[2017 New] Lead2pass 2017 New 70-414 Exam PDF Ensure 70-414 Certification Exam Pass Successfully (201-220)
Lead2pass 2017 September New Microsoft 70-414 Exam Dumps
The following questions and answers are all newly published by Microsoft Official Exam Center: https://www.lead2pass.com/70-414.html
QUESTION 201
An organization uses an Active Directory Rights Management Services (AD RMS) cluster named RMS1 to protect content for a project.
You uninstall AD RMS when the project is complete.
You need to ensure that the protected content is still available after AD RMS is uninstalled.
Solution: You run the following Windows PowerShell command:
Set-ItemProperty -Path <protected content>:\ -Name IsDecommissioned -Value $true -EnableDecommission
Does this meet the goal?
A. Yes
B. No
Answer: A
QUESTION 202
An organization uses an Active Directory Rights Management Services (AD RMS) cluster named RMS1 to protect content for a project. You uninstall AD RMS when the project is complete.
You need to ensure that the protected content is still available after AD RMS is uninstalled.
Solution: You add the backup service account to the SuperUsers group and back up the protected content. Then, you restore the content to a file server and apply the required NTFS permissions to the files.
Does this meet the goal?
A. Yes
B. No
Answer: B
QUESTION 203
You install the Service Manager Self-Service Portal on a server named CONTOSOSSP1.
Users report that they receive access denied messages when they try to connect to the portal. You must grant users the minimum required permissions.
You need to ensure that all users in the Contoso domain can access the Service Manager Self-Service Portal.
What should you do?
A. In Active Directory, create a new group named PortalUsers.
Add the PortalUsers group to the Contoso\Domain Users group, and then add the group to the local users group on CONTOSOSSP1.
B. Using the account that you used to install the Self-Service portal, grant the Contoso\Domain Users group Read permissions to the portal.
C. In Service Manager, create a new user role named PortalUsers.
Grant the PortalUsers role rights to all catalog items, and then add the Contoso\Domain Users Active Directory Domain Services group to the PortalUsers role.
D. Using the account that you used to install the Self-Service portal, grant the Contoso\Domain Users group Contribute permissions to the portal.
Answer: B
QUESTION 204
Your network contains multiple servers that run Windows Server 2012.
The network contains a Storage Area Network (SAN1) that only supports Fibre Channel connections. You have two failover clusters.
Only the members of FC2 can connect to SAN1.
You plan to implement 20 highly available virtual machines on FC1.
All of the virtual machines will be stored in a single shared folder.
You need to ensure that the VHD files of the virtual machines can be stored on the SAN1.
VHD files must be available from any node in FC2.
What should you do? (Each correct answer presents a complete solution. Choose all that apply.)
A. Configure the clustered File Server role of the File Server for general use.
B. Add the iSCSI Target Server cluster role.
C. Configure the clustered File Server role of the Scale-Out File Server for application data.
D. Add the Storage Services role service.
Answer: BC
QUESTION 205
You perform a Server Core Installation of Windows Server 2012 R2 on a server named Server1.
You need to add a graphical user interface (GUI) to Server1.
Which tool should you use?
A. the ocsetup.exe command
B. the Install-Module cmdlet
C. the setup.cmd command
D. the dism.exe command
Answer: D
QUESTION 206
Your network contains one Active Directory domain named contoso.com.
The domain contains 10 domain controllers that run Windows Server 2012 R2.
You need to prevent several members of the Domain Admins group from logging on to the domain controllers.
Which two objects should you create and configure? Each correct answer presents part of the solution.
A. a user certificate
B. a Group Policy object (GPO) linked to the domain
C. a central access policy
D. an authentication policy
E. an authentication policy silo
Answer: DE
Explanation:
http://www.rebeladmin.com/2016/03/authentication-policies-and-authentication-policy-silos/
QUESTION 207
Your network contains servers that run only Windows Server 2012.
You have five storage pools. The storage pools are configured as shown in the following table.
You need to identify which storage pools can be used as clustered disk resources.
Which storage pools should you identify? (Each correct answer presents part of the solution. Choose all that apply.)
A. StoragePool1
B. StoragePool2
C. StoragePool3
D. StoragePool4
E. StoragePool5
Answer: AD
Explanation:
Storage Pool C has iSCSI mixed in the storage pool.
Case Study 7: Contoso Ltd Case D (QUESTION 208 – QUESTION 224)
Overview
Contoso, Ltd., is a manufacturing company that makes several different components that are used in automobile production. Contoso has a main office in Detroit, a distribution center in Chicago, and branch offices in Dallas, Atlanta, and San Diego. The contoso.com forest and domain functional level are Windows Server 2008 R2. All servers run Windows Server 2012 R2, and all client workstations run Windows 7 or Windows 8. Contoso uses System Center 2012 Operations Manager and Audit Collection Services (ACS) to monitor the environment. There is no certification authority (CA) in the environment.
Current Environment
The contoso.com domain contains the servers as shown in the following table:
Contoso sales staff travel within the United States and connect to a VPN by using mobile devices to access the corporate network. Sales users authenticate to the VPN by using their Active Directory usernames and passwords. The VPN solution also supports certificate-based authentication.
