Server Pro Final Study Set - Part 3


You are a systems administrator for WestSim Corporation. As part of a new security initiative, the IT department has developed a custom application that reports the host name of all clients that try to access three sensitive servers in the accounting department. The application has been working for the last three months. The company expands and adds a new building with a LAN connection to the rest of the network. This building has its own subnet, 192.168.5.0. You create a scope on an existing DHCP server for this subnet. During a random check of the reporting software, you discover that the application reports the IP address but not the host name for clients on the new subnet. Everything works as designed for hosts on other subnets. You check the DNS database and find that none of the hosts on that subnet have an associated PTR record. What should you do? Add a HOSTS file to the server running the reporting software. Create a primary reverse lookup zone for subnet 192.168.5.0. Create a secondary reverse lookup zone for subnet 192.168.5.0. Manually create CNAME records for each host on the subnet. Manually create PTR records for each host on the subnet.

Create a primary reverse lookup zone for subnet 192.168.5.0. EXPLANATION You need to create a primary reverse lookup zone for the new subnet. The custom application uses the reverse lookup zone to find the host name for a given IP address. By default, Windows clients register their A (host) record, while the DHCP server registers the PTR (pointer) record. However, the reverse lookup zone must exist in the DNS database before the DNS server can create the PTR record. REFERENCES LabSim for Server Pro 2016, Section 9.3.

You are the administrator for the westsim.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective department OUs. Computers in the accounting department use a custom application. During installation, the application creates a local group named AcctMagic. This group is used to control access to the program. By default, the account used to install the application is made a member of the group. You install the application on each computer in the accounting department. All accounting users must be able to run the application on any computer in the department. You need to add each user as a member of the AcctMagic group. You create a domain group named Accounting and make each user a member of this group. You then create a GPO named Acct Software linked to the Accounting OU. You need to define the restricted group settings. What should you do? Create a restricted group named Accounting. Define the group as a member of the AcctMagic group. Create a restricted group named Accounting. Add the AcctMagic group as a member. Create a restricted group named AcctMagic. Add the Accounting domain group as a member. Create a restricted group named AcctMagic. Define the group as a member of the Accounting domain group.

Create a restricted group named AcctMagic. Add the Accounting domain group as a member EXPLANATION To configure the restricted groups settings: - Create the group named AcctMagic. The name of the group should correspond to the name of the local group whose membership you want to restrict. - Add the Accounting domain group as a member of the AcctMagic group. The AcctMagic group will have as its members only the users or groups that you explicitly define. REFERENCES LabSim for Server Pro 2016, Section 8.7.

You are the network administrator for Corpnet.com. A small group of software developers in your organization have to use Linux workstations. You are creating a share for these Linux users on your file server, which is named File1. How can you allow clients running Linux-based operating systems to connect to a share on File1? Create the share using Access-based Enumeration. Create the share using the Network File System (NFS). Create the share using Network Information Service (NIS). Create a storage space using thin provisioning

Create the share using the Network File System (NFS). EXPLANATION You should create the share using the Network File System (NFS). In order for a client with a Unix-based file system to connect to a share, it must be stored on a volume running the Network File System (NFS). The Network Information Service is used by UNIX/Linux systems to share a common set of user and group accounts. Thin provisioning allows you to provision a storage space at a higher capacity than the physical storage currently available. This allows more physical space to be added later without having to adjust the storage space. You must make sure the clients do not consume more space than is physically available, or the storage space will experience an outage. Access-based enumeration is used to ensure that clients can only see the resources to which they have adequate permissions to access. REFERENCES LabSim for Server Pro 2016, Section 10.4.

You are a system administrator with hundreds of host workstations to manage and maintain. You need to enable hosts on your network to find the IP addresses of alphanumeric host names such as srv1.myserver.com. Which of the following would you use? Dynamic DNS (DDNS) server DHCP server DNS server HOSTS file

DNS server EXPLANATION Use a DNS server to provide hostname-to-IP address resolution. Using a HOSTS file would require that you manually edit and maintain a very large file on every host in your part of the organization. A DHCP server can be used to assign the address of the DNS server to each workstation after the DNS server is up and running. DDNS enables clients or the DHCP server to update records in the zone database after the DNS server is up and running. REFERENCES LabSim for Server Pro 2016, Section 9.1.

Your Active Directory network uses the internal DNS namespace private.westsim.com. Several other Active Directory domains also exist, which are children to the private.westsim.com domain. On the Internet, your company uses westsim.com for its public domain name. Your company manages its own DNS servers that are authoritative for the westsim.com zone. The private.westsim.com zone has been delegated to your company's Active Directory domain controllers, which are also DNS servers. Computers that are members of the private.westsim.com domain and all child domains must be able to resolve DNS names of Internet resources. However, to help secure your network, DNS queries for resources in the private.westsim.com domain and all child domains must never be sent to Internet DNS servers. Queries for Internet names must go first to your public DNS server that is authoritative for the westsim.com domain. You need to configure your company's DNS servers to meet these requirements. What should you do? (Choose two. Each correct choice is part of the solution.) Configure root hints to Internet DNS servers on all DNS servers that are authoritative for the private.westsim.com zone or any child zone. On all DNS servers that are authoritative for the private.westsim.com zone or any child zone, create a forwarders list. Forward to DNS servers that are authoritative for the parent zone. Delete root hints to Internet DNS servers on all DNS servers that are authoritative for the private.westsim.com zone or any child zone. Delete root hints to Internet DNS servers on all DNS servers that are authoritative for the westsim.com zone. On all DNS servers that are authoritative for the westsim.com zone or any child zone, create a forwarders list. Forward to DNS servers that are authoritative for the child zone.

Delete root hints to Internet DNS servers on all DNS servers that are authoritative for the private.westsim.com zone or any child zone. On all DNS servers that are authoritative for the private.westsim.com zone or any child zone, create a forwarders list. Forward to DNS servers that are authoritative for the parent zone. EXPLANATION To prevent private.westsim.com DNS servers from contacting Internet DNS servers directly, delete root hints to Internet servers on all DNS servers that are authoritative for the private.westsim.com zone or any child zone. Instead, forward all unresolved DNS requests to parent zone DNS servers. Requests that get forwarded to westsim.com DNS servers will not be related to the private namespace. Therefore, it is safe to configure root hints to Internet DNS servers on these DNS servers. REFERENCES LabSim for Server Pro 2016, Section 9.2.

Your company uses westsim.com as its public Internet domain name. Your private network has a single Active Directory domain named westsim.local. All westsim.local authoritative DNS servers are configured to forward DNS requests across a firewall to external westsim.com authoritative DNS servers. Based on your security policy, the westsim.local authoritative DNS servers are not to contact other computers across the firewall. You manage all DNS servers that are authoritative for the westsim.com and westsim.local DNS domains. All client computers are members of the westsim.local Active Directory domain and are configured to use westsim.local authoritative DNS servers. Currently, all DNS servers have a root zone. Also, all DNS servers have the default configured cache.dns file in their %systemroot%\dns folder. Client computers on your network must resolve names in the Internet namespace and names in the westsim.local domain. You need to configure your company's DNS servers to meet these requirements. What should you do? (Select three. Each correct answer is part of the correct solution.) Reconfigure the cache.dns file on all westsim.local authoritative DNS servers so it contains names and IP addresses of all westsim.com authoritative DNS servers. Delete the cache.dns file on all westsim.com authoritative DNS servers. Delete the cache.dns file on all westsim.local authoritative DNS servers. Delete the root zone on all westsim.local authoritative DNS servers. Reconfigure the cache.dns file on all westsim.com authoritative DNS servers so it contains the names and IP addresses of all westsim.local authoritative DNS servers. Delete the root zone on all westsim.com authoritative DNS servers.

Delete the root zone on all westsim.local authoritative DNS servers. Delete the cache.dns file on all westsim.local authoritative DNS servers. Delete the root zone on all westsim.com authoritative DNS servers EXPLANATION To complete the configuration, take the following actions: - Delete the root zone on all westsim.local authoritative DNS servers. Otherwise, the server will not forward addresses (unless conditional forwarding is configured). There is no need to have a private root domain in this scenario. - Delete the root zone on all westsim.com authoritative DNS servers. Only root Internet servers should have a public root zone. - Delete the cache.dns file on all westsim.local authoritative DNS servers. The cache.dns file contains root hints (references to DNS servers that are authoritative for the root zone). Internal DNS servers cannot contact Internet root servers due to the firewall (nor should they, for security's sake). Therefore, the internal DNS servers should not have root hints. Do not reconfigure the cache.dns file on all westsim.local authoritative DNS servers so it contains the names and IP addresses of all westsim.com authoritative DNS servers. Doing so will make the westsim.com authoritative DNS servers appear as root servers to the internal DNS servers, which is an inappropriate configuration because the westsim.com servers do not host a root zone. Do not reconfigure the cache.dns file on all westsim.com authoritative DNS servers so it contains names and IP addresses of all westsim.local authoritative DNS servers. Doing so will make it impossible for the westsim.com authoritative DNS servers to resolve most Internet DNS names because they will not have access to the Internet root zone servers. REFERENCES LabSim for Server Pro 2016, Section 9.2.

You manage the DNS servers for the eastsim.com domain. You have a domain controller named DC1 that holds an Active Directory-integrated zone for the eastsim.com zone. You would like to configure DC1 to use forwarders and root name servers to resolve all DNS name requests for unknown zones. You edit the DNS server properties for DC1. On the Forwarders tab, you find that the Use root hints if no forwarders are available option is disabled. You also find that the entire Root Hints tab is disabled, and you are unable to add any root hint servers. How can you configure the server to use the Internet root name servers for name resolution? Create a stub zone for the root zone that points to the root servers. Delete the zone named . on DC1. Configure a conditional forwarder to forward requests to the root servers. Change the eastsim.com domain to a primary standard zone.

Delete the zone named . on DC1. EXPLANATION In this scenario, DC1 has been configured with a root zone. The root zone is named . (dot). When the server has a root zone, it will not (and cannot) use root hints because it thinks that it is a root server. Deleting the root zone allows you to configure the root hints options. You will not be able to configure a stub zone or conditional forwarders for the root zone because the server has a primary copy of the root zone. REFERENCES LabSim for Server Pro 2016, Section 9.2.

The C:\Shares\WidgetProject folder on your Windows server has been shared with network users. The server is a member of the westsim.com Active Directory domain. The westsim.com\Users group has been granted the following allow NTFS permissions: - Read and execute - List folder contents - Read The westsim.com\Research group has been granted the allow full control NTFS permission. In addition, the Everyone principal has been assigned the allow read share permission. The vhammer user accesses data in the folder through the network share from her Windows workstation. She is a member of the westsim.com\Users and westsim.com\Research groups. The vhammer user has also been assigned the deny read NTFS permission to the folder. What permissions does this user have to data in the folder? Deny read and change Allow read and execute, list folder contents, and read Allow full control Allow read Deny read

Deny read EXPLANATION The share permission for the folder is full control. The cumulative NTFS permission for the folder is deny read because a deny NTFS permission assignment overrides any allow permission assignments. The NTFS permissions are less permissive than the share permissions and are applied. Therefore, the user receives deny read access to the folder. REFERENCES LabSim for Server Pro 2016, Section 10.1.

Which of the following DNS components automatically creates and deletes host records when an IP address lease is created or released? Dynamic DNS Dynamic NAT DHCP Relay Forward lookup

Dynamic DNS EXPLANATION Dynamic DNS (DDNS) enables clients or the DHCP server to update records in the zone database automatically whenever an IP address lease is created or renewed. A forward lookup is the process of resolving a host name to an IP address. A DHCP relay is used to forward DHCP requests to a DHCP server in a different subnet. Dynamic NAT is used to automatically map internal IP addresses with a dynamic port assignment. REFERENCES LabSim for Server Pro 2016, Section 9.1.

You are the administrator for the corp.westsim.com domain. The network has two child domains, acct.corp.westsim.com and sales.corp.westsim.com. You need to configure DNS name resolution properties on the Srv2.sales.corp.westsim.com server. When a single label name is submitted for name resolution, you want the server to search using the following suffixes: - sales.corp.westsim.com - acct.corp.westsim.com - corp.westsim.com - westsim.com What should you do? Edit the DNS suffix search list policy to configure the custom search suffixes of acct.corp.westsim.com, corp.westsim.com, and westsim.com. On the DNS tab, configure a connection-specific suffix of acct.corp.westsim.com. Edit the DNS suffix search list policy to configure the custom search suffixes of sales.corp.westsim.com, acct.corp.westsim.com, corp.westsim.com, and westsim.com. On the DNS tab, enable Append parent suffixes of the primary DNS suffix. Configure an additional custom suffix of acct.corp.westsim.com.

Edit the DNS suffix search list policy to configure the custom search suffixes of sales.corp.westsim.com, acct.corp.westsim.com, corp.westsim.com, and westsim.com. EXPLANATION In this scenario, you will need to edit the DNS suffix search list policy to configure custom suffixes for sales.corp.westsim.com, acct.corp.westsim.com, corp.westsim.com, and westsim.com. When you configure custom DNS suffixes, the primary and connection-specific suffixes are ignored. For this reason, configuring only acct.corp.westsim.com, corp.westsim.com, and westsim.com as suffixes will be insufficient to meet the requirements. Configuring only acct.corp.westsim.com as a custom suffix would mean that only that domain is searched. Configuring acct.corp.westsim.com as a connection-specific suffix would work only if you also enabled the Append parent suffixes of the primary DNS suffix option. REFERENCES LabSim for Server Pro 2016, Section 9.2.

You manage a company network with a single Active Directory domain running on two domain controllers. The two domain controllers are also DNS servers and hold an Active Directory-integrated copy of the zone used on the private network. The network has five subnets with DHCP servers delivering IP address and other configuration to host computers. All host computers run Windows 10. You want to ensure that all client computers use the DNS server for DNS host name resolution. Hosts should not be able to automatically discover DNS host names, even for computers on their own subnet. What should you do? Configure dynamic DNS (DDNS) on your DHCP servers. Configure one of your DNS servers as an authoritative DNS server. Configure the HOSTS file on each client with the IP address of the DNS server on the local subnet. Edit the default domain Group Policy object (GPO). Enable the Turn off Multicast Name Resolution policy.

