2013 Latest MCSA 70-417 Exam Questions 16-20


You have a server named Server1 that has the Web Server (IIS) server role installed.
You obtain a Web Server certificate.
You need to configure a website on Server1 to use Secure Sockets Layer (SSL). To which store should you import the certificate?
To answer, select the appropriate store in the answer area.
Correct Answer: Personal (Local Computer)
Section: Certificates
The Web Server certificate must be imported, together with its private key, into the Personal store of the local computer account (Cert:\LocalMachine\My), not into the current user's Personal store. IIS runs as a service and only looks for server certificates in the computer's stores, so a certificate imported under a user account cannot be selected for an SSL binding.
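The import and binding described above, as an added example that is not part of the original page. It assumes the certificate and its private key were delivered as C:\certs\server1.pfx and that the site is "Default Web Site" (both hypothetical); it runs in an elevated PowerShell on Server1 with the WebAdministration module (IIS 8, Windows Server 2012).

```powershell
# Added example, not from the original page: import a Web Server certificate into the
# Local Computer "Personal" store and bind it to an HTTPS site on Server1.
# Assumptions: the certificate and its private key are in C:\certs\server1.pfx and the
# site is "Default Web Site". Run in an elevated PowerShell on Server1.
Import-Module WebAdministration

$pfxPath     = 'C:\certs\server1.pfx'
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Cert:\LocalMachine\My is the Personal store of the computer account. Importing into
# Cert:\CurrentUser\My would succeed, but IIS (running as a service) would never see it.
$cert = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $pfxPassword

# If the CA returned only a .cer for a CSR generated on this server, use instead:
#   certreq -accept C:\certs\server1.cer
# which pairs the certificate with the pending private key already in the computer store.

# Checks worth doing before binding.
if (-not $cert.HasPrivateKey) { throw 'No private key: IIS cannot use this certificate for SSL.' }
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has already expired.' }
$serverAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuth })) {
    throw 'Certificate lacks the Server Authentication EKU.'
}

# Create the HTTPS binding (all addresses, port 443) if the site does not have one yet.
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
# Attach the certificate to the binding through the IIS: SslBindings provider.
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $cert | Out-Null

# Verify from both sides: IIS sees the thumbprint, and HTTP.sys has the binding.
Get-Item $sslPath | Select-Object IPAddress, Port, Thumbprint
netsh http show sslcert ipport=0.0.0.0:443
```

The thumbprint printed by netsh should equal $cert.Thumbprint; if it does not, HTTP.sys is still serving an older certificate from the same store and the binding needs to be recreated.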

Your network contains an Active Directory forest named contoso.com.
All domain controllers currently run Windows Server 2008 R2.
You plan to install a new domain controller named DC4 that runs Windows Server 2012. The new domain controller will have the following configurations:
Schema master
Global catalog server
DNS Server server role
Active Directory Certificate Services server role
You need to identify which configurations cannot be fulfilled by using the Active Directory Installation
Which two configurations should you identify? (Each correct answer presents part of the solution. Choose two.)
A. Enable the global catalog server.
B. Install the Active Directory Certificate Services role.
C. Transfer the schema master.
D. Install the DNS Server role.
Correct Answer: BC
Section: DC, AD, GPO & FSMO roles
The Active Directory Domain Services Configuration Wizard (Install-ADDSDomainController in Windows Server 2012) installs the DNS Server role and offers the global catalog option as part of the promotion. AD CS is a separate server role that must be installed through Add Roles and Features, and the schema master is transferred afterwards with the Active Directory Schema snap-in, ntdsutil, or Move-ADDirectoryServerOperationMasterRole.
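The same four configurations carried out from PowerShell, as an added example that is not part of the original page. Names are assumptions taken from the question (DC4, contoso.com) plus a hypothetical CONTOSO\Administrator account that is a member of Schema Admins and Enterprise Admins, which the 2012 wizard needs to run adprep against the 2008 R2 forest.

```powershell
# Added example, not from the original page: promote DC4 into contoso.com with the two
# options the wizard supports (DNS Server, global catalog), then do the two it does not
# (schema master transfer, AD CS) as separate steps afterwards.
# Assumed names: DC4, contoso.com, CONTOSO\Administrator (Schema Admins + Enterprise Admins).
# Run elevated on DC4.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString
# -InstallDns: the DNS Server role is installed by the wizard (option D).
# -NoGlobalCatalog:$false: the wizard makes DC4 a global catalog server (option A).
Install-ADDSDomainController `
    -DomainName 'contoso.com' `
    -Credential (Get-Credential 'CONTOSO\Administrator') `
    -InstallDns `
    -NoGlobalCatalog:$false `
    -SiteName 'Default-First-Site-Name' `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# DC4 reboots at this point; everything below runs after the reboot, on DC4.

# Not done by the wizard (option C): transfer the schema master to DC4.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC4' -OperationMasterRole SchemaMaster -Confirm:$false
if ((Get-ADForest).SchemaMaster -ne 'DC4.contoso.com') { throw 'Schema master transfer did not take effect.' }

# Not done by the wizard (option B): AD CS is its own role, installed and configured separately.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName 'contoso-DC4-CA' -Force
```

Outside of an exam scenario, putting a CA on a domain controller is a poor choice: the CA key inherits the DC's attack surface and the DC can no longer be demoted without first decommissioning the CA.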

Your network contains an Active Directory forest.
The forest contains two domains named contoso.com and corp.contoso.com. The forest contains four domain controllers.
The domain controllers are configured as shown in the following table.
All domain controllers are DNS servers.
In the corp.contoso.com domain, you plan to deploy a new domain controller named DC5.
You need to identify which domain controller must be online to ensure that DC5 can be promoted successfully to a domain controller. Which domain controller should you identify?
A. DC3
B. DC4
C. DC2
D. DC1
Correct Answer: C
Section: DC, AD, GPO & FSMO roles
Explanation/Reference: initial answer: DC3 => false; my first answer was RID too,
as a DC requires a RID Master to get an account-identifier pool so it can create accounts in AD.
But as we have only one choice and the Domain Naming Master is explicitly designated as being required when promoting a DC, I changed the answer to DC2.
Managing RID Pool Depletion
Anytime you create a writable DC, it gets 500 new RIDs from the RID Master.
Domain Naming Master
Active Directory stores pointers to other domains in a CrossRef object located in the Partitions container of the Configuration naming context. This object contains attributes that describe the distinguished name, DNS name, flat name and naming-context name of the domain, along with the kind of trust relationship that binds the domain to the forest.
When you create a new domain in an existing forest, the new domain represents a separate naming context and a new CrossRef object must be created in the Partitions container. Only one domain controller in a forest, the Domain Naming Master, is allowed to make changes to the Partitions container. This prevents two administrators from creating new domains with identical names during the same replication interval.
By default, the Domain Naming Master is the first domain controller in a forest, but the role can be transferred to any domain controller through the Active Directory Domains and Trusts snap-in. The Domain Naming Master should always reside in the root domain.
FSMO Roles in Active Directory in Windows Server 2008
1. Forest Roles
Schema Master – Holds the only writable copy of the schema. Changes to object classes or attributes are made on this single domain controller and then replicated to every other domain controller in the forest; funnelling schema changes through one DC prevents conflicting edits from corrupting the schema. This is one of the most important FSMO roles.
Domain Naming Master – Used rarely, only when a domain (or application partition) is added to or removed from the forest. It ensures that every domain name in the forest is unique.
2. Domain Roles
Infrastructure Master – Keeps cross-domain object references up to date (for example, members of a local group who belong to another domain) by comparing them with the global catalog and updating the references when the referenced objects are renamed or moved.
RID Master – Allocates pools of relative identifiers (RIDs) to the domain's domain controllers, which guarantees that every security principal created in the domain receives a unique SID.
PDC Emulator – Handles account-related tasks such as password changes (urgent replication of password changes and lockouts, final authority on password validation) and acts as the time synchronization master for the domain.
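A way to answer "which role holders must be online before I promote a DC" on a real forest rather than from a table, as an added example that is not part of the original page. It enumerates every FSMO holder, binds to each over LDAP to prove it is reachable, and runs the RID manager check, because a new writable DC draws its first RID block from the RID master (see "Managing RID Pool Depletion" above). The forest and domain names (contoso.com, corp.contoso.com) are assumptions taken from the question.

```powershell
# Added example, not from the original page: list all FSMO role holders in the forest,
# confirm each answers LDAP, and check the RID master before promoting a new DC.
# Assumed names: forest contoso.com, child domain corp.contoso.com.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    param([string]$ForestName = 'contoso.com')
    $forest = Get-ADForest -Identity $ForestName
    $holders = @(
        [pscustomobject]@{ Role = 'SchemaMaster';       Scope = $forest.Name; Holder = $forest.SchemaMaster }
        [pscustomobject]@{ Role = 'DomainNamingMaster'; Scope = $forest.Name; Holder = $forest.DomainNamingMaster }
    )
    foreach ($domainName in $forest.Domains) {
        $d = Get-ADDomain -Identity $domainName
        $holders += [pscustomobject]@{ Role = 'RIDMaster';            Scope = $d.DNSRoot; Holder = $d.RIDMaster }
        $holders += [pscustomobject]@{ Role = 'PDCEmulator';          Scope = $d.DNSRoot; Holder = $d.PDCEmulator }
        $holders += [pscustomobject]@{ Role = 'InfrastructureMaster'; Scope = $d.DNSRoot; Holder = $d.InfrastructureMaster }
    }
    $holders
}

function Test-FsmoOnline {
    param([string]$ForestName = 'contoso.com')
    foreach ($h in Get-FsmoHolders -ForestName $ForestName) {
        $online = $false
        try {
            # An LDAP bind to rootDSE, not a ping: a DC that answers ICMP but whose
            # directory service is stopped is still useless for promotion.
            $root   = [ADSI]"LDAP://$($h.Holder)/rootDSE"
            $online = [string]$root.defaultNamingContext -ne ''
        } catch {
            $online = $false
        }
        [pscustomobject]@{ Role = $h.Role; Scope = $h.Scope; Holder = $h.Holder; Online = $online }
    }
}

Test-FsmoOnline | Format-Table -AutoSize

# The RID master of the domain receiving the new DC must be reachable; dcdiag's RidManager
# test verifies that and reports the domain's remaining RID space.
$ridMaster = (Get-ADDomain -Identity 'corp.contoso.com').RIDMaster
dcdiag /test:RidManager /v /s:$ridMaster
```

Any row with Online = False for a role in the target domain, or a failing RidManager test, is the thing to fix before running the promotion.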

Your network contains an Active Directory domain named contoso.com.
The domain contains servers named Server1 and Server2 that run Windows Server 2012. Server1 has the IP Address Management (IPAM) Server feature installed.
You install the IPAM client on Server2.
You open Server Manager on Server2 as shown in the exhibit.
You need to manage IPAM from Server2. What should you do first?
A. On Server2, open Computer Management and connect to Server1.
B. On Server1, add the Server2 computer account to the IPAM ASM Administrators group.
C. On Server2, add Server1 to Server Manager.
D. On Server1, add the Server2 computer account to the IPAM MSM Administrators group.
Correct Answer: C
Section: Remote Management & Server Core
In the exhibit, Server Manager on Server2 lists only one managed server (Server2 itself; Server Manager always contains at least the local server), so Server1 has not been added to it.
To manage IPAM from Server2, Server1 must first be added to Server Manager on Server2 (Manage > Add Servers); the IPAM client only connects to IPAM servers that are in Server Manager's purview. Options B and D add a computer account to groups meant for user accounts and would not help.
Step-by-Step: Configure IPAM to Manage Your IP Address Space
IP Address Management (IPAM) in Windows Server 2012 is a framework for discovering, monitoring, managing and auditing IP address space on a corporate network. IPAM provides the following features:
Automatic IP address infrastructure discovery
Highly customizable IP address space display, reporting, and management
Configuration change auditing for DHCP and IPAM services
Monitoring and management of DHCP and DNS services
IP address lease tracking
IPAM security groups
The following local IPAM security groups are created when you install IPAM.
IPAM Users: Members of this group can view all information in server discovery, IP address space, and server management. They can view IPAM and DHCP server operational events, but cannot view IP address tracking information.
IPAM MSM Administrators: IPAM multi-server management (MSM) administrators have IPAM Users privileges and can perform IPAM common management tasks and server management tasks.
IPAM ASM Administrators: IPAM address space management (ASM) administrators have IPAM Users privileges and can perform IPAM common management tasks and IP address space tasks. (that’s a user group, not a computer group)
IPAM IP Audit Administrators: Members of this group have IPAM Users privileges and can perform IPAM common management tasks and can view IP address tracking information.
IPAM Administrators: IPAM Administrators have the privileges to view all IPAM data and perform all IPAM tasks.
Understand and Troubleshoot IP Address Management (IPAM) in Windows Server 8 Beta
If you are accessing the IPAM server remotely using the Server Manager IPAM client (RSAT), then you must be a member of the WinRMRemoteWMIUsers__ group on the IPAM server, in addition to being a member of the appropriate IPAM security group (or the local Administrators group).
Installation Process – IPAM Client
Although the IPAM client feature is automatically installed on a Windows Server "8" Beta server along with the IPAM Server feature, this component can also be installed or uninstalled on its own. Click through the Add Roles and Features Wizard screens to select Role-based or feature-based installation and the target server. On the Select Features screen, select Remote Server Administration Tools -> Feature Administration Tools -> IP Address Management (IPAM) Client. Click Add Features when prompted. [...]
In order for the IPAM client to connect to an IPAM server, you must ensure that the target IPAM server is added to the Server Manager purview using the Add Servers wizard launched from the Manage menu. If both IPAM client and IPAM server are running on the same server, then by default the IPAM UI connects to the local IPAM server instance.
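The client-side prerequisites from the two passages above (WinRM connectivity to the IPAM server, and membership of an IPAM group plus WinRMRemoteWMIUsers__ on that server), as an added example that is not part of the original page or of Microsoft's documentation. Assumptions: IPAM server Server1 and client Server2 from the question, a hypothetical user CONTOSO\ipamadmin who should manage address space only, and that WinRMRemoteWMIUsers__ exists as a local group on the member server Server1 (on a domain controller it is a domain group instead). Adding Server1 to Server Manager itself has no cmdlet and is done in the console (Manage > Add Servers).

```powershell
# Added example, not from the original page: prepare a remote IPAM console user on the
# IPAM server. Assumptions: IPAM server Server1, client Server2, user CONTOSO\ipamadmin
# (address-space management only). Run on Server2 as a member of Server1's local
# Administrators group.
$ipamServer = 'Server1'
$user       = 'CONTOSO\ipamadmin'

# Server Manager reaches Server1 over WinRM. If this fails, Server1 will show as offline
# after being added to Server Manager and the IPAM client will not connect either.
Test-WSMan -ComputerName $ipamServer -ErrorAction Stop | Out-Null

function Add-LocalGroupMemberRemote {
    param([string]$Computer, [string]$Group, [string]$Account)
    # WinNT ADSI provider: local groups are WinNT://<computer>/<group>,group and domain
    # accounts are WinNT://<domain>/<user>. (Add-LocalGroupMember does not exist on 2012.)
    $grp     = [ADSI]"WinNT://$Computer/$Group,group"
    $samName = $Account.Split('\')[-1]
    $members = @($grp.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    if ($members -contains $samName) { return "$Account is already in $Group on $Computer" }
    $grp.Add('WinNT://' + ($Account -replace '\\', '/'))
    "$Account added to $Group on $Computer"
}

# Least privilege: ASM Administrators rather than IPAM Administrators, plus the WinRM/WMI
# group a remote Server Manager/IPAM client needs. Both are user groups; adding the
# Server2 computer account to them (options B and D in the question) achieves nothing.
Add-LocalGroupMemberRemote -Computer $ipamServer -Group 'IPAM ASM Administrators' -Account $user
Add-LocalGroupMemberRemote -Computer $ipamServer -Group 'WinRMRemoteWMIUsers__'   -Account $user
```

The user has to log off and on again (new token) before the IPAM console on Server2 picks up the new memberships.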

Your network contains an Active Directory domain named contoso.com.
The domain contains a domain controller named DC1 and a member server named Server1. Server1 has the IP Address Management (IPAM) Server feature installed.
On DC1, you configure Windows Firewall to allow all of the necessary inbound ports for IPAM. On Server1, you open Server Manager as shown in the exhibit.
You need to ensure that you can use IPAM on Server1 to manage DNS on DC1. What should you do?
A. Modify the outbound firewall rules on Server1.
B. Add Server1 to the Remote Management Users group.
C. Add Server1 to the Event Log Readers group.
D. Modify the inbound firewall rules on Server1.
Correct Answer: C
Section: Network (DNS, DHCP, NIC teaming, IPAM, VPN, NAP, DirectAccess…)
Explanation
The exhibit's Details tab shows that the firewall rules needed for DNS management are already in place (DNS RPC Access Status: Unblocked), but that Event Log Access Status is Blocked, which keeps the overall IPAM Access Status blocked.
Event log access is granted through group membership rather than firewall rules, so the fix is to add the Server1 computer account to the domain's built-in Event Log Readers group; neither firewall option on Server1 (A, D) addresses DC1, and Remote Management Users (B) does not grant event log read access.
Understand and Troubleshoot IP Address Management (IPAM) in Windows Server 8 Beta
(download.microsoft.com) IPAM Access Monitoring
IPAM Access Settings (role; access setting; firewall rules; associated IPAM functionality)
Role: DHCP
  Access setting: Membership of the 'DHCP Users' security group; read access in the 'DHCP Server' service ACL
  Firewall rules: DHCP Server (RPC); DHCP Server (RPCSS-In); Remote Service Management (RPC); Remote Service Management (RPC-EPMAP)
  Associated IPAM functionality: DHCP address space settings and utilization data collection; DHCP service monitoring
Role: DHCP
  Access setting: Membership of the 'Event Log Readers' security group
  Firewall rules: Remote Event Log Management (RPC); Remote Event Log Management (RPC-EPMAP)
  Associated IPAM functionality: DHCP configuration event monitoring
Role: DHCP
  Access setting: Creation of the network share 'dhcpaudit' for the DHCP audit file location (default location for logs is …) and read access on the share
  Firewall rules: File and Printer Sharing (NB-Session-In); File and Printer Sharing (SMB-In)
  Associated IPAM functionality: DHCP lease event collection for IP address tracking
Role: DNS
  Access setting: Read access in the domain-wide DNS ACL* (for DNS servers co-located with a DC); membership of the local Administrators group on the DNS server (for DNS servers not co-located with a DC)
  Firewall rules: DNS Service (RPC); DNS Service (RPC Endpoint Mapper)
  Associated IPAM functionality: DNS zone configuration
Role: DNS
  Access setting: Membership of the 'Event Log Readers' security group; read access in the ACL stored in the DNS registry key
  Firewall rules: Remote Event Log Management (RPC); Remote Event Log Management (RPC-EPMAP)
  Associated IPAM functionality: DNS zone event collection for DNS zone monitoring
Manual provisioning
For manual provisioning, ensure that the required access settings are appropriately configured on the target server manually.
Verify Access
Verify that IPAM access status is listed as unblocked indicating that manual or GPO based provisioning is successfully complete.
For the IPAM access status value to be allowed, all of the access sub-states shown in the details pane should be marked as allowed. These access states are:
DNS RPC access status
DHCP RPC access status
Event log access status
DHCP audit share access status
Troubleshooting Access Issues
If any of the access sub-states for a managed server role shows Blocked, check that the corresponding setting is enabled on the target server. For the mapping of access settings to sub-states, refer to the IPAM Access Monitoring section in this guide. For GPO-based provisioning, the GPResult command-line tool can be used to troubleshoot Group Policy update issues. The provisioning task set up by the IPAM DHCP and DNS GPOs creates a troubleshooting log in %windir%\temp named IpamDhcpLog.txt and IpamDnsLog.txt respectively.
IPAM – Unblock access to a DC?
The process to manually (not GPO based) unblock a DNS/DC server is:
1. Enable DNS RPC access by enabling the following inbound Firewall rules:
a) DNS Service (RPC)
b) DNS Service (RPC Endpoint Mapper)
2. Enable remote management access by enabling the following inbound Firewall rules:
a) Remote Service Management (RPC)
b) Remote Service Management (RPC-EPMAP)
3. Enable Remote Event Log Management RPC access by enabling the following inbound Firewall rules:
a) Remote Event Log Management (RPC)
b) Remote Event Log Management (RPC-EPMAP)
4. Add the IPAM server's computer account to the Event Log Readers domain security group (in Active Directory Users and Computers: contoso.com > Builtin > Event Log Readers).
The Details tab at the bottom of the IPAM server inventory view then summarizes whether the required firewall ports and the Event Log Access status are unblocked.
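The four manual steps above as one script, with the verification a practitioner wants afterwards, as an added example that is not part of the original page. Assumptions: IPAM server Server1 and domain controller DC1 from the question, firewall rule display names exactly as listed in the steps above (confirm them on the target with Get-NetFirewallRule -DisplayGroup, since names vary between Windows versions), and the NetSecurity and ActiveDirectory modules available on DC1 (both ship with Windows Server 2012). Run elevated on DC1.

```powershell
# Added example, not from the original page: manual (non-GPO) provisioning of DC1 so that
# the IPAM server Server1 can manage its DNS, following the four steps above, then a check.
# Assumptions: IPAM server Server1, managed DC DC1, rule names as listed on the page.
$ipamServer = 'Server1'
$rules = @(
    'DNS Service (RPC)',                      # step 1
    'DNS Service (RPC Endpoint Mapper)',
    'Remote Service Management (RPC)',        # step 2
    'Remote Service Management (RPC-EPMAP)',
    'Remote Event Log Management (RPC)',      # step 3
    'Remote Event Log Management (RPC-EPMAP)'
)

# Steps 1-3: enable the inbound rules on DC1. -ErrorAction Stop makes a misspelled or
# missing rule name fail loudly instead of silently leaving a sub-state Blocked.
foreach ($name in $rules) {
    Get-NetFirewallRule -DisplayName $name -ErrorAction Stop |
        Where-Object { $_.Direction -eq 'Inbound' } |
        Enable-NetFirewallRule
}

# Step 4: the IPAM server's computer account goes into the domain's built-in
# Event Log Readers group (the "Add Server1 to the Event Log Readers group" answer).
Import-Module ActiveDirectory
$ipamAccount = Get-ADComputer -Identity $ipamServer
Add-ADGroupMember -Identity 'Event Log Readers' -Members $ipamAccount

# Verification: every required rule enabled, and the account really a member.
function Test-IpamDcProvisioning {
    param([string[]]$RuleNames, [string]$IpamComputer)
    $disabled = foreach ($n in $RuleNames) {
        Get-NetFirewallRule -DisplayName $n |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -ne 'True' }
    }
    $members = Get-ADGroupMember -Identity 'Event Log Readers' |
        Select-Object -ExpandProperty SamAccountName
    [pscustomobject]@{
        FirewallRulesOk = (-not $disabled)
        EventLogReader  = ($members -contains "$IpamComputer`$")
    }
}
Test-IpamDcProvisioning -RuleNames $rules -IpamComputer $ipamServer
```

The group membership is carried in Server1's computer-account token, so the Event Log Access status stays Blocked until Server1 obtains a new ticket (reboot it, or run `klist -li 0x3e7 purge` on Server1 and let IPAM retry); only then should the Details tab show every sub-state Unblocked.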
