Certification Provider: Microsoft
Exam Name: Upgrading Your Skills to MCSA Windows Server 2012
Exam Code: 70-417
Official Exam Time: 120 mins
Number of questions in the Official Exam: 40-60 Q&As
Latest update time in our database: September 27, 2023
70-417 Official Exam Topics:
  • Topic1: Plan for a server installation, plan for server roles, plan for a server upgrade, install Server Core, optimize resource utilization by using Features on Demand, migrate roles from previous versions of Windows Server
  • Topic2: Configure servers / Configure Server Core, delegate administration, add and remove features in offline images, deploy roles on remote servers, convert Server Core to/from full GUI, configure services, configure NIC teaming, install and configure Windows PowerShell Desired State Configuration (DSC)
  • Topic3: Configure Hyper-V / Create and configure virtual machine (VM) settings
  • Topic4: Configure dynamic memory, configure smart paging, configure Resource Metering, configure guest integration services, create and configure Generation 1 and 2 VMs, configure and use enhanced session mode, configure RemoteFX / Create VHDs and VHDX, configure differencing drives, modify VHDs, configure pass-through disks, manage checkpoints, implement a virtual Fibre Channel adapter, configure storage Quality of Service
  • Topic5: Create and configure virtual networks / Configure Hyper-V virtual switches, optimize network performance, configure MAC addresses, configure network isolation, configure synthetic and legacy virtual network adapters, configure NIC teaming in VMs
  • Topic6: Configure Data Collector Sets (DCS), configure alerts, monitor real-time performance, monitor VMs, monitor events, configure event subscriptions, configure network monitoring, schedule performance monitoring / Configure network services and access
  • Topic7: Configure DirectAccess / Configure a network policy server infrastructure
  • Topic8: Configure Network Access Protection (NAP) / Configure and manage Active Directory
  • Topic9: Transfer and seize operations master roles, install and configure a read-only domain controller (RODC), configure domain controller cloning / Maintain Active Directory
  • Topic10: Configure file and storage solutions / Implement Dynamic Access Control (DAC)
  • Topic11: Configure user and device claim types, implement policy changes and staging, perform access-denied remediation, configure file classification, create and configure Central Access rules and policies, create and configure resource properties and lists / Implement business continuity and disaster recovery
  • Topic12: Configure Hyper-V Replica, including Hyper-V Replica Broker and VMs; configure multi-site clustering, including network settings, quorum, and failover settings; configure Hyper-V Replica extended replication; configure Global Update Manager; recover a multi-site failover cluster / Deploy and manage IP address management (IPAM)
  • Topic13: Install AD FS; implement claims-based authentication, including Relying Party Trusts; configure authentication policies; configure Workplace Join; configure multi-factor authentication /

Which two actions should you perform on Server1?

Your network contains an Active Directory domain named contoso.com. The domain contains a member server named Server1 that has the Active Directory Federation Services server role installed. All servers run Windows Server 2012.

You complete the Active Directory Federation Services Configuration Wizard on Server1.

You need to ensure that client devices on the internal network can use Workplace Join.

Which two actions should you perform on Server1? (Each correct answer presents part of the solution. Choose two.)
A . Run Enable-AdfsDeviceRegistration -PrepareActiveDirectory.
B . Edit the multi-factor authentication global authentication policy settings.
C . Edit the primary authentication global authentication policy settings.
D . Run Set-AdfsProxyProperties HttpPort 80.
E . Run Enable-AdfsDeviceRegistration.

Answer: C, E

Explanation:

* To enable Device Registration Service

On your federation server, open a Windows PowerShell command window and type:

Enable-AdfsDeviceRegistration

Repeat this step on each federation farm node in your AD FS farm.

Enable seamless second factor authentication

Seamless second factor authentication is an enhancement in AD FS that provides an added level of access protection to corporate resources and applications from external devices that are trying to access them. When a personal device is Workplace Joined, it becomes a ‘known’ device and administrators can use this information to drive conditional access and gate access to resources.

To enable seamless second factor authentication, persistent single sign-on (SSO) and conditional access for Workplace Joined devices

In the AD FS Management console, navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the check box next to Enable Device Authentication, and then click OK.

Which settings should you configure?

HOTSPOT

Your network contains an Active Directory domain named contoso.com. Technicians use Windows Deployment Services (WDS) to deploy Windows Server 2012 R2. The network contains a server named Server1 that runs Windows Server 2012 R2. Server1 has the Hyper-V server role installed. You need to ensure that you can use WDS to deploy Windows Server 2012 R2 to a virtual machine named VM1.

Which settings should you configure? To answer, select the appropriate settings in the answer area.

Answer:

Explanation:

WDS allows network-based installation of Windows operating systems, which reduces the complexity and cost when compared to manual installations. Thus you should configure the appropriate network settings.

References:

http://technet.microsoft.com/en-us/library/hh831764.aspx

What should you do first?