Edit the default domain group policy object (GPO). Enable the Turn off Multicast Name Resolution policy. EXPLANATION To prevent client computers from automatically resolving DNS host names on the local subnet, use a GPO to enable the Turn off Multicast Name Resolution policy. This disables Link-Local Multicast Name Resolution (LLMNR). For example, you can use Group Policy Management to edit the Default Domain policy by going to Computer Configuration\Administrative Templates\Network\DNS Client and enabling the Turn off Multicast Name Resolution policy. By default, all Windows clients (Vista and later) have LLMNR enabled. Configuring clients to get DNS server addresses from a DHCP server does not disable LLMNR. Configuring an authoritative DNS server will not disable LLMNR on the Windows clients. Configuring DDNS on your DHCP servers also does not disable LLMNR on the Windows clients. The IP address of the DNS server should be assigned to the client systems by the DHCP server, not manually configured in the HOSTS file. REFERENCES LabSim for Server Pro 2016, Section 9.1.

The D:\ drive in your Windows server is formatted with NTFS. The Sales group on your computer has been given allow modify permissions to the D:\Sales folder. The Mary user account is a member of the Sales group. You want to accomplish the following: - Mary should not be allowed access to the D:\Sales\2013sales.doc file. - Mary should be able to read, write, and create new files in the D:\Sales folder. - Your solution should not affect the abilities of other Sales group members to access files in the D:\Sales folder. What should you do? Edit the properties for the file; assign Mary the deny full control permission. Edit the properties for the folder; assign Mary the deny full control permission. Edit the properties for the folder; assign the Sales group the deny full control permission. Remove Mary from the Sales group. Edit the properties for the file; assign the Sales group the deny full control permission.

Edit the properties for the file; assign Mary the Deny full control permission. EXPLANATION To prevent Mary from accessing the one file, assign the user account the deny full control permission to the file. Deny permissions override allow permissions. Because Mary is still a member of the Sales group, she will have access to the remaining files in the directory. Removing Mary from the group or denying permission to the folder would prevent her from accessing all files in the folder. Denying permissions for the group would affect all group members, not just the one user. REFERENCES LabSim for Server Pro 2016, Section 10.1.

You are the manager for Windows servers at your company. You have configured Windows Server Backup to take regular backups once per day and save those backups to an external disk. You find that users working on a new project are constantly overwriting files and asking you to restore older versions of files that exist on backups from as far back as a week ago. You would like to implement a solution that allows users to restore files without an administrator's help. What should you do? Configure a scheduled task to save backups to rewriteable DVDs in an automatic disc changer. Enable VSS on the volume that holds user data. Teach users how to recover files from the daily backups. Add the Indexing Service role service to the server

Enable VSS on the volume that holds user data. EXPLANATION Using Volume Shadow Copy Services (VSS) to take regular shadow copies of the user data is the best choice for this scenario because it is easy to use and eliminates the need to load media and restore individual files. VSS lets users restore previous versions of files without performing backups or restores. Snapshots of files are taken automatically, allowing you to revert back to older versions of specific files. Teaching users to use Windows Server Backup is neither a recommended nor practical solution. When saving backups to DVD, you cannot restore individual folders or files. Indexing Service is an indexing solution that provides faster searching of files for clients and applications that use Indexing Service. REFERENCES LabSim for Server Pro 2016, Section 10.2.

You are the server administrator for the westsim.com domain. You have a server named FS12 that holds a shared folder named Reports. Within this folder, subfolders have been created for each company department. All company employees have read access to the shared folder. The board of directors uses a subfolder in the shared folder named BoardReports for their reports. They would like this subfolder to only be visible to members of the board of directors and specific people that they authorize to see the folder and its contents. What should you do? Share the BoardReports folder. Configure share and NTFS permissions on the new shared folder. Add the Windows Search Service role service to FS12. Enable indexing on the Reports folder; disable indexing on the BoardReports folder. Enable access-based enumeration on the shared folder. Configure NTFS permissions on the BoardReports folder to control access. Add the File Server Resource Manager (FSRM) role service to FS12. Configure share permissions on the BoardReports folder.

Enable access-based enumeration on the shared folder. Configure NTFS permissions on the BoardReports folder to control access. EXPLANATION Enable access-based enumeration on the shared folder. Access-based enumeration filters the files and folders within the share and only shows those items that the user has NTFS permissions to access. Configure NTFS permissions on the contents of the shared folder to remove the read permission from Everyone or the Users group so that users without explicit access will not see the subfolder. Sharing the subfolder as a new share will not prevent the folder from being visible within the Reports share. Use the Windows Search service to allow client computers to perform fast file searches on the server. REFERENCES LabSim for Server Pro 2016, Section 10.2.

The image shows the current scavenging settings for the eastsim.com domain. As you check records in the zone, you find several records that have not been updated for 16 days or longer. You need to make sure that records are automatically removed if they have not been updated in the last 14 days. What should you do? Increase the refresh interval setting. Decrease the refresh interval setting. Enable automatic scavenging on the zone. Decrease the no-refresh interval setting.

Enable automatic scavenging on the zone EXPLANATION Based on the current settings, records are being marked as stale after 14 days have elapsed. However, stale records are not being removed. To remove stale records, you must manually initiate scavenging or enable automatic scavenging on the zone. The no-refresh interval specifies a time period where updates to DNS records are not allowed. After this time period, the record can be updated for the period of time specified by the refresh interval. In this example, after seven days the record can be updated, and after an additional seven days (14 days total), the record is marked as stale and is a candidate for scavenging. Scavenging only removes stale records that have not been updated after the refresh interval has expired. Decreasing the no-refresh interval or the refresh interval values will decrease the period of time before a record is marked as stale, but will not automatically initiate scavenging. REFERENCES LabSim for Server Pro 2016, Section 9.4.

You are setting up a new network in a single location with a single domain named eastsim.com. You install a DHCP server and configure it with a scope for the single subnet. You install a DNS server with a primary zone for the domain. What should you do to use dynamic updates to update DNS records in the zone automatically? Enable dynamic updates on all client computers. Enable dynamic updates on the eastsim.com zone. Convert the eastsim.com zone to an Active Directory-integrated zone. Configure the DHCP server to update DNS records for all clients.

Enable dynamic updates on the eastsim.com zone. EXPLANATION By default, primary zones are configured not to accept dynamic updates. You need to modify the zone properties to allow dynamic updates. After you configure the zone for dynamic updates, the default configuration of the clients and the DHCP server will allow them to happen. The default configuration for dynamic updates is: - Primary zones are not configured for dynamic updates. - Active Directory-integrated zones are configured to allow only secure updates. However, converting an existing zone retains the dynamic update settings of the zone. - Windows clients are configured for dynamic updates. - DHCP servers are configured to submit reverse lookup information for hosts to which they assign addresses. - DHCP servers are configured to update host name records only if the client requests it. REFERENCES LabSim for Server Pro 2016, Section 9.3.

You are the network administrator for a single domain with three subnets. Two subnets have all Windows 10 computers. The conference room uses the third subnet. Traveling salesmen come to the conference room and plug in their laptops to gain network access. You have configured a DHCP server to deliver configuration information to hosts on this subnet. DNS is configured for dynamic updates. Over time, you notice that the size of the DNS database continues to grow. It is beginning to have an adverse effect on DNS server performance. What should you do? Clear the DNS cache on the server. Enable scavenging of stale resource records on the zone and the DNS server. Enable scavenging of stale resource records on the DNS server. Compact the DNS zone file. Enable scavenging of stale resource records on the zone.

Enable scavenging of stale resource records on the zone and the DNS server EXPLANATION If hosts who register their host name with DNS using dynamic updates do not shut down normally, the corresponding host record might not get removed from the DNS database. This particularly happens when the network has a large number of mobile computers. To remove old records, enable scavenging of stale records on the zone properties and on the DNS server properties. Clearing the cache only removes temporary records, not dynamically-created records. Decreasing the TTL makes records eligible for removal sooner, but scavenging would still be necessary to actually remove the records. REFERENCES LabSim for Server Pro 2016, Section 9.3.

Which of the following is a task that you are not able to perform with the Volume Shadow Copy service (VSS)? Compare a file with a previous version of that file. Recover a previous version of a modified file. Recover deleted files or folders. Enable shadow copies on specific folders or files.

Enable shadow copies on specific folders or files. EXPLANATION Shadow copies are enabled on a volume, not specific folders or files. You can use VSS to: - Recover deleted files or folders. - Compare a file with a previous version of that file. - Recover a previous version of a modified file. REFERENCES LabSim for Server Pro 2016, Section 10.2.

You are the owner of the D:\Reports folder. Judith needs to be able to see the files and subfolders in the D:\Reports folder. Dalton needs to be able to do these same things and also delete folders. You need to assign the necessary NTFS permissions to the D:\Reports folder. What should you do? Grant read and execute to each. Grant list folder contents to Judith and full control to Dalton. Grant read and execute to Judith and modify to Dalton. Grant modify to each.

Grant Read & Execute to Judith; Modify to Dalton. EXPLANATION Always assign the most restrictive permission that will still allow the user to do the job. Read and execute is the minimum permission required to traverse folders (move through a folder to a subfolder), and modify is the minimum permission required to delete folders. Granting read and execute to each would let Judith traverse folders, but would not let Dalton delete them. Granting modify to each would let Judith traverse folders and Dalton delete folders, but it would also allow Judith to delete folders. REFERENCES LabSim for Server Pro 2016, Section 10.1.

You want to prevent users in your domain from running a common game on their machines. This application does not have a digital signature. You want to prevent the game from running even if the executable file is moved or renamed. You decide to create an AppLocker rule to protect your computer. Which type of condition should you use in creating this rule? Application Identity Path Publisher Hash

Hash EXPLANATION Use the hash condition when creating this rule to restrict the application from running on domain computers. A hash is a series of bytes with a fixed length that uniquely identifies a file. A hash rule will apply regardless of the file name or location. The file would have to be modified to bypass the rule. You could use a path rule to restrict a program by file name or directory path, but the rule would not prevent the application from running if it were moved or renamed. You cannot use the publisher condition because there is no digital signature. Application identity is not a rule enforcement condition in AppLocker. REFERENCES LabSim for Server Pro 2016, Section 8.8.

Listed below are several DNS record types. Match the record type on the left with its function on the right. (Record types may be used once or not at all.) Drag A CNAME DNAME MX NS PTR SOA SRV Drop Identify a domain controller. Identify a mail server. Map a host name to an IPv4 address. Map an IPv4 address to a host name.

Identify a domain controller: SRV. Identify a mail server: MX. Map a host name to an IPv4 address: A. Map an IPv4 address to a host name: PTR. EXPLANATION Use DNS records as follows: - Use an SRV (service locator) record to identify servers that provide specific services, such as domain controllers. - Use an MX (mail exchange) record to identify email servers. - Use an A (host) record to map a host name to an IPv4 address. - Use a PTR (pointer) record to map an IP address to a host name. - Use a CNAME (alias) record to create alternate names for a host. The CNAME record points to the A (host) record. The CNAME record does not include the IP address of the host. - Use a DNAME (domain name redirection) record to create an alias for the entire domain. - Use an NS (name server) record to identify name servers that perform name resolution for the zone. - Use an SOA (start of authority) record to identify zone information, such as the serial number. REFERENCES LabSim for Server Pro 2016, Section 9.4.

You are a technical consultant for many businesses in your community. One of your clients, a small law firm, has a single Active Directory domain and two Windows servers. Both servers are configured as domain controllers while also serving as file and printer servers. This client is calling you on a regular basis because users are deleting or damaging their files. You must visit the client's site and restore the files from backup. Your client has asked you to create an alternate solution. What should you do? Mirror the system drive. Implement shadow copies on the relevant data. Enable incremental backups to a media other than tape. Train the users how to use the backup program.

Implement shadow copies on the relevant data. EXPLANATION Using shadow copies is the best choice for this scenario because it is easy to use and eliminates the need to load media and restore individual files. VSS lets users restore previous versions of files without performing backups or restores. Snapshots of files are taken automatically, allowing you to revert back to older versions of specific files. Backing up files to media other than tape is not a good solution because someone will still need to restore the individual files and use the backup program. Mirroring the system drive is also not a good option because the data is identical on each drive; this solution does not solve the problem. REFERENCES LabSim for Server Pro 2016, Section 10.2.

Your company's internal namespace is westsim.local. This domain has two additional child domains named support.westsim.local and research.westsim.local. Due to security concerns, your company's internal network is not connected to the Internet. Following are the DNS servers that you manage for your company: - Dns1, authoritative for . and westsim.local, IP address = 192.168.1.1 - Dns2, authoritative for support.westsim.local, IP address = 192.168.2.1 - Dns3, authoritative for research.westsim.local, IP address = 192.168.3.1 All internal DNS domains are Active Directory-integrated domains. You have configured Dns1 with appropriate delegation records for the child zones. How should you configure root hints for Dns2 and Dns3? Copy the Cache.dns file from Dns1 to Dns2 and Dns3. Edit the Cache.dns file on Dns1. Delete all entries in the file. In DNS Manager, edit the properties for Dns2 and Dns3. On the Root Hints tab, select the Copy from server option and specify 192.168.1.1 as the server to copy from. In DNS Manager, edit the properties for Dns2 and Dns3. On the Root Hints tab, remove all default root hints entries and then add an entry for Dns1.

In DNS Manager, edit the properties for Dns2 and Dns3. On the Root Hints tab, remove all default root hints entries and then add an entry for Dns1. EXPLANATION The Dns2 and Dns3 servers need a root hint to Dns1, which is an internal root zone server. You can configure root hints through the properties of a DNS server or by configuring the DNS server's Cache.dns file. Make sure to remove the default root hints entries to the Internet root servers. Copying root hints from another server adds to the existing root hints rather than replacing them. In addition, if you copied root hints from Dns1, Dns2 and Dns3 would have root hints to all root Internet servers. In this configuration, you want Dns2 and Dns3 to have a single root hint to Dns1. REFERENCES LabSim for Server Pro 2016, Section 9.2.

You are the network administrator of the westsim.com domain. You have several users in the Sales OU who use Windows laptop machines because they travel frequently. These laptops are all in the Computers OU along with the desktop computers used by other users in the Sales OU. The Computers OU is a child of the Sales OU. There is a service preference that needs to be applied to the laptops that does not need to be applied to desktop computers. You configure a Group Policy preference for this service that you want to apply to just the laptops. You link this Group Policy to the Computers OU. Click on the Group Policy preferences Common option setting you would use to configure the preference to apply only to the laptop computers in the Computers OU.

