2017 August Microsoft Official New Released 70-411 Q&As in Lead2pass.com!
100% Free Download! 100% Pass Guaranteed!
70-411 dumps free share: Lead2pass presents the highest quality of 70-411 exam dump which helps candidates to pass the 70-411 exams in the first attempt.
Following questions and answers are all new published by Microsoft Official Exam Center: https://www.lead2pass.com/70-411.html
QUESTION 101
Your network is configured as shown in the exhibit. (Click the Exhibit button.)
Server1 regularly accesses Server2.
You discover that all of the connections from Server1 to Server2 are routed through Router1.
You need to optimize the connection path from Server1 to Server2.
Which route command should you run on Server1?
A. Route add -p 10.10.10.0 MASK 255.255.255.0 10.10.10.1 METRIC 50
B. Route add -p 10.10.10.0 MASK 255.255.255.0 172.23.16.2 METRIC 100
C. Route add -p 10.10.10.12 MASK 255.255.255.0 10.10.10.1 METRIC 100
D. Route add -p 10.10.10.12 MASK 255.255.255.0 10.10.10.0 METRIC 50
Answer: B
Explanation:
destination – specifies either an IP address or host name for the network or host.
subnetmask – specifies a subnet mask to be associated with this route entry. If subnetmask is not specified, 255.255.255.255 is used.
gateway – specifies either an IP address or host name for the gateway or router to use when forwarding.
costmetric – assigns an integer cost metric (ranging from 1 through 9,999) to be used in calculating the fastest, most reliable, and/or least expensive routes.
If costmetric is not specified, 1 is used.
interface – specifies the interface to be used for the route that uses the interface number. If an interface is not specified, the interface to be used for the route is determined from the gateway IP address.
http://support.microsoft.com/kb/299540/en-us
http://technet.microsoft.com/en-us/library/cc757323%28v=ws.10%29.aspx
QUESTION 102
Your network contains an Active Directory domain named adatum.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 is configured as a Network Policy Server (NPS) server and as a DHCP server.
You need to ensure that only computers that send a statement of health are checked for Network Access Protection (NAP) health requirements.
Which two settings should you configure?
(Each correct answer presents part of the solution. Choose two.)
A. The Called Station ID constraints
B. The MS-Service Class conditions
C. The Health Policies conditions
D. The NAS Port Type constraints
E. The NAP-Capable Computers conditions
Answer: CE
Explanation:
A. Used to designate the phone number of the network access server. This attribute is a character string. You can use pattern-matching syntax to specify area codes.
B. Restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method. To use the MS-Service Class attribute, in Specify the profile name that identifies your DHCP scope, type the name of an existing DHCP profile.
C. The Health Policies condition restricts the policy to clients that meet the health criteria in the policy that you specify.
D. Allows you to specify the type of media used by the client computer to connect to the network. E. The NAP-capable Computers condition restricts the policy to either clients that are capable of participating in NAP or clients that are not capable of participating in NAP. This capability is determined by whether the client sends a statement of health (SoH) to NPS. http://technet.microsoft.com/en-us/library/cc753603.aspx
http://technet.microsoft.com/en-us/library/cc731220(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc731560.aspx
QUESTION 103
Your network contains two Active Directory forests named adatum.com and contoso.com. The network contains three servers. The servers are configured as shown in the following table.
You need to ensure that connection requests from adatum.com users are forwarded to Server2 and connection requests from contoso.com users are forwarded to Server3.
Which two should you configure in the connection request policies on Server1?
(Each correct answer presents part of the solution. Choose two.)
A. The Authentication settings
B. The User Name condition
C. The Standard RADIUS Attributes settings
D. The Identity Type condition
E. The Location Groups condition
Answer: AB
Explanation:
A: A connection request policy profile is a set of properties that are applied to an incoming RADIUS message. A connection request policy profile consists of the following groups of properties:
/ Authentication
You can set the following authentication options that are used for RADIUS Access-Request messages:
// Authenticate requests on this server.
// Forward requests to another RADIUS server in a remote RADIUS server group. // Accept the connection attempt without performing authentication or authorization.
/ Accounting
/ Attribute manipulation
/ Advanced
B: * A connection request policy is a named rule that consists of the following elements:
/ Conditions
/ Profile
* The User-Name RADIUS attribute is a character string that typically contains a user account location and a user account name. The user account location is also called the realm or realm name, and is synonymous with the concept of domain, including DNS domains, Active Directory domains, and Windows NT 4.0 domains
Note:
* NPS as a RADIUS proxy
The default connection request policy is deleted, and two new connection request policies are created to forward requests to two different domains. In this example, NPS is configured as a RADIUS proxy. NPS does not process any connection requests on the local server. Instead, it forwards connection requests to NPS or other RADIUS servers that are configured as members of remote RADIUS server groups.
