微软题库分析网站:
http://www.latesttest.com/2013-latest-mcsa-70-410-exam-questions-176-180-2.html
QUESTION 39
Your network contains an Active Directory domain named contoso.com. The domain contains a servernamed Server1. Server1 runs Windows Server 2012 and has the Hyper-V server role installed.On Server1, you create a virtual machine named VM1. When you try to add a RemoteFX 3D Video Adapterto VM1, you discover that the option is unavailable as shown in the following exhibit.
You need to add the RemoteFX 3D Video Adapter to VM1.What should you do first?
A.On Server1, run the Enable-VMRemoteFxPhysicalVideoAdapter cmdlet.
B.On Server1, install the Media Foundation feature.
C.On Server1, run the Add-VMRemoteFx3dVideoAdapter cmdlet.
D.On Server1, install the Remote Desktop Virtualization Host (RD Virtualization Host) role service.
Correct Answer: D
释疑:http://technet.microsoft.com/zh-CN/library/ff817604(v=ws.10).aspx
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 9
Your company has an Active Directory forest. Not all domain controllers in the forest are configured asGlobal Catalog Servers. Your domain structure contains one root domain and one child domain. You modifythe folder permissions on a file server that is in the child domain. You discover that someAccess Control entries start with S-1-5-21... and that no account name is listed.You need to list the account names. What should you do?
A.Move the RID master role in the child domain to a domain controller that holds the Global Catalog.
B.Modify the schema to enable replication of the friendlynames attribute to the Global Catalog.
C.Move the RID master role in the child domain to a domain controller that does not hold the GlobalCatalog.
D.Move the infrastructure master role in the child domain to a domain controller that does not hold theGlobal Catalog
翻译:公司有一个AD林,其中不是所有的DC都是GC。域环境由一个根域和一个子域组成。你在一台子域中的文件服务器上,更改了一个文件夹的权限。你发现该文件夹的访问控制列表中,出现了S-1-5-21的项(没有用户账户名被显示)。你需要恢复显示用户账户名,你应该怎么做?
释疑:每个域中,都应该包含唯一的
-
Relative ID (RID) master
-
Primary domain controller (PDC) emulator master
-
Infrastructure master
基础结构主机不应该与GC放在一起,除非域中只有一台DC,或是所有的DC都是GC。因为当基础结构主机与GC在同一主机时,基础结构主机将不再复制其他域中账户和组权限等信息的变更。
http://technet.microsoft.com/en-us/library/cc773108(v=WS.10).aspx
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 47
Your network contains an Active Directory domain named contoso.com. The domain contains two serversnamed Server1 and Server2. Server1 runs Windows Server 2012. Server2 runs Windows Server 2008 R2Service Pack 1 (SP1) and has the DHCP Server server role installed. You need to manage DHCP onServer2 by using the DHCP console on Server1. What should you do first?
A.From Server Manager on Server2, enable Windows Remote Management.
B.From a command prompt on Server2, run winrm.exe.
C.From Server Manager on Server1, install a feature.
D.From the Microsoft Management Console on Server1, add a snap-in.
Correct Answer: A
释疑:winrm.exe就是windows remote management的缩写。选择B应该要改成winrm.exe quickconfig参数。
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 18
Your network contains an Active Directory domain named contoso.com. The domain contains a servernamed Server1 that runs Windows Server 2012 and has the Remote Access server role installed.A user named User1 must connect to the network remotely. The client computer of User1 requiresChallenge Handshake Authentication Protocol (CHAP) for remote connections. CHAP is enabled onServer1.You need to ensure that User1 can connect to Server1 and authenticate to the domain. What should you dofrom Active Directory Users and Computers?
A.From the properties of Server1, select Trust this computer for delegation to any service (Kerberos only).B.From the properties of Server1, assign the Allowed to Authenticate permission to User1.C.From the properties of User1, select Use Kerberos DES encryption types for this account.D.From the properties of User1, select Store password using reversible encryption.