Your network contains two servers named Server1 and Server2. Both servers run Windows Server 2012 R2. On Server1, you create a Data Collector Set (DCS) named Data1.

You need to export Data1 to Server2.

What should you do first?
A . Right-click Data1 and click Save template…
B . Right-click Data1 and click Export list…
C . Right-click Data1 and click Data Manager…
D . Right-click Data1 and click Properties.

Answer: A

Explanation:

Exporting Templates

To export a Data Collector Set you create as a template for use on other computers, open Windows Performance Monitor, expand Data Collector Sets, right-click the Data Collector Set you want to export, and click Save Template. Select a directory in which to store the XML file and click Save.

Reference: Create a Data Collector Set from a Template

What should you do?

DRAG DROP

Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server3. The network contains a standalone server named Server2. All servers run Windows Server 2012 R2.

The servers are configured as shown in the following table.

Server3 hosts an application named App1. App1 is accessible internally by using the URL https://app1.contoso.com. App1 only supports Integrated Windows authentication. You need to ensure that all users from the Internet are pre-authenticated before they can access App1.

What should you do? To answer, drag the appropriate servers to the correct actions. Each server may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

Answer:

Explanation:

Web application proxy Active Directory Federation Services relying party trust

Note:

Box 1: add a new relying party trust by using the AD FS Management snap-in and manually configure the settings on a federation server.

Box 2: When publishing applications that use Integrated Windows authentication, the Web Application Proxy server uses Kerberos constrained delegation to authenticate users to the published application.

Box 3-4: To publish a claims-based application

Which three actions should you perform in sequence?

DRAG DROP

Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1. All servers run Windows Server 2012 R2.

All domain user accounts have the Division attribute automatically populated as part of the user provisioning process. The Support for Dynamic Access Control and Kerberos armoring policy is enabled for the domain.

You need to control access to the file shares on Server1 based on the values in the Division attribute and the Division resource property.

Which three actions should you perform in sequence?

Answer:

Explanation:

* First create a claim type for the property, then create a reference resource property that points back to the claim. Finally set the classification value on the folder.

* Configure the components and policy

Which condition should you use?

Your network contains an Active Directory domain named contoso.com. The network contains a file server named Server1 that runs Windows Server 2012 R2.

You are configuring a central access policy for temporary employees.

You enable the Department resource property and assign the property a suggested value of Temp.

You need to configure a target resource condition for the central access rule that is scoped to resources assigned to Temp only.

Which condition should you use?
A . (Department.Value Equals "Temp")
B . (Resource.Department Equals "Temp")
C . (Temp.Resource Equals "Department")
D . (Resource.Temp Equals "Department")

Answer: B

Explanation:

http://technet.microsoft.com/fr-fr/library/hh846167.aspx

What should you create?

Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1. Server1 has the DHCP Server server role and the Network Policy Server role service installed.

Server1 contains three non-overlapping scopes named Scope1, Scope2, and Scope3. Server1 currently provides the same Network Access Protection (NAP) settings to the three scopes.

You modify the settings of Scope1 as shown in the exhibit. (Click the Exhibit button.)

You need to configure Server1 to provide unique NAP enforcement settings to the NAP non-compliant DHCP clients from Scope1.

What should you create?

A. A network policy that has the MS-Service Class condition

B. A connection request policy that has the Service Type condition

C. A network policy that has the Identity Type condition

D. A connection request policy that has the Identity Type condition

Answer: A

Explanation:

A. Restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method. To use the MS-Service Class attribute, in Specify the profile name that identifies your DHCP scope, type the name of an existing DHCP profile.

http://technet.microsoft.com/en-us/library/cc731220(v=ws.10).aspx

Which three actions should you perform on DC10?

DRAG DROP

Your network contains an Active Directory forest named contoso.com.

Recently, all of the domain controllers that ran Windows Server 2003 were replaced by domain controllers that run Windows Server 2012 R2.

From Event Viewer, you discover SYSVOL journal wrap errors on a domain controller named dc10.contoso.com.

You need to perform a non-authoritative synchronization of SYSVOL on DC10.

Which three actions should you perform on DC10?

To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

Note:

What should you do?

Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2.

In a remote site, a support technician installs a server named DC10 that runs Windows Server 2012 R2. DC10 is currently a member of a workgroup.

You plan to promote DC10 to a read-only domain controller (RODC).

You need to ensure that a user named Contoso\User1 can promote DC10 to a RODC in the contoso.com domain.

The solution must minimize the number of permissions assigned to User1.

What should you do?
A . From Active Directory Administrative Center, pre-create an RODC computer account.
B . From Dsmgmt, run the local roles command.
C . Join DC10 to the domain. Modify the properties of the DC10 computer account.
D . Join DC10 to the domain. Run dsmod and specify the /server switch.

Answer: A

Explanation:

A staged read only domain controller (RODC) installation works in two discrete phases: