Uploaded by Courtney Stark

Best Practices and Questions

Best practices MOC20411D.
Enjoy. Hope these help for our assessment. 
C.Stark.
Module 1 – Configuring and troubleshooting DNS
- Use a central forwarding DNS server for Internet name resolution. This security best practice can
improve performance and simplify troubleshooting. You can locate the forwarding DNS server on a
perimeter network, which ensures that no server within the internal network communicates directly
with the Internet.
- Conditional forwarding: Use conditional forwarders if you have multiple internal namespaces. This
provides faster name resolution.
Module 2 – Maintaining AD DS
Credential Caching
You should observe the following best practices to ensure the most effective use of cached
credentials:
- Create separate AD DS global groups for RODC (Read Only Domain Controller).
- Do not cache passwords for domain-wide administrative accounts.
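The two caching practices above, as an added example that is not part of the course notes: separate global groups feed the RODC's Password Replication Policy, and an explicit deny keeps domain-wide admin accounts off the branch DC. RODC01, the OU, the group names and the account names are constructed placeholders.

```powershell
# Added example (not from the course notes): scoping which credentials an RODC may cache.
# RODC01, the OU path, the group names and the accounts are constructed placeholders.
Import-Module ActiveDirectory

$rodc = 'RODC01'
$ou   = 'OU=Branch,DC=contoso,DC=com'

# Separate global groups per RODC keep the allow/deny lists reviewable
New-ADGroup -Name 'RODC01-AllowedCache' -GroupScope Global -Path $ou -Description 'Accounts whose passwords RODC01 may cache'
New-ADGroup -Name 'RODC01-DeniedCache'  -GroupScope Global -Path $ou -Description 'Accounts RODC01 must never cache'

# Branch users and the branch computers need cached credentials so logon works when the WAN is down
Add-ADGroupMember -Identity 'RODC01-AllowedCache' -Members 'branch.user1', 'BRANCH-PC1$'
# Domain-wide administrative accounts must never be cached on a DC that could be stolen
Add-ADGroupMember -Identity 'RODC01-DeniedCache'  -Members 'admin.jdoe'

# Apply the Password Replication Policy; an explicit deny always wins over an allow
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'RODC01-AllowedCache'
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList  'RODC01-DeniedCache'

# Review: which accounts have actually had their passwords revealed to this RODC?
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
```

The built-in "Denied RODC Password Replication Group" already covers Domain Admins, Enterprise Admins and similar groups; the deny group above is for the additional administrative accounts your own environment defines.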
Administering AD DS
- Do not virtualize all domain controllers on the same hypervisor host or server.
- Virtual machine snapshots provide an excellent reference point or quick recovery method, but you
should not use them as a replacement for regular backups. They also will not allow you to recover
objects by reverting to an older snapshot.
- Use RODCs when physical security makes a writable domain controller unfeasible.
- Use the best tool for the job. Active Directory Users and Computers (ADUC) is the most commonly
used tool for managing AD DS, but it is not always the best. You can use Active Directory
Administrative Centre (ADAC) for performing large-scale tasks or those tasks that involve multiple
objects. You can also use the Active Directory module for Windows PowerShell to create reusable
scripts for frequently repeated administrative tasks.
- Enable Active Directory Recycle Bin if your forest functional level supports the functionality. It can
be invaluable in saving time when recovering accidentally deleted objects in the AD DS.
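Enabling the Recycle Bin and recovering a deleted object, as an added example that is not part of the course notes. The forest name, the OU and the deleted user are constructed placeholders; enabling the feature is irreversible and requires a forest functional level of Windows Server 2008 R2 or higher.

```powershell
# Added example (not from the course notes): enable the AD Recycle Bin and restore a deleted user.
# contoso.com, OU=Sales and the user are constructed placeholders.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'

# Enable once per forest; EnabledScopes is empty until it has been turned on
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Later: a user in OU=Sales was deleted by mistake. Only objects deleted AFTER the feature was enabled
# can be restored, and only within the deleted-object lifetime (180 days by default).
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
               -IncludeDeletedObjects -Properties LastKnownParent, whenChanged |
           Where-Object { $_.LastKnownParent -eq 'OU=Sales,DC=contoso,DC=com' }

$deleted | Select-Object Name, LastKnownParent, whenChanged

# Restore-ADObject puts the object back in LastKnownParent with its SID, group memberships and attributes intact
$deleted | Where-Object { $_.Name -like 'jdoe*' } | Restore-ADObject

# Confirm the account is live again
Get-ADUser -Identity jdoe | Select-Object Name, Enabled, DistinguishedName
```

Without the Recycle Bin, the alternative is authoritative restore from a system state backup, which is exactly the slow path the best practice above is avoiding.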
Module 3 – Managing User and Server Accounts
Module 4- Implementing a Group Policy Infrastructure
Module 5 – Managing User Desktops with Group Policy
Best practices related to Group Policy Management:
- Include common comments on GPO settings.
- Use a central store for Administrative templates when client computers run Windows Vista or
newer.
- Use Group Policy preferences to configure settings that are not available in the policy settings.
- Use Group Policy software installation to deploy packages in .msi format to a large number of users
or computers.
Module 6 – Installing, Configuring and Troubleshooting the Network Policy Server Role
Module 7 – Implement Network Access Protection
Module 8 – Implementing Remote Access
- Although DirectAccess was present in Windows 7 and Windows Server 2008 R2, Windows 8 and
Windows Server 2012 introduce new features for improved manageability, ease of deployment, and
improved scale and performance.
- Monitoring of the environment is now much easier with Windows PowerShell, Windows
Management Instrumentation (WMI) and GUI monitoring, along with Network Connectivity
Assistant on the client side.
- One of the best enhancements is that DirectAccess can now access IPv4 servers on your network,
and your servers do not need to have IPv6 addresses to be exposed through DirectAccess, because
your DirectAccess server acts as a proxy.
- For ease of deployment, you do not need to have IP addresses on the Internet-facing network.
Therefore, this is a good scenario for proof-of-concept. However, if you are concerned about
security and if you want to integrate with Network Access Protection (NAP), you still need two public
addresses.
- Consider integrating DirectAccess with your existing Remote Access solution, because Windows
Server 2012 can implement the DirectAccess server behind a NAT device, which is the most common
remote access server placement for organizations.
Module 9 – Optimizing File Services
- Use quota templates to control and monitor the amount of data that groups store.
- Use file classification to identify and provide more granular control over certain types of data.
- Do not use DFS (Distributed File System) for files that may be accessed by different people
simultaneously. DFS is best suited for static files or one-way replication scenarios.
- Data deduplication can help reduce the amount of storage space consumed by similar files.
Module 10 – Configuring Encryption and Advanced Auditing
Module 11 – Deploying and Maintaining Server Images
Module 12 – Implementing Update Management
Module 13 – Monitoring Windows Server 2012
- Create an end-to-end monitoring strategy for your IT infrastructure. Monitoring should focus on
proactively detecting potential failures or performance issues.
- When monitoring, estimate the baseline of system utilizations for each server. This will help you
determine whether the system is performing well or is overused.
Module Review and Takeaway Questions and Answers.
Module 1 – Configuring and troubleshooting DNS
Q) You are deploying DNS servers into an Active Directory domain, and your customer requires that
the infrastructure be resistant to single points of failure. What must you consider while planning the
DNS configuration?
A)
- How many DNS zones will you configure on the server, and how many DNS records will each zone
contain?
- How many DNS clients will be communicating with the server on which you configure the DNS role?
- Where will you place the DNS servers? I.e., will you place the servers centrally, or does it make more
sense to locate DNS servers in branch offices?
Q) What is the difference between recursive and iterative queries?
A) Recursive Queries – A recursive query is a query made by a DNS client to a DNS server. The DNS
client service waits while the DNS server retrieves the answer. There are two possible results to a
recursive query:
- The recursive query returns the IP address of the requested host.
- The DNS server cannot resolve an IP address.
Iterative Queries - An iterative query is a query made by a DNS server for information it has either
in its zone or in cache. Iterative queries provide a mechanism for accessing domain-name
information that resides across the DNS system, and enable servers to resolve names quickly and
efficiently across many servers.
Q) You are the administrator of a Windows Server 2012 DNS environment. Your company recently
acquired another company. You want to replicate their primary DNS zone. The acquired company is
using Berkeley Internet Name Domain (BIND) 4.9.4 to host its primary DNS zones. You notice a
significant amount of traffic between the Windows Server 2012 DNS server and the BIND server.
What is one possible reason for this?
A) BIND 4.9.4 does not support IXFR (Incremental Zone Transfer). Each time a change occurs in the
BIND zone, it has to replicate the entire zone to a computer that is running Windows Server 2012 to
remain updated.
Q) You must automate a DNS server configuration process so that you can automate the deployment
of Windows Server 2012. What DNS tool can you use to do this?
A) Dnscmd.exe can be used for this.
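A scripted Dnscmd.exe configuration, as an added example that is not part of the course notes. It ties together the Module 1 best practices (central forwarder on the perimeter, conditional forwarder for a second internal namespace) and the automation question above. The server name, zone names and IP addresses are constructed placeholders.

```powershell
# Added example (not from the course notes): automating DNS server configuration with Dnscmd.exe.
# DNS01, the zone names and all IP addresses are constructed placeholders.
$dnsServer          = 'DNS01'      # internal DNS server being configured
$perimeterForwarder = '10.0.0.5'   # central forwarding DNS server on the perimeter network
$partnerDns         = '10.1.0.5'   # DNS server authoritative for a second internal namespace

# 1. Send all Internet name resolution to the central forwarder, so this server never talks to the Internet
dnscmd $dnsServer /ResetForwarders $perimeterForwarder /Timeout 5

# 2. Conditional forwarder: queries for the other internal namespace go straight to its own DNS server
dnscmd $dnsServer /ZoneAdd corp.fabrikam.com /Forwarder $partnerDns

# 3. AD-integrated primary zone for our own namespace, seeded with records
dnscmd $dnsServer /ZoneAdd contoso.com /DsPrimary
dnscmd $dnsServer /RecordAdd contoso.com web01 A 10.0.1.10
dnscmd $dnsServer /RecordAdd contoso.com www CNAME web01.contoso.com.

# 4. Secondary copy of a non-AD zone on a second server removes a single point of failure
dnscmd DNS02 /ZoneAdd legacy.contoso.com /Secondary 10.0.1.53

# 5. Verify what the server now does
dnscmd $dnsServer /Info Forwarders
dnscmd $dnsServer /EnumZones
dnscmd $dnsServer /ZoneInfo corp.fabrikam.com
```

On Windows Server 2012 the DnsServer PowerShell module offers the same operations (Add-DnsServerForwarder, Add-DnsServerConditionalForwarderZone, Add-DnsServerPrimaryZone, Add-DnsServerResourceRecordA); Dnscmd.exe is still the answer the course expects.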
Module 2 – Maintaining AD DS
Q) Which AD DS objects should have their credentials cached on an RODC located in a remote
location?
A) Typically, you would cache credentials that require authentication of AD DS for user, service and
computer accounts on an RODC located remotely.
Q) What benefits does Active Directory Administrative Centre (ADAC) provide over Active Directory
Users and Computers (ADUC)?
A) Active Directory Administrative Center (ADAC) is built on Windows PowerShell, so you can
perform tasks on a larger scale with more flexibility. Windows PowerShell provides more granular
control and parameters than many of the GUI-based tools. You also can use the Active Directory
Administrative Center to administer components like Active Directory Recycle Bin and fine-grained
password policies, unlike Active Directory Users and Computers.
Module 3 – Managing User and Server Accounts
Q) In what scenarios could users have multiple PSOs (Password Settings Objects) applied to their
accounts without actually having PSOs linked to their accounts?
A) PSOs can be linked to groups. If a user is a member of one or more groups to which PSOs are
linked, any PSOs applied to those groups will be linked to the user account. However, only the PSO
with the lowest precedence value will apply its settings to a user's account.
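The group-linked PSO scenario above, as an added example that is not part of the course notes: two PSOs reach one user through two group memberships, and the resultant policy shows that the lower precedence value wins. Group names, the user and the password settings are constructed placeholders; the domain functional level must be Windows Server 2008 or higher.

```powershell
# Added example (not from the course notes): PSO precedence through group membership.
# Group names, the user jdoe and the settings are constructed placeholders.
Import-Module ActiveDirectory

# Lower Precedence value wins when more than one PSO applies to the same user
New-ADFineGrainedPasswordPolicy -Name 'PSO-AllStaff' -Precedence 200 `
    -MinPasswordLength 10 -MaxPasswordAge '90.00:00:00' -MinPasswordAge '1.00:00:00' `
    -PasswordHistoryCount 12 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'

New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -MaxPasswordAge '30.00:00:00' -MinPasswordAge '1.00:00:00' `
    -PasswordHistoryCount 24 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutDuration '01:00:00' -LockoutObservationWindow '01:00:00'

# Link each PSO to a global group, never directly to users
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-AllStaff' -Subjects 'All-Staff'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins'   -Subjects 'Tier1-Admins'

# jdoe is in both groups, so both PSOs are candidates
Add-ADGroupMember -Identity 'All-Staff'    -Members 'jdoe'
Add-ADGroupMember -Identity 'Tier1-Admins' -Members 'jdoe'

# Resultant policy: PSO-Admins (precedence 10), not PSO-AllStaff (200)
$rsop = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
$rsop | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

If two PSOs carried the same precedence value, the one with the lowest GUID would win, which is why each PSO should get a unique precedence.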
Q) What benefit do managed service accounts provide compared to standard user accounts when
used for services?
A) Managed service accounts provide managed password changes that do not require administrator
intervention.
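A group managed service account for a two-node web tier, as an added example that is not part of the course notes: the password is generated and rotated by AD DS and only the listed hosts can retrieve it. Host names, the account name and the service name are constructed placeholders; a Windows Server 2012 domain controller is required.

```powershell
# Added example (not from the course notes): group managed service account with AD-managed password rotation.
# WEB01/WEB02, svc-web and MyWebService are constructed placeholders.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key from which gMSA passwords are derived.
# -EffectiveImmediately is for labs; in production omit it and wait 10 hours for replication.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Only WEB01 and WEB02 may retrieve the password; AD DS rotates it every 30 days
New-ADServiceAccount -Name 'svc-web' -DNSHostName 'svc-web.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WEB01$', 'WEB02$' `
    -ManagedPasswordIntervalInDays 30

# --- run on each web server (reboot first so its Kerberos ticket reflects the new permission) ---
Install-ADServiceAccount -Identity 'svc-web'
Test-ADServiceAccount    -Identity 'svc-web'      # True when this host can retrieve the password

# Bind the service to the account; the password is left blank because the host fetches it from AD DS
sc.exe config MyWebService obj= 'CONTOSO\svc-web$' password= ''
Restart-Service -Name MyWebService
```

No administrator ever knows the password, so there is nothing to update in a change ticket when it rotates, which is the benefit the answer above describes.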
Q) Why would you use secpol.msc to configure local account policy settings for a computer running
the Windows Server 2012 operating system instead of using domain-based Group Policy account
policy settings?
A) Secpol.msc is applied to local user accounts, and as its name implies, it is only relevant to your
particular local machine.
Module 4- Implementing a Group Policy Infrastructure
Q) You have assigned a logon script to an OU via Group Policy. The script is in a shared network
folder named Scripts. Some users in the OU receive the script, whereas others do not. What might
be the cause?
A) Security permissions might be a problem. If some users do not have read access to the shared
network folder where the scripts are stored, they will not be able to apply policy. Also, security
filtering on GPOs might be the cause for this problem.
Q) What GPO settings apply across slow links by default?
A) Registry policy and Security policy apply even when a slow link is detected. You cannot change
this setting.
Q) You need to ensure that a domain level policy is enforced, but the Managers global group needs
to be exempt from the policy. How would you accomplish that?
A) Set the link to enforce at the domain level, and use security group filtering to deny Apply Group
Policy permission to the Administrators group.
Module 5 – Managing User Desktops with Group Policy
Q) Why can some Group Policy settings take two log ins before going into effect?
A) Users typically log in with cached credentials. Credential caching occurs before Group Policy is
applied to the current session. The settings take effect at the next log in. However, by enabling the
Always wait for the network at computer startup and logon policy setting, you can ensure that
Group Policy settings take effect on the first log in.
Q) How can you support Group Policy preferences on Windows XP?
A) You must download and install the Group Policy client-side extensions for Group Policy
preferences.
Q) What is the benefit of having a central store?
A) A central store is a single folder in SYSVOL that holds all the .ADMX and .ADML files that are
required for administering Group Policy. After you have set up the central store, the Group Policy
Management Editor recognizes it, and then loads all Administrative templates from the central store
instead of from the local machine.
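Creating and checking the central store, as an added example that is not part of the course notes; it covers the central store item in the Module 5 best practices as well as the answer above. The domain name and the source folder are constructed placeholders; run it as a user who can write to SYSVOL.

```powershell
# Added example (not from the course notes): build the Group Policy central store in SYSVOL.
# contoso.com and the source folder are constructed placeholders.
$domain  = 'contoso.com'
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
$source  = 'C:\Windows\PolicyDefinitions'   # from the newest OS in the environment, or an extracted ADMX package

if (-not (Test-Path $central)) {
    New-Item -Path $central -ItemType Directory | Out-Null
}

# .admx files plus the language folder with the matching .adml files; /XO never downgrades a newer copy
robocopy $source           $central           *.admx /XO /NFL /NDL
robocopy "$source\en-US"   "$central\en-US"   *.adml /XO /NFL /NDL

# Once the folder exists, Group Policy Management Editor loads templates from here instead of from
# the local machine. Check that every ADMX has its ADML, otherwise the editor shows raw setting names.
$admx = Get-ChildItem -Path $central          -Filter *.admx
$adml = Get-ChildItem -Path "$central\en-US"  -Filter *.adml
"{0} ADMX and {1} ADML files in the central store" -f $admx.Count, $adml.Count

$admx | Where-Object { -not (Test-Path "$central\en-US\$($_.BaseName).adml") } |
    ForEach-Object { "Missing ADML for $($_.Name)" }
```

Because the store replicates with SYSVOL, run the copy against one domain controller only and let replication deliver it to the rest.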
Q) What is the main difference between Group Policy settings and Group Policy preferences?
A) Group Policy settings enforce some settings on the client side and disable the client interface for
modification of the settings that were configured. However, Group Policy preferences configure
settings and allow the user to modify them.
Q) What is the difference between publishing and assigning software through Group Policy?
A) If you assign software to user or computer, it will be installed without asking users whether they
want to install it. Publishing software will allow user to decide whether to install software.
Q) Can you use Windows PowerShell® scripts as startup scripts?
A) Only computers that are running the Windows Server® 2008 R2 operating system or newer or the
Windows 7 operating system or newer can run Windows PowerShell scripts as startup scripts.
Module 6 – Installing, Configuring and Troubleshooting the Network Policy Server Role
Q) How can you make the most effective use of the NPS logging features?
A) You can make the most effective use of the NPS logging features by performing the following
tasks:
- Turn on logging initially for both authentication and accounting records. Modify these selections
after you determine what is appropriate for your environment.
- Ensure that you configure event logging with sufficient capacity to maintain your logs.
- Back up all log files on a regular basis, because you cannot recreate them when they become
damaged or are deleted.
- Use the RADIUS Class attribute to track usage and simplify the identification of which department
or user to charge for usage. Although the Class attribute, which is automatically generated, is unique
for each request, duplicate records might exist in cases where the reply to the access server is lost
and the request is resent. You might need to delete duplicate requests from your logs to track usage
accurately.
- To provide failover and redundancy with Microsoft SQL Server logging, place two computers that
are running Microsoft SQL Server on different subnets. Use the Microsoft SQL Server Create
Publication Wizard to configure database replication between the two servers.
Q) What consideration must you follow if you choose to use a nonstandard port assignment for
RADIUS traffic?
A) If you do not use the RADIUS default port numbers, you must configure exceptions on the firewall
for the local computer to allow RADIUS traffic on the new ports.
Q) Why must you register the NPS server in AD DS?
A) When NPS is a member of an Active Directory domain, NPS performs authentication by comparing
user credentials that it receives from NASs with the user-account credentials that AD DS stores. NPS
authorizes connection requests by using network policy and by checking user account dial-in
properties in AD DS. You must register the NPS server in AD DS to have permission to access user-account
credentials and dial-in properties.
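Registering the NPS server and opening nonstandard RADIUS ports, as an added example that is not part of the course notes; it covers the two answers above. NPS01 and the port numbers are constructed placeholders; run it elevated on the NPS server.

```powershell
# Added example (not from the course notes): register NPS in AD DS and open nonstandard RADIUS ports.
# NPS01 and the ports 11812/11813 are constructed placeholders.
$nps       = 'NPS01'
$authPort  = 11812   # nonstandard; RADIUS defaults are UDP 1812/1645 (authentication)
$acctPort  = 11813   # nonstandard; RADIUS defaults are UDP 1813/1646 (accounting)

# 1. Register NPS in AD DS so it may read user-account credentials and dial-in properties.
#    This adds the computer account to the 'RAS and IAS Servers' group.
netsh nps add registeredserver
# Equivalent from any management host with the AD module:
# Add-ADGroupMember -Identity 'RAS and IAS Servers' -Members "$nps$"

# 2. The built-in NPS firewall rules only cover the default ports, so nonstandard ports need explicit rules.
#    (The ports themselves are changed in the NPS console under NPS Properties > Ports.)
New-NetFirewallRule -DisplayName "RADIUS Authentication (UDP $authPort)" -Direction Inbound `
    -Protocol UDP -LocalPort $authPort -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName "RADIUS Accounting (UDP $acctPort)" -Direction Inbound `
    -Protocol UDP -LocalPort $acctPort -Action Allow -Profile Domain

# 3. Verify both halves
Get-ADGroupMember -Identity 'RAS and IAS Servers' | Select-Object -ExpandProperty Name
Get-NetFirewallRule -DisplayName 'RADIUS *' | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Keep the firewall rules scoped to the Domain profile and, where the NAS addresses are known, add -RemoteAddress so only the RADIUS clients can reach the ports.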
Module 7 – Implement Network Access Protection
Q) What are the three main client configurations that you need to configure for most NAP
deployments?
A) Some NAP deployments that use Windows Security Health Validator require that you enable
Security Center. The Network Access Protection service is required when you deploy NAP to NAP-capable
client computers. You also must configure the NAP enforcement clients on the NAP-capable computers.
Q) You want to evaluate the overall health and security of the NAP enforced network. What do you
need to do to start recording NAP events?
A) NAP trace logging is disabled by default, but you should enable it if you want to troubleshoot
NAP-related problems or evaluate the overall health and security of your organization’s computers.
You can use the NAP Client Management console or the Netsh command-line tool to enable logging
functionality.
Q) On a client computer, what steps must you perform to ensure that its health is assessed?
A) You must perform the following steps to ensure that it can be assessed for health:
- Enable the NAP enforcement client.
- Enable the Security Center.
- Start the NAP agent service.
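The three client steps and the trace-logging answer above, as an added example that is not part of the course notes. It is written for a DHCP enforcement deployment; the other enforcement client IDs are noted in comments. Run it elevated on the client.

```powershell
# Added example (not from the course notes): preparing a NAP-capable client and enabling trace logging.
# Written for DHCP enforcement; swap the enforcement ID for other deployments.

# 1. The NAP agent service must be running
Set-Service   -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 2. Security Center is required when the Windows Security Health Validator is used
Set-Service   -Name wscsvc -StartupType Automatic
Start-Service -Name wscsvc

# 3. Enable the enforcement client that matches the deployment:
#    79617 = DHCP, 79619 = IPsec, 79621 = RD Gateway, 79623 = EAP (802.1X / VPN)
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

# 4. Trace logging is off by default; enable it while evaluating or troubleshooting.
#    Trace files are written under %SystemRoot%\tracing.
netsh nap client set tracing state = enable level = verbose

# Confirm what the client is doing and which enforcement clients are active
netsh nap client show state
netsh nap client show configuration
Get-Service -Name napagent, wscsvc | Select-Object Name, Status, StartType
```

In a domain, deliver the same three settings through Group Policy (Computer Configuration > Windows Settings > Security Settings > Network Access Protection) rather than by hand on each client; the script is useful for a single client you are troubleshooting.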
Module 8 – Implementing Remote Access
Q) What remote access solutions can you deploy by using Windows Server 2012 R2?
A) In Windows Server 2012 R2, you can deploy the following remote access solutions: DirectAccess, VPN,
routing, and Web Application Proxy.
Q) What are the main benefits of using DirectAccess for providing remote connectivity?
A) The main benefits of using DirectAccess for providing remote connectivity are as follows:
- Always-on connectivity. When the user is connected to the Internet, the user is also connected to
the intranet.
- A user has the same experience regardless of whether he or she is connected locally or remotely.
- Bidirectional access. When the client computer is accessing the intranet, the computer is also
connected and managed by the administrators.
- Improved security. Administrators can set and control the intranet resources that are accessible
through DirectAccess.
Q) How do you configure DirectAccess clients?
A) To configure DirectAccess clients, use Group Policy. When you use the Configure Remote Access
Wizard to configure DirectAccess, two GPOs are created and linked to the domain. These two GPOs
define DirectAccess-related settings and are applied to the DirectAccess clients.
Q) How does the DirectAccess client determine if it is connected to the intranet or the Internet?
A) When you configure the DirectAccess server, you need to define the computer that will be a
network location server. The network location server should be a highly-available web server. Based
on the response from this web server, the DirectAccess client determines if it is connected to the
intranet or the Internet.
Q) What is the benefit of an NRPT?
A) An NRPT stores a list of DNS namespaces and their corresponding configuration settings. These
settings define the DNS server to contact and the DNS client behavior for that namespace.
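Reading and adding NRPT rules on a client, as an added example that is not part of the course notes. The DirectAccess wizard normally delivers these rules through the client GPO; the namespace, the DNS server addresses and the NLS name here are constructed placeholders.

```powershell
# Added example (not from the course notes): inspecting and adding NRPT rules on a Windows 8 / 2012 client.
# .lab.contoso.com, the DNS server addresses and nls.contoso.com are constructed placeholders.

# Rules currently in effect (GPO-delivered DirectAccess rules appear here): the intranet namespace
# points at the DirectAccess DNS64 address, and the NLS name is exempted so it resolves via normal DNS
Get-DnsClientNrptPolicy | Format-List Namespace, DirectAccessEnabled, DirectAccessDnsServers, NameServers

# Add a local rule: names under .lab.contoso.com are sent to a specific DNS server regardless of the
# interface's DNS settings. The leading dot makes the rule apply to the whole suffix.
Add-DnsClientNrptRule -Namespace '.lab.contoso.com' -NameServers '10.0.0.53' `
    -DisplayName 'Lab namespace' -Comment 'Constructed example rule'

# Test that the rule is honoured (Resolve-DnsName consults the NRPT before the interface DNS servers)
Resolve-DnsName -Name 'app1.lab.contoso.com' -Type A

# List locally defined rules and remove the example again
Get-DnsClientNrptRule | Select-Object Name, Namespace, NameServers, Comment
Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq '.lab.contoso.com' } |
    ForEach-Object { Remove-DnsClientNrptRule -Name $_.Name -Force }
```

When a DirectAccess client cannot reach intranet names, Get-DnsClientNrptPolicy is the first thing to check: if the intranet namespace is missing, the client did not receive the DirectAccess GPO.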
Q) What types of remote access solution can you provide by using VPN in Windows Server 2012?
A) You can configure the following remote access solutions by using VPN in Windows Server 2012:
- Secure remote access to internal network resources for users located on the Internet. The users act
as VPN clients that are connecting to Windows Server 2012 that, in turn, acts as a VPN server.
- Secure communication between network resources located in different geographical locations or
sites. This solution is called site-to-site VPN. In each site, Windows Server 2012 acts as a VPN server
that encrypts communication between the sites.
Q) What types of application can you publish by using Web Application Proxy in Windows Server
2012 R2?
A) Web Application Proxy in Windows Server 2012 R2 is a role service that you can use for publishing
web applications. You can choose between two types of pre-authentication for web applications:
- AD FS pre-authentication, which uses AD FS for web applications that use claims-based
authentication.
- Pass-through pre-authentication, where a user is connected to the web application through Web
Application Proxy, and the user is authenticated by the web application.
Module 9 – Optimizing File Services
Q) How do FSRM templates for quotas and file screens provide a more efficient FSRM management
experience?
A) Templates enable administrators to create quotas and file screens quickly, based on predefined
templates. You also can use templates to manage child quotas in a one-to-many manner. To change
the file size for several quotas created from the template, you only need to change the template.
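Quota templates, derived quotas, a file screen and deduplication, as an added example that is not part of the course notes; it covers the Module 9 best practices as well as the template answer above. Paths, the e-mail recipient variable and the sizes are constructed placeholders; the FSRM role service and the Data Deduplication feature must be installed.

```powershell
# Added example (not from the course notes): one-to-many quota management with FSRM templates.
# D:\Shares\Departments and the quota sizes are constructed placeholders.
Import-Module FileServerResourceManager

# Notification at 85 %: e-mail the FSRM administrator ([Admin Email] is an FSRM variable;
# the SMTP server is configured with Set-FsrmSetting -SmtpServer)
$action    = New-FsrmAction -Type Email -MailTo '[Admin Email]' `
                 -Subject 'Quota threshold reached on [Quota Path]' `
                 -Body 'Usage is [Quota Used Percent]% of [Quota Limit].'
$threshold = New-FsrmQuotaThreshold -Percentage 85 -Action $action

New-FsrmQuotaTemplate -Name 'Dept-200MB' -Size 200MB -Threshold $threshold `
    -Description 'Default departmental share quota'

# Derive one quota per department folder from the template
Get-ChildItem -Path 'D:\Shares\Departments' -Directory | ForEach-Object {
    New-FsrmQuota -Path $_.FullName -Template 'Dept-200MB'
}

# Raise every derived quota by changing only the template
Set-FsrmQuotaTemplate -Name 'Dept-200MB' -Size 500MB -UpdateDerived

# File screen: block media files in the departmental shares using a built-in file group
New-FsrmFileScreen -Path 'D:\Shares\Departments' -IncludeGroup 'Audio and Video Files' -Active

# Deduplication for a volume holding many similar files, then a first optimization pass
Enable-DedupVolume -Volume 'D:'
Start-DedupJob -Volume 'D:' -Type Optimization
Get-DedupStatus -Volume 'D:' | Select-Object SavedSpace, OptimizedFilesCount

# Review what is in place
Get-FsrmQuota | Select-Object Path, Template, Size, Usage
```

Quotas created from a template stay linked to it, so -UpdateDerived changes them all in one step; a quota whose values were edited individually keeps its own settings unless -UpdateDerivedMatching is used instead.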
Q) Why does DFS Replication make a more efficient replication platform than FSRM?
A) DFS Replication uses an advanced delta-based heuristic, which only replicates modified portions
of the file system, whereas FSRM always replicates the complete file. DFS Replication also uses
remote differential compression (RDC) to reduce replication-based network traffic.
Module 10 – Configuring Encryption and Advanced Auditing
Q) Some users are encrypting files that are stored on network shares to protect them from other
departmental users with file system permissions to those files. Is this an effective way to prevent
users from viewing and modifying those files?
A) Yes. Unauthorized users cannot open or modify an EFS-encrypted file. By default, only the user
who encrypted the file and the recovery agent can decrypt the file.
Q) Why might EFS be considered a problematic encryption method in a widely distributed network
file server environment?
A) EFS encryption is based primarily on personal certificates, which are commonly stored in a user
profile. The ability to decrypt files relies strictly on access to the certificate in the profile or access to
a data recovery agent, which might not be available. This will depend on the computer the user is
logging on to.
Q) You have configured an audit policy by using Group Policy to apply to all of the file servers in your
organization. After enabling the policy and confirming that the Group Policy settings are being
applied, you discover that audit events are not being recorded in the event logs. What is the most
likely reason for this?
A) To audit file access, you must configure files or folders to audit specific events. If you do not do
so, the audit events will not be recorded.
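Both halves of file-access auditing, as an added example that is not part of the course notes: the policy side that the GPO delivers, and the SACL on the folder that the answer above says is still missing. The share path is a constructed placeholder; run it elevated on the file server.

```powershell
# Added example (not from the course notes): making object-access audit events actually appear.
# D:\Shares\HR is a constructed placeholder.

# 1. Policy side (normally delivered by GPO under Advanced Audit Policy Configuration)
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Object side, which no audit policy does for you: a SACL naming who and which accesses to audit
$path = 'D:\Shares\HR'
$acl  = Get-Acl -Path $path -Audit      # -Audit reads the SACL; requires SeSecurityPrivilege (Administrators)

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Verify both halves are present
auditpol /get /subcategory:"File System"
(Get-Acl -Path $path -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags

# 4. Event 4663 (an attempt was made to access an object) now appears for writes, deletes and ACL changes.
#    Property indexes below follow the 4663 layout: [1] SubjectUserName, [6] ObjectName, [8] AccessList.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20 |
    Select-Object TimeCreated,
        @{ n = 'User';   e = { $_.Properties[1].Value } },
        @{ n = 'Object'; e = { $_.Properties[6].Value } },
        @{ n = 'Access'; e = { $_.Properties[8].Value } }
```

Audit only the accesses you will act on (deletes, writes, permission changes); auditing reads on a busy share floods the Security log and hides the events you wanted.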
Q) You need to encrypt the data of a folder that is used by the HR department on a shared
computer. Three different people need to read and modify the data in the folder. Should you use EFS
or BitLocker to encrypt the data?
A) Because only a single folder will be encrypted, EFS is the right choice. EFS can encrypt a single
folder and will meet the requirements of having multiple people work with the data.
Module 11 – Deploying and Maintaining Server Images
Q) Windows Deployment Services supports two types of multicast transmission. Which type is
suitable for minimizing total network traffic during deployment to a fixed number of clients?
A) Scheduled-Cast configuration is such that it waits for a threshold number of clients before starting
and deploying simultaneously, which makes it better for a fixed number of clients. This is especially
true if deployment occurs at different times for different computers. Auto-cast loops around while
client computers are connected. If clients do not connect simultaneously, the Windows Deployment
Services server transmits the image multiple times. This may consume large amounts of network
bandwidth.
Q) How is Windows ADK useful for Windows Deployment Services deployments?
A) Windows ADK provides tools such as ImageX.exe, Sysprep.exe, and Windows SIM that enable you
to manage images for use by Windows Deployment Services. For example, you can use Windows
SIM to create and configure answer files for automating Windows Deployment Services
deployments. You also can use Sysprep to generalize a capture image for Windows Deployment
Services. Additionally, Windows ADK provides a number of Windows PE images and management
tools.
Q) What steps are necessary to automate the end-to-end deployment process?
A) The following steps are required to automate the end-to-end deployment process:
1. Configure your PXE boot policy to Always Continue PXE boot.
2. Configure a default boot image.
3. Create and associate an answer file for your Windows Deployment Services client file.
4. Create and associate an answer file for an install image.
5. Configure clients to boot first from hard disk and then from PXE, to avoid boot loop.
6. If necessary, configure multicast transmission.
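The six steps above scripted with WDSUTIL, as an added example that is not part of the course notes; step 6 uses the Scheduled-Cast transmission that the multicast answer above recommends for a fixed number of clients. Image names, file paths, the client count and the start time are constructed placeholders; run it on the WDS server.

```powershell
# Added example (not from the course notes): end-to-end WDS automation with WDSUTIL.
# Image and group names, answer-file paths, the client count and the time are constructed placeholders.

# 1. Answer all clients and continue the PXE boot without waiting for F12
wdsutil /Set-Server /AnswerClients:All
wdsutil /Set-Server /PxePromptPolicy /Known:NoPrompt /New:NoPrompt

# 2. Default boot image per architecture (path is relative to the RemoteInstall folder)
wdsutil /Set-Server /BootImage:"boot\x64\images\boot.wim" /Architecture:x64

# 3. Answer file for the WDS client screens (language, credentials, image choice, disk layout)
wdsutil /Set-Server /WdsUnattend /Policy:Enabled /File:"WdsClientUnattend\WdsClientUnattend.xml" /Architecture:x64

# 4. Answer file for the install image itself (Windows Setup passes, product key, domain join)
wdsutil /Set-Image /Image:"Windows Server 2012 Standard" /ImageType:Install /ImageGroup:"ImageGroup1" `
    /UnattendFile:"D:\RemoteInstall\WdsClientUnattend\ImageUnattend.xml"

# 5. Boot order (hard disk first, PXE second) is set in the client firmware, not in WDS. With the
#    policy in step 1 the server always answers, so a wrong boot order would reimage the machine
#    on every restart; that is the loop the step warns about.

# 6. Scheduled-Cast: the transmission starts when 25 clients have joined or at the given time,
#    so the image is sent once to the whole batch instead of once per late-arriving client
wdsutil /New-MulticastTransmission /FriendlyName:"Server 2012 rollout" `
    /Image:"Windows Server 2012 Standard" /ImageType:Install /ImageGroup:"ImageGroup1" `
    /TransmissionType:ScheduledCast /Clients:25 /Time:"2014/06/01:22:00"

# Review the server settings and the pending transmission
wdsutil /Get-Server /Show:Config
wdsutil /Get-AllMulticastTransmissions
```

An Auto-Cast transmission would be the choice when machines arrive throughout the day and each should start immediately; it pays for that convenience with repeated transmissions, as the answer above explains.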
Module 12 – Implementing Update Management
Q) Your manager has asked if all updates to the Windows operating system should be applied
automatically when they are released. Do you recommend an alternative process?
A) An alternative process could be testing the updates before they are approved, declining if they
are not needed and removing if they cause problems.
Q) Your organization implements several applications that are not Microsoft applications. A
colleague has proposed using WSUS to deploy application and operating system updates. Are there
any potential issues with using WSUS?
A) Some issues could potentially be:
- Computers not appearing in WSUS. This results from a misconfiguration of the client computer or a
GPO that is not applied to the client computer.
- WSUS server stops with full database. When this happens, you will notice an SQL (Structured Query
Language) Server dump (SQLDumpnnnn.txt) in the LOGs folder for SQL Server. This is usually due to
index corruption in the database. You may need help from an SQL Server DBA to recreate indexes or
you may simply need to re-install WSUS to fix the problem.
- You cannot connect to WSUS. Verify network connectivity. Ensure the client can connect to the
ports used by WSUS using the Telnet client utility.
- Other problems. Consider using the server diagnostics tool and the client diagnostics tool available
from Microsoft.
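A test-before-approve workflow with the UpdateServices module, plus the connectivity check for a client that does not appear in the console, as an added example that is not part of the course notes; it covers the two WSUS questions above. The server name, port and computer group names are constructed placeholders.

```powershell
# Added example (not from the course notes): WSUS approval staging and client connectivity checks.
# WSUS01, port 8530 and the groups Pilot/Production are constructed placeholders.
$wsusHost = 'WSUS01'
$wsusPort = 8530

# --- Client side: the computer is missing from the console ---
# Which server the GPO assigned, and whether the WSUS port is reachable at all
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' |
    Select-Object WUServer, WUStatusServer
Test-NetConnection -ComputerName $wsusHost -Port $wsusPort   # Windows 8.1 / 2012 R2; use Telnet on older clients
wuauclt /detectnow
wuauclt /reportnow

# --- Server side: staged approvals instead of installing everything as released ---
$wsus = Get-WsusServer -Name $wsusHost -PortNumber $wsusPort

# Stage 1: anything new and needed goes to the Pilot group only
Get-WsusUpdate -UpdateServer $wsus -Classification All -Approval Unapproved -Status FailedOrNeeded |
    Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot'

# Stage 2 (after the test period): promote what Pilot installed cleanly to Production
Get-WsusUpdate -UpdateServer $wsus -Approval Approved -Status InstalledOrNotApplicable |
    Approve-WsusUpdate -Action Install -TargetGroupName 'Production'

# Decline superseded updates that are still unapproved; they would otherwise bloat the database
Get-WsusUpdate -UpdateServer $wsus -Approval Unapproved -Status Any |
    Where-Object { $_.Update.IsSuperseded } |
    Deny-WsusUpdate

# Removal of a problem update: approve it for uninstall on the groups that received it
# Approve-WsusUpdate -Action Uninstall -TargetGroupName 'Production' -Update <WsusUpdate object>
```

Stage 2 as written promotes every approved update whose Pilot status is installed or not applicable; in practice filter further on title or KB article so a single bad update cannot ride along with the rest.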
Q) Why is WSUS easier to manage in an Active Directory Domain Services domain?
A) Because you have one place to manage it instead of multiple.
Module 13 – Monitoring Windows Server 2012
Q) What significant counters should you use to monitor in Performance Monitor?
A) Primary Processor Counters – This counter measures the percentage of elapsed time the
processor spends executing a nonidle thread.
Primary Memory Counters – The memory performance object consists of counters that describe the
behaviour of the computer's physical and virtual memory.
Primary Disk Counters – The physical disk performance object consists of counters that monitor hard
or fixed disk drives.
Primary Network Counters – Most workloads require access to production networks to ensure
communication with other applications, and services and to communicate with users.
Q) Why is it important to monitor server performance periodically?
A) To determine whether the system is performing well or is overused.
Q) Why should you use performance alerts?
A) You should use performance alerts because they notify you when certain events occur or when
certain performance thresholds are reached.
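The four primary counter groups sampled into a baseline, with a threshold alert written to the event log, as an added example that is not part of the course notes; it covers the three Module 13 answers above. The thresholds, the sampling window and the event source name are constructed placeholders.

```powershell
# Added example (not from the course notes): baseline the primary counters and alert on thresholds.
# Thresholds, the 12 x 5 s sampling window and the event source 'PerfBaseline' are constructed placeholders.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Bytes Total/sec'
)
# Alert rules: which counter, whether the breach is above or below, and the limit
$rules = @(
    @{ Pattern = '% Processor Time';       Above = $true;  Limit = 85  },
    @{ Pattern = 'Available MBytes';       Above = $false; Limit = 512 },
    @{ Pattern = 'Avg. Disk Queue Length'; Above = $true;  Limit = 2   }
)

# A real baseline runs for days at the same schedule; 12 samples 5 s apart is enough to show the shape
$samples = Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 12

# Baseline per counter instance: average and peak, saved for comparison with later runs
$baseline = $samples.CounterSamples | Group-Object -Property Path | ForEach-Object {
    $m = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
    [pscustomobject]@{
        Counter = $_.Name
        Average = [math]::Round($m.Average, 2)
        Peak    = [math]::Round($m.Maximum, 2)
    }
}
$baseline | Export-Csv -Path "$env:COMPUTERNAME-baseline-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$baseline | Format-Table -AutoSize

# Alerting: a Warning event that the monitoring system can collect (source is created once, elevated)
if (-not [System.Diagnostics.EventLog]::SourceExists('PerfBaseline')) {
    New-EventLog -LogName Application -Source 'PerfBaseline'
}
foreach ($s in $samples.CounterSamples) {
    foreach ($r in $rules) {
        if ($s.Path -like "*$($r.Pattern)*") {
            $breach = if ($r.Above) { $s.CookedValue -gt $r.Limit } else { $s.CookedValue -lt $r.Limit }
            if ($breach) {
                Write-EventLog -LogName Application -Source 'PerfBaseline' -EntryType Warning -EventId 1001 `
                    -Message ('{0} = {1:N1} at {2} (limit {3})' -f $s.Path, $s.CookedValue, $s.Timestamp, $r.Limit)
            }
        }
    }
}
```

The limits only mean something against the baseline: a server whose normal processor load is 70 % needs a different alert threshold than one idling at 10 %, which is why the baseline is captured before the alert rules are tuned.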