Correct Answer: D
释疑:
Set the value for Store password using reversible encryption to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to Enabled. This presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers.
http://technet.microsoft.com/en-us/library/hh994559.aspx
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 9
Your network contains multiple subnets. On one of the subnets, you deploy a server named Server1 that
runs Windows Server 2012. You install the DNS Server server role on Server1, and then you create astandard primary zone named contoso.com. You need to ensure that client computers can resolve single-label names to IP addresses. What should you do first?
A.Create a reverse lookup zone.
B.Convert the contoso.com zone to an Active Directory-integrated zone.
C.Configure dynamic updates for contoso.com.
D.Create a GlobalNames zone.
Correct Answer: D
释疑:GlobalNames Zone 的作用就是用来解析单标签域名。因为在IPv6的环境中不在支持Wins服务器,导致某些必须使用单标签域名的应用程序无法使用。http://technet.microsoft.com/en-us/library/cc731744.aspx
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 20
Your network contains a server named Server1 that runs Windows Server 2012. Server1 is a member of aworkgroup. You need to configure a local Group Policy on Server1 that will apply only to non-administrators.
Which tool should you use?
A.Server Manager
B.Group Policy Management Editor
C.Group Policy Management
D.Group Policy Object Editor
Correct Answer: D
释疑:http://www.sevenforums.com/tutorials/151415-group-policy-apply-specific-user-group.html
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DHCP Guard
启用DHCP Guard的虚拟机,会想预控询问DHCP的合法列表。进而决定应该在交换的哪些端口上侦听DHCP 报文 。
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 17
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server2012.Client computers run either Windows 7 or Windows 8.All of the computer accounts of the client computers reside in an organizational unit (OU) named Clients. AGroup Policy object (GPO) named GP01 is linked to the Clients OU. All of the client computers use a DNSserver named Server1.You configure a server named Server2 as an ISATAP router. You add a host (A) record for ISATAP to thecontoso.com DNS zone.You need to ensure that the client computers locate the ISATAP router.What should you do?
A.Run the Add-DnsServerResourceRecord cmdlet on Server1.
B.Configure the DNS Client Group Policy setting of GPO1.
C.Configure the Network Options Group Policy preference of GPO1.
D.Run the Set-DnsServerGlobalQueryBlockList cmdlet on Server1.
Correct Answer: D
翻译:在DNS服务器重添加了一条ISATAP的host(A)记录。怎样才能确保客户端可以定位ISATAP路由器。
释疑:默认设置dns不会解析在Set-DnsServerGlobalQueryBlockList 列表中出现的域名。并且默认global query block list不会包含ISATAP和WPAD的域名解析。(By default, the global query block list contains the following items: ISATAP and WPAD. )
参考链接:
http://technet.microsoft.com/en-us/library/jj649857.aspx
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 41
Your network contains an Active Directory domain named contoso.com. All domain controllers run WindowsServer 2012. You create and enforce the default AppLocker executable rules. Users report that they can nolonger execute a legacy application installed in the root of drive C. You need to ensure that the users canexecute the legacy application. What should you do?
A.Modify the action of the existing rules.
B.Create a new rule.
C.Add an exception to the existing rules.
D.Delete an existing rule.
Correct Answer: B
翻译:当你创建执行了一条Applocker可执行默认规则时,用户报告不能运行C盘根目录下的旧版程序。要确保用户能运行该程序,你应该做什么?
释疑:
右边红框中的三条规则,即是默认可执行规则,所以除了该三条路径下,并且有用户权限的程序,才可以运行。
http://www.sevenforums.com/tutorials/7844-applocker-create-new-rules.html
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 45Your network contains two subnets. The subnets are configured as shown in the following table.
You have a server named Server2 that runs Windows Server 2012. Server2 is connected to LAN1. You runthe route print command as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that Server2 can communicate with the client computers on LAN2.What should you do?
A.Change the metric of the 10.10.1.0 route.
B.Set the state of the Teredo interface to disable.
