Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

MCSA-Windows Server 2016 70-740 > Chapter 7 - Implement Network Connectivity and Remote Access Solutions > Flashcards

Chapter 7 - Implement Network Connectivity and Remote Access Solutions Flashcards

1
Q

You are the administrator for your company network. You have a Windows Server 2016 server named Server1 that will be used as a virtual private network (VPN) server. What VPN protocol should you use if you need to configure Server1 to support VPN Reconnect?
A. Internet Key Exchange Protocol Version 2 (IKEv2)
B. Layer 2 Tunneling Protocol (L2TP)
C. Point-to-Point Tunneling Protocol (PPTP)
D. Secure Socket Tunneling Protocol (SSTP)

A

A. VPN Reconnect uses the Internet Key Exchange v2 (IKEv2) tunneling protocol. VPN Reconnect can be used in conjunction with DirectAccess.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

You are the administrator for your company network. You have a Windows Server 2016 server named Server1 that is located on the perimeter network and only uses inbound TCP port 443 to connect from the Internet. You install the Remote Access server role on Server1. You need to configure Server1 to accept VPN connections over port 443. Which VPN protocol should you use?
A. Internet Key Exchange Protocol Version 2 (IKEv2)
B. Layer 2 Tunneling Protocol (L2TP)
C. Point-to-Point Tunneling Protocol (PPTP)
D. Secure Socket Tunneling Protocol (SSTP)

A

D. Secure Socket Tunneling Protocol (SSTP) is a form of VPN tunnel that provides a mech- anism to transport Point-to-Point Protocol (PPP) traffic through a Secure Sockets Layer/ Transport Layer Security (SSL/TLS) channel. SSL/TLS provides transport-level security with key negotiation, encryption, and traffic integrity checking. The use of SSL/TLS over TCP port 443 allows SSTP to pass through virtually all firewalls and proxy servers except for authenticated web proxies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

You are the administrator for your company network. You create a VPN connection that has the VPN type set to Automatic. What VPN protocol will be used first when attempting to establish a VPN connection?
A. Internet Key Exchange Protocol Version 2 (IKEv2)
B. Layer 2 Tunneling Protocol (L2TP)
C. Point-to-Point Tunneling Protocol (PPTP)
D. Secure Socket Tunneling Protocol (SSTP)

A

A. Routing and Remote Access Service (RRAS) supports Internet Key Exchange version 2 (IKEv2), a VPN tunneling protocol. The primary advantage of IKEv2 is that it tolerates inter- ruptions in the underlying network connection. If the connection is temporarily lost, or if a user moves a client computer from one network to another, IKEv2 automatically restores the VPN after the network connection is reestablished without intervention on the part of the user.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

You are the administrator for your company network. You have an Active Directory domain. The domain contains Windows Server 2016 servers named Server1 and Server2. On Server1, you install the Remote Access server role. On Server2, you install the Network Policy and Access Services server role. What should you do if you need
to configure Server1 to use Server2 as a Remote Authentication Dial-In User Service (RADIUS) server?
A. Configure the authentication provider from Routing and Remote Access.
B. Create a Connection Manager profile from the Connection Manager Administration
Kit.
C. Create an Access Policy from Server Manager.
D. Modify the Delegation settings of the Server1 computer account from Active Directory Users and Computers.

A

A. When you select the RADIUS Authentication option from the Authentication Provider drop-down menu, you are enabling a RADIUS client that passes authentication duties to a RADIUS server.
To configure a RADIUS server to be the authentication provider:
1. Open the Routing and Remote Access MMC snap-in.
2. Right-click the server name for which you want to configure RADIUS authentication and then click Properties.
3. On the Security tab, in Authentication Provider, click RADIUS Authentication and then click Configure.
4. In the RADIUS Authentication dialog box, click Add.
5. In the Add RADIUS Server dialog box, configure the settings for your RADIUS authen-
tication server and then click OK.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

You are the administrator for your company network. The network contains one Active Directory domain named abc.com. You deploy DirectAccess on the network. During the deployment, you enable DirectAccess only for a group called ABC\Test Computers. What should you do if you need to enable DirectAccess for all the client computers in the domain after the initial installation?
A. Modify the membership of the Windows Authorization Access Group from Active Directory Users and Computers.
B. Modify the security filtering of an object named DirectAccess Client Setting Group Policy from Group Policy Management.
C. Run the Set-DAClient cmdlet using PowerShell.
D. Run the Set-DirectAccess cmdlet using PowerShell.

A

B. Deploying Remote Access requires a minimum of two Group Policy Objects: one Group Policy Object contains settings for the Remote Access server and one contains settings for DirectAccess client computers. When you configure Remote Access, the wizard automati- cally creates the required Group Policy Object. However, if your organization enforces a naming convention, or you do not have the required permissions to create or edit Group Policy Objects, they must be created prior to configuring Remote Access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

You are the administrator for your company network. Your network contains an Active Directory forest. The forest contains two domains named abc.com and xyz.com. The com- pany recently deployed DirectAccess for the members of a group named DA_Computers. All client computers are members of DA_Computers. You discover that DirectAccess clients can access the resources located in the abc.com domain only. The clients can access the resources in the xyz.com domain by using an L2TP VPN connection to the network. What should you do if you need to ensure that the DirectAccess clients can access the resources in the xyz.com domain?
A. Configure the Delegation settings from the properties of the servers in xyz.com.
B. Create a zone delegation for xyz.com on an external DNS server.
C. Modify the Name Resolution Policy Table (NRPT) from a Group Policy Object (GPO).
D. Add the servers in xyz.com to the RAS and IAS Servers group.

