2013 Latest MCSA 70-417 Exam Questions 21-25

Ensurepass

QUESTION 21
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1.
All servers run Windows Server 2012.
All domain user accounts have the Division attribute automatically populated as part of the user provisioning process.
The Support for Dynamic Access Control and Kerberos armoring policy is enabled for the domain.
You need to control access to the file shares on Server1 based on the values in the Division attribute and the Division resource property.
Which three actions should you perform in sequence?
To answer, move the three appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Section: Access Control & Dynamic Access Control
Explanation
Explanation/Reference:
First create a claim type for the property, then create a reference resource property that points back to the claim. Finally set the classification value on the folder.
and if you want the complete procedure :
create a claim type :
create a
which you’ll later be able to see in the classification tab of the folders :
you create a CentralAccesRule
(NB : you can leave selected the Use Following Permissions as Proposed Permissions option if you just
want to “stage” a policy rule.
Staging policies can be used to monitor the effects of a new policy entry before you enable it.)
then a CentralAccesPolicy including the previously created CentralAccessRule
then you create (or modify an existing) GPO by integrating the CentralAccessPolicy to it
NB : The GPO is linked to the concerned OUs, for example an OU containing the files servers) :
This previous step will make the CentralAccessPolicy available in the Central Policy tab of the advanced security settings of the folders properties (after a gpupdate /force or a logon/start of course)
We’re supposed to set it at the end of the process, when GPOs are configured and applied :
(and if you do not want to apply your CentralAccessPolicy and just want to check its effects before applying it you can configure the Audit Central Access Policy Staging in the same GPO) :
Last point about GPOs : “KDC support for claims, compound authentication and Kerberos armoring”
must be enabled on a GPO linked to the domain controllers :
Then, at last (as i showed you earlier, you go to the “Central Policy” tab of advanced security to apply the
CAP :
if you want to apply conditional permissions, you can go to the “Permissions” security tab of the folder :
NB : the Central Access Policy (CAP) is deployed to the objects on which applies the GPO in which we added this CAP BUT this CAP is applied only to resources whose CAP (in Central Policy tab of advanced security of the resource) is set to the concerned CAP
NB : I’m not an expert at all on it, i’m learning and i just tell you what i understood
(or think i understood?)
feel free to go check by yourself

QUESTION 22
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012.
Server1 has the IP Address Management (IPAM) Server feature installed. IPAM is configured currently for
Group Policy-based provisioning.
You need to change the IPAM provisioning method on Server1. What should you do? A. Run the ipamgc.exe command.
B. Run the Set-IPAMConfiguration cmdlet.
C. Reinstall the IP Address Management (IPAM) Server feature. D. Delete IPAM Group Policy objects (GPOs) from the domain.
Correct Answer: C
Section: Network (DNS, DHCP, NIC teaming, IPAM, VPN, NAP, DirectAccess…) Explanation
Explanation/Reference:
You cannot change the provisioning method after completing the initial setup.
When you install IPAM and configure either manual OR GPO, you receive the same message about not being able to change the provisioning method.
As a matter of fact, I set it up in my lab and configured it as GPO. Here is a copy/paste of the message that is presently on the IPAM home page in server manager:
“The access configuration mode cannot be modified after completing the IPAM provisioning wizard”
Also, the help console in IPAM displays this when searching about provisioning methods:
“The managed server provisioning method cannot be changed after you complete the IPAM
provisioning wizard.”
I think those two items make it perfectly clear.

QUESTION 23
Your network contains an Active Directory domain named contoso.com.
The domain contains four servers. The servers are configured as shown in the following table.
You plan to deploy an enterprise certification authority (CA) on a server named Server5. Server5 will be used to issue certificates to domain-joined computers and workgroup computers.
You need to identify which server you must use as the certificate revocation list (CRL) distribution point for
Server5. Which server should you identify?
A. Server1
B. Server3
C. Server4
D. Server2
Correct Answer: B Section: Certificates Explanation
Explanation/Reference:
CDP (and AD CS) always uses a Web Server
NB : this CDP must be accessible from outside the AD, but here we don’t have to wonder about that as there’s only one web server.
=========
http://technet.microsoft.com/fr-fr/library/cc782183%28v=ws.10%29.aspx
Selecting a CRL Distribution Point
Because CRLs are valid only for a limited time, PKI clients need to retrieve a new CRL periodically. Windows Server 2003 PKI applications look in the CRL distribution point extension for a URL that points to a network location from which the CRL object can be retrieved. Because CRLs for enterprise CAs are stored in Active Directory, they can be accessed by means of LDAP. In comparison, because CRLs for stand-alone CAs are stored in a directory on the server, they can be accessed by means of HTTP, FTP,
and so on as long as the CA is online. Therefore, you should set the CRL distribution point after the CA has been installed.
The system account writes the CRL to its distribution point, whether the CRL is published manually or is published according to an established schedule. Therefore you must ensure that the system accounts for CAs have permission to write to the CRL distribution point.
Because the CRL path is also included in every certificate, you must define the CRL location and its access path before deploying certificates. If an application performs revocation checking and a valid CRL is not available on the local computer, it rejects the certificate.
You can modify the CRL distribution point by using the Certification Authority MMC snap-in. In this way, you can change the location where the CRL is published to meet the needs of users in your organization. You must move the CRL distribution point from the CA configuration folder to a Web server to change the location of the CRL, and you must move each new CRL to the new distribution point, or else the chain will break when the previous CRL expires.
Note
On root CAs, you must also modify the CRL distribution point in the CAPolicy.inf file so that the root CA
certificate references the correct CDP and AIA paths, if specified.
If you are using certificates on the Internet, you must have at least one HTTPs-accessible location for all certificates that are not limited to internal use.
=========
http://technet.microsoft.com/en-us/library/cc771079.aspx
Configuring Certificate Revocation
It is not always possible to contact a CA or other trusted server for information about the validity of a certificate. To effectively support certificate status checking, a client must be able to access revocation data to determine whether the certificate is valid or has been revoked. To support a variety of scenarios, Active
Directory Certificate Services (AD CS) supports industry-standard methods of certificate revocation. These
include publication of certificate revocation lists (CRLs) and delta CRLs, which can be made available to clients from a variety of locations, including Active Directory Domain Services (AD DS), Web servers, and network file shares.
================
Old explanation : CRL is published to a web site

