Pinpoint 70-412 Answers 2021

NEW QUESTION 1
Your network contains an Active Directory domain named contoso.com.
The domain contains two servers named Server1 and Server2 that run Windows Server 2012 R2.
Server1 has the IP Address Management (IPAM) Server feature installed. Server2 has the DHCP Server server role installed.
A user named User1 is a member of the IPAM Users group on Server1.
You need to ensure that User1 can use IPAM to modify the DHCP scopes on Server2. The solution must minimize the number of permissions assigned to User1.
To which group should you add User1?

• A. DHCP Administrators on Server2
• B. IPAM ASM Administrators on Server1
• C. IPAMUG in Active Directory
• D. IPAM MSM Administrators on Server1

Answer: A

Explanation:
The user need rights to change DHCP not IPAM
C. Members of the DHCP Administrators group can view and modify any data at the DHCP server.
http://technet.microsoft.com/en-us/library/jj878348.aspx http://technet.microsoft.com/en-us/library/cc737716(v=ws.10).aspx

NEW QUESTION 2

You have two Hyper-V hosts named Server1 and Seiver2 that run Windows Server 2012 R2. Server1 is in a workgroup. Server2 is in a domain.
On Server1, you create a virtual machine named VM1.
You need to ensure that you can use live migration to move VM1 from Server1to Server2. What should you do first?

• A. Configure the Administrator account on Server1 and Server2 to use the same password.
• B. Create a hidden share named LiveMig$ on Server2.
• C. Add Server1 to a domain
• D. Modify the Integration Services settings of VM1.

Answer: D

NEW QUESTION 3
You have a failover cluster named Cluster1 that contains four nodes. All of the nodes run Windows Server 2012 R2.
You need to force every node in Cluster1 to contact immediately the Windows Server Update Services (WSUS) server on your network for updates.
Which tool should you use?

• A. The Add-CauClusterRole cmdlet
• B. The Wuauclt command
• C. The Wusa command
• D. The Invoke-CauScan cmdlet

Answer: A

Explanation:
The Add-CauClusterRole cmdlet adds the Cluster-Aware Updating (CAU) clustered role that provides the self-updating functionality to the specified cluster. When the CAU clustered role has been added to a cluster, the failover cluster can update itself on the schedule that is specified by the user, without requiring an external computer to coordinate the cluster updating process.
Incorrect:
Not B. The wuauclt utility allows you some control over the functioning of the Windows Update Agent. It is updated as part of Windows Update.
The following are the command line for wuauclt.
OptionDescription
/a /ResetAuthorization
Initiates an asynchronous background search for applicable updates. If Automatic Updates is disabled, this option has no effect.
/r /ReportNow
Sends all queued reporting events to the server asynchronously.
/? /h /help
Shows this help information.
Not D.
The Invoke-CauScan cmdlet performs a scan of cluster nodes for applicable updates and returns a list of the initial set of updates that would be applied to each node in a specified cluster.
Note: The Invoke-CauRun cmdlet performs a scan of cluster nodes for applicable updates and installs those updates via an Updating Run on the specified cluster.
Reference: Add-CauClusterRole
http://technet.microsoft.com/en-us/library/hh847235(v=wps.620).aspx

NEW QUESTION 4
Which of the following would you configure if you wanted to block computers running Windows 7 and earlier operating systems from consuming AD RMS-protected content?

• A. Trusted publishing domain
• B. Trusted user domain
• C. Exclusion policies
• D. Super Users

Answer: C

NEW QUESTION 5
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.
The domain contains two organizational units (OUs) named OU1 and OU2 in the root of the domain.
Two Group Policy objects (GPOs) named GPO1 and GPO2 are created. GPO1 is linked to OU1.
GPO2 is linked to OU2. OU1 contains a client computer named Computer1. OU2 contains a user named User1.
You need to ensure that the GPOs Applied to Computer1areApplied to User1 when User1 logs on.
What should you configure?