QUESTION 104
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2.
The domain contains a server named Server1 that has the Network Policy Server server role and the Remote Access server role installed. The domain contains a server named Server2 that is configured as a RADIUS server.
Server1 provides VPN access to external users.
You need to ensure that all of the VPN connections to Server1 are logged to the RADIUS server on Server2.
What should you run?
A. Add-RemoteAccessRadius -ServerNameServer1 -AccountingOnOffMsg Enabled – SharedSecret “Secret” -Purpose Accounting
B. Set-RemoteAccessAccounting -AccountingOnOffMsg Enabled -AccountingOnOffMsg Enabled
C. Add-RemoteAccessRadius -ServerName Server2 -AccountingOnOffMsg Enabled – SharedSecret “Secret” -Purpose Accounting
D. Set-RemoteAccessAccounting -EnableAccountingType Inbox -AccountingOnOffMsg Enabled
Answer: C
Explanation:
Add-RemoteAccessRadius
Adds a new external RADIUS server for VPN authentication, accounting for DirectAccess (DA) and VPN, or one-time password (OTP) authentication for DA.
AccountingOnOffMsg<String>
Indicates the enabled state for sending of accounting on or off messages.
The acceptable values for this parameter are:
Enabled.
Disabled. This is the default value.
This parameter is applicable only when the RADIUS server is being added for Remote Access accounting.
QUESTION 105
Hotspot Question
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2. Server1 has the Network Policy Server server role installed. Server2 has the DHCP Server server role installed. Both servers run Windows Server 2012 R2.
You are configuring Network Access Protection (NAP) to use DHCP enforcement.
You configure a DHCP scope as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that non-compliant NAP clients receive different DHCP options than compliant NAP clients.
What should you configure on each server?
To answer, select the appropriate options for each server in the answer area.
Answer:
Explanation:
The MS-Service Class condition restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method.
Server1: MS-Service class
Server options are standard for all scopes. Scope options override server options.
Server2: Scope options
QUESTION 106
Your network contains a Network Policy Server (NPS) server named Server1.
The network contains a server named SQL1 that has Microsoft SQL Server 2008 R2 installed.
All servers run Windows Server 2012 R2.
You configure NPS on Server1 to log c.
You need to ensure that the accounting data is captured if SQL1 fails.
The solution must minimize cost.
What should you do?
A. Implement Failover Clustering.
B. Implement database mirroring.
C. Run the Accounting Configuration Wizard.
D. Modify the SQL Server Logging properties.
Answer: C
Explanation:
In Windows Server 2008 R2, an accounting configuration wizard is added to the
Accounting node in the NPS console. By using the Accounting Configuration wizard, you can configure the following four accounting settings:
SQL logging only. By using this setting, you can configure a data link to a SQL Server that allows NPS to connect to and send accounting data to the SQL server.
In addition, the wizard can configure the database on the SQL Server to ensure that the database is compatible with NPS SQL server logging.
Text logging only. By using this setting, you can configure NPS to log accounting data to a text file.
Parallel logging. By using this setting, you can configure the SQL Server data link and database. You can also configure text file logging so that NPS logs simultaneously to the text file and the SQL Server database.
SQL logging with backup. By using this setting, you can configure the SQL Server data link and database. In addition, you can configure text file logging that NPS uses if SQL Server logging fails.
QUESTION 107
Your network contains an Active Directory domain named contoso.com. All servers run Windows Server 2012 R2. The domain contains two servers.
The servers are configured as shown in the following table.
All client computers run Windows 8 Enterprise.
You plan to deploy Network Access Protection (NAP) by using IPSec enforcement. A Group Policy object (GPO) named GPO1 is configured to deploy a trusted server group to all of the client computers.
You need to ensure that the client computers can discover HRA servers automatically.
Which three actions should you perform?
(Each correct answer presents part of the solution. Choose three.)
A. On DC1, create a service location (SRV) record.
B. On Server2, configure the EnableDiscovery registry key.
C. On all of the client computers, configure the EnableDiscovery registry key.
D. In a GPO, modify the Request Policy setting for the NAP Client Configuration.
E. On DC1, create an alias (CNAME) record.
Answer: ACD
Explanation:
Requirements for HRA automatic discovery
The following requirements must be met in order to configure trusted server groups on NAP client computers using HRA automatic discovery:
Client computers must be running Windows Vista?with Service Pack 1 (SP1) or Windows XP with Service Pack 3 (SP3).