Contoso uses an inventory system that requires manually counting products and entering that count into a database. Contoso purchases new inventory software that supports wireless handheld scanners, along with several wireless handheld scanners. The wireless handheld scanners run a third-party operating system that supports the Network Device Enrollment Service (NDES).
Business Requirements
Security
The wireless handheld scanners must use certificate-based authentication to access the wireless network.
Sales users who use mobile devices must use certificate-based authentication to access the VPN. When sales users leave the company, Contoso administrators must be able to disable their VPN access by revoking their certificates.
Monitoring
All servers must be monitored by using System Center 2012 Operations Manager. In addition to monitoring the Windows operating system, you must collect security logs from the CA servers by using ACS, and monitor the services that run on the CA and Certificate Revocation List (CRL) servers, such as certification authority and web services.
Technical Requirements
CA Hierarchy
Contoso requires a two-tier CA hierarchy. The CA hierarchy must include a stand-alone offline root and two Active Directory-integrated issuing CAs: one for issuing certificates to domain-joined devices, and one for issuing certificates to non-domain-joined devices by using the NDES. CRLs must be published to two web servers: one in Detroit and one in Chicago.
Contoso has servers that run Windows Server 2012 R2 to use for the CA hierarchy.
The servers are described in the following table:
The IT security department must have the necessary permissions to manage the CA and CRL servers. A domain group named Corp-IT Security must be used for this purpose. The IT security department users are not domain admins.
Fault Tolerance
The servers that host the CRL must be part of a Windows Network Load Balancing (NLB) cluster. The CRL must be available to users in all locations by using the hostname crl.contoso.com, even if one of the underlying web servers is offline.
QUESTION 208
Drag and Drop Question
You need to configure access to the Certificate Revocation Lists (CRLs).
How should you configure the access? To answer, drag the appropriate protocol or servers to the correct network type. Each protocol or server may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Answer:
Explanation:
The CRL is accessible only via HTTP, not HTTPS; both should be HTTP.
QUESTION 209
Hotspot Question
You plan to configure Windows Network Load Balancing (NLB) for a company.
You display the following Network Load Balancing Manager window:
Use the drop-down menus to select the answer choice that answers each question based on the information presented in the graphic.
Answer:
QUESTION 210
Drag and Drop Question
You need to implement Windows Network Load Balancing (NLB).
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in correct order.
Answer:
QUESTION 211
Drag and Drop Question
You need to collect the required security logs.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer:
QUESTION 212
You need to automatically restart the appropriate web service on DETCRL01 and CHICRL01 if the web service is stopped.
Solution: You create a recovery task in SCOM and configure it to start the World Wide Web publishing service.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
The Internet Information Services (IIS) World Wide Web Publishing Service (W3SVC), sometimes referred to as the WWW Service, manages the HTTP protocol and HTTP performance counters.
The following is a list of the managed entities that are included in this managed entity:
* IIS Web Site
An Internet Information Services (IIS) Web site is a unique collection of Web pages and Web applications that is hosted on an IIS Web server. Web sites have bindings that consist of a port number, an IP address, and an optional host name or names.
* Active Server Pages (ASP)
https://technet.microsoft.com/en-us/library/cc734944(v=ws.10).aspx
QUESTION 213
You plan to allow users to run internal applications from outside the company’s network.
You have a Windows Server 2012 R2 that has the Active Directory Federation Services (AD FS) role installed. You must secure on-premises resources by using multi-factor authentication (MFA). You need to design a solution to enforce different access levels for users with personal Windows 8.1 or iOS 8 devices.
Solution: You install a local instance of MFA Server. You connect the instance to the Microsoft Azure MFA provider, and then run the following Windows PowerShell cmdlet.
Enable-AdfsDeviceRegistration
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
We must install the AD FS Adapter, not register a host for the Device Registration Service.
Note: The Enable-AdfsDeviceRegistration cmdlet configures a server in an Active Directory Federation Services (AD FS) farm to host the Device Registration Service.
https://msdn.microsoft.com/en-us/library/azure/dn807157.aspx
QUESTION 214
An organization uses an Active Directory Rights Management Services (AD RMS) cluster named RMS1 to protect content for a project. You uninstall AD RMS when the project is complete.
You need to ensure that the protected content is still available after AD RMS is uninstalled.
Solution: You enable the decommissioning service by using the AD RMS management console. You grant all users the Read & Execute permission to the decommission pipeline.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
The proper procedure is:
Inform your users that you are decommissioning the AD RMS installation and advise them to connect to the cluster to save their content without AD RMS protection. Alternatively, you could delegate a trusted person to decrypt all rights-protected content by temporarily adding that person to the AD RMS super users group.
After you believe that all of the content is unprotected and saved, you should export the server licensor certificate, and then uninstall AD RMS from the server.
QUESTION 215
Your network contains an Active Directory domain named contoso.com.
Your company has an enterprise root certification authority (CA) named CA1.
You plan to deploy Active Directory Federation Services (AD FS) to a server named Server1.
The company purchases a Microsoft Office 365 subscription.
You plan to register the company’s SMTP domain for Office 365 and to configure single sign-on for all users.