• A. Item-level targeting
• B. Block Inheritance
• C. GPO links
• D. The Enforced setting

Answer: A

NEW QUESTION 6
You have a group Managed Service Account named Service01. Three servers named Server01, Server02, and Server03 currently use the Service01 service account.
You plan to decommission Server01.
You need to remove the cached password of the Service01 service account from Server01. The solution must ensure that Server02 and Server03 continue to use Service01.
Which cmdlet should you run?

• A. Set-ADServiceAccount
• B. Reset-ADServiceAccountPassword
• C. Remove-ADServiceAccount
• D. Uninstall-ADServiceAccount

Answer: B

Explanation:
We reset the password for the service.
The Reset-ADServiceAccountPassword cmdlet resets the service account password for
the local computer. This cmdlet needs to be run on the computer where the service account is installed.
Incorrect:
Not A: The Set-ADServiceAccount cmdlet cannot modify the password of the service.
Reference: Reset-ADServiceAccountPassword https://technet.microsoft.com/en-us/library/ee617201.aspx

NEW QUESTION 7
HOTSPOT
Your company has a primary data center and a disaster recovery data center.
The network contains an Active Directory domain named contoso.com. The domain contains a server named that runs Windows Server 2012 R2. Server1 is located in the primary data center.
Server1 has an enterprise root certification authority (CA) for contoso.com.
You deploy another server named Server2 to the disaster recovery data center.
You plan to configure Server2 as a secondary certificate revocation list (CRL) distribution point.
You need to configure Server2 as a CRL distribution point (CDP).
Which tab should you use to configure the required CDP entry? To answer, select the appropriate tab in the answer area.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
To configure the CDP and AIA extensions on CA1
Etc.
uk.co.certification.simulator.questionpool.PList@cb55af0

NEW QUESTION 8
Your network contains an Active Directory forest named contoso.com. The forest contains three domains. All domain controllers run Windows Server 2012 R2.
The forest has a two-way realm trust to a Kerberos realm named adatum.com.
You discover that users in adatum.com can only access resources in the root domain of contoso.com.
You need to ensure that the adatum.com users can access the resources in all of the domains in the forest.
What should you do in the forest?

• A. Delete the realm trust and create a forest trust.
• B. Delete the realm trust and create three external trusts.
• C. Modify the incoming realm trust.
• D. Modify the outgoing realm trust.

Answer: D

Explanation:
* A one-way, outgoing realm trust allows resources in your Windows Server domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in the Kerberos realm.
* You can establish a realm trust between any non-Windows Kerberos version 5 (V5) realm and an Active Directory domain. This trust relationship allows cross-platform interoperability with security services that are based on other versions of the Kerberos V5 protocol, for example, UNIX and MIT implementations. Realm trusts can switch from nontransitive to transitive and back. Realm trusts can also be either one-way or two-way.
Reference: Create a One-Way, Outgoing, Realm Trust

NEW QUESTION 9
DRAG DROP
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.
You plan to install the Active Directory Federation Services server role on Server1 to allow for Workplace Join.
You run nslookup enterprise registration and you receive the following results:

You need to create a certificate request for Server1 to support the Active Directory Federation Services (AD FS) installation.
How should you configure the certificate request?
To answer, drag the appropriate names to the correct locations. Each name may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Obtain a server SSL certificate from either a public certificate authority (CA) or from your organization's PKI subordinate CA that is trusted by a public certificate authority.
The server SSL certificate must have the following certificate attributes to be used with Workplace Join:
- Subject Name (CN): adfs1.contoso.com
- Subject Alternative Name (DNS): adfs1.contoso.com
- Subject Alternative Name (DNS): enterpriseregistration.contoso.com

NEW QUESTION 10
You want to enable key archiving on a CA.
You need to issue a certificate from a specific template to the user who will recover private keys.
Which certificate template will you use as the basis for this certificate?

• A. Kerberos authentication
• B. Code signing
• C. OCSP response signing
• D. Key recovery agent

Answer: D

NEW QUESTION 11
You have a server named Server1. A Microsoft Azure Backup of Server1 is created automatically every day.
You rename Server1 to Server2. you discover that backups are no longer created in Azure. You need to backup the server to Azure.
What should you do?