The HRA server must be configured with a Secure Sockets Layer (SSL) certificate. The EnableDiscovery registry key must be configured on NAP client computers.
DNS SRV records must be configured.
The trusted server group configuration in either local policy or Group Policy must be cleared.
http://technet.microsoft.com/en-us/library/dd296901.aspx
QUESTION 108
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Network Policy Server role service installed.
You plan to configure Server1 as a Network Access Protection (NAP) health policy server for VPN enforcement by using the Configure NAP wizard.
You need to ensure that you can configure the VPN enforcement method on Server1 successfully.
What should you install on Server1 before you run the Configure NAP wizard?
A. The Host Credential Authorization Protocol (HCAP)
B. A system health validator (SHV)
C. The Remote Access server role
D. A Computer certificate
Answer: D
Explanation:
A. Host Credential Authorization Protocol (HCAP) allows you to integrate your Microsoft Network Access Protection (NAP) solution with Microsoft Network Admission Control
B. System health validators (SHVs) define configuration requirements for NAP client computers.
C.
D. The NAP health policy server requires a computer certificate to perform PEAP-based user or computer authentication. After this certificate is acquired, a connection to AD CS is not required for as long as the certificate is valid.
http://technet.microsoft.com/en-us/library/cc732681.aspx
http://technet.microsoft.com/en-us/library/dd125396(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/hh831416.aspx
http://technet.microsoft.com/en-us/library/dd125301(v=ws.10).aspx
QUESTION 109
You deploy two servers named Server1 and Server2.
You install Network Policy Server (NPS) on both servers. On Server1, you configure the following NPS settings:
– RADIUS Clients
– Network Policies
– Connection Request Policies
– SQL Server Logging Properties
You export the NPS configurations to a file and import the file to Server2.
You need to ensure that the NPS configurations on Server2 are the same as the NPS configurations on Server1.
Which settings should you manually configure on Server2?
A. SQL Server Logging Properties
B. Connection Request Policies
C. RADIUS Clients
D. Network Policies
Answer: A
Explanation:
A. If SQL Server logging is configured on the source NPS server, SQL Server logging settings are not exported to the XML file. After you import the file on another NPS server, you must manually configure SQL Server logging.
B. Connection request policies are sets of conditions and settings that allow network administrators to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting.
C. A network access server (NAS) is a device that provides some level of access to a larger network. A NAS using a RADIUS infrastructure is also a RADIUS client, sending connection requests and accounting messages to a RADIUS server for authentication, authorization, and accounting.
D. Network policies are sets of conditions, constraints, and settings that allow you to designate who is authorized to connect to the network and the circumstances under which they can or cannot connect.
http://technet.microsoft.com/en-us/library/cc732059(v=ws.10).aspx http://technet.microsoft.com/en-us/library/cc753603.aspx
http://technet.microsoft.com/en-us/library/cc754033.aspx
http://technet.microsoft.com/en-us/library/cc754107(v=ws.10).aspx http://technet.microsoft.com/en-us/library/cc754123.aspx
QUESTION 110
You have a server named Server1 that has the Network Policy and Access Services server role installed.
You plan to configure Network Policy Server (NPS) on Server1 to use certificate-based authentication for VPN connections.
You obtain a certificate for NPS.
You need to ensure that NPS can perform certificate-based authentication.
To which store should you import the certificate? To answer, select the appropriate store in the answer area.
Answer:
Explanation:
http://technet.microsoft.com/en-us/library/dd314152(v=ws.10).aspx http://blog.instruosolutions.com/2012/10/10/configuring-microsoft-nps-server-2008-for-wireless- clientauthentication-ms-peap/
QUESTION 111
Your network contains a RADIUS server named Server1.
You install a new server named Server2 that runs Windows Server 2012 R2 and has Network Policy Server (NPS) installed.
You need to ensure that all accounting requests for Server2 are forwarded to Server1.
On Server2, you create a new remote RADIUS server group named Group1 that contains Server1.
What should you configure next on Server2?
To answer, select the appropriate node in the answer area.