A

C. The Name Resolution Policy Table (NRPT) contains rules configured by an administra- tor for either names or namespaces and the settings for the required special handling. When performing a DNS name resolution, the DNS Client service compares the requested name against each rule in the NRPT before sending a DNS name query. Queries and responses that match an NRPT rule get the specified special handling applied. You can configure the NRPT with Group Policy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q 
You are the administrator for your company network. You have a Windows Server 2016 Remote Access server named Server1 that has DirectAccess enabled. You have a proxy server named Server2. All computers on the internal network connect to the Internet by using the proxy. You run the cmdlet Set-DAClient -forceTunnel Enabled on Server1. Which cmdlet should you run on Server1 if you need to ensure that when a DirectAccess client connects to the network the client accesses all the Internet resources through the proxy?
A. Set-DAEntryPoint
B. Set-DnsClientGlobalSetting 
C. Set-DnsClientNrptGlobal
D. Set-DnsClientNrptRule
A

A. The Set-DAEntryPoint cmdlet configures entry point settings, including the name of the server in the entry point, the name of the entry point, and the IP address used for global load balancing on the specified entry point.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q 
You are the administrator for your company network. You are discussing Remote Access Service (RAS) Gateway modes with a colleague. Which mode are you describing here? Deploy the RAS Gateway as an edge VPN server, an edge DirectAccess server, or both simultaneously. In this configuration, RAS Gateway provides remote employees with con- nectivity to your network by using either VPN or DirectAccess connections.
A. Multitenant mode
B. Single tenant mode
C. Unattached tenant mode
D. Remote tenant mode
A

B. In the single tenant mode, administrators can deploy RAS Gateways as an edge VPN server, an edge DirectAccess server, or both simultaneously. Using RAS Gateways this
way provides remote users with connectivity to your network by using either VPN or DirectAccess connections. Also, single tenant mode allows administrators to connect offices at different physical locations through the Internet.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

You are the administrator for your company network. Your company has a main office
and has 1,000 users who are located in other countries. You plan to deploy a large Remote Access solution for the company. The main office has three Windows Server 2016 servers named Server1, Server2, and Server3. You plan to use Server1 as a VPN server, Server2 as
a RADIUS proxy, and Server3 as a RADIUS server. What actions should you perform on Server2 if you need to configure Server2 to support the planned deployment? (Choose three.)
A. Add a RADIUS client.
B. Create a connection request policy.
C. Create a network policy.
D. Create a remote RADIUS server group.
E. Deploy a Windows container.

A

A, B, D. To set up a RADIUS server, the components needed on the RADIUS server include the RADIUS client and a RADIUS group. Microsoft recommends that you set up RADIUS connection policies as well.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

You are the administrator for your company network. Your network contains an Active Directory forest that has a functional level of Windows Server 2012. The forest contains five domain controllers and five VPN servers that run Windows Server 2016. The VPN server has 500 users who connect daily. What should you do first if you need to configure a new RADIUS server named Server1?
A. Deploy the Remote Access server role on Server1.
B. Set the forest functional level to Windows Server 2016 on a domain controller.
C. Deploy the Network Policy and Access Services role on Server1.
D. Run the New-NpsRadiusClient cmdlet on each VPN server.

A

C. Network Policy Server (NPS) is Microsoft’s solution for enforcing company-wide access policies, including remote authentication. NPS is a role service of the Network Policy
and Access Services (NPAS) server role. Other role services of NPAS are the Routing and Remote Access Service, Health Registration Authority, and Host Credential. These help you safeguard the health and security of a network.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

You are the administrator for your company network. Your company has 5,000 remote users. You have 40 VPN servers that host the remote connections. You plan to deploy a RADIUS solution that contains five RADIUS servers. What should you do if you need to ensure that client authentication requests are distributed evenly among the RADIUS servers?
A. Install the Network Load Balancing (NLB) role service on all of the RADIUS servers and configure all of the RADIUS clients to connect to a virtual IP address.
B. Deploy a RADIUS proxy to a new server and configure all of the RADIUS clients to connect to the RADIUS proxy.
C. Deploy a RAS Gateway to a new server and configure all of the RADIUS clients to connect to the RAS Gateway.
D. Install the Failover Clustering role service on all of the RADIUS servers and configure all of the RADIUS clients to connect to the IP address of the cluster.

A

B. Use Network Policy Server (NPS) configured as a RADIUS proxy to load balance con- nection requests between multiple NPS servers or other RADIUS servers. On the NPS proxy, configure load balancing so that the proxy evenly distributes the connection requests among the RADIUS servers. This method of load balancing is best for medium and large organizations that have many RADIUS clients and servers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

You are the administrator for your company network. You have multiple servers that run Windows Server 2016 and are configured as VPN servers. You deploy a Network Policy Server (NPS) server named NPS1. What should you configure on NPS1 so that it will accept authentication requests from the VPN servers?
A. Add a connection request policy from Policies.
B. Add a remote RADIUS server group from RADIUS Clients and Servers.
C. Add RADIUS clients from RADIUS Clients and Servers.
D. Add a network policy from Policies.

