Microsoft exam question bank analysis site:
http://www.latesttest.com/2013-latest-mcsa-70-410-exam-questions-176-180-2.html
QUESTION 39
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 runs Windows Server 2012 and has the Hyper-V server role installed. On Server1, you create a virtual machine named VM1. When you try to add a RemoteFX 3D Video Adapter to VM1, you discover that the option is unavailable as shown in the following exhibit.

You need to add the RemoteFX 3D Video Adapter to VM1. What should you do first?
A.On Server1, run the Enable-VMRemoteFxPhysicalVideoAdapter cmdlet.
B.On Server1, install the Media Foundation feature.
C.On Server1, run the Add-VMRemoteFx3dVideoAdapter cmdlet.
D.On Server1, install the Remote Desktop Virtualization Host (RD Virtualization Host) role service.
Correct Answer: D
Explanation: http://technet.microsoft.com/zh-CN/library/ff817604(v=ws.10).aspx
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 9
Your company has an Active Directory forest. Not all domain controllers in the forest are configured as Global Catalog Servers. Your domain structure contains one root domain and one child domain. You modify the folder permissions on a file server that is in the child domain. You discover that some Access Control entries start with S-1-5-21... and that no account name is listed. You need to list the account names. What should you do?
A.Move the RID master role in the child domain to a domain controller that holds the Global Catalog.
B.Modify the schema to enable replication of the friendlynames attribute to the Global Catalog.
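C.Move the RID master role in the child domain to a domain controller that does not hold the Global Catalog.
D.Move the infrastructure master role in the child domain to a domain controller that does not hold the Global Catalog
Translation: The company has an AD forest in which not all DCs are GCs. The domain environment consists of one root domain and one child domain. On a file server in the child domain, you changed the permissions of a folder. You find that the folder's access control list contains entries starting with S-1-5-21 (no user account name is shown). You need to restore the display of the user account names. What should you do?
Explanation: Each domain should contain exactly one
The infrastructure master should not be placed together with the GC, unless the domain has only one DC or all of the DCs are GCs. When the infrastructure master and the GC are on the same host, the infrastructure master no longer replicates changes to information such as accounts and group permissions from other domains.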
http://technet.microsoft.com/en-us/library/cc773108(v=WS.10).aspx
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 47
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Server1 runs Windows Server 2012. Server2 runs Windows Server 2008 R2 Service Pack 1 (SP1) and has the DHCP Server server role installed. You need to manage DHCP on Server2 by using the DHCP console on Server1. What should you do first?
A.From Server Manager on Server2, enable Windows Remote Management.
B.From a command prompt on Server2, run winrm.exe.
C.From Server Manager on Server1, install a feature.
D.From the Microsoft Management Console on Server1, add a snap-in.
Correct Answer: A
Explanation: winrm.exe is short for Windows Remote Management. For option B to apply, it would have to be changed to winrm.exe with the quickconfig parameter.
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 18
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 and has the Remote Access server role installed. A user named User1 must connect to the network remotely. The client computer of User1 requires Challenge Handshake Authentication Protocol (CHAP) for remote connections. CHAP is enabled on Server1. You need to ensure that User1 can connect to Server1 and authenticate to the domain. What should you do from Active Directory Users and Computers?
A.From the properties of Server1, select Trust this computer for delegation to any service (Kerberos only).
B.From the properties of Server1, assign the Allowed to Authenticate permission to User1.
C.From the properties of User1, select Use Kerberos DES encryption types for this account.
D.From the properties of User1, select Store password using reversible encryption.
Correct Answer: D
Explanation:
Set the value for Store password using reversible encryption to Disabled. If you use CHAP through remote access or IAS, or Digest Authentication in IIS, you must set this value to Enabled. This presents a security risk when you apply the setting by using Group Policy on a user-by-user basis because it requires opening the appropriate user account object in Active Directory Users and Computers.
http://technet.microsoft.com/en-us/library/hh994559.aspx
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 9
Your network contains multiple subnets. On one of the subnets, you deploy a server named Server1 that runs Windows Server 2012. You install the DNS Server server role on Server1, and then you create a standard primary zone named contoso.com. You need to ensure that client computers can resolve single-label names to IP addresses. What should you do first?
A.Create a reverse lookup zone.
B.Convert the contoso.com zone to an Active Directory-integrated zone.
C.Configure dynamic updates for contoso.com.
D.Create a GlobalNames zone.
Correct Answer: D
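Explanation: The purpose of the GlobalNames zone is to resolve single-label names. Because WINS servers are no longer supported in an IPv6 environment, some applications that must use single-label names cannot be used.
http://technet.microsoft.com/en-us/library/cc731744.aspx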
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 20
Your network contains a server named Server1 that runs Windows Server 2012. Server1 is a member of a workgroup. You need to configure a local Group Policy on Server1 that will apply only to non-administrators.
Which tool should you use?
A.Server Manager
B.Group Policy Management Editor
C.Group Policy Management
D.Group Policy Object Editor
Correct Answer: D
Explanation: http://www.sevenforums.com/tutorials/151415-group-policy-apply-specific-user-group.html
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DHCP Guard
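A virtual machine with DHCP Guard enabled queries the domain controller for the list of authorized DHCP servers, and from that decides on which switch ports it should listen for DHCP messages.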
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 17
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012. Client computers run either Windows 7 or Windows 8. All of the computer accounts of the client computers reside in an organizational unit (OU) named Clients. A Group Policy object (GPO) named GP01 is linked to the Clients OU. All of the client computers use a DNS server named Server1. You configure a server named Server2 as an ISATAP router. You add a host (A) record for ISATAP to the contoso.com DNS zone. You need to ensure that the client computers locate the ISATAP router. What should you do?
A.Run the Add-DnsServerResourceRecord cmdlet on Server1.
B.Configure the DNS Client Group Policy setting of GPO1.
C.Configure the Network Options Group Policy preference of GPO1.
D.Run the Set-DnsServerGlobalQueryBlockList cmdlet on Server1.
Correct Answer: D
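Translation: A host (A) record for ISATAP has been added on the DNS server. How can you ensure that the clients can locate the ISATAP router?
Explanation: By default, DNS does not resolve names that appear in the list managed by Set-DnsServerGlobalQueryBlockList, and by default name resolution for ISATAP and WPAD is excluded by the global query block list. (By default, the global query block list contains the following items: ISATAP and WPAD.)
Reference link: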
http://technet.microsoft.com/en-us/library/jj649857.aspx
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 41
Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012. You create and enforce the default AppLocker executable rules. Users report that they can no longer execute a legacy application installed in the root of drive C. You need to ensure that the users can execute the legacy application. What should you do?
A.Modify the action of the existing rules.
B.Create a new rule.
C.Add an exception to the existing rules.
D.Delete an existing rule.
Correct Answer: B
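Translation: After you create and enforce the default AppLocker executable rules, users report that they cannot run a legacy program in the root of drive C. To ensure that the users can run the program, what should you do?
Explanation:

The three rules in the red box on the right are the default executable rules, so only programs that are under those three paths, and for which the user has permission, can run.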

http://www.sevenforums.com/tutorials/7844-applocker-create-new-rules.html
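The "create a new rule" answer can be checked and applied from PowerShell with the AppLocker module. This is an added example, not part of the original page; the file path C:\LegacyApp.exe and the rule name prefix are placeholders.

```powershell
# Added example. C:\LegacyApp.exe and 'Legacy app' are placeholder names.
Import-Module AppLocker

$legacyApp = 'C:\LegacyApp.exe'

# 1. Confirm the diagnosis: evaluate the file against the effective policy.
#    With only the default executable rules in force, a file in the root of
#    drive C matches no allow rule for Everyone and is denied by default.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $legacyApp -User Everyone

# 2. Build a new allow rule for this one binary. Publisher is tried first and
#    Hash is the fallback for unsigned files. Either one ties the allowance to
#    the binary itself, whereas a path rule such as C:\* would allow anything
#    that is later placed in the root of the drive.
$newRule = Get-AppLockerFileInformation -Path $legacyApp |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix 'Legacy app'

# 3. Check that the new rule on its own allows the file before deploying it.
Test-AppLockerPolicy -PolicyObject $newRule -Path $legacyApp -User Everyone

# 4. Merge the rule into the existing policy so the default rules stay in place.
#    Without -Merge the existing rules would be replaced. This writes to the
#    local policy; for a domain GPO, add -Ldap with that GPO's LDAP path.
Set-AppLockerPolicy -PolicyObject $newRule -Merge
```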
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 45
Your network contains two subnets. The subnets are configured as shown in the following table.

You have a server named Server2 that runs Windows Server 2012. Server2 is connected to LAN1. You run the route print command as shown in the exhibit. (Click the Exhibit button.)

You need to ensure that Server2 can communicate with the client computers on LAN2. What should you do?
A.Change the metric of the 10.10.1.0 route.
B.Set the state of the Teredo interface to disable.
C.Set the state of the Microsoft ISATAP Adapter #2 interface to disable.
D.Run route delete 172.23.2.0.
Correct Answer: D
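Translation: What configuration is needed so that Server2 can access LAN2?
Explanation: For the destination network 172.23.2.0, the default gateway cannot be set to 172.23.1.0; it should be 172.23.1.1.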
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 24
Your network contains an Active Directory domain named contoso.com. The domain contains 500 servers that run Windows Server 2012. You have a written security policy that states the following:
Only required ports must be open on the servers.
All of the servers must have Windows Firewall enabled.
Client computers used by Administrators must be allowed to access all of the ports on all of the servers.
Client computers used by the Administrators must be authenticated before the client computers can access the servers.
You have a client computer named Computer1 that runs Windows 8. You need to ensure that you can use Computer1 to access all of the ports on all of the servers successfully. The solution must adhere to the security policy. Which three actions should you perform? (Each correct answer presents part of the solution. Choose three.)
A.On Computer1, create a connection security rule
B.On all of the servers, create an outbound rule and select the Allow the connection if it is secure option.
C.On all of the servers, create an inbound rule and select the Allow the connection if it is secure option.
D.On Computer1, create an inbound rule and select the Allow the connection if it is secure option.
E.On Computer1, create an outbound rule and select the Allow the connection if it is secure option
F.On all of the servers, create a connection security rule
Correct Answer: ACF
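Translation: The network security policy requires the following:
Close all ports on the servers that are not needed.
All of the servers must have the firewall enabled.
The administrators' client computers are allowed to access all of the server ports.
Before an administrator's client computer accesses a server, the client must be authenticated.
Explanation: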
Connection security involves the authentication of two computers before they begin communications and the securing of information sent between two computers. Windows Firewall with Advanced Security uses Internet Protocol security (IPsec) to achieve connection security by using key exchange, authentication, data integrity, and, optionally, data encryption.
Note: Unlike firewall rules, which operate unilaterally, connection security rules require that both communicating computers have a policy with connection security rules or another compatible IPsec policy.
Connection security rules use IPsec to secure traffic while it crosses the network. You use connection security rules to specify that connections between two computers must be authenticated or encrypted. You might still have to create a firewall rule to allow network traffic protected by a connection security rule.
http://technet.microsoft.com/en-us/library/cc772017.aspx
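The three actions in answer ACF map to the NetSecurity cmdlets as follows. This is an added example, not part of the original page; the rule names and the group CONTOSO\AdminWorkstations are placeholders, and it assumes the default IPsec authentication settings (computer Kerberos) are usable on both sides.

```powershell
# Added example. Rule names and CONTOSO\AdminWorkstations are placeholders.

# --- On Computer1 (answer A): connection security rule ---
# Request mode negotiates IPsec authentication with peers that support it
# and falls back to plain traffic with peers that do not.
New-NetIPsecRule -DisplayName 'Request auth (example)' `
    -InboundSecurity Request -OutboundSecurity Request

# --- On all of the servers (answer F): matching connection security rule ---
# Both computers need a compatible rule, otherwise no authenticated
# connection is negotiated and the firewall rule below never matches.
New-NetIPsecRule -DisplayName 'Request auth (example)' `
    -InboundSecurity Request -OutboundSecurity Request

# --- On all of the servers (answer C): inbound firewall rule ---
# Resolve the computer group that holds the administrators' workstations
# to a SID and wrap it in the SDDL string that -RemoteMachine expects.
$group = New-Object System.Security.Principal.NTAccount('CONTOSO\AdminWorkstations')
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value

# "Allow the connection if it is secure": no -Protocol or -LocalPort, so the
# rule covers all ports, but only for IPsec-authenticated connections from
# computers in the group. All other ports stay closed to everyone else.
New-NetFirewallRule -DisplayName 'Allow authenticated admin PCs (example)' `
    -Direction Inbound -Action Allow `
    -Authentication Required `
    -RemoteMachine "D:(A;;CC;;;$sid)"

# --- Verification on either side after Computer1 connects to a server ---
# An authenticated connection shows up as main mode and quick mode
# security associations; an empty result means the traffic is not
# protected by IPsec.
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

With 500 servers, the two server-side rules would normally be delivered through a GPO rather than run per host.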
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
QUESTION 49
Your network contains an Active Directory domain named contoso.com. The network contains a member server named Server1 that runs Windows Server 2012. Server1 has the DNS Server server role installed and has a primary zone for contoso.com. The Active Directory domain contains 500 client computers. There are an additional 20 computers in a workgroup. You discover that every client computer on the network can add its record to the contoso.com zone. You need to ensure that only the client computers in the Active Directory domain can register records in the contoso.com zone. What should you do first?
A.Move the contoso.com zone to a domain controller that is configured as a DNS server
B.Configure the Dynamic updates settings of the contoso.com zone
C.Sign the contoso.com zone by using DNSSEC
D.Configure the Security settings of the contoso.com zone.
Correct Answer: A
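Translation: The contoso.com domain has a member server, Server1. Server1 has the DNS role installed, and a primary DNS zone named contoso.com has been created on it. The domain contains 500 clients, and a further 20 clients are in a workgroup. You find that every client on the network can add its own record to the contoso.com DNS zone. You need to ensure that only the clients in the domain can register their records in contoso.com. What should you do first?
Explanation: Move the contoso.com DNS zone on Server1 to a domain controller, that is, make it an AD-integrated DNS zone.
This makes it possible to allow secure DNS dynamic updates.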
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
To manage a server remotely with the Server Manager tool, you need to configure the remote command execution policy and change the firewall exception rules on the managed server.
- In a Windows PowerShell session, type the following, and then press Enter.
Set-ExecutionPolicy -ExecutionPolicy ( Restricted | AllSigned | RemoteSigned | Unrestricted )
- Restricted - No scripts can be run. Windows PowerShell can be used only in interactive mode.
- AllSigned - Only scripts signed by a trusted publisher can be run.
- RemoteSigned - Downloaded scripts must be signed by a trusted publisher before they can be run.
- Unrestricted - No restrictions; all Windows PowerShell scripts can be run.
- Type the following, and then press Enter to enable all required firewall rule exceptions.
Configure-SMRemoting.ps1 -force -enable
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Hyper-V 3 Resource Metering