Item-level targeting EXPLANATION Item-level targeting is the option you would use to configure the service preference to apply only to the laptop computers in the Computers OU. You can use this option to target the preference only to portable computers. You can also use other criteria including, but not limited to, computer name, CPU speed, disk space, IP address range, language, operating system, and RAM. REFERENCES LabSim for Server Pro 2016, Section 8.9.

You've configured an NFS share on your Windows server to support Linux client systems already joined to your domain. Click the options in the NFS Advanced Sharing window you would use to allow these clients to connect to the share. (Select three.)

Kerberos v5 privacy and authentication [Krb5p] Kerberos v5 integrity and authentication [Krb5i] Kerberos v5 authentication [Krb5] EXPLANATION To allow Linux systems already joined to your domain to connect to an NFS share, select the three Kerberos authentication options. REFERENCES LabSim for Server Pro 2016, Section 10.4.

Your organization's IT department has developed a custom application that reports the host name of each client that tries to access three servers in the accounting department that store sensitive information. You do a random test and find that the program is not reporting the host names for some clients, even though it properly records their IP addresses. This is because the custom application submits reverse lookup requests to the DNS server to discover the host names for the specified IP addresses. As you investigate further, you learn that the clients whose host names could not be reported have static IP addresses and are on subnet 192.168.3.0. What should you do? Manually create an A record in the 3.168.192.in-addr.arpa zone for each host. Manually create a PTR record in the acct.westsim.com zone for each host. Manually create a PTR record in the 3.168.192.in-addr.arpa zone for each host. Manually create an A record in the acct.westsim.com zone for each host.

Manually create a PTR record in the 3.168.192.in-addr.arpa zone for each host. EXPLANATION In this example, the custom application cannot determine the host name for a given host because of a missing PTR record in the 3.168.192.in-addr.arpa reverse lookup zone. The application can find these records for other hosts because the DHCP server automatically creates the record when the IP address is assigned. Each of these hosts has a manually configured IP address, so the corresponding PTR records are not being created automatically. REFERENCES LabSim for Server Pro 2016, Section 9.4.

You have a folder on your Windows server that you would like to share with members of your development team. Users should be able to view and edit any file in the shared folder. You share the folder and give everyone full control permission to the shared folder. Users connect to the shared folder and report that they can open the files, but they cannot modify any of the files. What should you do? Create a group and make all user accounts members of the group. Grant full control share permissions to the group. Modify the NTFS permissions on the folder. Install Samba on your server and then configure permissions using Samba. Create new user accounts for each user and assign the necessary folder permissions.

Modify the NTFS permissions on the folder. EXPLANATION Access to shared folders on a Windows system is controlled through the combination of share and NTFS permissions. Even though the necessary share permissions have been granted, you need to verify that the NTFS permissions also allow access. Modifying users and groups will not affect the ability to access the files unless the NTFS permissions are also modified. Use Samba to share folders on a Linux system. REFERENCES LabSim for Server Pro 2016, Section 10.1.

You manage a Windows server. For the D:\Reports\Finances.xls file, you explicitly grant the Mary user account the Allow Modify NTFS permissions. You need to move the file from the existing folder to the D:\Confidential folder. You want to keep the existing NTFS permissions on the file. You want to accomplish this with the least amount of effort possible. What should you do? Copy the file to the new folder, run the icacls command, and then delete the original file. Move the file to the new folder. Copy the file to the new folder and then delete the original file. Run the icacls command and then delete the original file.

Move the file to the new folder. EXPLANATION When you move a file or folder to a different location on the same NTFS partition, NTFS permissions are retained. Copying the file removes any explicit permissions set on the file unless you use the xcopy or robocopy commands. Use the icacls command to configure NTFS permissions from the command prompt. While you could reconfigure the NTFS permissions after copying the file, that would require more effort than simply moving the file. REFERENCES LabSim for Server Pro 2016, Section 10.1.

Match each zone type on the left with the corresponding characteristics on the right. Each zone type may be used once, more than once, or not at all. Drag: Primary, Secondary, Active Directory-integrated. Drop: Multiple servers hold read-write copies of the zone data. The only writeable copy of the zone database. A read-only copy of the zone database. Initiates zone transfers. The replication scope specifies domain controllers that can receive a copy of zone data.

Multiple servers hold read-write copies of the zone data: Active Directory-integrated. The only writeable copy of the zone database: Primary. A read-only copy of the zone database: Secondary. Initiates zone transfers: Secondary. The replication scope specifies domain controllers that can receive a copy of zone data: Active Directory-integrated. EXPLANATION A primary zone contains the master copy of a zone database. - The primary zone is the only writeable copy of the zone database. - Changes to the zone can be made only to the primary zone database. - The server that holds the primary zone is called a primary server. A secondary zone is a read-only copy of the zone database. - Changes cannot be made to the records in a secondary zone. - A server that holds a secondary zone is called a secondary server. - Zone transfers are always initiated by the secondary zone. An Active Directory-integrated zone holds zone data in Active Directory. - Active Directory-integrated zones are multi-master zones, meaning that changes to the zone information can be made by multiple servers. Multiple servers hold read-write copies of the zone data. - Replication of zone data occurs during Active Directory replication. - Active Directory-integrated replication scopes allow you to specify the domain controllers that will have a copy of the zone data. REFERENCES LabSim for Server Pro 2016, Section 9.3.

You configured the IP address and DNS name of a new internal web server named WEB3. Your first test from a web browser on your workstation was successful. But when you came to work this morning, you were not able to access WEB3 from the same workstation using the same browser. You get an error that this site cannot be reached. You have not changed the server's IP configuration since the successful test of the night before. You ping WEB3 using its IP address, and you get a response back. Next, you ping WEB3 using its fully qualified domain name (FQDN), and you get a message indicating that the host could not be found. What can you assume from this message? Something is wrong with connectivity somewhere in the network infrastructure. Name resolution is not working properly. Something is wrong with your workstation's IP configuration. Something is wrong with WEB3's IP configuration.

Name resolution is not working properly. EXPLANATION You can assume that name resolution is not working properly, which could be caused by: An incorrectly configured DNS server address. An unreachable DNS server. A misconfigured DNS server. A DNS server that is no longer functioning. A firewall issue that is blocking DNS traffic. A routing issue that is preventing requests from reaching the DNS server. The initially successful ping test using the web server's IP address would eliminate the possibility that there are problems with your server or your workstation IP configuration. It would also eliminate the possibility that there is something wrong with the network infrastructure. REFERENCES LabSim for Server Pro 2016, Section 9.5.

You are the network administrator of the westsim.com domain. You have several users who use Windows laptop machines because they travel frequently. When they are on the road, they need to use a VPN connection to access network resources in the domain. Click on the Group Policy preferences Control Panel setting you would use to configure these laptops with the correct VPN connection settings.

Network Options EXPLANATION In the Group Policy preferences Control Panel settings, you would select Network Options if you wanted to configure all your users' laptops with the correct VPN connection settings. REFERENCES LabSim for Server Pro 2016, Section 8.9.

You've configured an NFS share on your Windows Server to support Linux client systems that are not joined to your domain. Click the option in the NFS Advanced Sharing window you would use to allow these clients to use anonymous access when connecting to the share.

No server authentication [Auth_SYS] EXPLANATION To allow Linux systems that are not joined to your domain to connect to the share, you must allow anonymous access by selecting the No server authentication option. REFERENCES LabSim for Server Pro 2016, Section 10.4.

Your company's Internet namespace is westsim.com, and your company's internal namespace is internal.westsim.com. Your network has two DNS servers, DNS1 and DNS2. DNS1 is configured with a root zone and is authoritative for the internal.westsim.com domain. DNS2 is authoritative for the westsim.com domain. All client computers are members of the internal.westsim.com domain and are configured to use DNS1 as the primary DNS server. Client computers on your internal network cannot resolve Internet DNS names. You verify that client computers can resolve internal DNS names successfully. You also verify that the internal DNS server is configured to forward all unresolvable DNS names to the company's Internet DNS server. You must keep your internal network as secure as possible while making sure that all client computers can resolve Internet DNS names successfully. What should you do? On an Active Directory domain controller, perform an authoritative restore of the root hints data. Then trigger the Update Server Data Files action on DNS1. On DNS2, copy the Cache.dns file from the DNS\Backup folder to the DNS folder. On DNS1, delete the . zone. On DNS1, copy the Cache.dns file from the DNS\Backup folder to the DNS folder. On DNS1, add root hints to Internet root DNS servers.

On DNS1, delete the . zone. EXPLANATION In this scenario, you need to delete the . zone on DNS1. A server with a root zone considers itself authoritative. Such a DNS server will not forward DNS queries (unless they are conditionally forwarded), and it will not use root hints to contact other DNS root servers. If a server is configured with a root zone, the root hints are not used. You cannot edit root hints in the DNS snap-in if the server hosts a root zone. REFERENCES LabSim for Server Pro 2016, Section 9.2.

Your network has a single domain named southsim.com. DNS data for the domain is stored on the following servers: - DNS1 holds the primary zone for southsim.com. - DNS2 and DNS3 hold secondary zones for southsim.com. All three DNS servers are located on domain controllers. The DNS zone for the domain is configured to allow dynamic updates. You want to allow client computers to send DNS updates to any of the three servers and allow any of the three servers to update DNS records in the zone. What should you do? On the primary zone, change the Dynamic Update option to allow only secure updates. On all three servers, change the zone type of the DNS zone to Active Directory-integrated. On the primary zone, change the settings to allow zone transfer to only the two secondary servers. On the primary zone, change the settings so that the two secondary servers are notified when the zone is updated.

On all three servers, change the zone type of the DNS zone to Active Directory-integrated. EXPLANATION In the current configuration, only the DNS1 server has a writeable copy of the zone database. To allow any DNS server to accept updates and make changes, convert all zones to Active Directory-integrated zones. Active Directory-integrated zones support multi-master updates (updates originating at any domain controller in the domain). Notifying secondary servers of zone changes reduces the time delay in updating the copy of the zone file stored on the secondary servers. Allowing zone transfers to only listed servers improves security by preventing unidentified servers from getting a copy of the zone information. Allowing only secure updates is only possible on an Active Directory-integrated zone. None of these options by themselves allow multiple servers to update the zone database. REFERENCES LabSim for Server Pro 2016, Section 9.3.

You are the DNS manager for the eastsim.com domain. You have a domain controller named DC1 that holds an Active Directory-integrated zone for the eastsim.com zone. Users have complained about multiple DNS name resolution errors. You have examined the configuration, but can't see anything wrong. To help identify the problem, you would like to track the DNS packets sent and received by the server. You would also like to filter by IP address. What should you do? On the DNS server, enable automatic scavenging. On the DNS server, enable debug logging. On the DNS server, configure the server for multibyte (UTF8) name checking. On the DNS server, enable event logging.

On the DNS server, enable debug logging. EXPLANATION Use debug logging on the DNS server to log packets based on direction (incoming or outgoing), transport protocol (UDP or TCP), packet type (request or response), or IP address. Debug information is saved to a file. Use event logging to log errors, warnings, and other events generated by the DNS server. Use scavenging to automatically remove outdated records from the database. REFERENCES LabSim for Server Pro 2016, Section 9.4.

You are the administrator for the corp.westsim.com domain. The network has two child domains, acct.corp.westsim.com and sales.corp.westsim.com. You need to configure DNS name resolution properties on the Srv2.sales.corp.westsim.com server. When an unqualified name is submitted for name resolution, you want the server to search using the following suffixes: - sales.corp.westsim.com - corp.westsim.com - westsim.com You want to configure the solution with the least amount of effort possible. What should you do? On the DNS tab, configure custom search suffixes of sales.corp.westsim.com, corp.westsim.com, and westsim.com. On the DNS tab, configure a connection-specific DNS suffix of sales.corp.westsim.com. Select Append parent suffixes of the primary and connection-specific DNS suffixes. On the DNS tab, configure custom DNS suffixes for corp.westsim.com and westsim.com. On the DNS tab, select Append parent suffixes of the primary DNS suffix.

On the DNS tab, select Append parent suffixes of the primary DNS suffix. EXPLANATION All that is required in this situation is to select the Append parent suffixes of the primary DNS suffix option. The primary suffix for the computer is sales.corp.westsim.com. By enabling parent suffixes, the computer will search all parent domains of the primary suffix in order (removing a domain for each subsequent search). Configuring custom search suffixes for sales.corp.westsim.com, corp.westsim.com, and westsim.com would work, but would require more effort than just enabling the parent suffixes. Configuring custom suffixes for corp.westsim.com and westsim.com would not work because when custom suffixes are used, neither the primary nor the connection-specific suffix is used. This would mean that sales.corp.westsim.com would never get searched. Configuring a connection suffix for sales.corp.westsim.com and enabling parent suffixes would work, but involves an unnecessary step because the computer already uses sales.corp.westsim.com as the primary suffix. REFERENCES LabSim for Server Pro 2016, Section 9.2.

Your company has an Internet domain of westsim.com. Your internal network has three Active Directory domains named westsim.local, support.westsim.local, and research.westsim.local. You install a server named SL-SRV1 as a member of the westsim.local domain. You configure SL-SRV1 with a static IP address of 192.168.0.23. You configure the server to dynamically register its DNS name. Clients in the support.westsim.local domain need to access the SL-SRV1 server. Some users in the support.westsim.local domain are accustomed to using the support.westsim.local suffix when accessing network resources. To accommodate these users, you want to dynamically register the name SL-SRV1.support.westsim.local in addition to the SL-SRV1.westsim.local name in DNS. What should you do? On the SL-SRV1 server, edit the advanced TCP/IP properties of the server's local area connection. Add a connection-specific suffix of support.westsim.local. Apply the changes and then run ipconfig /registerdns. On the SL-SRV1 server, edit the system properties. On the Computer Name tab, add support.westsim.local as a new DNS suffix. Apply the changes and then run ipconfig /registerdns. Configure the SL-SRV1 server to use DHCP. Then configure the network's DHCP server(s) to always update A and PTR records of DHCP clients. On the primary DNS server used by the SL-SRV1 server, create an alias record for SL-SRV1.support.westsim.local. Then, on SL-SRV1, run ipconfig /registerdns. On the SL-SRV1 server, edit the TCP/IP properties of the server's local area connection. Define an alternate configuration. Apply the changes and then run ipconfig /registerdns.