Answer:
Explanation:
Connection request policies are sets of conditions and settings that allow network administrators to designate which Remote Authentication Dial-In User Service (RADIUS) servers perform the authentication and authorization of connection requests that the server running Network Policy Server (NPS) receives from RADIUS clients. Connection request policies can be configured to designate which RADIUS servers are used for RADIUS accounting. http://technet.microsoft.com/en-us/library/cc753603.aspx
QUESTION 112
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 has the DHCP Server server role and the Network Policy Server role service installed. Server1 contains three non-overlapping scopes named Scope1, Scope2, and Scope3. Server1 currently provides the same Network Access Protection (NAP) settings to the three scopes.
You modify the settings of Scope1 as shown in the exhibit. (Click the Exhibit button.)
You need to configure Server1 to provide unique NAP enforcement settings to the NAP non- compliant DHCP clients from Scope1.
What should you create?
A. A network policy that has the MS-Service Class condition
B. A network policy that has the Identity Type condition
C. A connection request policy that has the Identity Type condition
D. A connection request policy that has the Service Type condition
Answer: A
Explanation:
Restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method. To use the MS-Service Class attribute, in Specify the profile name that identifies your DHCP scope, type the name of an existing DHCP profile. http://technet.microsoft.com/en-us/library/cc731220(v=ws.10).aspx
QUESTION 113
You have a server named Server1 that runs Windows Server 2012 R2. Server1 has the Remote Access server role installed.
You have a client named Client1 that is configured as an 802.1X supplicant.
You need to configure Server1 to handle authentication requests from Client1. The solution must minimize the number of authentication methods enabled on Server1.
Which authentication method should you enable?
To answer, select the appropriate authentication method in the answer area.
Answer:
Explanation:
Microsoft Windows uses EAP to authenticate network access for Point-to-Point Protocol (PPP) connections (dial-up and virtual private network) and for IEEE 802.1X-based network access to authenticating Ethernet switches and wireless access points (APs). http://technet.microsoft.com/en-us/library/bb457039.aspx
QUESTION 114
Your network contains an Active Directory domain named contoso.com. The domain contains a RADIUS server named Server1 that runs Windows Server 2012 R2.
You add a VPN server named Server2 to the network. On Server1, you create several network policies.
You need to configure Server1 to accept authentication requests from Server2.
Which tool should you use on Server1?
A. Connection Manager Administration Kit (CMAK).
B. Routing and Remote Access
C. Network Policy Server (NPS)
D. Set-RemoteAccessRadius
Answer: C
Explanation:
Forward requests to the following remote RADIUS server group . By using this setting, NPS forwards connection requests to the remote RADIUS server group that you specify. If the NPS server receives a valid Access-Accept message that corresponds to the Access-Request message, the connection attempt is considered authenticated and authorized. In this case, the NPS server acts as a RADIUS proxy.
http://technet.microsoft.com/en-us/library/cc753603.aspx http://www.youtube.com/watch?v=0_1GOBTL4FE
QUESTION 115
Hotspot Question
Your network contains an Active Directory domain named contoso.com.
The domain contains the users shown in the following table.
You have a Network Policy Server (NPS) server that has the network policies shown in the following table.
User1, User2, and User3 plan to connect to the network by using a VPN.
You need to identify which network policy will apply to each user.
What should you identify?
To answer, select the appropriate policy for each user in the answer area.
Answer:
Explanation:
When you configure multiple network policies in NPS, the policies are an ordered list of rules. NPS evaluates the policies in listed order from first to last. If there is a network policy that matches the connection request, NPS uses the policy to determine whether to grant or deny access to the user or computer connection.
Network policies are evaulated according to the processing order. Once a match is found, no further network policy is processed.
Policies are processed in this order:
– Policy2 (applies only to members of Group1)
– Policy1 (applies to all users during specified time slot)
– Policy3 (applies only to members of Group2)
Since policy1 will always apply (sunday 0:00 to saturday 24:00 = always), policy3 will never be evaluated.
Correct answer is :
User1: Policy2
User2: Policy1
User3: Policy1
https://technet.microsoft.com/en-us/library/cc732724(v=ws.10).aspx
QUESTION 116
Drag and Drop Question
Your network contains an Active Directory forest named contoso.com. The forest contains a Network Policy Server (NPS) server named NPS1 and a VPN server named VPN1.
VPN1 forwards all authentication requests to NPS1.
A partner company has an Active Directory forest named adatum.com.
The adatum.com forest contains an NPS server named NPS2.
You plan to grant users from adatum.com VPN access to your network.
You need to authenticate the users from adatum.com on VPN1.
What should you create on each NPS server?
To answer, drag the appropriate objects to the correct NPS servers. Each object may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Answer:
QUESTION 117
Hotspot Question
You have a server named LON-SVR1 that runs Windows Server 2012 R2. LON-SVR1 has the Remote Access server role installed. LON-SVRl is located in the perimeter network.