C.Set the state of the Microsoft ISATAP Adapter #2 interface to disable.
D.Run route delete 172.23.2.0.
Correct Answer: D
翻译:让server2能访问Lan2,我们需要做什么配置
释疑:目标网络172.23.2.0,默认网关不能设置成172.23.1.0,应该为172.23.1.1
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 24
Your network contains an Active Directory domain named contoso.com. The domain contains 500 serversthat run Windows Server 2012. You have a written security policy that states the following:
Only required ports must be open on the servers.All of the servers must have Windows Firewall enabled.Client computers used by Administrators must be allowed to access all of the ports on all of the servers.Client computers used by the Administrators must be authenticated before the client computers can accessthe servers.
You have a client computer named Computer1 that runs Windows 8. You need to ensure that you can useComputer1 to access all of the ports on all of the servers successfully. The solution must adhere to thesecurity policy.Which three actions should you perform? (Each correct answer presents part of the solution.Choose three.)
A.On Computer1, create a connection security rule
B.On all of the servers, create an outbound rule and select the Allow the connection if it is secureoption.
C.On all of the servers, create an inbound rule and select the Allow the connection if it is secureoption.
D.On Computer1, create an inbound rule and select the Allow the connection if it is secureoption.
E.On Computer1, create an outbound rule and select the Allow the connection if it is secureoption
F.On all of the servers, create a connection security rule
Correct Answer: ACF
翻译: 网络安全策略要求满足:
在服务器上闭关所有不需要的端口。
所有的服务器必须启用防火墙。
管理员客户端允许访问所有的服务器端口。
在管理员客户端访问服务器之前,客户端必须被认证。
释疑:
Connection security involves the authentication of two computers before they begin communications and the securing of information sent between two computers. Windows Firewall with Advanced Security uses Internet Protocol security (IPsec) to achieve connection security by using key exchange, authentication, data integrity, and, optionally, data encryption.
 Note |
|---|
| Unlike firewall rules, which operate unilaterally, connection security rules require that both communicating computers have a policy with connection security rules or another compatible IPsec policy. |
Connection security rules use IPsec to secure traffic while it crosses the network. You use connection security rules to specify that connections between two computers must be authenticated or encrypted. You might still have to create a firewall rule to allow network traffic protected by a connection security rule.
http://technet.microsoft.com/en-us/library/cc772017.aspx
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 49
Your network contains an Active Directory domain named contoso.com. The network contains a memberserver named Server1 that runs Windows Server 2012. Server1 has the DNS Server server role installedand has a primary zone for contoso.com. The Active Directory domain contains 500 client computers. Thereare an additional 20 computers in a workgroup. You discover that every client computer on the network canadd its record to the contoso.com zone. You need to ensure that only the client computers in the ActiveDirectory domain can register records in the contoso.com zone.What should you do first?
A.Move the contoso.com zone to a domain controller that is configured as a DNS server
B.Configure the Dynamic updates settings of the contoso.com zone
C.Sign the contoso.com zone by using DNSSEC
D.Configure the Security settings of the contoso.com zone.
Correct Answer: A
翻译:域contoso.com有一台成员服务器server1,server1安装了DNS角色,并创建了主DNS区域contoso.com。该域包含500台客户端。并且有20台客户端在工作组中。你发现网络中的每台客户端都可以将自己的记录加入contoso.com的DNS区域中。你需要确保仅仅在域中的客户端可以在contoso.com中注册他们的记录。你首先应该做什么?
释疑:将server1上的DNS区域contoso.com移动到域控制器上。也就是AD集成的DNS区域。
可以允许安全的DNS动态更新。
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
使用Server Manager工具,远程管理服务器,在被管理的服务器上,需要配置远程命令执行策略和更改防火墙例外规则。
-
在 Windows PowerShell 会话中,键入以下内容,然后按 Enter。
Set-ExecutionPolicy -ExecutionPolicy ( Restricted | AllSigned | RemoteSigned | Unrestricted )
-
Restricted - No scripts can be run. Windows PowerShell can be used only in interactive mode.