• A. From the Azure Management Portal, upload the Server2 certificae as a management certificate.
• B. On Server2, run the Start-OBRegistration cmdlet.
• C. On Server2, run the Add-WBBackupTarget cmdlet.
• D. From the Azure Management Portal, modify the configuration on the backup vault.

Answer: B

Explanation:
(https://azure.microsoft.com/pt-pt/documentation/articles/backup-azure-backup-faq)

NEW QUESTION 12
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The forest contains three Active Directory sites named SiteA, SiteB, and SiteC. The sites contain four domain controllers. The domain controllers are configured as shown in the following table.

An IP site link exits between each site.
You discover that the users in SiteC are authenticated by the domain controllers in SiteA and SiteB.
You need to ensure that the SiteC users are authenticated by the domain controllers in SiteB, unless all of the domain controllers in SiteB are unavailable.
What should you do?

• A. Create an SMTP site link between SiteB and SiteC.
• B. Create additional connection objects for DC3 and DC4.
• C. Decrease the cost of the site link between SiteB and SiteC.
• D. Create additional connection objects for DC1 and DC2.

Answer: C

Explanation:
By decreasing the site link cost between SiteB and SiteC the SiteC users would be authenticated by SiteB rather than by SiteA.

NEW QUESTION 13
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2. All servers run Windows Server 2012 R2.
Server1 and Server2 have the Network Load Balancing (NLB) feature installed. The servers are configured as nodes in an NLB cluster named Cluster1.
Port rules are configured for all clustered Applications.
You need to ensure that Server2 handles all client requests to the cluster that are NOT covered by a port rule.
What should you configure?

• A. Affinity-None
• B. Affinity-Single
• C. The cluster quorum settings
• D. The failover settings
• E. A file server for general use
• F. The Handling priority
• G. The host priority
• H. Live migration
• I. The possible owner
• J. The preferred owner
• K. Quick migration
• L. The Scale-Out File Server

Answer: G

Explanation:
Host Priorities
Each cluster host is assigned a unique host priority in the range of 1 to 32, where lower
numbers denote higher priorities. The host with the highest host priority (lowest numeric value) is called thedefault host. It handles all client traffic for the virtual IP addresses that is not specifically intended to be load-balanced. This ensures that server applications not configured for load balancing only receive client traffic on a single host. If the default host fails, the host with the next highest priority takes over as default host.
Reference: Network Load Balancing Technical Overview http://technet.microsoft.com/en-us/library/bb742455.aspx

NEW QUESTION 14
Which permission should you assign on a CA to a group of users that you want to allow to alter the list of recovery agents?

• A. Read
• B. Issue And Manage Certificates
• C. Manage CA
• D. Request Certificates.

Answer: C

NEW QUESTION 15
You have a server named Server1 that runs Windows Server 2012 R2. Windows Server 2012 R2 is installed on volume C.
You need to ensure that Safe Mode with Networking loads the next time Server1 restarts. Which tool should you use?

• A. The Msconfig command
• B. The Bootcfg command
• C. The Restart-Computer cmdlet
• D. The Restart-Server cmdlet

Answer: A

Explanation:
Use system config (Msconfig) to configure boot options.

Reference: System Configuration – aka MSCONFIG.

NEW QUESTION 16
Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1.
Server1 runs Windows Server 2012 R2 and has the Hyper-V server role installed. Server1 hosts 10 virtual machines.
A virtual machine named VM1 runs Windows Server 2012 R2 and hosts a processor- intensive Application named App1.
Users report that App1 responds more slowly than expected.
You need to monitor the processor usage on VM1 to identify whether changes must be made to the hardware settings of VM1.
Which performance object should you monitor on Server1?

• A. Hyper-V Hypervisor Logical Processor
• B. Processor
• C. Hyper-V Hypervisor Root Virtual Processor
• D. Process
• E. Hyper-V Hypervisor Virtual Processor

Answer: E

NEW QUESTION 17
Your network contains one Active Directory domain named contoso.com. The forest functional level is Windows Server 2012. All servers run Windows Server 2012 R2. All client computers run Windows 8.1.
The domain contains 10 domain controllers and a read-only domain controller (RODC) named RODC01. All domain controllers and RODCs are hosted on a Hyper-V host that runs Windows Server 2012 R2.
You need to identify which security principals are authorized to have their password cached on RODC01.
Which cmdlet should you use?