The IPv4 routing table on LON-SVR1 is configured as shown in the following exhibit. (Click the Exhibit button.)
Your company purchases an additional router named Router1. Router1 has an interface that connects to the perimeter network and an interface that connects to the Internet. The IP address of the interface that connects to the perimeter network is 172.16.0.2.
You need to ensure that LON-SVR1 will route traffic to the Internet by using Router1 if the current default gateway is unavailable.
How should you configure the static route on LON-SVR1?
To answer, select the appropriate static route in the answer area.
Answer:
Explanation:
There is an additional default route needs to be used if the current default route is not available. If there are multiple routes to a destination, you can with the metric to prioritize the routes to be made. The metric defines a numerical measure of the quality of a connection when using a particular route. The lower the value of the metric, the higher the priority of the route. By metric example, higher bandwidth connections or lower cost compared to slower routes or expensive compounds may be preferred.
QUESTION 118
Your network contains an Active Directory domain named contoso.com. The domain contains client computers that run either Windows XP, Windows 7, or Windows 8. Network Policy Server (NPS) is deployed to the domain.
You plan to create a system health validator (SHV).
You need to identify which policy settings can be Applied to all of the Windows XP computers.
Which three policy settings should you identify?
(Each correct answer presents part of the solution. Choose three.)
A. A firewall is enabled for all network connections.
B. An antispyware application is on.
C. Automatic updating is enabled.
D. Antivirus is up to date.
E. Antispyware is up to date.
Answer: ACD
Explanation:
* System health agent (SHA) is a NAP component.
* System health agent (SHA)
A component that checks the state of the client computer to determine whether the settings monitored by the SHA are up-to-date and configured correctly. For example, the Windows Security Health Agent (WSHA) can monitor Windows Firewall, whether antivirus software is installed, enabled, and updated, whether antispyware software is installed, enabled, and updated, and whether Microsoft Update Services is enabled and the computer has the most recent security updates from Microsoft Update Services. There might also be SHAs (and corresponding system health validators) available from other companies that provide different functionality.
QUESTION 119
Your network contains an Active Directory domain named adatum.com.
You have a Group Policy object (GPO) that configures the Windows Update settings.
Currently, client computers are configured to download updates from Microsoft Update servers. Users choose when the updates are installed.
You need to configure all client computers to install Windows updates automatically.
Which setting should you configure in the GPO?
To answer, select the appropriate setting in the answer area.
Answer:
Explanation:
http://support.microsoft.com/kb/328010#method1
QUESTION 120
Your network contains an Active Directory domain named contoso.com. Network Access Protection (NAP) is deployed to the domain.
You need to create NAP event trace log files on a client computer.
What should you run?
A. Logman
B. Tracert
C. Register-EngineEvent
D. Register-ObjectEvent
Answer: A
Explanation:
You can enable NAP client tracing by using the command line. On computers running Windows Vista®, you can enable tracing by using the NAP Client Configuration console.
NAP client tracing files are written in Event Trace Log (ETL) format. These are binary files representing trace data that must be decoded by Microsoft support personnel. Use the –o option to specify the directory to which they are written. In the following example, files are written to %systemroot%\tracing\nap.
For more information, see Logman (http: //go.microsoft. com/fwlink/?LinkId=143549).
To create NAP event trace log files on a client computer
– Open a command line as an administrator.
– Type
logman start QAgentRt -p {b0278a28-76f1-4e15-b1df-14b209a12613} 0xFFFFFFFF 9 -o
%systemroot%\tracing\nap\QAgentRt. etl – ets.
Note: To troubleshoot problems with WSHA, use the following GUID: 789e8f15-0cbf-4402-
b0ed-0e22f90fdc8d.
– Reproduce the scenario that you are troubleshooting.
– Type logman stop QAgentRt -ets.
– Close the command prompt window.
http://technet. microsoft. com/en-us/library/dd348461%28v=ws.10%29. Aspx
Lead2pass is now offering Lead2pass 70-411 PDF dumps with 100% passing guarantee. Use Lead2pass 70-411 PDF and pass your exam easily. Download Microsoft 70-411 exam dumps and prepare for exam.
70-411 new questions on Google Drive: https://drive.google.com/open?id=0B3Syig5i8gpDa3U4ZC13WFVpS3M
2017 Microsoft 70-411 exam dumps (All 449 Q&As) from Lead2pass:
https://www.lead2pass.com/70-411.html [100% Exam Pass Guaranteed]