-
AllSigned - Only scripts signed by a trusted publisher can be run.
-
RemoteSigned - Downloaded scripts must be signed by a trusted publisher before they can be run.
-
Unrestricted - No restrictions; all Windows PowerShell scripts can be run.
-
-
键入以下内容,然后按 Enter 启用所有必需的防火墙规则例外。
Configure-SMRemoting.ps1 -force -enable
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Hyper-V 3 Resource Metering(资源计量)
可以记录和收集特定虚拟机所用的实体处理器、内存、磁盘和网络的使用情况。
To enable Hyper-V resource metering on hyper-v host HV01 run the following PowerShell commands:
Get-VM -ComputerName HV01 | Enable-VMResourceMetering
By default the collection interval for Hyper-v metering data is one hour to change this interval the following PowerShell command can be used “value used in the command below is one minute”:
Set-vmhost –computername HV01 –ResourceMeteringSaveInterval 00:01:00
To get all VMs metering data run the following PowerShell command:
Get-VM -ComputerName HV01 | Measure-VM
To get a particular VM “test01” metering data run the following PowerShell command:
Get-VM -ComputerName HV01 -Name “test01” | Measure-VM
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 97
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server
2012. The domain contains a server named Server1.
You install the Windows PowerShell Web Access gateway on Server1.
You need to provide administrators with the ability to manage the servers in the domain by using the
Windows PowerShell Web Access gateway.
Which two cmdlets should you run on Server1? (Each correct answer presents part of the solution. Choose two.)
A. Set-WSManQuickConfig
B. Set-WSManInstance
C. Add-PswaAuthorizationRule
D. Set-BCAuthentication
E. Install-PswaWebApplication
Correct Answer: CE
翻译:要启用PowerShell Web Access,哪两个cmdlet需要被启用。
释疑:Install-PswaWebApplication安装PSWA功能,Add-PswaAuthorizationRule授权可以访问的计算机和用户。
http://support.microsoft.com/kb/2773608/zh-tw
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 16
You have a server named Server 1 that runs Windows Server 2012. Server 1 has the Hyper-V server role installed.You have fixed-size VHD named Files.vhd.You need to make the contents in Files.vhd available to several virtual machines. The solution must meetthe following requirements:
*Ensure that if the contents are changed on any virtual machine, the changes are not reflected
*Minimize the amount of disk space used.
What should you do?
A.Create a fixed-size VHDX. Transfer the information from Files.vhd to the new VHDX file.
B.Convert Files.vhd to a dynamically expanding VHD?C.Create a dynamically expanding VHDX. Transfer the information from Files.vhd to the new VHDX file.
D.Create differencing VHDs that use Files.vhd as the parent disk.
Correct Answer: D
翻译:有一个固定大小的VHD虚拟磁盘文件,现在需要用该虚拟磁盘文件,创建几个虚拟机。需要满足以下条件:任何虚拟机的状态改变,不能改变原来的VHD虚拟磁盘文件,并且最小化服务器磁盘空间的使用量。
释疑:原VHD磁盘文件作为母盘,创建虚拟机差异磁盘
----------------------------------------------------------------------------------------
命令Remove-NetLbfoTeam移除服务器网卡绑定。
----------------------------------------------------------------------------------------
在powershell中查询域中安装xp系统的电脑
get-adcomputer -filter {operatingsystem -like "*xp*"}
----------------------------------------------------------------------------------------
QUESTION 27
Your network contains an Active Directory domain named adatum.com. The computer accounts for all member servers are located in an organizational unit (OU) named Servers. You link a Group Policy object(GPO) to the Servers OU.You need to ensure that the domain's Backup Operators group is a member of the local Backup Operatorsgroup on each member server. The solution must not remove any groups from the local Backup Operatorsgroups.What should you do?