On the SL-SRV1 server, edit the advanced TCP/IP properties of the server's local area connection. Add a connection-specific suffix of support.westsim.local. Apply the changes and then run ipconfig /registerdns. EXPLANATION On the SL-SRV1 server, edit the advanced TCP/IP properties of the server's local area connection. Add a connection-specific suffix of support.westsim.local. Apply the changes and then run ipconfig /registerdns. In addition to the primary DNS suffix, the server's name using the connection-specific suffix will also be registered in DNS. The scenario indicates that the server is already configured to use dynamic registration, so Register this connection's addresses in DNS should already be enabled. Otherwise, you should enable it. You cannot add a DNS suffix by changing the computer's name using system properties or by creating an alternate TCP/IP configuration. Configuring the DHCP server to always update the A and PTR records of DHCP clients is another method for configuring dynamic DNS updates. However, the computer must first be configured with the appropriate name. Creating an alias record will also not configure dynamic DNS registration. REFERENCES LabSim for Server Pro 2016, Section 9.2.

You manage the DNS servers that are authoritative for the private.westsim.com zone. Two servers are authoritative for the zone. DNS1 hosts the primary DNS zone, and DNS2 holds a secondary copy of the zone. You have just manually created an A resource record for a new web server on your network that is configured with a static IP address. From your workstation, you open a browser and try to connect to the new web server. You get an error message stating that the web site is not found. You run ipconfig /all and find that your workstation is correctly configured to use the DNS1 server as its preferred DNS server. But, as you continue to troubleshoot the problem, you discover that you incorrectly typed the server's IP address while creating its A resource record. You correct the IP address in the A record and retry connecting to the web site. However, you get the same error on your workstation. What should you do? On DNS1, edit the zone properties and add DNS2 to the notify list. On DNS2, right-click the zone and select Reload from Master. On your computer, run ipconfig /flushdns. On DNS1, edit the zone properties and add DNS2 as a listed name server. On DNS1, right-click the zone and select Reload.

On your computer, run ipconfig /flushdns. EXPLANATION To correct the problem, run ipconfig /flushdns on your computer. When you originally tried name resolution, your computer got the incorrect IP address information from the A record. After updating the A record, your computer still holds the incorrect IP address in its DNS cache, so it continues to use that address. Because your computer is configured to use DNS1, configuring replication from DNS1 to DNS2 would not correct the problem. Reloading the zone on DNS1 would have no effect because changes are automatically loaded from the zone database file as you make those changes using the DNS console. REFERENCES LabSim for Server Pro 2016, Section 9.5.

You configured the IP address and DNS name of a new internal web server named WEB3. Your first test from a web browser on your workstation was successful. But when you came to work this morning, you were not able to access WEB3 from the same workstation using the same browser. You get an error message stating that this site cannot be reached. You have not changed the server's IP configuration since the successful test the night before. Which troubleshooting step should you try first to discover what the problem might be? Ping WEB3 using its fully qualified domain name (FQDN). Ping WEB3 using its IP address. Display your local DNS cache with the ipconfig /displaydns command. Clear your local DNS cache with the ipconfig /flushdns command.

Ping WEB3 using its IP address. EXPLANATION You should start by pinging WEB3 using its IP address. This tests the physical connection between your workstation and the server, as well as the IP configuration of the server. - If you get a response back, then you know basic network connectivity exists and the destination host is reachable. - If you do not get a response, then you know something is wrong with the host's IP configuration or the network infrastructure itself. After eliminating the possibility of connectivity issues, you can ping WEB3's FQDN to see if the DNS configuration is working properly. Your local DNS cache is probably not the issue since your first attempt to connect to WEB3 was successful and you haven't changed this server's IP address in the meantime. REFERENCES LabSim for Server Pro 2016, Section 9.5.

You have a folder on your Windows server that you would like members of your development team to access. You want to restrict network and local access to only specific users. All other users must not be able to view or modify the files in the folder. What should you do? (Select two. Each choice is a required part of the solution.) Configure share permissions. Configure both share and NTFS permissions. Place the files on an NTFS partition. Place the files on a FAT32 partition. Configure NTFS permissions.

Place files on an NTFS partition. Configure both share and NTFS permissions. EXPLANATION To control both local and network access, you will need to use both NTFS and share permissions. The folder must be located on an NTFS partition to be able to configure NTFS permissions. Configuring only NTFS permissions will not allow network access. Configuring only shared permissions with the files on a FAT32 partition will not control local access. REFERENCES LabSim for Server Pro 2016, Section 10.1.

Listed below are several DNS record types. Drag the record type on the left to the appropriate function on the right. Drag: A, CNAME, MX, PTR, AAAA. Drop: Provides alternate names to hosts that already have a host record. Points an IP address to a host name. Points a host name to an IPv6 address. Points a host name to an IPv4 address. Identifies servers that can be used to deliver mail.

Provides alternate names to hosts that already have a host record: CNAME. Points an IP address to a host name: PTR. Points a host name to an IPv6 address: AAAA. Points a host name to an IPv4 address: A. Identifies servers that can be used to deliver mail: MX. EXPLANATION Records are used to store entries for host names, IP addresses, and other information in the zone database. Below are some common DNS record types: - The A record maps a DNS host name to an IPv4 (32-bit) address. This is the most common resource record type. - The AAAA record maps a DNS host name to an IPv6 (128-bit) address. - The PTR record maps an IP address to a host name (it "points" to an A record). - The MX record identifies servers that can be used to deliver email. - The CNAME record provides alternate names (or aliases) to hosts that already have a host record. Using a single A record with multiple CNAME records means that when the IP address changes, only the A record needs to be modified. REFERENCES LabSim for Server Pro 2016, Section 9.1.

SRV02 holds a shared folder named Forecast for the Managers group. Maria is a member of the Managers group. You would like to grant the Managers group full control to the folder named Forecast, but limit Maria's access to read only. You have added the Managers group to the access list for the Forecast folder and granted Full Control access. You now need to limit Maria's access to the folder. What should you do? (Choose two. Each choice is a complete solution.) Remove Maria's account from the Managers group and grant change access. Add Maria's account to the Forecast share. Grant change access and deny full control. Add Maria's account to the Forecast share. Grant read access and deny full control. Add Maria to the NTFS permissions for the folder. Grant read access. Remove Maria's account from the Managers group and grant read access.

Remove Maria's account from the Managers group and grant read access. Add Maria to the NTFS permissions for the folder. Grant read access. EXPLANATION Add Maria's account to the NTFS permissions for the folder and grant read access. When NTFS and share permissions are used, the more restrictive of the two are the effective permissions. Alternatively, you could remove Maria from the group and grant her read share permissions. However, you would need to be careful that you were not affecting any other permissions by removing her from the group. If you granted Maria read permissions to the share and denied full control permissions, the deny on the folder would deny all permissions. REFERENCES LabSim for Server Pro 2016, Section 10.1.

You need to control access to the D:\Reports folder as follows: - Members of the Accounting group should be able to open and view all files, edit them, add new files, and rename and delete files. - Mary needs to be able to open and view files, but should not be able to modify the files, rename files, or delete them. Mary is a member of the Accounting group. You want to assign NTFS permissions taking the least amount of actions possible and affecting existing permissions as little as possible. What should you do? Remove Mary from the Accounting group. Assign allow read and execute, list folder contents, read, and write to the Accounting group. Assign allow read and execute, list folder contents, and read to Mary. Remove Mary from the Accounting group. Assign allow read and execute, list folder contents, read, and modify to the Accounting group. Assign allow read and execute, list folder contents, and read to Mary. Assign allow read and execute, list folder contents, read, and write to the Accounting group. For the Mary user account, deny the write permission. Assign allow read and execute, list folder contents, read, and modify to the Accounting group. For the Mary user account, deny the modify permission.

Remove Mary from the Accounting group. Assign allow read and execute, list folder contents, read, and modify to the Accounting group. Assign allow read and execute, list folder contents, and read to Mary. EXPLANATION Assign Allow Read & execute, List folder contents, Read, and Modify to the Accounting group to allow group members to open, edit, add, rename, and delete files in the directory. As a member of the Accounting group, Mary receives the same permissions to the folder as the group. To prevent Mary from receiving the Modify permission, you will need to remove Mary from the group and grant her the necessary permissions. You cannot deny Mary the Modify permission, as this would also deny her other permissions (such as Read). When you deny the Write permission, only the Write permission is denied, but denying the Modify permission also denies all other permissions. REFERENCES LabSim for Server Pro 2016, Section 10.1.

You have a Windows server that is maintained by multiple administrators. Sally wants to access a file in the Reports folder. A group named Sales has been granted the full control permission to the Reports folder and all subfolders and files. You add Sally as a member of the Sales group, but she still cannot access the file that she needs. You want to let Sally access the Reports folder. What should you do? Remove Sally from any other groups that have been explicitly denied access to the Reports folder. Remove Sally from the Sales group and then add her to the Sales group again. Create a new group, give it rights to the Reports folder, and then add Sally to the group. Delete and recreate Sally's user account on the local computer.

Remove Sally from any other groups that have been explicitly denied access to the Reports folder. EXPLANATION If a user is a member of a group that has permission to access a folder but still cannot access the folder, the user could be explicitly denied access to the folder by virtue of membership in another group. REFERENCES LabSim for Server Pro 2016, Section 10.1.

You share a folder named Public and configure the following permissions. Share Permissions NTFS Permissions Everyone = Full Control Administrators = Full Control Sales = Modify Assistants = Deny Modify You receive a phone call from Sally, a member of the Sales group and Assistants group, claiming that she cannot save a file to the Public shared folder. You want to make sure that members of the Sales group (who are not members of the Assistants group) can save new files to the Public shared folder and access, update, and delete existing files in the Public share. You want to continue to ensure that members of the Assistants group cannot modify files in the Public shared folder even if they are members of the Sales group. However, you also want to let Sally update files in the Public share. What should you do? Grant the Sales group the allow full control NTFS permission. Remove the Assistants group from the access control list. Remove Sally from the Assistants group. Grant the Sales group the allow write NTFS permission. Grant the Sales group the allow modify NTFS permission. Tell Sally to log off and back on. Grant the Sales group the allow change shared folder permission.

Remove Sally from the Assistants group. EXPLANATION Deny permissions override allow permissions. Even though Sally is allowed to modify the contents of the folder through her membership in the Sales group, she cannot modify the contents of the folder because she is denied permissions through her membership in the Assistants group. One solution is to remove Sally from the Assistants group. Removing the Assistants group from the access control list would let all assistants who are also members of the Sales group modify the contents of the folder. REFERENCES LabSim for Server Pro 2016, Section 10.5.

You have decided to create a shared folder that will contain sensitive information about planned changes in the personnel structure. Most users will be denied access to the share, which is named REORG. You have successfully created the share and set appropriate permissions. However, management feels the effect of having this share on the server, which denies access to most users, is damaging morale. You need to keep the information available to the users who currently access it. What can you do to avoid having the REORG share listed when users view shares on the network? Remove the REORG share. Share the folder again as REORG$ with the same permissions as before. Encrypt the contents of the reorganization share. Rename the share as REORG$. Rename the folder as REORG$. Add the hidden attribute to the folder.

Remove the REORG share. Share the folder again as REORG$ with the same permissions as before. EXPLANATION A share name that ends with a dollar sign ($) is a hidden share and will not be displayed when users browse the network. However, shares can't be renamed, so the old share must be removed and a new hidden share must be created. Changing the properties of the folder won't change the properties of the share (except that changing the name or location of the folder will cause it to not be shared), so renaming the folder doesn't do what we want, and adding the hidden attribute doesn't, either. Encrypting the folder adds additional security to the files, but won't help hide the share. REFERENCES LabSim for Server Pro 2016, Section 10.3.

Mr. Yamashita needs to be able to modify the contents of the Promo share, a shared folder on one of your Windows servers. The share has been assigned the following permissions (user/group: permission):
- Telesales global group: Allow read
- Training global group: Deny full control
- Managers global group: Allow change
- Mr. Yamashita user: Allow change
Mr. Yamashita is a member of each of these groups. How should you modify the share permissions to allow the necessary access? (Choose three. Each choice is a complete solution.) Change the permission for Mr. Yamashita's user account to allow full control. Remove Mr. Yamashita's user account from the Managers group. Change the Training group's permission to allow Read. Add Mr. Yamashita's user account to the Administrators group. Remove the Training group from the share. Remove Mr. Yamashita's user account from the Telesales group. Remove Mr. Yamashita's user account from the Training group.

Remove the Training group from the share. Remove Mr. Yamashita's user account from the Training group. Change the Training group's permission to allow Read. EXPLANATION The deny full control permission on the Training group prevents all of its members from accessing the share. Because Mr. Yamashita is a member of that group, he will be blocked. If you remove the Training group from the share's permission list, the Deny permission will no longer apply to anyone, and Mr. Yamashita can access the share using the remaining permissions. If you remove his account from the group, the permission will no longer apply to Mr. Yamashita, and he can access the share using the remaining permissions. If you change the permission for the Training group to allow read, he can use the remaining permissions to access the share. Removing Mr. Yamashita's user account from the other groups suggested will have no effect, nor will adding him to the Administrators group. REFERENCES LabSim for Server Pro 2016, Section 10.3.

You are the network administrator for Corpnet.com. A small group of software developers in your organization have to use Linux workstations. You are creating a share for these Linux users on your file server, which is named File1. Which feature must be installed on the Windows server to accomplish this? Client for NFS Active Directory Certificate Services Server for NFS BranchCache

Server for NFS EXPLANATION The Server for NFS role allows a Windows server to function as an NFS server. Once added to the Windows server, UNIX/Linux clients can mount NFS shares on the server. The Client for NFS feature allows a Windows system to function as an NFS client. Once added, Windows can mount NFS shares exported on a UNIX/Linux server. BranchCache is a WAN bandwidth optimization technology that copies content from main office servers and caches it at branch office locations, allowing client computers at branch offices to access the content locally rather than over the WAN. Active Directory Certificate Services is a server role that allows you to build a public key infrastructure (PKI) and provide public key cryptography, digital certificates, and digital signature capabilities for your organization. REFERENCES LabSim for Server Pro 2016, Section 10.4.

You are the network administrator of the westsim.com domain. You have several users who use Windows laptop machines because they travel frequently. These users have very sensitive information on their laptops, so you have been asked to take additional security measures with these machines. You install smart card readers on each laptop so that no one can access a lost or stolen laptop unless they also have the smart card. Click on the Group Policy preferences Control Panel setting you would use to configure these laptops so the Smart Card Reader service starts when the laptop is powered on.