• A. Get-ADGroupMember
• B. Get-ADDomainControllerPasswordReplicationPolicy
• C. Get-ADDomainControllerPasswordReplicationPolicyUsage
• D. Get-ADDomain

Answer: B

Explanation:
The Get-ADDomainControllerPasswordReplicationPolicy gets the users, computers, service accounts and groups that are members of the applied list or denied list for a read- only domain controller's (RODC) password replication policy. To get the members of the applied list, specify the AppliedList parameter. To get the members of the denied list, specify the DeniedList parameter.
Example: Get from an RODC domain controller password replication policy the allowed accounts showing the name and object class of each:
Get-ADDomainControllerPasswordReplicationPolicy -Identity "FABRIKAM-RODC1" - Allowed | ft Name,ObjectClass
Reference: Get-ADDomainControllerPasswordReplicationPolicy https://technet.microsoft.com/en-us/library/ee617207.aspx

NEW QUESTION 18
Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1 that has the Active Directory Federation Services server role installed. All servers run Windows Server 2012.
You complete the Active Directory Federation Services Configuration Wizard on Server1. You need to ensure that client devices on the internal network can use Workplace Join. Which two actions should you perform on Server1? (Each correct answer presents part of
the solution. Choose two.)

• A. Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.
• B. Edit the multi-factor authentication global authentication policy settings.
• C. Run Enable-AdfsDeviceRegistration.
• D. Run Set-AdfsProxyProperties HttpPort 80.
• E. Edit the primary authentication global authentication policy settings.

Answer: CE

Explanation:
C. To enable Device Registration Service
On your federation server, open a Windows PowerShell command window and type: Enable-AdfsDeviceRegistration
Repeat this step on each federation farm node in your AD FS farm.
E. Enable seamless second factor authentication
Seamless second factor authentication is an enhancement in AD FS that provides an added level of access protection to corporate resources and applications from external devices that are trying to access them. When a personal device is Workplace Joined, it becomes a ‘known’ device and administrators can use this information to drive conditional access and gate access to resources.
To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices.
In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK.
Reference: Configure a federation server with Device Registration Service.

NEW QUESTION 19
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a DNS server named Server1. Server1 is configured to resolve single-label names for DNS clients.
You need to view the number of queries for single-label names that are resolved by Server1.
What command should you run?
To answer, select the appropriate options in the answer area.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
* The Get-DnsServerStatistics cmdlet retrieves statistics of a Domain Name System (DNS) server. If the ZoneName parameter is specified, this cmdlet gets statistics for the zones specified by that parameter.
* To help network administrators migrate to DNS for all name resolution, the DNS Server role in Windows Server 2008 (and later) supports a specially named zone, called GlobalNames. By deploying a zone with this name, you can have the static, global records with single-label names, without relying on WINS. These single-label names typically refer to records for important, well-known and widely-used servers—servers that are already assigned static IP addresses and that are currently managed by IT-administrators using WINS.

NEW QUESTION 20
HOTSPOT
Your network contains an Active Directory domain named contoso.com. You have a Dynamic Access Control policy named Policy1.
You create a new Central Access Rule named Rule1.
You need to add Rule1 to Policy1.
What command should you run?
To answer, select the appropriate options in the answer area.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
The Add-ADCentralAccessPolicyMember cmdlet adds central access rules to a central access policy in Active Directory.
Syntax: Add-ADCentralAccessPolicyMember [-Identity] <ADCentralAccessPolicy> [- Members] <ADCentralAccessRule[]>

NEW QUESTION 21
Your network contains one Active Directory domain named contoso.com. The domain contains the domain controllers configured as shown in the following table.

The functional level of the domain and the forest is Windows Server 2008. An administrator named Admin1 is a member of the Domain Admins group.
You need to ensure that Admin1 can deploy a Windows Server 2012 R2 domain controller to contoso.com.
What should you do?