A

C. When you add a new network access server (VPN server, wireless access point, authen- ticating switch, or dial-up server) to your network, you must add the server as a RADIUS client in NPS so that NPS is aware of and can communicate with the network access server. On the NPS server, in the NPS console, double-click RADIUS Clients and Servers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

You are the administrator for your company network. Your company has a Sales depart- ment. The network contains an Active Directory domain. The domain contains two top- level organizational units (OUs) named Sales_Computers, which contains the computer accounts, and Sales_Users, which contains the user accounts. You link a new Group Policy Object (GPO) named GPO1 to Sales_Computers. You need to deploy a VPN connection to all of the users who sign in to the Sales department computers. The users must be placed where?
A. Computer Configuration/Policies/Administrative Templates/Network/Network Connections
B. Computer Configuration/Preferences/Control Panel Settings/Network Options
C. User Configuration/Preferences/Control Panel Settings/Network Options
D. User Configuration/Policies/Administrative Templates/Network/Network Connections

A

C. Create a VPN connection for the users by following User Configuration/Preferences/ Control Panel Settings/Network Options.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

You are the administrator for your company network. The company has employees who work remotely by using a VPN connection from their computers. These employees use an application to access the company intranet database servers. The company recently decided to distribute the latest version of the application using a public cloud. Some users report that every time they try to download the application by using Internet Explorer they receive a warning message that indicates the application could harm their computer. What should you do if you need to recommend a solution that prevents this warning message from appearing, without compromising the security protection of the computers?
A. Use the intranet website to publish the application.
B. Use the Windows Store to publish the application.
C. Use a public File Transfer Protocol (FTP) site to publish the application.
D. Using the Internet Explorer settings, instruct the employees to disable the SmartScreen Filter.

A

A. Intranet is the generic term for a collection of private computer networks within an organization. The intranet uses network technologies as a tool to facilitate communication between people or work groups to improve the data-sharing capability and overall knowl- edge base of an organization’s employees. The Internet utilizes standard network hardware and software technologies like Ethernet, Wi-Fi, TCP/IP, web browsers, and web servers. An organization’s intranet typically includes Internet access but is firewalled so that its comput- ers cannot be reached directly from the outside. Because all the users can connect via VPN, this would allow access to the intranet website and the published application.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q 
You are the administrator for your company network. Which Control Panel application should you use if you need to change the password used for an L2TP VPN connection?
A. Credential Manager
B. System
C. Network and Sharing Center
D. Phone and Modem
E. Power Options
F. RemoteApp and Desktop Connections
G. Sync Center
H. Work Folders
A

C. The Control Panel application from which most of the networking settings and tasks can be launched is the Network and Sharing Center. The Network and Sharing Center is one of the most important Control Panel apps for managing your network connections.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

You are the administrator for your company network. Your company has 100 client com- puters. The client computers are connected to a corporate private network. You deploy
a Remote Desktop Gateway, DirectAccess, and a VPN server at the main office. Users are currently unable to connect from their home computers to their work computers by using Remote Desktop. You need to ensure that users can remotely connect to their office computers by using Remote Desktop. What should you configure if the users must not be able to access any other corporate network resource from their home computers?
A. A VPN connection
B. The Remote Desktop Gateway IP address in the advanced Remote Desktop Connection
settings on each client
C. The local resource settings of the Remote Desktop connection
D. A DirectAccess connection

A

B. The solution is to deploy Remote Desktop Gateway in the office. Remote users can then connect to their computers on the office network by using Remote Desktop client on their home computers configured with the IP address of the Remote Desktop Gateway. Remote Desktop Gateway (RD Gateway) is a role service that enables authorized remote users to con- nect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. VPN connections would enable remote access to the office network, but this solution would not prevent users from accessing other corporate network resources. Remote Desktop local resources determine which local resources (printers, drives, etc.) are available in a Remote Desktop connection. However, this solution makes no provision for actually connecting to the office network. DirectAccess connections would enable remote access to the office network, but this solution would not prevent users from accessing other corporate network resources.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

You are the administrator for your company network. Your network contains a single Active Directory domain. The domain contains a VPN server that supports all of the VPN protocols. A user named Sue works from home and has a desktop computer. She has an application named App1 that requires access to a server on the corporate network. She creates a VPN connection on the computer. What should you do if you need to ensure that, when Sue opens App1, she can access the required data?
A. Click Turn on Password Protected Sharing.
B. Disable Network Discovery.
C. Modify the Profile settings of an incoming firewall rule.
D. Run the Add-VpnConnectionTriggerApplication cmdlet.
E. Run the New-NetFirewallRule cmdlet and specify the -Direction Outbound parameter.
F. Run the New-VpnConnection cmdlet.
G. Run the Set-NetConnectionProfile cmdlet.
H. Run the Set-VpnConnection cmdlet.

A

D. The Add-VpnConnectionTriggerApplication cmdlet adds applications to a VPN con- nection object. The applications automatically trigger a VPN connection when launched. This setting allows App1 to automatically request the VPN connection to ensure it can access the required data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

You are the administrator for your company network. Your network contains a single Active Directory domain. The domain contains a VPN server that supports all of the VPN protocols. A user named User1 creates an SSTP VPN connection to a network named VPN1. User1 successfully connects to the VPN server. When the user roams between dif- ferent Wi-Fi access points, the user loses the connection to the corporate network and must manually reestablish the VPN connection. What should you do if you need to ensure that VPN1 automatically maintains the connection while the user roams between Wi-Fi access points?
A. Click Turn on Password Protected Sharing.
B. Disable Network Discovery.
C. Modify the Profile settings of an incoming firewall rule.
D. Run the Add-VpnConnection Trigger Application cmdlet.
E. Run the New-NetFirewallRule cmdlet and specify the -Direction Outbound parameter.
F. Run the New-VpnConnection cmdlet.
G. Run the Set-NetConnectionProfile cmdlet.
H. Run the Set-VpnConnection cmdlet.