Services EXPLANATION In the Group Policy preferences Control Panel settings, you would select Services if you wanted to configure all your users' laptops to start the Smart Card Reader service when they are powered on. REFERENCES LabSim for Server Pro 2016, Section 8.9.

Sally is an employee in the sales department. Important documents are stored in the D:\SalesDocs folder on a Windows server. Sally is a member of the Domain Users and Sales groups. The SalesDocs folder has been shared, and the following permissions are currently assigned to the SalesDocs folder:
- NTFS Permissions: Domain Users = Allow-Read, Sales = Allow-Modify
- Share Permissions: Domain Users = Allow-Read, Sales = Allow-Change
Sally needs to read and modify all files in the SalesDocs folder except StyleGuide.doc. Sally should be able to read StyleGuide.doc, but not modify it. What should you do? Remove Sally from the Sales group. Disable permissions inheritance on StyleGuide.doc. Set Sally's NTFS permission for StyleGuide.doc to deny write. Configure StyleGuide.doc to be a hidden file. Configure StyleGuide.doc to be a system file.

Set Sally's NTFS permission for StyleGuide.doc to deny write. EXPLANATION The best way to prevent Sally from modifying StyleGuide.doc without preventing authorized users from modifying it is to configure the NTFS permission for StyleGuide.doc to deny write for Sally. Removing Sally from the Sales group would no longer let Sally edit other documents in the SalesDocs folder. REFERENCES LabSim for Server Pro 2016, Section 10.5.

The image shows the current scavenging settings for the eastsim.com zone. Automatic scavenging has been configured on the zone to run every hour. You want to modify the existing settings so that DNS records are deleted within 10 days after they have not been refreshed. What should you do? Set the refresh interval to 3. Set the refresh interval to 10. Set the no-refresh interval to 10. Set the no-refresh interval to 1 and the refresh interval to 10.

Set the refresh interval to 3 EXPLANATION To configure the server so that resource records are deleted after they have not been refreshed for 10 days, change the no-refresh interval and the refresh interval so that the combined value is 10 days. In this scenario, the only valid option is to modify the refresh interval to three. The no-refresh interval identifies the period of time that a record is considered valid. When the no-refresh interval expires, the record can be updated. After the refresh interval expires, the record is considered stale and can be scavenged (removed). Note: The refresh interval should be longer than the refresh interval for individual records. By decreasing this value to three, you might need to decrease the refresh interval of individual records in the zone so they are updated within the refresh interval for the zone. REFERENCES LabSim for Server Pro 2016, Section 9.4.

SRV03 is a Windows server that holds the SalesDept folder. This folder contains documents specific to the sales department. You create two user groups: - The Sales group includes all members of the sales department. - The SalesAdmin group includes about ten members of the sales department who manage sales-related documents. You want the Sales group to have read only access to the content in the SalesDept folder. Members of the SalesAdmin group should have all permissions to the folder. No other users should have access. All access will be through the network. You want to assign as few permissions as possible. What should you do? Share the SalesDept folder. Grant read permissions to the Sales group and full control permissions to the SalesAdmin group. Share the SalesDept folder. Grant full control permission to the SalesAdmin group. Share the SalesDept folder. Grant full control permissions to the SalesAdmin group. Remove the Everyone group. Share the SalesDept folder. Grant read permissions to the Sales group. Remove the Everyone group. Share the SalesDept folder. Grant read permissions to the Sales group and full control permissions to the SalesAdmin group. Remove the Everyone group.

Share the SalesDept folder. Grant read permissions to the Sales group and full control permissions to the SalesAdmin group. Remove the Everyone group. EXPLANATION Share the SalesDept folder and grant read permissions to the Sales group and full control permission to the SalesAdmin group. Remove the Everyone group. You must remove the Everyone group to prevent everyone else from accessing the share because Everyone has read permissions by default. REFERENCES LabSim for Server Pro 2016, Section 10.3.

Your Windows server has a folder named D:\SalesDept. The D: drive is formatted with FAT32. You need to allow network access to the folder as follows: - Members of the Sales group should have read-only access to the content in the folder. - Members of the SalesAdmin group should be able to open, edit, and add new files to the folder. - No other users should have access. Members of the SalesAdmin group are also members of the Sales group. What can you do to configure the needed access while assigning as few permissions as possible? Share the SalesDept folder. Grant the read permission to the Sales group and the change permission to the SalesAdmin group. Share the SalesDept folder. Grant the read permission to the Sales group and the change permission to the SalesAdmin group. Remove Everyone from the access control list. Share the SalesDept folder. Grant the read permission to the Sales group and the full control permission to the SalesAdmin group. Remove Everyone from the access control list. Share the SalesDept folder. Grant the read permission to the Sales group and the full control permission to the SalesAdmin group.

Share the SalesDept folder. Grant the read permission to the Sales group and the change permission to the SalesAdmin group. Remove Everyone from the access control list. EXPLANATION Share the SalesDept folder and grant the read permission to the Sales group and the change permission to the SalesAdmin group. Remove Everyone from the access control list. You must remove Everyone to prevent everyone else from accessing the share (by default, Everyone has read permissions). Granting the full control permission to the SalesAdmin group would grant too many permissions, allowing users to modify permissions on the shared folder. REFERENCES LabSim for Server Pro 2016, Section 10.3.

Sally, a member of the sales department, is borrowing a laptop computer from her supervisor to do some work from home in the evenings. Sally contacts you and indicates that she cannot access the C:\Reports folder on the laptop. This folder contains documents that she needs to edit. You log on to the laptop as a domain administrator to check the folder's access control list. You are denied access to view the permissions. You contact Sally's supervisor to verify that Sally should receive access to the folder. Sally's supervisor indicates that Sally should be able to read, change, and delete documents in the folder, but that only the supervisor should be able to configure permissions. You need to grant Sally appropriate permissions to the C:\Reports folder. What should you do? (Choose two. Each correct choice is part of the solution.) Grant Sally the allow modify permission to the C:\Reports folder. Instruct Sally to take ownership of the C:\Reports folder. Grant your user account allow full control permission to the C:\Reports folder. Give Sally ownership to the C:\Reports folder. Grant Sally the allow full control permission to the C:\Reports folder. Take ownership of the C:\Reports folder.

Take ownership of the C:\Reports folder. Grant Sally the Allow Modify permission to the C:\Reports folder EXPLANATION It appears that Sally's supervisor has removed the default permissions that allow administrators full control to the C:\Reports folder. To change permissions for the folder, you first need to take ownership. You should then grant Sally the permissions she needs, but no more than she needs. In this case, she needs the allow modify permission. Giving Sally ownership over the folder would allow her to modify the permissions and could result in her having too many permissions to its contents. Granting Sally allow full control would give her too many permissions. REFERENCES LabSim for Server Pro 2016, Section 10.1.

An employee has quit under difficult circumstances. Unfortunately, the user had several files that are needed, and before the employee left, they assigned deny full control permission to domain users to all the files and folders. All users, including you, are now blocked from accessing these important files. You need to make these files available as quickly as possible. What should you do? Log on as an administrator and change the permission on the files. Restore the volume from backup and specify full control for everyone permissions on the restored files. Take ownership of the files and change the permissions. Log on as a local user with administrative authority. Local users are not members of the Domain Users group by default.

Take ownership of the files and change the permissions. EXPLANATION The owner of a file can always change the NTFS permissions, even when specifically denied access to the file itself. The Administrators group has the take ownership permission, which allows you to become the owner of the affected files, and from there, change the permissions. Simply logging on as Administrator will not allow you to change the permissions because Administrator is a member of Domain Users. Restoring from backup will allow you to remove the existing permissions, but is not the fastest way to do so. REFERENCES LabSim for Server Pro 2016, Section 10.1.

You manage a single domain running Windows Server. You have configured a restricted Group Policy as shown in the image. When this policy is applied, which action will occur? The Desktop Admins group will be made a member of the Backup Operators group. The Backup Operators group will be made a member of the Desktop Admins group. A new group called Desktop Admins will be created. Any other members of the Backup Operators group will be removed. Any other members of the Desktop Admins group will be removed.

The Backup Operators group will be made a member of the Desktop Admins group. EXPLANATION Use This group is a member of to define one or more groups that the restricted group is to become a member of. Use this option to define membership in a restricted group by adding groups. It does not remove any members from the group. As a result, this option is the preferred method for defining membership in a restricted group. REFERENCES LabSim for Server Pro 2016, Section 8.7.

The Domain Name service is made up of several components. Drag each component on the left to its appropriate description on the right. (Each component may be used once, more than once, or not at all.) Drag . (dot) domain Top-level domain (TLD) Fully qualified domain name (FQDN) Host name Records Authoritative server Drop The last part of a domain name (.com, .edu, .gov). Used to store entries for host names, IP addresses, and other information in the zone database. Also called the root domain, it denotes a fully qualified, unambiguous domain name. A DNS server that has a full and complete copy of all the records for a particular domain. Maps a DNS host name to an IPv4 (32-bit) address. Includes the host name and all domain names separated by periods.

- The last part of a domain name (.com, .edu, .gov): Top-level domain (TLD)
- Used to store entries for host names, IP addresses, and other information in the zone database: Records
- Also called the root domain, it denotes a fully qualified, unambiguous domain name: . (dot) domain
- A DNS server that has a full and complete copy of all the records for a particular domain: Authoritative server
- Maps a DNS host name to an IPv4 (32-bit) address: Records
- Includes the host name and all domain names separated by periods: Fully qualified domain name (FQDN)
EXPLANATION The Domain Name Service includes, but is not limited to, the following components:
- . (dot) domain: also called the root domain, it denotes a fully qualified unambiguous domain name.
- Top-level domain (TLD): the last part of a domain name (.com, .edu, .gov).
- Fully qualified domain name (FQDN): includes the host name and all domain names separated by periods.
- Host name: the part of a domain name that represents a specific host.
- Records: used to store entries for host names, IP addresses, and other information in the zone database. For example, an A record maps a DNS hostname to an IPv4 (32-bit) address. This is the most common resource record type.
- Authoritative server: a DNS server that has a full and complete copy of all the records for a particular domain.
REFERENCES LabSim for Server Pro 2016, Section 9.1.

You are the network administrator for westsim.com. The network consists of a single domain. The company has a file server named FS1 that hosts a share named SalesData for the sales department. You need to configure the SalesData share so that users will be allowed to view only the files and folders to which they have rights. What should you do? Create an additional share point named SalesData2 for the SalesData share and assign the deny-read share permission on the new share to the users who need limited access. Use File Server Resource Manager (FSRM) to enable Access-based Enumeration (ABE) on the SalesData share. Use the Disk Management console to create a new NTFS partition and then move the SalesData share to the new partition. Use the Shares panel in Server Manager to enable Access-based Enumeration (ABE) on the SalesData share.

Use the Shares panel in Server Manager to enable Access Based Enumeration (ABE) on the SalesData share. EXPLANATION You should use the Shares panel in Server Manager to enable Access-based Enumeration (ABE) on the SalesData share. Access-based Enumeration (ABE) is a feature that allows file servers to list only the files and folders to which users have access when browsing content on the file server. It is enabled using the Shares panel in Server Manager, which is enabled when you add the File Server Role service. You would use File Server Resource Manager (FSRM) to enable advanced disk quotas, such as quotas that affect a particular path on the file server or that have multiple warning levels. This utility can also provide storage reports and support for file screens, which allow administrators to regulate which file extensions are allowed to be saved on the server. You would only need to move the share to a new partition if you were running out of space on the old partition. Since users access files across the network and ABE is not enabled on a volume basis, there is no real reason to relocate the share. Creating an additional share point is generally done when you wish to apply multiple sets of share permissions to a single share. Users will be subject to the share permissions set on the share name they use to access the share. In general, it is considered best practice to leave the share permissions open and regulate user rights using NTFS permissions. REFERENCES LabSim for Server Pro 2016, Section 10.2.

Your Windows Server has two volumes, C: and D:. For the D:\Reports\Finances.xls file, you explicitly grant the Mary user account the allow modify NTFS permission. You need to move the file from the existing folder to the C:\Reports2 folder. You want to keep the existing NTFS permissions on the file. You want to accomplish this with the least amount of effort possible. What should you do? Using Windows Explorer, copy the file to the C:\Reports2 folder. Use the robocopy command to copy the file to the C:\Reports2 folder. Using Windows Explorer, move the file to the C:\Reports2 folder. Reconfigure the NTFS permissions on the file. Using Windows Explorer, move the file to the C:\Reports2 folder.

Use the robocopy command to copy the file to the C:\Reports2 folder. EXPLANATION If you copy or move a file to a different NTFS partition, the explicit permissions will be removed. Use the robocopy or xcopy command line utilities to copy files while maintaining the NTFS permissions (even when copying between partitions). While you could reconfigure the NTFS permissions after moving the file, that would require more effort than simply copying the file with the NTFS permissions. REFERENCES LabSim for Server Pro 2016, Section 10.1.

Drag the DNS term on the left to the appropriate definition on the right. (Each term may be used once, more than once, or not at all.) Drag Forward lookup Reverse lookup Recursion Delegation Drop Uses the IP address to find the host name (or FQDN). Client computers submit a DNS request to the DNS server and wait for a complete response. The process by which a DNS server or host uses root name servers and subsequent servers to perform name resolution. Uses the hostname (or the FQDN) to find the IP address.

- Uses the IP address to find the host name (or FQDN): Reverse lookup
- Client computers submit a DNS request to the DNS server and wait for a complete response: Recursion
- The process by which a DNS server or host uses root name servers and subsequent servers to perform name resolution: Recursion
- Uses the hostname (or the FQDN) to find the IP address: Forward lookup
EXPLANATION
- Forward lookup: uses the host name (or the FQDN) to find the IP address.
- Reverse lookup: uses the IP address to find the host name (or FQDN).
- Recursion: the process by which a DNS server or host uses root name servers and subsequent servers to perform name resolution. Most client computers do not perform recursion; rather, they submit a DNS request to the DNS server and wait for a complete response. Many DNS servers will perform recursion.
- Delegation: the process by which a DNS server hands responsibility for the request to another DNS server.
REFERENCES LabSim for Server Pro 2016, Section 9.2.