A.Add a restricted group named adatum\Backup Operators. Add Backup Operators to the This group is amember of list
B.Add a restricted group named adatum\Backup Operators. Add Backup Operators to the Members of thisgroup list.
C.Add a restricted group named Backup Operators. Add adatum\Backup Operators to the This group is amember of list.
D.Add a restricted group named Backup Operators. Add adatum\Backup Operators to the Members of thisgroup list.
选择:A
翻译:域中的成员服务器位于Servers OU中,一个GPO链接到该OU。需确保域备份操作组是每一个成员服务器本地备份操作组的成员。
释疑:增加一个受限制组adatum\Backup Operators,并把本地服务器的Backup Operators加入到组隶属于列表。
----------------------------------------------------------------------------------------
QUESTION 42
Your network contains an Active Directory domain named contoso.com. You log on to a domain controller by using an account named Admin1. Admin1 is a member of the Domain Admins group. You view the properties of a group named Group1 as shown in the exhibit. (Click the Exhibit button.) Group1 is located in an organizational unit (OU) named OU1. You need to ensure that you can modify the Security settings of Group1 by using Active Directory Users and Computers.What should you do from Active Directory Users and Computers?
A.From the View menu, select Users, Contacts, Groups, and Computers as containers.
B.Right-click OU1 and select Delegate Control
C.From the View menu, select Advanced Features.
D.Right-click contoso.com and select Delegate Control.
选择:C
翻译:你作为一个域管理员,需要修改域全局组安全设置,该怎么做?
释疑:你需要在Active Directory Users and Computers的菜单栏view中,选中“高级功能”
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 57
Your network contains an Active Directory forest named contoso.com. All domain controllers currently run Windows Server 2008 R2. You plan to install a new domain controller named DC4 that runs Windows Server 2012.
The new domain controller will have the following configurations:
Schema master
Global catalog server
DNS Server server role
Active Directory Certificate Services server role
You need to identify which configurations Administrators by using the Active Directory Installation Wizard. Which two configurations should you identify? (Each correct answer presents part of the solution. Choose
two.)
A. Transfer the schema master.
B. Enable the global catalog server.
C. Install the DNS Server role
D. Install the Active Directory Certificate Services role.
Correct Answer: AD
Explanation/Reference:
http://technet.microsoft.com/en-us/library/hh831457.aspx
AD Installation Wizard will automatically install DNS and allows for the option to set it as a global catalog server. ADCS and schema must be done separately.
翻译:你需要明确哪些配置由AD安装向导完成,哪些配置你自行安装。
释疑:GC角色和DNS角色可以由AD安装向导一起安装。
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 27Your network contains an Active Directory domain named contoso.com. The domain contains a servernamed Server1 that runs Windows Server 2012 and a server named Server2 that runs Windows Server2008 R2 Service Pack 1 (SP1). Both servers are member servers. On Server2, you install all of thesoftware required to ensure that Server2 can be managed remotely from Server Manager.You need to ensure that you can manage Server2 from Server1 by using Server Manager. Which two tasksshould you perform on Server2? (Each correct answer presents part of the solution. Choose two.)
A.Run the systempropertiesremote.execommand
B.Run the Enable-PsRemotingcmdlet.
C.Run the Enable-PsSessionConfigurationcmdlet
D.Run the Confiqure-SMRemoting.ps1script
E.Run the Set-ExecutionPolicycmdlet.
Correct Answer: DE
翻译:有两台服务器server1(windows server 2012)和server2(windows server 2008)。使用server1的服务器管理工具管理server2,此时server2已经安装了所有必要的软件(是指Framework 3.0 and .Net 4),除此之外,我们还去要在server2上做些什么?
释疑:由于PowerShell默认不开启脚本远程执行权限,故需要执行如下命令开启:
Run the Confiqure-SMRemoting.ps1script
Run the Set-ExecutionPolicycmdlet.
本文转自daniel8294 51CTO博客,原文链接:http://blog.51cto.com/acadia627/1323480,如需转载请自行联系原作者