A

H. The Set-VpnConnection cmdlet changes the configuration settings of an existing VPN connection profile. If the VPN profile specified does not exist, you see an error. If errors occur when you modify the VPN profile, the cmdlet returns the error information.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

You are the administrator for your company network. Your network contains a single Active Directory domain. The domain contains a VPN server that supports all of the VPN protocols. You have mobile devices and have a VPN connection to the VPN server. What should you do if you need to ensure that when users work remotely they can connect to the VPN, and that only traffic for the corporate network is sent through the VPN server?
A. Click Turn on Password Protected Sharing.
B. Disable Network Discovery.
C. Modify the Profile settings of an incoming firewall rule.
D. Run the Add-VpnConnection Trigger Application cmdlet.
E. Run the New-NetFirewallRule cmdlet and specify the -Direction Outbound parameter.
F. Run the New-VpnConnection cmdlet.
G. Run the Set-NetConnectionProfile cmdlet.
H. Run the Set-VpnConnection cmdlet.

A

E. The New-NetFirewallRule cmdlet creates an inbound or outbound firewall rule and adds the rule to the target computer. The -Direction parameter specifies that matching firewall rules of the indicated direction are created. This parameter specifies which direc- tion of traffic to match with this rule. The acceptable values for this parameter are Inbound or Outbound. The default value is Inbound.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

You are the administrator for your company network. A user connects to a wireless net- work and receives the following message: “Do you want to allow your PC to be discover- able by other PCs and devices on this network?” The user clicks No. The user is unable
to browse to the shared folders of other computers on the network by using File Explorer. What should you do if you need to ensure that the user can browse to the other computers?
A. Click Turn on Password Protected Sharing.
B. Disable Network Discovery.
C. Modify the Profile settings of an incoming firewall rule.
D. Run the Add-VpnConnection Trigger Application cmdlet.
E. Run the New-NetFirewallRule cmdlet and specify the -Direction Outbound parameter.
F. Run the New-VpnConnection cmdlet.
G. Run the Set-NetConnectionProfile cmdlet.
H. Run the Set-VpnConnection cmdlet.

A

D. The Add-VpnConnectionTriggerApplication cmdlet adds applications to a VPN con- nection object. The applications automatically trigger a VPN connection when launched. This setting allows App1 to automatically request the VPN connection to ensure it can access the required data.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

You are the administrator for your company network. Your network contains a single Active Directory domain. What should you do if you need to prevent computers from connecting to hosts on subnet 131.107.0.0/24?
A. Click Turn on Password Protected Sharing.
B. Disable Network Discovery.
C. Modify the Profile settings of an incoming firewall rule.
D. Run the Add-VpnConnection Trigger Application cmdlet.
E. Run the New-NetFirewallRule cmdlet and specify the -Direction Outbound parameter.
F. Run the New-VpnConnection cmdlet.
G. Run the Set-NetConnectionProfile cmdlet.
H. Run the Set-VpnConnection cmdlet.

A

E. The New-NetFirewallRule cmdlet creates an inbound or outbound firewall rule and adds the rule to the target computer. The -Direction parameter specifies that matching firewall rules of the indicated direction are created. This parameter specifies which direc- tion of traffic to match with this rule. The acceptable values for this parameter are Inbound or Outbound. The default value is Inbound.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

You are the administrator for your company network. You have a Windows Server 2016 server named Server1. What should you install on Server1 if you need to configure Server1 as a multitenant RAS Gateway?
A. The Network Controller server role
B. The Network Policy and Access Services server role C. The Data Center Bridging feature
D. The Remote Access server role

A

D. Remote Access is a server role that provides administrators with a dashboard for man- aging, configuring, and monitoring network access. The Remote Access server role is a logi- cal grouping of Remote Access Service (RAS), Routing, and Web Application Proxy. These technologies are the role services of the Remote Access server role. When you install the Remote Access server role with the Add Roles and Features Wizard or with Windows Pow- erShell, you can install one or more of these role services.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

You are the administrator for your company network. You are planning to implement a VPN. You currently have the following servers:
DC1 – Domain Controller and DNS Server
FS1 – DHCP Server and File Server
RA1 – Remote Access Server
RS1 – Network Policy Server (NPS) Server RP1 – Network Policy Server (NPS) Server
RA1 will use the RADIUS proxy for authentication. You need to ensure that VPN clients can be authenticated and can access internal resources. What actions should you perform if you need to ensure that RS1 is used as a RADIUS server and RP1 is used as a RADIUS proxy? (Choose two.)
A. On RS1, create a connection request policy.
B. On RP1, create a connection request policy.
C. On FS1, create a network policy.
D. On RS1, delete the default connection request policy.
E. On RP1, create a network policy.

A

B, D. Connection request policies are sets of conditions and settings that allow admin- istrators to designate which RADIUS servers authenticate and authorize the connection requests that the server running Network Policy Server (NPS) receives from the RADIUS clients. The default connection request policy uses NPS as a RADIUS server and processes all authentication requests locally. If you do not want the NPS server to act as a RADIUS server and process connection requests locally, you can delete the default connection request policy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

You are the administrator for your company network. You support desktop computers and tablets that run an older version of Windows. All of the computers are able to connect to your company network from the Internet by using DirectAccess. Your company wants to deploy a new application to the tablets. The deployment solution must meet the following requirements:

  • The application is isolated from other applications.
  • The application uses the least amount of disk space on the tablet.
  • The application can access files stored on an internal Solid State Drive (SSD) on the tablets.