You need to identify which certificate is required for the planned deployment.
Which certificate should you identify?
A. a server authentication certificate that is issued by a trusted third-party root CA and that contains the subject name server1.contoso.com
B. a self-signed server authentication certificate for server1.contoso.com
C. a server authentication certificate that is issued by a trusted third-party root CA and that contains the subject name Server1
D. a server authentication certificate that is issued by CA1 and that contains the subject name Server1
Answer: A
Explanation:
Prepare Your Server and Install ADFS: You can install ADFS on a domain controller or another server. You’ll first need to configure a few prerequisites.
The following steps assume you’re installing to Windows Server 2008 R2.
Using Server Manager, install the IIS role and the Microsoft .NET Framework. Then purchase and install a server-authentication certificate from a public certificate authority. Make sure you match the certificate’s subject name with the Fully Qualified Domain Name of the server.
Launch IIS Manager and import that certificate to the default Web site.
https://technet.microsoft.com/en-us/magazine/jj631606.aspx
QUESTION 216
You administer an Active Directory Domain Services environment.
There are no certification authorities (CAs) in the environment.
You plan to implement a two-tier CA hierarchy with an offline root CA.
You need to ensure that the issuing CA is not used to create additional subordinate CAs.
What should you do?
A. In the CAPolicy.inf file for the issuing CA, enter the following constraint:
PathLength=1
B. In the CAPolicy.inf file for the root CA, enter the following constraint:
PathLength=1
C. In the CAPolicy.inf file for the root CA, enter the following constraint:
PathLength=2
D. In the CAPolicy.inf file for the issuing CA, enter the following constraint:
PathLength=2
Answer: B
Explanation:
You can use the CAPolicy.inf file to define the PathLength constraint in the Basic Constraints extension of the root CA certificate. Setting the PathLength basic constraint allows you to limit the path length of the CA hierarchy by specifying how many tiers of subordinate CAs can exist beneath the root. A PathLength of 1 means there can be at most one tier of CAs beneath the root. These subordinate CAs will have a PathLength basic constraint of 0, which means that they cannot issue any subordinate CA certificates.
http://blogs.technet.com/b/askds/archive/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax.aspx
QUESTION 217
Drag and Drop Question
You need to delegate permissions for DETCA01.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer:
QUESTION 218
Your network contains an Active Directory domain named contoso.com.
All servers run Windows Server 2012 R2.
The network contains a System Center 2012 R2 Data Protection Manager (DPM) deployment.
The domain contains six servers.
The servers are configured as shown in the following table.
You install System Center 2012 R2 Virtual Machine Manager (VMM) on the nodes in Cluster2.
You configure VMM to use a database in Cluster1. Server5 is the first node in the cluster.
You need to back up the VMM encryption key.
What should you back up?
A. a system state backup of Server2
B. a full system backup of Server6
C. a system state backup of Server5
D. a full system backup of Server3
Answer: A
Explanation:
Encryption keys in Active Directory Domain Services: If distributed key management (DKM) is configured, then you are storing VMM-related encryption keys in Active Directory Domain Services (AD DS). To back up these keys, back up Active Directory on a regular basis.
https://technet.microsoft.com/en-us/library/dn768227.aspx#BKMK_b_misc
QUESTION 219
Your network contains an Active Directory domain named contoso.com.
You currently have an intranet web site that is hosted by two Web servers named Web1 and Web2. Web1 and Web2 run Windows Server 2012.
Users use the name intranet.contoso.com to request the web site and use DNS round robin.
You plan to implement the Network Load Balancing (NLB) feature on Web1 and Web2.
You need to recommend changes to the DNS records for the planned implementation.
What should you recommend?
A. Delete one of the host (A) records named Intranet. Modify the remaining host (A) record named Intranet.
B. Delete both host (A) records named Intranet. Create a pointer (PTR) record for each Web server.
C. Create a new host (A) record named Intranet. Remove both host (A) records for Web1 and Web2.
D. Create a service locator (SRV) record. Map the SRV record to Intranet.
Answer: C
Explanation:
You must manually register the NLB cluster name in DNS by using a host (A) or (AAAA) record because DNS does not automatically register static IP addresses.
https://technet.microsoft.com/en-us/library/bb633031.aspx
QUESTION 220
Your network contains an Active Directory domain named contoso.com.
The network contains two servers named Server1 and Server2.
You deploy Active Directory Certificate Services (AD CS).
The certification authority (CA) is configured as shown in the exhibit. (Click the Exhibit button).
You need to ensure that you can issue certificates based on certificate templates.
What should you do?
A. Configure Server2 as a standalone subordinate CA.
B. On Server1, install the Network Device Enrollment service role service.
C. Configure Server2 as an enterprise subordinate CA.
D. On Server1, run the Add-CATemplate cmdlet.
Answer: C
Explanation:
The Add-CATemplate cmdlet adds a certificate template to the CA for issuing. Certificate templates allow for the customization of a certificate that can be issued by the CA.
Example: Adds a CA template with the template display name Basic EFS and the template name EFS.
Windows PowerShell
C:\PS>Add-CATemplate -Name EFS