• A. Raise the forest functional level.
• B. Run the Set-ADForestMode cmdlet.
• C. Raise the domain functional level.
• D. Run the adprep.exe command.
• E. Demote DC1 to a member server.
• F. Upgrade DC1 to Windows Server 2012.
• G. Add Admin1 to the Schema Admin Group.

Answer: DF

Explanation:
Adprep.exe commands run automatically as needed as part of the AD DS installation process on servers that run Windows Server 2012 or later. The commands need to run in the following cases:
* Before you add the first domain controller that runs a version of Windows Server that is later than the latest version that is running in your existing domain.
* Before you upgrade an existing domain controller to a later version of Windows Server, if that domain controller will be the first domain controller in the domain or forest to run that version of Windows Server.
Reference: Running Adprep.exe
https://technet.microsoft.com/en-us/library/dd464018(v=ws.10).aspx

NEW QUESTION 22
Your network contains an Active Directory domain named contoso.com.
You are creating a custom Windows Recovery Environment (Windows RE) image.
You need to ensure that when a server starts from the custom Windows RE image, a drive is mapped automatically to a network share.
What should you modify in the image?

• A. startnet.cmd
• B. Xsl-mApp1ngs.xml
• C. Win.ini
• D. smb.types.ps1xml

Answer: A

Explanation:
The best way to define what to start is using starnet.cmd. http://technet.microsoft.com/en-us/library/cc766521(v=ws.10).aspx

NEW QUESTION 23
HOTSPOT

You discover that when users connect to app1.contoso.com, they are connected frequently to a server that is not on their local subnet.
You need to ensure that when the users connect to app1.contoso.com, they connect to a server on their local subnet. The connections must be distributed across the servers that host app1.contoso.com on their subnet.
Which options should you select?

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 24
You work as an administrator at contoso.com. Contoso.com network consists of a single domain named contoso.com.
All servers on the contoso.com network have Windows Server 2012 R2 installed. Contoso.com has a server,named SERVER1,which has the AD DS, DHCP and DNS
server roles installed.
Contoso.com also has a server named SERVER2,which has the DHCP and Remote Access Server Role installed.
You have configured a server,which has the File and Storage Services Server role installed.to automatically acquire an IP address.
The server is named Server3.
You then create a filter on SERVER1.
Which of the following is a reason for this configuration?

• A. To make sure that SERVER1 issues Server3 an IP address.
• B. To make sure that SERVER1 does not issue SERVER3 an IP address
• C. To make sure that SERVER3 acquires a constant IP address from SERVER2 only.
• D. To make sure that SERVER3 is configured with a static IP address

Answer: B

Explanation:
A. MAC Address Filtering allows the ability to Deny a MAC addresses to be issued a IP from the DHCP server
B. Deny Filter would not allow SERVER1 to issue SERVER3 an IP.
C. A DHCP Reservation on SERVER2 would be needed for a constant IP.
D. QUESTION: states it is configure to automatically acquire IP http://technet.microsoft.com/en-us/library/cc779507(v=ws.10).aspx. http://technet.microsoft.com/en-us/library/ee941155(v=ws.10).aspx.

NEW QUESTION 25
DRAG DROP
Your network contains an Active Directory domain named contoso.com. The domain contains two member servers named Server1 and Server2 that run Windows Server 2012 R2.
You configure a new failover cluster named Cluster1. Server1 and Server2 are nodes in Cluster1. You need to configure the disk that will be used as a witness disk for Cluster1.
How should you configure the witness disk?
To answer, drag the appropriate configurations to the correct location or locations. Each configuration may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Disk witness requirements include:
* Basic disk with a single volume
* Can be formatted with NTFS or ReFS

NEW QUESTION 26
You are emloyed as a network administrator at ABC.com.
Abc.com has an Active directory domain named ABC.com all servers on the ABC.com network have Windows Server 2012 R2.
The ABC.com domain has two Active Directory sites configured.
You want to make use of change notification configure replication between these Active Directory Sites.
You have opened DEFAULTIPSITELINK Properties to configure the necessary attribute. Which of the following is the attribute that needs to be configured?

• A. The revisiobn attribute
• B. The Options attribute
• C. The schedule attribute
• D. The proxyAddresses attribute

Answer: B

NEW QUESTION 27
......