What should you do if you need to deploy the new application to the tablets? A. Install the application in a Windows To Go workspace.
B. Install Hyper-V on a tablet and then install the application on a virtual machine.
C. Deploy the application as an Application Virtualization (App-V) package and install
the App-V 4.6 client on the tablets.
D. Install the application on a local drive on the tablets.
E. Publish the application to Windows Store.
F. Install the application within a separate installation in a virtual hard disk (VHD) file and then configure the tablets with dual boot.
G. Deploy the application as a published application on the Remote Desktop server and create a Remote Desktop connection on the tablets.
H. Install the application within a separate installation in a VHDX file and then configure tablets with dual boot.

A

G. Deploying the application as a published application on the Remote Desktop server will use no disk space on the tablets. Users will be able to access the application by using Remote Desktop Connections. This will also ensure that the application is isolated from other applications on the tablets. You can use Remote Desktop Connection “redirection” to ensure that the application can access files stored on an internal SSD on the tablets. The redirection enables access to local resources such as drives and printers in a Remote Desk- top Connection.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
You are the administrator for your company network. You have a Windows Server 2016 server named Server1 that is configured as a VPN server. Server1 is configured to allow domain users to establish VPN connections from 6:00 a.m. to 6:00 p.m. every day of the week. What should you do if you need to ensure that domain users can establish VPN connections Monday through Friday only? A. Configure the Properties of Server1 from Routing and Remote Access. B. Modify the Access Policies on Server1 from Server Manager. C. Modify the Dial-in Properties of the computer accounts from Active Directory Users and Computers. D. Modify the Network Policy on Server1 from Network Policy Server.
B. Access policies are a list of roles and the resources with which roles are to be provi- sioned or deprovisioned. Access policies are used to automate the provisioning of target systems to users.
26
You are the administrator for your company network. You have a DirectAccess server that is accessible by using the name directaccess.abc.com. On the DirectAccess server you install a new server certificate that has the same subject name. You then configure the DNS records for directaccess.abc.com. What cmdlet should you run if you need to change the endpoint name for DirectAccess to directaccess.abc.com? A. Set-DaServer -ConnectToAddress directaccess.abc.com B. Set-DaEntryPoint -EntrypointName directaccess.abc.com C. Set-DaEntryPoint -ComputerName directaccess.abc.com D. Set-DaClient -ComputerName directaccess.abc.com
D. The Set-DAClient cmdlet configures the properties related to a DirectAccess (DA) cli- ent. The -ComputerName parameter specifies the IPv4 or IPv6 address, or host name, of the computer on which the Remote Access server computer–specific tasks should be run.
27
You are the administrator for your company network. You are deploying DirectAccess to a server named DirectAccess1. DirectAccess1 will be located behind a firewall and will have a single network adapter. The network will be IPv4. To support DirectAccess, what proto- col and port would you assign to Teredo traffic? A. Internet Protocol (IP) ID 1 B. Internet Protocol (IP) ID 41 C. Transmission Control Protocol (TCP) 443 D. User Datagram Protocol (UDP) 3544
D. Teredo traffic uses UDP port 3544. UDP Port 3544 must be open to ensure that Teredo clients can successfully communicate with the Teredo server.
28
You are the administrator for your company network. You are deploying DirectAccess to a server named DirectAccess1. DirectAccess1 will be located behind a firewall and will have a single network adapter. The network will be IPv4. To support DirectAccess, what proto- col and port would you assign to 6to4 traffic? A. Internet Protocol (IP) ID 1 B. Internet Protocol (IP) ID 41 C. Transmission Control Protocol (TCP) 443 D. User Datagram Protocol (UDP) 3544
Y B. 6to4 traffic uses Internet Protocol (IP) ID 41. 6to4 is a special usage of protocol 41. A 6to4 address starts with the digits 2002, followed by the IPv4 address of its router. Here’s an example of a 6to4 address: 2002:CB00:71FF:0:fe64:3486:d398:3346.
29
You are the administrator for your company network. You are deploying DirectAccess to a server named DirectAccess1. DirectAccess1 will be located behind a firewall and will have a single network adapter. The network will be IPv4. To support DirectAccess, what proto- col and port would you assign to IP-HTTPS traffic? A. Internet Protocol (IP) ID 1 B. Internet Protocol (IP) ID 41 C. Transmission Control Protocol (TCP) 443 D. User Datagram Protocol (UDP) 3544
C. Internet Protocol - Hypertext Transfer Protocol Secure (IP-HTTPS) traffic uses Trans- mission Control Protocol (TCP) 443. HTTPS URLs begin with https:// and use port 443. HTTP Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP) for secure communication over a computer network and is widely used on the Internet.
30
You are the administrator for your company network. You are configuring the network for a small branch office. Currently, the branch office does not connect directly to the Internet. You deploy a new server named Server1, in the branch office, that has a Server Core installation of Windows Server 2016. Server1 has two network adapters configured as: Network Adapter Name IP Address Connects To NIC1 192.168.1.1/24 The branch office network NIC2 131.107.10.1/29 The Internet You plan to use Server1 to provide Internet connectivity for the branch office. Routing and Remote Access Service (RRAS) is installed and configured for VPN remote access on Server1. What command or cmdlet should you use first if you need to configure RRAS on Server1 to provide Network Address Translation (NAT)? A. New-NetNat NAT1 –ExternalIPInterfaceAddressPrefix 131.107.10.1/29 B. Route.exe add 192.168.1.1 255.255.255.0 131.107.10.1 metric 1 C. Enable-NetNatTransitionConfiguration D. Netsh.exe routing ip nat install
