this account. Change the Behavior of the elevation prompt for administrators in Admin Approval Mode setting in the Group Policy to Prompt for consent. Enable the Run all administrators in Admin Approval Mode setting in the Group Policy .

enable the run all administrators in admin approval mode setting in the group policy EXPLANATION Enable the Run all administrators in Admin Approval Mode setting for UAC. This turns UAC on. Changing the Behavior of the elevation prompt for administrators in Admin Approval Mode setting to Prompt for consent only applies to administrator accounts and asks the administrator whether to continue or cancel the requested operation. UAC is not enabled on a per-account basis. It applies to all user accounts on the system, but individual settings in Group Policy can affect the UAC behavior for standard users versus administrators. The Admin Approval mode for the Built-in Administrator account setting controls UAC for only the Built-in administrator account. REFERENCES LabSim for Server Pro 2016, Section 8.6.

You need to use a PowerShell to generate a list of all Active Directory computer accounts located in just the Computers container (cn=Computers,dc=testoutdemo,dc=com). Which cmdlet should you use? get-aduser -filter * -SearchBase "cn=Computers,dc=testoutdemo,dc=com" get-adcomputer -filter * get-adcomputer -filter * -SearchBase "cn=Computers,dc=testoutdemo,dc=com" get-adcomputer -filter * "cn=Computers,dc=testoutdemo,dc=com"

get-adcomputer -filter * -SearchBase "cn=Computers,dc=testoutdemo,dc=com" EXPLANATION The get-adcomputer -filter * -SearchBase "cn=Computers,dc=testoutdemo,dc=com" command generates a list of all Active Directory computer accounts located in the Computers container (cn=Computers,dc=testoutdemo,dc=com). The get-aduser -filter * -SearchBase "cn=Computers,dc=testoutdemo,dc=com" command command generates a list of all Active Directory user accounts located in the Computers container (if there were any). The get-adcomputer -filter * "cn=Computers,dc=testoutdemo,dc=com"command omits the -SearchBase option, which is required to specify a context to search. The get-adcomputer -filter * command generates a list of all computer accounts in the entire directory, which will return more results than desired. REFERENCES LabSim for Server Pro 2016, Section 7.6.

You are the network administrator for westsim.com. The company is opening a new branch office in New York that will have 100 new users. All the information on the new accounts is contained in a file named branch.csv, which specifies a unique name and password for each user. You need to run a script to create the new accounts contained in the branch.csv file. The new accounts must be assigned the appropriate passwords as contained in the branch.csv file. Which commands should you run? (Select two. Each answer is a required part of the solution.) ldifde new-ADUser dsmod import-csv

import-csv new-ADUser EXPLANATION To create the new accounts contained in the branch.csv file, you need to start with the import-csv command and then specify the .csv file to be imported. The output can then be piped to the New-ADUser command to create new Active Directory users. The ldifde command imports, exports, modifies, and deletes objects in Active Directory using LDAP Data Interchange Format (LDIF) files. The dsmod command modifies or changes the properties of an object from the command line. REFERENCES LabSim for Server Pro 2016, Section 7.6.

You manage a Windows server that functions as your company's domain controller. You want to test a new network application in a lab environment prior to rolling it on to your production network. To make the test as realistic as possible, you want to export all Active Directory objects from your production domain controller and import them to a domain controller in the test environment. Which tools could you use to do this? (Select two. Each option is a complete solution.) ldifde dsadd dsget csvde ldp

ldifde csvde EXPLANATION You can use either the ldifde or csvde commands to export and then import Active Directory objects. The ldifde command can be used to import, export, modify, or delete objects in Active Directory using LDAP Data Interchange Format (LDIF) files. The csvde command can be used to export and import objects in Active Directory using comma-separated values (CSV) files. The ldp utility allows you to search for and view the properties of multiple Active Directory objects, but it can't be used to modify existing objects. The dsget command is used to display properties of an object in Active Directory. The dsadd command is used to add objects to Active Directory, but it isn't designed for large-scale import operations, such as the one described in this scenario. REFERENCES LabSim for Server Pro 2016, Section 7.6.

You manage a Windows server that functions as your company's domain controller. Your organization was recently acquired by a larger organization, and the company name has changed as a result. You need to modify the Company property of each user account in Active Directory. Which tools could you use to make this change? (Select two. Each option is a complete solution.) ldifde ldp dsmod csvde dsadd

ldifde dsmod EXPLANATION You can use either the ldifde or dsmod commands to make the change to all user accounts in Active Directory. The ldifde command can used to import, export, modify, or delete objects in Active Directory using LDAP Data Interchange Format (LDIF) files. The dsmod command is a Domain Services (DS) command-line tool that is built into Windows Server. It is used to modify an object in Active Directory. The csvde command can be used to import or export objects from Active Directory, but it can't be used to modify an existing object. The ldp utility allows you to search for and view the properties of multiple Active Directory objects, but it can't be used to modify existing objects. The dsadd command is used to add objects to Active Directory, but it can't be used to modify an existing object. REFERENCES LabSim for Server Pro 2016, Section 7.6.