QUESTION 24
Your network contains three Active Directory forests.
Each forest contains an Active Directory Rights Management Services (AD RMS) root cluster.
All of the users in all of the forests must be able to access protected content from any of the forests.
You need to identify the minimum number of AD RMS trusts required. How many trusts should you identify?
A.
2
B.
3
C.
4
D.
6
Correct Answer: D Section: Certificates Explanation
Explanation/Reference:
http://technet.microsoft.com/en-us/library/dd772648%28v=ws.10%29.aspx
AD RMS Multi-forest Considerations

QUESTION 25
Your network contains an Active Directory domain named contoso.com.
The network contains a file server named Server1 that runs Windows Server 2012. You create a folder named Folder1. You share Folder1 as Share1.
The NTFS permissions on Folder1 are shown in the Folder1 exhibit.
The Everyone group has the Full control Share permission to Folder1.
You configure a central access policy as shown in the Central Access Policy exhibit.
Members of the IT group report that they cannot modify the files in Folder1. You need to ensure that the IT group members can modify the files in Folder1. The solution must use central access policies to control the permissions.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. On the Security tab of Folder1, remove the permission entry for the IT group.
B. On the Classification tab of Folder1, set the classification to “Information Technology”
C. On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group. D. On Share1, assign the Change Share permission to the IT group.
E. On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT
group.
Correct Answer: BC
Section: Access Control & Dynamic Access Control
Explanation
Explanation/Reference:
NB : added the missing exhibits by searching for a piece of the question on google => i did get an answer (a pdf file with a few questions and exhibits, but how to be sure they’re ok…)
initial answer :
On the Classification tab of Folder1, set the classification to Information Technology. => true
On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT
group. => false
it took me a whole day and a hole night to find that, but now i’m sure of the answer. Let me explain my point of view
You first set the Folder1 classification to “Information Technology” so it meets the target resource requirement and the Central Access Policy can be applied to it, no problem about that.
But my problem is about the second answer, to me none of them is good :
A : On the Security tab of Folder1, remove the permission entry for the IT group. => tested => it failed of course, users don’t even have read permissions anymore
D : On Share1, assign the Change share permission to the IT group => Everyone already has the full control share permission => won’t solve the problem which is about the NTFS Read permission
E : On the Security tab of Folder1, add a conditional expression to the existing permission entry for the IT group => how could a condition, added to a read permission, possibly transform a read to a modify permission??
if they had said “modify the permission and add a conditional expression” => ok (even if that’s stupid, it works)
a condition is applied to the existing permissions to filter existing access to only matching users or groups
so if we apply a condition to a read permission, the result will only be that less users (only them matching the conditions) will get those read permissions, which actually don’t solve the problem neither
so only one left :
C : On the Security tab of Folder1, assign the Modify permission to the Authenticated Users group => for sure it works and it’s actually the only one which works, but what about security?
well i first did not consider this method => “modify” permission for every single authenticated users??
But now it looks very clear :
THE MORE RESTRICTIVE PERMISSION IS ALWAYS THE ONE APPLIED!!
So “Modify” for Authenticated Users group and this will be filtered by the DAC who only allows IT
group.
and it matches the current settings that no other user (except admin, creator owner, etc…) can even read the folder.
======================
and this link confirms my theory :
http://autodiscover.wordpress.com/2012/09/12/configuring-dynamic-access-controls-and-file-classification- part4-winservr-2012-dac-microsoft-mvpbuzz/
Configuring Dynamic Access Controls and File Classification
Note: In order to allow DAC permissions to go into play, allow everyone NTFS full control permissions and then DAC will overwrite it, if the user doesnt have NTFS permissions he will be denied access even if DAC grants him access.
====================
And if this can help, a little summary of configuring DAC :

Download Ensurepass Latest 2013 MCSA 70-417 Real Exam Questions , help you to pass exam 100%.