B. The route.exe command is an MS-DOS executable for Windows. It is used to block IP connections to the system by adding IP addresses to a routing table. The syntax is Route [command] [destination] [subnet mask] [gateway] [metric]. add: Adds a route. destination: Specifies the host. subnet mask: Specifies the subnet mask value for the route entry. The default is 255.255.255.255. gateway: Specifies the gateway. metric: Specifies the metric (the cost for the destination). Metrics are cost values used by routers to determine the best path to a destination network.
31
You are the administrator for your company network. You have an internal network that contains multiple subnets. You have a Microsoft Azure subscription that contains multiple virtual networks. You need to deploy a hybrid routing solution between the network and the Azure subscription. The solution must ensure that the computers on all of the networks can connect to each other. You install RAS Gateway and enable Border Gateway Protocol (BGP) routing on the network and in Azure. What three actions should you perform next? A. Create a new route for each network. B. Deploy a site-to-site VPN. C. Advertise all of the routes on all of the BGP routers. D. Deploy a point-to-site VPN. E. Install the Routing Information Protocol (RIP). F. Configure BGP Peering.
B, C, F. In order, you would want to deploy a site-to-site VPN, configure BGP Peering, and then advertise all of the routes on all of the BGP routers. A site-to-site VPN connec- tion lets branch offices use the Internet as a means for accessing the main office’s intranet. BGP is the standard routing protocol commonly used on the Internet to exchange routing and reachability information between two or more networks. BGP enables the Azure VPN gateways and your on-premises VPN devices, called BGP peers or neighbors, to exchange “routes” that will inform both gateways on the availability and reachability of those pre- fixes to go through the gateways or routers. For each prefix in the routing table, the routing protocol process selects a single best path, called the active path. Unless you configure BGP to advertise multiple paths to the same destination, BGP advertises only the active path. Peering is a process by which two Internet networks connect and exchange traffic. It allows them to directly hand off traffic between each other’s customers, without having to pay a third party to carry that traffic across the Internet for them.
32
You are the administrator for your company network. Your client computers use DirectAccess. What should you implement on the client computers if you need to ensure that the client computers can communicate to IPv4 resources by name? are the administrator for your company network. Your client computers use A. AAAA (Quad A) resource records B. Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) C. NAT64/DNS64 D. Teredo relays E. Teredo tunnels
C. NAT64 is an IPv6 transition mechanism that facilitates communication between IPv6 and IPv4 hosts by using a form of Network Address Translation (NAT). The NAT64 gate- way is a translator between IPv4 and IPv6 protocols. It needs at least one IPv4 address and an IPv6 network segment comprising a 32-bit address space. DNS64 describes a DNS server that synthesizes the AAAA records from the A records. The first part of the synthe- sized IPv6 address points to an IPv6/IPv4 translator, and the second part embeds the IPv4 address from the A record. The translator in question is usually a NAT64 server.
33
You are the administrator for your company network. You and a colleague are discussing Border Gateway Protocol (BGP). What PowerShell cmdlet would you use to see the configu- ration information for your BGP routers? A. Add-BgpClient B. Get-BgpRouter C. Get-Router D. Set-RouterClient
B. The Get-BgpRouter PowerShell cmdlet allows you to see the configuration information for BGP routers.
34
``` You are the administrator for your company network. What PowerShell cmdlet would you use if you need to see a list of client security groups that are a part of the DirectAccess deployment? A. Get-Client B. Get-DAClient C. Get-VpnClient D. Get-RASClient ```
B. The Get-DAClient cmdlet allows you to see the list of client security groups that are part of the DirectAccess deployment and the client properties.
35
``` You are the administrator for your company network. Your network contains an Active Directory domain. Network Access Protection (NAP) is deployed to the domain. What should you run if you need to create NAP event trace log files on a client computer? A. Logman B. Register-EngineEvent C. Register-ObjectEvent D. Tracert ```
A. The logman.exe utility can be used to create and manage Event Trace Session and Per- formance logs and allows an administrator to monitor many different applications through the use of the command line.
36
``` You are the administrator for your company network. You and a colleague are discussing DirectAccess and VPN servers. What PowerShell cmdlet would you use to view the configu- ration of a DirectAccess or VPN server? A. Get-RASAccess B. Get-RemoteAccess C. Get-Server D. View-Server ```
B. The Get-RemoteAccess cmdlet shows the configuration of a DirectAccess and VPN server.
37
You are the administrator for your company network. Your network contains four NPS servers named Server1, Server2, Server3, and Server4. Server1 is configured as a RADIUS proxy that forwards connection requests to a remote RADIUS server group named Group1. You need to ensure that Server2 and Server3 receive connection requests. Server4 should receive connection requests only if Server2 and Server3 are both unavailable. How should you configure Group1? A. Change the weight of Server2 and Server3 to 10. B. Change the weight of Server4 to 10. C. Change the priority of Server2 and Server3 to 10. D. Change the priority of Server4 to 10
D. The higher the RADIUS priority number, the less often the RADIUS server gets used. To make sure that RADIUS Server4 is used only when Server2 and Server3 are unavail- able, you would set the RADIUS priority from 1 to 10. This way, it will be used only when Server2 and Server3 are having issues or are unresponsive.
38
``` You are the administrator for your company network. You and a colleague are discussing DirectAccess. What PowerShell cmdlet would you use if you need to set the properties of your DirectAccess server? A. Set-DirectAccessServer B. Set-DAServer C. Set-DirectServer D. Set-RASServer ```
B. The Set-DAServer cmdlet allows an administrator to set the properties specific to the DirectAccess server. This cmdlet configures properties that are applicable globally to the entire DA deployment; properties that are applicable per-server or per-cluster in a load-balancing scenario; or properties that are applicable per-site, such as in a multisite deployment.