You want to use Restricted Groups to manage the membership of local groups on the domain member servers that you manage. You can define a restricted group in one of two ways: - Members of this group - This group is a member of The This group is a member of option is the preferred method for most use cases. Which of the following explains why this is the preferred method? Using the This group is a member of option does not remove existing members of the group if they are not part of the restricted group. Using the This group is a member of option to designate a group's membership makes it possible for new members to be added and removed from the group. When using the This group is a member of option at the domain level, the setting is not inherited by all computers in the domain, but only by the computers you target. Using the This group is a member of option allows you to create new groups with the Group Policy Management tool.

Using the This group is a member of option does not remove existing members of the group if they are not part of the restricted group. EXPLANATION Using the This group is a member of option is the preferred option because it does not remove existing members of the group if they are not part of the restricted group. This way, any existing members of the group that are required by the system or for Active Directory will not be inadvertently removed (which can happen if you use the Members of this group option and can cause serious issues with your network). You cannot use the This group is a member of option to create new groups with the Group Policy Management tool. Groups can only be created using Active Directory management tools. When using the This group is a member of option at the domain level, the setting is inherited by all computers in the domain, not just by the computers you target; be sure to analyze how you want the policy to be applied before you create it. When using either of the options for defining restricted groups to designate a group's membership, no one can add members to the group or remove members from the group. A user can use other tools to change the group membership, but a refresh of the Group Policy settings will overwrite any changes made. REFERENCES LabSim for Server Pro 2016, Section 8.7.

You manage the branch office for your company network. The branch office has a single Active Directory domain, branch1.westsim.private. All computers in the branch office are members of the domain. The branch office consists of two subnets and 50 host computers. Each subnet has its own DHCP server, while a single server on Subnet2 is both the domain controller and DNS server. Dynamic updates are enabled on the DNS zone. On Subnet1, you have a shared printer attached to Wrk5. Only computers on Subnet1 use this shared printer. How can you most easily make sure that all hosts on Subnet1 will continue to connect to the shared printer by name, even if the DNS server becomes unavailable? Use DHCP to deliver the IP address of the shared printer to each client on Subnet1. Configure a static entry for the shared printer in the HOSTS file on each client in Subnet1. Edit the default domain GPO to enable the Turn off Multicast Name Resolution policy. View the settings in the Default Domain GPO to verify that the Turn off Multicast Name Resolution option is not enabled.

View the settings in the Default Domain GPO to verify that the Turn off Multicast Name Resolution option is not enabled. EXPLANATION In this scenario, you need to provide for DNS name resolution on the local subnet in the event that the DNS server fails. To make sure you can rely on the Link-Local Multicast Name Resolution feature (LLMNR), which is enabled on clients by default, verify that LLMNR has not been disabled. Enabling the Turn off Multicast Name Resolution policy in Group Policy disables Link-Local Multicast Name Resolution. DHCP servers cannot be configured to deliver IP addresses of printers. Configuring a static entry for the shared printer in the HOSTS file on each client in Subnet1 would take too much of your time. REFERENCES LabSim for Server Pro 2016, Section 9.1.

You want to prevent users from running any file with a .bat or .vbs extension unless the file is digitally signed by your organization. How should you configure this rule in AppLocker? Create a script rule with a publisher condition. Create a script rule with a hash condition. Create an executable rule with a hash condition. Create an executable rule with a publisher condition.

Create a script rule with a publisher condition. EXPLANATION Use a script rule to control executing files with .ps1, .bat, .cmd, .vbs, and .js extensions. To allow only software that is digitally signed, use a publisher condition and specify your organization as the publisher to allow. Executable rules only apply to .exe and .com files. A hash rule uses the digital fingerprint of a file, not the digital certificate, to allow or deny access to the file. Each script would require its own hash value to allow the script based on the hash. REFERENCES LabSim for Server Pro 2016, Section 8.8.

You want to find out who has been running a specific game on the client computers. You do not want to prevent users from running the program, but instead want to log information when the file runs. The application is not digitally signed. How should you configure this rule in AppLocker? Create an executable rule with a path condition that identifies the file. Set the enforcement mode to enforce rules. Create an executable rule with a path condition that identifies the file. Set the enforcement mode to audit only. Create an executable rule with a publisher condition. Set the enforcement mode to audit only. Create an executable rule with a publisher condition. Set the enforcement mode to enforce rules.

Create an executable rule with a path condition that identifies the file. Set the enforcement mode to audit only. EXPLANATION Because the file is not digitally signed, you will need to use a hash or path condition in the executable rule. To log when the application runs without restricting users from running the application, edit the enforcement mode for the executable rules and choose Audit only. Using a publisher condition requires that the software be digitally signed. Choosing Enforce rules for the enforcement type would allow or deny running the software. REFERENCES LabSim for Server Pro 2016, Section 8.8.

Click on the tool you can use to configure Restricted Groups to control membership for groups that require high security.

Group Policy Management EXPLANATION The Restricted Groups policy is configured from the Group Policy Management console. The Restricted Groups policy is a powerful tool that can be used to control membership for groups that require high security. The Active Directory Users and Computers tool can be used to create groups and to assign group memberships. Restricted Groups, however, is a tool for assigning group membership through group policy; this type of policy is configured using Group Policy Management. REFERENCES LabSim for Server Pro 2016, Section 8.7.

Mary is in charge of DNS administration for her network. The private network consists of a single Active Directory domain called private.westsim.com. DNS data is stored in an Active Directory-integrated zone. The sales department has just installed a web server called SalesWeb. This server will host an intranet site for use by the sales team. They want this server to be accessible using the URL sales.westsim.com. What should Mary do? Create a second A record in the private.westsim.com domain. Use Sales as the name. Identify the IP address of SalesWeb in the resource record. In the westsim.com domain, create a CNAME record called sales. Identify SalesWeb.private.westsim.com as the target. In the private.westsim.com domain, create a PTR record that identifies sales.westsim.com as the alternate URL for the SalesWeb server. Place HOSTS files on each workstation in the sales department. Create an entry with the IP address for SalesWeb that references the sales.westsim.com name.

In the westsim.com domain, create a CNAME record called sales. Identify SalesWeb.private.westsim.com as the target. EXPLANATION Use a CNAME record to provide an alternate, or alias, URL for a specific host if the URL points to a host that is not within the same domain. REFERENCES LabSim for Server Pro 2016, Section 9.4.

After reconfiguring the static address of an internal web server named WEB3, your computer can no longer connect to WEB3. However, other users are still able to connect to the same web server. You suspect that your computer still has the old IP address for WEB3 in its DNS cache. Which command can you use to verify that this is the case before clearing the DNS cache on your computer? ipconfig /renew ipconfig /displaydns ipconfig /flushdns ipconfig /release

ipconfig /displaydns EXPLANATION Running ipconfig /displaydns will display the contents of the DNS cache. Running ipconfig /flushdns will clear the DNS cache, which you will want to do if you see the old IP address in the DNS cache after running the ipconfig /displaydns command. Running ipconfig /release will remove the current IP configuration you received from the DHCP server. Running ipconfig /renew will contact the DHCP server to request a new IP configuration. REFERENCES LabSim for Server Pro 2016, Section 9.5.

You have created an NFS share on your FS1 file server in the corpnet.com domain. The path of the shared folder is C:\Shared\NFSShare. You are now testing the configuration by trying to mount it to the /mnt directory on your Linux workstation. Use the drop-down list to fill in the blank in the following to correctly enter the command that will mount this share. _______________ FS1.corpnet.com:/NFSShare /mnt -o nolock mount mount -t mount nfs mount -t nfs mount -nfsshare

mount -t nfs EXPLANATION You would enter the following command to mount the NFS share you configured on the FS1 server on your Linux workstation: mount -t nfs FS1.corpnet.com:/NFSShare /mnt -o nolock On Linux, you use the mount command with the -t nfs option to indicate that the file system type is NFS. REFERENCES LabSim for Server Pro 2016, Section 10.4.

Management is concerned that users are spending time during the day playing games and have asked you to create a restriction that will prevent all standard users and administrators from running the Games app. Click on the option you would use in Group Policy Management Editor to implement this restriction.

packaged app rules EXPLANATION Apps from the Windows store (also called packaged apps) are designed so that all the files within an app package share the same identity. With desktop applications, each file within the application could have its own separate identity, requiring AppLocker rules for each file. With packaged apps, it is possible to control the entire application by using a single AppLocker rule because all components within the app share the same identity. You create AppLocker rules for packaged apps using the Packaged app Rules node under Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker. The Software Restriction Policies, Executable Rules, Windows Installer Rules, and Script Rules nodes are all designed to create restrictions and rules for standard desktop applications. REFERENCES LabSim for Server Pro 2016, Section 8.8.

You would like to have better control over the applications that run on the computers in your domain, so you have decided to implement AppLocker. You have created default rules and an executable rule that only allows the company's accounting application to run. When you test these rules, you find that you can still run any program on your test client. What should you do? (Select two. Each correct answer is part of the solution.) Start the Application Information service on the client. Ensure that the enforcement mode for executable rules is set to Enforce rules. Start the Application Management service on the client. Start the Application Identity service on the client. Ensure that the enforcement mode for executable rules is set to Audit only.

Start the Application Identity service on the client. Ensure that the enforcement mode for executable rules is set to Enforce rules. EXPLANATION To ensure that AppLocker rules are being enforced on the client: - Start the Application Identity service on the client. This service is used to enforce AppLocker rules. - Set the enforcement mode for executable rules to Enforce rules. Setting the enforcement mode to Audit only allows you to monitor AppLocker events, but blocked software is still allowed to run. REFERENCES LabSim for Server Pro 2016, Section 8.8.

Recently, some users in your domain have downloaded and installed an open source program that contains malware. After download, the application is installed by running a program with a .msi extension. The file is not digitally signed. You have a copy of this open source program running on your server, and it did not install any malware. The users that got the malware likely obtained the program from a website they did not know was malicious. How can you prevent users from installing this software if it has been tampered with? Use AppLocker to create a Windows installer rule with a path condition. Use AppLocker to create an executable rule with a hash condition. Use AppLocker to create a packaged app rule with a hash condition. Use AppLocker to create a Windows installer rule with a publisher condition. Use AppLocker to create a Windows installer rule with a file hash condition.

Use AppLocker to create a Windows installer rule with a file hash condition. EXPLANATION To prevent users from installing this software if it has been tampered with, use AppLocker to create a Windows installer rule with a file hash condition. You can use your clean version of the installer program when creating the file hash condition. If a user downloads an installer file that has been tampered with, its file hash will not match, and AppLocker will prevent it from being installed. An executable rule would only apply to .exe and .com files. Using a path condition will not detect installer files that have been tampered with. A publisher condition cannot be used in this instance, since there is no digital signature. A packaged app rule would only apply to programs obtained from the Windows store. REFERENCES LabSim for Server Pro 2016, Section 8.8.

You are the network manager for the westsim.private domain. The SRV1 server runs all file and print services for the network. The DNS database has an A record that maps srv1.westsim.private to the IP address of 192.168.16.10. You want to create a PTR record that maps the IP address to the host name. Which zone should you create the record in? 16.168.192.ip4.arpa 192.168.16.ip4.arpa 192.168.16.in-addr.arpa 16.168.192.in-addr.arpa westsim.private

16.168.192.in-addr.arpa EXPLANATION To create a PTR record that maps an IP address to a host name, create the PTR record in the corresponding reverse lookup zone. For IPv4 addresses, the zone name will be the reverse of the subnet portion of the address (in this example, 16.168.192.in-addr.arpa). A records that map host names to IP addresses are created in the forward lookup zone (in this example, westsim.private). IPv6 pointer records are created in zones that end in ip6.arpa. REFERENCES LabSim for Server Pro 2016, Section 9.3.

You enter the ipconfig /all command and see, as a part of the results, the information shown in the image below. If you enter the nslookup command on this same system, which of the following do you expect to see as the address of the default server? 192.168.10.10 163.128.80.93 163.128.78.93 192.168.10.5

163.128.80.93 EXPLANATION Given the information shown, you should expect to see 163.128.80.93 as the address of the default server. Entering nslookup at the command line with no options starts nslookup in interactive mode, which gives you the host name and IP address of the default DNS server. In this case, since 163.128.80.93 is listed as the first DNS server, it is the default server that nslookup will send name resolution requests to. 163.128.78.93 is the address of the alternate DNS server that is configured for this host. 192.168.10.10 is the IP address assigned to this host. 192.168.10.5 is the address of the default gateway router. REFERENCES LabSim for Server Pro 2016, Section 9.5.

You need to use the New Share wizard on a Windows server to create a new share for the C:\Shares\WidgetProject folder. Sales reps for your organization will connect to the share using Windows notebook systems. You want to configure the share so that Windows will hide the file or folder from users that do not have at least read permissions to a file or folder. Which option on the Settings screen should you enable? Encrypt data access Enable BranchCache on the file share Allow caching of share Access-based enumeration

Access-based enumeration EXPLANATION When Access-based enumeration is enabled, only the files and folders that a user has permissions to access are displayed. Users must have at least read permissions to a resource for it to be displayed. Enabling the Allow caching of share option in the Other Settings screen makes the contents of the share available to users when they are offline. Encrypt data access causes connections to the share to be encrypted. Enabling BranchCache on the share enables computers in a branch office to cache files downloaded from the share and then allows them to be available to other computers in the branch. REFERENCES LabSim for Server Pro 2016, Section 10.2.

You manage a network with Windows clients, multiple subnets, and Windows DNS servers. You want to be able to resolve a host name for a server on your network to its IPv4 address. What should you do? Add an NS record on the DNS server. Add an A record on the DNS server. Edit the Lmhosts file on the computer. Add a PTR record on the DNS server.

Add an A record on the DNS server. EXPLANATION The DNS server associates a host name with its IPv4 address using an A record. When a host name is used, the computer queries the DNS server and gets back the IP address that corresponds to the host name. The PTR record is used for reverse name resolution, where the client submits the IP address and gets the host name in response. The NS record identifies name servers that hold DNS records for a domain. The Lmhosts file is used for NetBIOS name resolution. REFERENCES LabSim for Server Pro 2016, Section 9.4.