You are managing rights on a standalone server. You want to make changes to the settings of the Restore Files and Directories policy. Which of the following is the tool you must use to make changes to this policy? Group Policy Management Editor User Rights Policy Editor Local Security Policy Editor Local Group Policy Editor

local group policy editor EXPLANATION Use the Local Group Policy Editor to manage rights on a standalone server. This tool allows you to make changes to the settings of policies, such as the Restore files and directories policy, pertaining to the local system only. You would use the Group Policy Management Editor program to make changes to the settings of policies that you want to apply to all computers in the domain. There are no tools called Local Security Policy Editor or User Rights Policy Editor. REFERENCES LabSim for Server Pro 2016, Section 8.5.

You have a laptop that you use for remote administration from home and while traveling. The laptop has been joined to the domain using the name of AdminRemote. The processor in your laptop overheats one day, causing extensive damage. Rather than repair the computer, you purchase a new one. The computer arrives, and you edit the system properties and name it AdminRemote. When you try to join the computer to the domain, you receive an error message and are unable to proceed. You want the new computer to be joined to the domain using the same name as the old computer. Which commands should you run? netdom reset and then netdom join netdom renamecomputer and then netdom join netdom join netdom add and then netdom join dsadd computer and then netdom join

netdom reset and then netdom join EXPLANATION To successfully join the new computer to the domain using the existing computer account, you need to reset the computer account in Active Directory. Run netdom reset to reset the computer account, and then run netdom join to join the computer to the domain. Use dsadd computer to create a new computer account in Active Directory. Use netdom renamecomputer to rename the workstation and the Active Directory computer account. Use netdom add to add a computer to a domain. REFERENCES LabSim for Server Pro 2016, Section 7.7.

You have a computer running Windows. Prior to installing some software, you turn off User Account Control (UAC), reboot the computer, and install the software. You turn UAC back on, but it does not prompt you before performing sensitive actions. You want the protection of UAC, but it is not working at all. What should you do? Uninstall the software and re-enable UAC. Reinstall the software. Reboot the machine. Enable UAC. Log in as an administrator and turn UAC off and then back on.

reboot the machine EXPLANATION Turning UAC on or off requires a system reboot before the settings are enabled. In this case, you need to reboot the machine after changing the UAC setting to get the change to take effect. Uninstalling the software, re-enabling UAC, and reinstalling the software requires extra effort and is unnecessary; however, during the installation, you can provide the necessary credentials, which leaves UAC turned on before and after reinstallation of the software. REFERENCES LabSim for Server Pro 2016, Section 8.6.

You want to give the TPlask user the right to log on to any of the domain controllers in your domain and gain access to the desktop. This user does not belong to any of the default groups that have the Allow log on locally right by default. Which of the following steps can you take to give the Allow log on locally right to this user? (Select two. Each correct answer is a complete solution.) Use Group Policy Management Editor to add the TPlask user account to the Allow log on locally policy. Use Active Directory Users and Computers to add the TPlask user account to the Administrators group. Use Local Group Policy Editor to add the TPlask user account to the Allow log on locally policy. Use Group Policy Management Editor to add the TPlask user account to the Administrators group. Use Active Directory Users and Computers to add the TPlask user account to the Power Users group.

use group policy management editor to add the TPlask user account to the allow log on locally policy use active directory users and computers to add the TPlask user account to the administrators group EXPLANATION You can give the TPlask user the right to log on to any of the domain controllers in your domain and perform administration tasks in two ways: - Use Group Policy Management Editor to add the TPlask user account to the Allow log on locally policy. - Use Active Directory Users and Computers to add the TPlask user account to the Administrators group. If you use the Local Group Policy editor, you will only give TPlask rights to log on to the local server. The Power Users group does not get the right to log on locally by default. You cannot use Group Policy Management Editor to add users to groups. REFERENCES LabSim for Server Pro 2016, Section 8.5.

Select the policy node you would choose to configure who is allowed to manage the auditing and security logs.

user rights assignment EXPLANATION User rights are the ability to perform an action on a computer, such as shutdown, back up, and restore. These rights can be controlled through the User Rights Assignment node in Group Policy. Examples of user rights that can be configured include: - Take ownership of files or other objects - Shut down the system - Force shutdown from a remote system - Perform volume maintenance tasks - Manage auditing and security log - Allow log on through Remote Desktop Services Audit Policy, Security Options, Event Log, and System Services are nodes in Group Policy that users must be granted rights to use through the User Rights Assignment node. REFERENCES LabSim for Server Pro 2016, Section 8.5.


Set pelajaran terkait

Masai giraffe. Mammals. Artiodactyla.*(photos)

View Set

Peds Exam 3 GU Practice Questions

View Set

Internship 2- Your Body Language May Shape Who YOU are Quiz

View Set

Chapter 6: Software Development Security

View Set

Where in the World: European Physical Features

View Set

Algebra Chapter 5 Test Review - Linear Functions

View Set

𝙀𝙑𝙀𝙍𝙔𝙈𝘼𝙉: GOOD DEEDS (463-521)

View Set