39
``` You are the administrator for your company network. You and a colleague are discussing implementing a VPN server. You want to use PowerShell to implement the VPN server. You want to set the authentication type. What cmdlet do you use? A. Set-AuthType B. Set-VpnAuth C. Set-VpnAuthType D. Set-VpnType ```
C. The Set-VpnAuthType cmdlet is used only to toggle from one authentication type to another. This cmdlet cannot be used to explicitly add any RADIUS servers if RADIUS authentication is being used. Administrators use the Set-VpnAuthType cmdlet to set the authentication type to be used for a VPN connection.
40
You are the administrator for your company network. Your network contains an Active Directory domain where all servers run Windows Server 2016. The domain contains a server named Server1 that has the NPS server role and the Remote Access server role installed. The domain contains a server named Server2 that is configured as a RADIUS server. Server1 provides VPN access to external users. What should you run if you need to ensure that all of the VPN connections to Server1 are logged to the RADIUS server on Server2? A. Add-RemoteAccessRadius -ServerNameServer1 - AccountingOnOffMsg Enabled -SharedSecret "Secret" -Purpose Accounting B. Add-RemoteAccessRadius -ServerName Server2 -AccountingOnOffMsg Enabled -SharedSecret "Secret" -Purpose Accounting C. Set-RemoteAccessAccounting -AccountingOnOffMsg Enabled -AccountingOnOffMsg Enabled D. Set-RemoteAccessAccounting -EnableAccountingType Inbox -AccountingOnOffMsg Enabled
B. Add-RemoteAccessRadius adds a new external RADIUS server for VPN authentica- tion, accounting for DirectAccess (DA) and VPN, or one-time password (OTP) authentica- tion for DA. The AccountingOnOffMsg indicates the enabled state for sending accounting on or off messages. The acceptable values for this parameter are Enabled or Disabled. Disabled is the default value. This parameter is applicable only when the RADIUS server is being added for remote access accounting.
41
``` You are the administrator for your company network. What PowerShell cmdlet would you use if you needed to add a new external RADIUS server for VPN connectivity? A. Add-RASServer B. Add-RemoteAccess C. Add-RemoteAccessRadius D. Add-RemoteAccessServer ```
C. The Add-RemoteAccessRadius cmdlet adds a new external RADIUS server. This cmd- let allows an administrator to add a new external RADIUS server for VPN or DirectAccess connectivity.
42
You are the administrator for your company network. You and a colleague are discussing different protocols. What protocol handles the details of establishing and configuring the lowest-level Point-to-Point Protocol (PPP) link? A. Challenge Handshake Authentication Protocol (CHAP) B. Compression Control Protocol (CCP) C. IP Control Protocol (IPCP) D. Link Control Protocol (LCP)
D. The Link Control Protocol (LCP) handles the details of establishing and configuring the lowest-level PPP link. In that regard, you can think of LCP as if it were almost part of the Physical layer.
43
You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a server named Server1 that has the Remote Access server role installed. By using the default configuration, DirectAccess is implemented on Server1. You discover that DirectAccess clients do not use DirectAccess when accessing websites on the Internet. What should you do if you need to ensure that DirectAccess clients access all Internet websites by using their DirectAccess connection? A. Configure DirectAccess to enable force tunneling. B. Configure a DNS suffix search list on the DirectAccess clients. C. Disable the DirectAccess Passive Mode policy setting in the DirectAccess Client Settings GPO. D. Enable the Route All Traffic Through The Internal Network policy setting in the DirectAccess Server Settings GPO.
A. You can configure DirectAccess clients to send all of their traffic through the tunnels to the DirectAccess server with force tunneling. When force tunneling is configured, DirectAccess clients detect that they are on the Internet, and they remove their IPv4 default route. With the exception of local subnet traffic, all traffic sent by the DirectAccess client is IPv6 traffic that goes through tunnels to the DirectAccess server.
44
You are the administrator for your company network. You and a colleague are discussing protocols. Which of the following is a more secure protocol between Point-to-Point Tunnel- ing Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP)? A. PPTP and L2TP. Both of them define the same security standard. B. PPTP is more secure than L2TP. C. PPTP and L2TP. Both of them are used to provide the database connection. D. L2TP is more secure than PPTP.
D. Layer 2 Tunneling Protocol (L2TP) is more secure than Point-to-Point Tunneling Protocol (PPTP). PPTP uses Microsoft Point-to-Point Encryption (MPPE) for security, which is less secure than the IPsec encryption method, which is what L2TP uses for security.
45
``` You are the administrator for your company network. You have a Windows Server 2016 server named Server1 that has the Remote Access server role installed. What should you modify if you need to configure the ports on Server1 to ensure that client computers can establish VPN connections to Server1 by using TCP port 443? A. WAN Miniport (IKEv2) B. WAN Miniport (L2TP) C. WAN Miniport (PPTP) D. WAN Miniport (PPPOE) E. WAN Miniport (SSTP) ```
E. Secure Socket Tunneling Protocol (SSTP) is the tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and web proxies that might block PPTP and L2TP/IPsec traffic.
46
You are the administrator for your company network. You and a colleague are discussing Server Logging properties. By default, where are the log files stored? A. systemroot\system\Logs B. systemroot\system\LogFiles C. systemroot\system32\Logs D. systemroot\system32\LogFiles
D. By default, each server logs its data in systemroot\system32\LogFiles. You can change this location to wherever you want.
47
``` You are the administrator for your company network. You and a colleague are discussing setting VPN options. On which tab of the Connection Properties dialog box do you set the VPN options? A. The General tab B. The Networking tab C. The Options tab D. The Security tab ```