On your Windows server, you share the D:\Reports folder using a share name Reports. You need to configure permissions on the shared folder as follows: - Members of the Accounting group should be able to view files but not be able to modify them. - Phil, a member of the Accounting group, needs to be able to open and edit files in the Shared folder. You need to assign the necessary permissions without assigning extra permissions beyond what is required and without affecting other access that might already be configured on the computer. You need to complete the task using the least amount of effort possible. What should you do? Remove Phil from the accounting group. Add the Accounting group and assign the read permission. Add the Phil user account and assign read/write permission. Add the Accounting group and assign the read permission. Add the Phil user account and assign read/write permission. Add the Accounting group and assign the read permission. Add the Phil user account and assign the owner permission. For every user in the accounting department, assign the read permission. For the Phil user account, assign the read/write permission.

Add the Accounting group and assign the read permission. Add the Phil user account and assign read/write permission. EXPLANATION Assign the Accounting group the read permission and the Phil user account the read/write permission. While Phil is a member of the Accounting group, he will have the greater permissions assigned directly to his user account. Using simple sharing, you cannot designate a user as an Owner. Removing Phil from the Accounting group would still provide the necessary access, but might affect his access to other resources if he gains permissions from his membership in the Accounting group. Assigning each accounting member permissions would work as well, but would require more work to assign individual permissions. Instead, assign permissions to groups whenever possible. REFERENCES LabSim for Server Pro 2016, Section 10.3.

Which of the following describes an additional domain? Additional domains are managed by the Internet Corporation of Assigned Names and Numbers (ICANN). An additional domain has a full and complete copy of all the records for a particular domain. Additional domains are second-level domains with names registered to an individual or organization for use on the Internet. An additional domain represents a specific host. For example, "www" is the host name of www.example.com.

Additional domains are second-level domains with names registered to an individual or organization for use on the Internet. EXPLANATION Additional domains are second-level domains with names registered to an individual or organization for use on the Internet. These names are based on an appropriate top-level domain, depending on the type of organization or geographic location where a name is used. Yahoo.com and microsoft.com are examples of additional domains in your DNS structure. The host name is the part of a domain name that represents a specific host. For example, "www" is the host name of www.example.com. An authoritative server is a DNS server that has a full and complete copy of all the records for a particular domain. TLDs are the last part of a domain name (.com, .edu, .gov) and are managed by the Internet Corporation of Assigned Names and Numbers (ICANN). REFERENCES LabSim for Server Pro 2016, Section 9.1.

The C:\Shares\WidgetProject folder on your Windows server has been shared with network users. The server is a member of the westsim.com Active Directory domain. The westsim.com\Users group has been granted the following Allow NTFS permissions: - Read and execute - List folder contents - Read In addition, the Everyone principal has been assigned the following Allow share permissions: - Full Control - Change - Read The ksanders user is a member of the westsim.com\Users group. She accesses data in the folder through the network share from her Windows workstation. What permissions does this user have to data in the folder? Allow read Allow full control Allow read and execute, list folder contents, and read Allow read and change Deny read

Allow read and execute, list folder contents, and read EXPLANATION The share permission for the folder is allow full control. The NTFS permissions are allow read and execute, list folder contents, and read. Because the NTFS permissions are less permissive than the share permissions, they are applied. REFERENCES LabSim for Server Pro 2016, Section 10.1.

The C:\Shares\WidgetProject folder on your Windows server has been shared with network users. The server is a member of the westsim.com Active Directory domain. The westsim.com\Users group has been granted the following Allow NTFS permissions: - Read and execute - List folder contents - Read The westsim.com\Administrators group has been granted the allow full control NTFS permission. In addition, the Everyone principal has been assigned the following allow share permissions: - Full Control - Change - Read The vhammer user is a member of the westsim.com\Users and the westsim.com\Administrators group. She accesses data in the folder through the network share from her Windows workstation. What permissions does this user have to data in the folder? Allow read and execute, list folder contents, and read Allow full control Allow read Deny read Allow read and change

Allow full control EXPLANATION The share permission for the folder is allow full control. The cumulative NTFS permission for the folder is allow full control. Therefore, the user receives allow full control access to the folder. REFERENCES LabSim for Server Pro 2016, Section 10.1.

The C:\Shares\WidgetProject folder on your Windows server has been shared with network users. The server is a member of the westsim.com Active Directory domain. The westsim.com\Users group has been granted the following allow NTFS permissions: - Write - Read and execute - List folder contents - Read In addition, the Everyone principal has been assigned the allow read share permission. The smarsden user is a member of the westsim.com\Users group. She accesses data in the folder through the network share from her Windows workstation. What permissions does this user have to data in the folder? Allow read and change Allow read Allow write, read & execute, list folder contents, and read Allow read & execute, list folder contents, and read Allow full control

Allow read EXPLANATION The share permission for the folder is allow read. The NTFS permissions are allow write, read and execute, list folder contents, and read. Because the share permissions are less permissive than the NTFS permissions, they are applied. REFERENCES LabSim for Server Pro 2016, Section 10.1.

The C:\Shares\WidgetProject folder on your Windows server has been shared with network users. The server is a member of the westsim.com Active Directory domain. The westsim.com\Users group has been granted the following allow NTFS permissions: - Write - Read and execute - List folder contents - Read In addition, the Everyone principal has been assigned the allow read share permission. The jmarshall user is a member of the westsim.com\Users group. She accesses data in the folder by using Remote Desktop to establish a remote access session on the server. What permissions does this user have to data in the folder? Allow read and execute, list folder contents, and read Allow full control Allow write, read and execute, list folder contents, and read Allow read Allow read and change

Allow write, read and execute, list folder contents, and read EXPLANATION Even though the share permission for the folder is allow read, only the NTFS permissions are applied because the user accesses the folder directly in the Remote Desktop session. The data is not accessed through the network share. The NTFS permissions are allow write, read and execute, list folder contents, and read. REFERENCES LabSim for Server Pro 2016, Section 10.1.

You manage a single domain running Windows Server. You have configured a restricted Group Policy as shown in the image. When this policy is applied, which actions will occur? (Select two.) The Backup Operators group will be made a member of the Desktop Admins group. Any other members of the Desktop Admins group will be removed. The Desktop Admins group will be made a member of the Backup Operators group. A new group called Desktop Admins will be created. Any other members of the Backup Operators group will be removed.

Any other members of the Backup Operators group will be removed. The Desktop Admins group will be made a member of the Backup Operators group. EXPLANATION Using Members of this group identifies the individual members of a restricted group. All users or groups listed become members of the group. However, a user or group currently in the group whose name is not on the list is removed from group membership. REFERENCES LabSim for Server Pro 2016, Section 8.7.

You need to control access to the D:\Reports folder as follows: - Members of the Accounting group should be able to open and view all files, but not modify them. - Mary needs to be able to modify existing files in the folder and add new files to the folder, but should not be able to delete or rename files. Mary is a member of the Accounting group. You want to assign NTFS permissions taking the least amount of actions possible. What should you do? Assign allow read and execute, list folder contents, and read to the Accounting group. Assign allow modify to Mary. Remove Mary from the Accounting group. Assign allow read and execute, list folder contents, and read to the Accounting group. Assign allow modify to Mary. Remove Mary from the Accounting group. Assign allow read and execute, list folder contents, and read to the Accounting group. Assign allow write to Mary. Assign allow read and execute, list folder contents, and read to the Accounting group. Assign allow write to Mary.

Assign Allow Read & execute, List folder contents, and Read to the accounting group. Assign Allow Write to Mary. EXPLANATION Assign allow read and execute, list folder contents, and read to the Accounting group to allow group members to view and open files in the directory. Assign the write permission to Mary to allow her to modify existing files and add new files. As a member of the Accounting group, Mary will have all permissions assigned to the group plus the write permission assigned to her user account. The modify permission allows users to delete files in the directory in addition to reading and editing existing files. You do not need to remove Mary from the group before assigning her additional permissions; if you wanted fewer permissions for Mary, you would need to remove her from the group or, possibly, deny extra permissions. REFERENCES LabSim for Server Pro 2016, Section 10.1.

You are the network administrator for your company. A Windows server named Srv1 has a shared folder called SalesResearch that shares the F:\Sales\Research folder. This folder has three subfolders, Projects, Analysis, and Reports. Permission inheritance is enabled on F:\Sales\Research and all subfolders and files. Only the Administrators group and one designated employee have permission to each subfolder. Permissions are configured as follows: Resource Type of Permission Effective Permissions SalesResearch share Share Everyone: Allow-Full Control F:\Sales\Research NTFS Administrators: Allow-Full Control F:\Sales\Research\Analysis NTFS Anne: Allow-Modify Administrators: Allow-Full Control F:\Sales\Research\Projects NTFS Billy: Allow-Modify Administrators: Allow-Full Control F:\Sales\Research\Reports NTFS Gavin: Allow-Modify Administrators: Allow-Full Control Stan needs to read all of the documents within the SalesResearch share and its subfolders. Stan does not need to make changes to these documents. You need to give Stan appropriate permissions without giving him unnecessary permissions. What should you do? Disable permission inheritance on F:\Sales\Research. Configure the Read-only file attribute for F:\Sales\Research and all subfolders and files. Make Stan a member of the Administrators group. Assign Stan the allow read NTFS permission to F:\Sales\Research. Assign Stan the allow read share permission to SalesResearch.

Assign Stan the allow read NTFS permission to F:\Sales\Research. EXPLANATION Assigning Stan the allow read NTFS permission for F:\Sales\Research will let him read, but not modify, documents within the SalesResearch share. Because permission inheritance is enabled, Stan will also have the allow read NTFS permission for each subfolder. Assigning Stan the allow read share permission will not grant him the appropriate NTFS permissions. Making Stan a member of the Administrators group will give Stan too many permissions. REFERENCES LabSim for Server Pro 2016, Section 10.5.

You need to share a folder that contains data used by your accounting department. You want Phil, the manager of the department, to be able to add and remove files. You want members of the department to be able to connect to the share and see the files it contains, but you do not want them to have the ability to make changes. Everyone else in the company should be blocked from connecting to the share. There is a global group called Accounting that contains all the accounting department users, including Phil. You need to configure permissions on the share. What should you do? Assign allow change permissions for Phil, allow read for Accounting, and nothing else. Assign allow full control permissions for Phil, allow read for Accounting, and nothing else. Remove Phil from the accounting group and then assign allow change for Phil, allow read for Accounting, and nothing else. Assign allow change permission for Phil, Allow read for every user in the accounting department except Phil and assign nothing else. Assign allow full control permission for Phil, allow read for Accounting, and deny read for Domain Users.

Assign allow change permissions for Phil, allow read for Accounting, and nothing else. EXPLANATION Assign Phil Change share permissions to be able to add and remove files. Full Control will also allow him to do this, but it will also allow him to change the permissions on the share, which is probably a bad idea. The users in the accounting department need at least Read permission to see the files, but should not have Change or Full Control because this would allow them to change files, which they are not supposed to be able to do. Although it is common to assign Domain Admins Full Control to every share, in this case we were asked to block all other users. Everyone who isn't specifically given at least read permission is implicitly denied access, so it is not necessary to explicitly deny access to anyone in this case (and because Deny overrides Allow, and all user accounts are members of Domain Users, assigning Deny Read to Domain Users blocks all access for all users). It is not necessary to remove Phil from the Accounting group before assigning permissions; Allow Read and Allow Change combine to Allow Change, which is what we wanted him to have. REFERENCES LabSim for Server Pro 2016, Section 10.3.

You are configuring access for a shared folder on a Windows server. There is a global group called Appusers who need read-only access. However, there is a member of Appusers, jsmith, who should not have any access at all. How can you configure your share so that the members of Appusers have access but jsmith does not while creating the least disruption to your existing administrative structure? Remove jsmith from Appusers. Assign allow read permissions to Appusers. Assign allow read permissions for each user in Appusers except jsmith. Assign allow read permissions for Appusers and disable the account jsmith. Assign allow read permission to Appusers and assign deny read permissions to jsmith.

Assign allow read permission to Appusers and assign deny read permissions to jsmith. EXPLANATION Assign allow read to the Appusers group to give them read only access. To prevent jsmith from having access, assign the jsmith user deny read permissions. The deny permission assigned to the user overrides the allow permission assigned to the group. Although each of these choices will result in members of the group Appusers having access to the share and the user jsmith not having access, only one does so without producing unwanted side effects. If the account jsmith is disabled, that user will be unable to log in to the domain and will be unable to access any domain resources. If we assign read permissions to each user individually and membership in the group changes, the share permissions will not adjust accordingly (for example, if a user were removed from the Appusers group, they would still have access to the share). Removing jsmith from the group may remove the user's access to other resources that have been granted through the group. REFERENCES LabSim for Server Pro 2016, Section 10.3.

On your Windows server, you share the D:\Apps folder using the share name Apps. You need to configure permissions to the share as follows: - Members of the Appusers group should be able to open and view files in the shared folder. - User JohnS should not have any access to files in the shared folder. JohnS is a member of the Appusers group. You need to assign the necessary permissions without assigning extra permissions beyond what is required and without affecting other access that might already be configured on the computer. You need to complete the task using the least amount of effort possible. What should you do? Remove JohnS from Appusers. Assign allow read permissions to Appusers. Assign allow read permissions to Appusers and assign deny read permissions to JohnS. Assign allow read permission for all user accounts that are members of the Appusers group. Disable the JohnS account. Assign allow read permissions for each user in Appusers except JohnS.

Assign allow read permissions to Appusers and assign deny read permissions to JohnS. EXPLANATION Assign allow read to the Appusers group to give them read-only access. To prevent JohnS from having access, assign the JohnS user the deny read permission. The deny permission assigned to the user overrides the allow permission assigned to the group. Although each of these choices will result in members of the group Appusers having access to the share and the user JohnS not having access, only one does so without producing unwanted side effects. If the account JohnS is disabled, that user will be unable to log in to the domain and will be unable to access any domain resources. If we assign the read permission to each user individually and membership in the group changes, the share permissions will not adjust accordingly (for example, if a user were removed from the Appusers group, they would still have access to the share). Removing JohnS from the group may remove the user's access to other resources that have been granted through the group. REFERENCES LabSim for Server Pro 2016, Section 10.3.

You manage the intranet servers for EastSim Corporation. The company network has three domains: eastsim.com, asiapac.eastsim.com, and emea.eastsim.com. The main company website runs on the web1.eastsim.com server with a public IP address of 101.12.155.99. A host record for the server already exists in the eastsim.com zone. You want Internet users to be able to use the URL http://www.eastsim.com to reach the website. What type of DNS record should you create? A SRV CNAME PTR

CNAME EXPLANATION Use a CNAME (alias) record to create alternate names for a host. The CNAME record points to the A (host) record. The CNAME record does not include the IP address of the host. Other DNS records are used as follows: - Each host should be represented by a single A record. - Use CNAME records to register additional (alternate) host names. - Use a PTR record to provide IP address-to-host name resolution. - Use an NS (name server) record to identify name servers that perform name resolution for the zone. - Use an SOA (start of authority) record to identify zone information, such as the serial number. - Use an SRV (service locator) record to identify servers that provide specific services, such as domain controllers. REFERENCES LabSim for Server Pro 2016, Section 9.4.

You are the network administrator for your company. You recently replaced the previous network administrator. The sales manager, Jim, calls you and reports that he cannot update a file in the \\ACCTSRV1\Reports share, which the previous network administrator created for him last Wednesday. Jim is a member of the Managers group, which should have full control of all files in the share. You examine the Reports share and the D:\Data\Reports folder on the server. Following is a summary of the current configuration: Folder: D:\Data\Reports. Shared as: Reports. NTFS permissions: Administrators (Allow-Full Control), Managers (Allow-Full Control), Everyone (Allow-Read). Share permissions: Everyone (Allow-Read). You need to give Jim the permissions intended for the Managers group and let him update files in the Reports share. What should you do? Assign Jim's user account the allow full control NTFS permission to D:\Data\Reports. Change the D:\Data\Reports NTFS permissions for the Everyone group to allow full control. Assign the Managers group the allow modify share permission to the Reports share. Change the Reports share permissions for the Everyone group to allow full control.

Change the Reports share permissions for the Everyone group to allow full control. EXPLANATION To simplify administration, keep the share permission that assigns the Allow Full Control permission to the Everyone group and then configure NTFS permissions to control access to files and folders in the share. Currently, appropriate NTFS permissions have been applied to the D:\Data\Reports folder, but share permissions limit everyone to reading data in the share. Assigning the Managers group the allow modify share permission would let Jim update files in the share, but it would still not allow full control to the Managers group. REFERENCES LabSim for Server Pro 2016, Section 10.5.

On your Windows server, you share the D:\Promo folder using the share name Promo. The share has been assigned the following permissions (User/Group: Permission): Telesales group: Allow read; Training group: Deny full control; Managers group: Allow change; Mary user: Allow change. The Mary user account is a member of the Training group. NTFS permissions allow all access. Mary needs to be able to edit documents in the shared folder but cannot. You need to modify the share permissions to allow her the necessary access. What should you do? (Choose two. Each choice is a possible solution.) Change the permission for the Mary user account to allow full control. Remove the Mary user account from the Managers group. Change the Training group permission to allow read. Remove the Mary user account from the Training group. Add the Mary user account to the Administrators group.

Change the Training group permission to allow read. Remove the Mary user account from the Training group. EXPLANATION The deny full control permission on the Training group prevents all of its members from accessing the share. Because Mary is a member of that group, she will be denied access. You can allow access for Mary by: - Removing the user account from the Training group. - Changing the permissions for the Training group to allow read. Mary would then have the cumulative permissions assigned to the group and to her user account. REFERENCES LabSim for Server Pro 2016, Section 10.3.

You are the network administrator for eastsim.com. The network consists of one Active Directory domain. Several users have received new computers to replace their older systems that were out of warranty. You are preparing to join the new computers to the domain. Your company has several limitations on what users can do with their workstations. For example, users are not allowed to use USB removable media devices or create any kind of executable files. You must make sure each new computer configuration is in compliance with these limitations, but you do not want to go from computer to computer to make the changes. Which of the following can you perform to meet these requirements with the least possible effort? Configure user experience right assignments in Group Policy. Configure Group Policy security options. Configure user rights assignments in Group Policy. Configure Group Policy preferences.

Configure Group Policy preferences. EXPLANATION To make sure each new computer is in compliance with the company limitations without having to go from computer to computer to make the changes, you can configure Group Policy preferences. User rights assignments and security options do not include options for disabling certain classes and types of devices, nor for restricting the types of files that can be created. Group Policy does not have a category of user experience right assignments. REFERENCES LabSim for Server Pro 2016, Section 8.9.

You are the network administrator for a small manufacturing company. You have ten regional sales people who travel extensively and have been provided Windows laptop computers. The mobile users have complained that, although they can take copies of important files with them into the field, occasionally they have been caught with out-of-date documents because no one told them the files had been updated. Additionally, some of these files need to be distributed to all the other sales staff. You need to address this problem and easily provide the appropriate access to these shared files. What should you do? Use NTFS permissions to control access. Create logon scripts to keep them synchronized. Set up RRAS. Require the users to dial in and access the files from the server every time they are accessed. Use Outlook to email the important files between users. Configure Offline Files for the folder that contains these files.

Configure Offline Files for the folder that contains these files. EXPLANATION The Offline Files feature does exactly what we want. It creates locally cached copies of files stored on the server and synchronizes changes made to the local copies. Creating scripts to do the same thing is possible, but would take a lot of work. Requiring dial-in access will create potentially large telephone charges and creates potential delays if large files are transferred. Emailing the files creates the same potential delay and would require that a mail server be provided. REFERENCES LabSim for Server Pro 2016, Section 10.3.

You are the systems administrator for WestSim Corporation. You have been assigned to set up a new branch office in Tulsa. The branch will be represented by a single domain. You install a single DNS server called TulsaDNS and configure a primary zone for the branch office domain. You test name resolution and find that hosts can only resolve names for hosts within the domain. You need to enable clients in the Tulsa location to resolve names for hosts in other domains within your private network. You would like to minimize traffic across the WAN link between the sites. What should you do? Configure TulsaDNS as a caching-only server. Configure network clients to use a DNS server located on the rest of the network. Configure TulsaDNS to use forwarders. Configure TulsaDNS with root hints.

Configure TulsaDNS to use forwarders. EXPLANATION Configure TulsaDNS to use forwarders. When TulsaDNS receives a request for a host name on another domain, it forwards the request to another DNS server. The TulsaDNS server submits a recursive request so that only the single request and response travels across the WAN link. Configuring TulsaDNS with root hints pointing to root servers on the rest of the network would enable name resolution. However, TulsaDNS would refer to the root zone servers and perform iterative queries to resolve all host names outside of its own domain. This would result in multiple requests crossing the WAN link to resolve a single host name. Configuring TulsaDNS as a caching-only server would increase WAN link traffic, as the domain for the Tulsa location would need to be placed on the other side of the WAN link. Name resolution requests for hosts within the domain in Tulsa would need to cross the WAN link once for each host until the server cached the host names of all other hosts. REFERENCES LabSim for Server Pro 2016, Section 9.2.

You are the network administrator for eastsim.com. The network consists of one Active Directory domain. You have been instructed to map a drive to a department share for all users. The company no longer uses login scripts, so you must ensure that the department share is mapped using Group Policy. What should you do? Configure a Folder Options policy in a GPO linked to each OU that contains users. Configure a Drive Maps policy in a GPO linked to the domain. Configure a Shortcuts policy in a GPO linked to the Computers container. Configure an Environment policy in a GPO linked to the Domain Controllers OU.

Configure a Drive Maps policy in a GPO linked to the domain. EXPLANATION Configure a Drive Maps policy in a GPO linked to the domain. A Drive Maps policy allows you to manage network drive mappings without writing logon scripts. Group Policy preferences extend the functionality of Group Policy to allow administrators much greater functionality in configuring the user environment. Previously, many of the settings could only be set using logon scripts. Some examples of settings include mapping user drives, mapping printers, customizing the users' Start menu, and adding data to the environmental variables. For example: - An Environment policy manages user and system environment variables or updates the environment path. - A Shortcuts policy manages several types of shortcuts on multiple targeted users and computers. - A Folder Options policy configures folder options and file extension associations. REFERENCES LabSim for Server Pro 2016, Section 8.9.

You would like to prevent users from running any software with .exe or .com extensions on computers in the domain unless they have been digitally signed. The rule should apply to all known and unknown software. How should you configure this rule in AppLocker? Configure an executable rule with a publisher condition. Configure an executable rule with a file hash condition. Configure an executable rule with a packaged app condition. Configure a Windows installer rule with a publisher condition.

Configure an executable rule with a publisher condition. EXPLANATION To prevent running any unsigned software (with .exe and .com extensions), use AppLocker to create an executable rule with a publisher condition. Using AppLocker, you can create a single rule that applies to all software that is signed by any certificate. A Windows installer rule would only apply to installer files with .msi and .msp extensions. Using the file hash condition would use the digital fingerprint of the software, but would not require the software to be digitally signed. Packaged app is a type of rule, not a condition, and would only apply to apps from the Windows store. REFERENCES LabSim for Server Pro 2016, Section 8.8.

You are a network engineer working for WestSim Corporation. The company has an Internet domain named westsim.com. The private network uses the namespace of private.westsim.com. Your company manages its own Domain Name System (DNS) servers that are authoritative for both of the company's name spaces. Your network consists of several subnets at multiple locations. Sites are connected with WAN links. www.private.westsim.com is an intranet web server that is commonly used throughout the company. You want to ensure that users can always access this server by name, even if an authoritative DNS server is not available. What should you do? Configure each client computer's LMHOSTS file with an entry for www.private.westsim.com. Configure each client computer's HOSTS file with an entry for www.private.westsim.com. Configure each client computer's alternate DNS server with the IP address of the company's public DNS server. Configure each client computer's alternate DNS server with the IP address of a second private DNS server.

Configure each client computer's HOSTS file with an entry for www.private.westsim.com. EXPLANATION Entries in a computer's HOSTS file are automatically loaded into the DNS cache and can be used to resolve DNS names when a DNS server is not available. One benefit of configuring a HOSTS file is to provide DNS name resolution fault tolerance if all DNS servers happen to go down. Configuring a HOSTS file for every client computer can be time consuming, although one way to ease the administrative burden is to create a single preconfigured hosts file and distribute it to all users. Configuring an alternate DNS server address for clients is a good idea, but this action will not help if all DNS servers happen to become unavailable as the alternate DNS server will also be unavailable. REFERENCES LabSim for Server Pro 2016, Section 9.1.

You are the server administrator for the Srv12 server. This server is running the File Services role and is used for user home folders. Each user has a folder that they can use for storing personal files. Management wants a solution that meets the following requirements: - Allow only the specified user to save files in their home folder. - Users should not be allowed to view or edit files in other users' home folders. - The list of files and folders that users can view should show only the files that they have rights to access. What should you do? Configure share and NTFS permissions. Configure NTFS quotas and enforce size limits. Configure share and NTFS permissions with access-based enumeration. Configure volume shadow copies. Configure file caching on the user volume.

Configure share and NTFS permissions with access-based enumeration. EXPLANATION Use share and NTFS permissions with access-based enumeration. The only way to prevent users from saving, editing, or viewing files is by using permissions. For shared folders, you must use a combination of share and NTFS permissions. Access-based enumeration is a feature that hides shared folder content based on the NTFS permissions of the user. Users will only see the files to which they have the necessary permissions. Configuring share and NTFS permissions alone will not hide the files users don't have access to. Volume shadow copies will allow users to restore previous versions of files more easily. File caching allows users to work with files when they are not connected to the network. Use NTFS quotas to set size limits on an entire volume for specific users. REFERENCES LabSim for Server Pro 2016, Section 10.2.

You are visiting one of your company's branch offices to set up a new server and complete some general server management tasks. Employees in the branch office tell you they have been experiencing intermittent issues accessing a server in the home office. You send ICMP requests to the server at the home office from a workstation at the branch office using ping with the -t option. As it continues to send ping requests and receive replies, you find that the ping request times out every few minutes. You suspect that one of the routers between the branch office and the home office may be experiencing issues. Which troubleshooting tool can you use from a Windows workstation to see a map of the routers between the branch office and the home office? tracert nslookup ipconfig ping -route

tracert EXPLANATION You can use tracert to generate a map of routers between a local host and a destination host. IPConfig is a command you can use to display TCP/IP network configuration values and change DNS settings. NSLookup is a command for querying DNS. The ping utility does not have a -route option. REFERENCES LabSim for Server Pro 2016, Section 9.5.

The serial number contained within the Start of Authority (SOA) record for a DNS zone on the primary server has been incremented. What condition does this indicate? Information within the DNS zone on the primary server is stale and needs to be refreshed. Information within the DNS zone has been tampered with. The zone file has become corrupt and needs to be restored from backup. Information within the DNS zone has been changed, and secondary servers should initiate a zone transfer.

Information within the DNS zone has been changed, and secondary servers should initiate a zone transfer. EXPLANATION The serial number for the SOA record is incremented whenever there is a change to information in the DNS zone. This is used to trigger secondary servers for the zone to request a zone transfer from the primary server. REFERENCES LabSim for Server Pro 2016, Section 9.4.

You need to control access to the D:\Reports folder as follows: - Members of the Accounting group should be able to open and view all files, edit them, and add new files. They should not be able to delete or rename files. - Mary needs to be able to open and view files, but should not be able to modify the files. Mary is a member of the Accounting group. You want to assign NTFS permissions taking the least amount of actions possible and affecting existing permissions as little as possible. What should you do? Remove Mary from the Accounting group. Assign allow read and execute, list folder contents, read, and write to the Accounting group. Assign allow read and execute, list folder contents, and read to Mary. Assign allow read and execute, list folder contents, read, and modify to the Accounting group. For the Mary user account, deny the modify permission. Remove Mary from the Accounting group. Assign allow read and execute, list folder contents, read, and modify to the Accounting group. Assign allow read and execute, list folder contents, and read to Mary. Assign allow read and execute, list folder contents, read, and write to the Accounting group. For the Mary user account, deny the write permission.

Assign allow read and execute, list folder contents, read, and write to the Accounting group. For the Mary user account, deny the write permission. EXPLANATION Assign allow read and execute, list folder contents, read, and write to the Accounting group to allow group members to open, edit, and add files in the directory. As a member of the Accounting group, Mary receives the same permissions to the folder as the group. To prevent Mary from editing files in the directory, you can simply deny Mary the write permission. This preserves the read and execute, list folder contents, and read permissions she receives from the Accounting group. Removing Mary from the group and assigning the appropriate permissions would work, but might also remove permissions to other resources that she received as a member of the Accounting group. The modify permission includes all permissions except full control and allows users to delete and rename files. REFERENCES LabSim for Server Pro 2016, Section 10.1.