A. The General tab of the Connection Properties dialog box is where you specify either the IP address of the VPN server or the modem and phone number to use with this particular connection. With the General tab, you can set VPN options by entering the VPN server address or host name and specifying whether to dial another connection automatically first and then specify the connection to dial.
48
You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a Windows Server 2016 RADIUS server named Server1. You add a VPN server named Server2 to the network. On Server1, you create several network policies. Which tool should you use on Server1 if you need to configure Server1 to accept authentication requests from Server2? A. Connection Manager Administration Kit (CMAK) B. Network Policy Server (NPS) C. Routing and Remote Access D. Set-RemoteAccessRadius
B. The Network Policy Server (NPS) snap-in allows you to set up RADIUS servers and determine which RADIUS server would accept authentication from other RADIUS servers. You can do your entire RADIUS configuration through the NPS snap-in.
49
``` You are the administrator for your company network. You are discussing RAS Gateway modes with a colleague. Which RAS Gateway mode is being described if you deploy a RAS Gateway server between your Cloud Service Providers (CSPs) and Enterprise networks? A. Multitenant mode B. Single tenant mode C. Unattached tenant mode D. Remote tenant mode ```
A. When an administrator chooses Multitenant mode, Cloud Service Providers (CSPs) and Enterprise networks can use RAS Gateways to allow datacenter and cloud network traffic routing between both virtual and physical networks. For multitenant mode, it is recommended that you deploy RAS Gateways on virtual machines that are running Win- dows Server 2016.
50
``` You are the administrator for your company network. You have a VPN server setup. Users are connecting to the VPN but are not disconnecting. What PowerShell cmdlet will allow you to disconnect a user from the VPN? A. Disconnect-User B. Disconnect-VpnUser C. Remove-User D. Remove-VpnUser ```
B. The Disconnect-VpnUser cmdlet disconnects a VPN connection originated by a spe- cific user or originating from a specific client computer. A VPN connection can be discon- nected in one of the following two ways: by the username of the user who originated the connection, or by the tunnel IP address assigned by the VPN server. Just note that only one of these methods can be used at a time.
51
You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a Windows Server 2016 server named Server1 that has the NPS role service installed. You plan to configure Server1 as a NAP health policy server for VPN enforcement by using the Configure NAP Wizard. You need to ensure that you can configure the VPN enforcement method on Server1 successfully. What should you install on Server1 before you run the Configure NAP Wizard? A. A computer certificate B. A system health validator (SHV) C. Host Credential Authorization Protocol (HCAP) D. The Remote Access server role
B. SHVs settings define the requirements for client computers that connect to your net- work. They are configured using the Network Policy Server console. Using this feature allows you to specify different network policies for different sets of health requirements based on a specific configuration of the SHV.
52
You are the administrator for your company network. Your company has offices in five locations around the country. Most of the users’ activity is local to their own networks. Sometimes, some of the users in one location need to send confidential information to one of the other locations or retrieve information from one of them. The communication between the remote locations is periodic and intermittent, so you have configured RRAS to use demand-dial lines to set up the connections. You want this communication to be appropriately secured. Which of the following steps should you take to ensure that this communication is appropriately secure? (Choose two.) A. Configure Challenge Handshake Authentication Protocol (CHAP) on all the RRAS servers. B. Configure Password Authentication Protocol (PAP) on all the RRAS servers. C. Configure Microsoft Point-to-Point Encryption (MPPE) on all the RRAS servers. D. Configure Layer 2 Tunneling Protocol (L2TP) on all the RRAS servers. E. Configure Microsoft Challenge-Handshake Authentication Protocol v2 (MS-CHAPv2) on all the RRAS servers.
C, E. MS-CHAPv2 provides encrypted and mutual authentication between the respective RRAS locations. MPPE works with MS-CHAPv2 and provides encryption for all of the data between the locations. CHAP provides encrypted authentication, but MS-CHAPv2 is needed for MPPE to work. PAP is the lowest level of authentication providing passwords, but it sends passwords in clear text, which is not the most secure solution. L2TP needs to team up with IPsec to provide the data encryption for the secure transfer of information between the locations.
53
You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a Windows Server 2016 server named Server1 that has the Network Policy and Access Services server role installed. You plan to deploy 802.1X authentication to secure the wireless network. You need to identify which NPS authentication method supports certificate-based mutual authentication for the 802.lX deployment. Which authentication method should you identify? A. Extensible Authentication Protocol (EAP) Transport Layer Security (TLS)—EAP-TLS B. Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) C. Microsoft Challenge-Handshake Authentication Protocol v2 (MS-CHAPv2) D. Protected Extensible Authentication Protocol (PEAP) - Microsoft Challenge- Handshake Authentication Protocol v2 (MS-CHAPv2)—PEAP-MS-CHAPv2
A. Windows Server 2016 comes with EAP-TLS. This allows you to use public key certifi- cates as an authenticator. TLS is similar to the familiar Secure Sockets Layer (SSL) protocol used for web browsers and 802.1X authentication. When EAP-TLS is turned on, the client and server send TLS-encrypted messages back and forth. EAP-TLS is the strongest authen- tication method you can use. EAP-TLS supports smartcards. EAP-TLS requires your NPS server to be part of the Windows Server 2016 domain.
54
You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a Windows Server 2016 server named Server1 that has the Network Policy and Access Services server role installed. Company policy requires that certificate-based authentication be used by some network services. You need to identify which NPS authentication methods comply with the security policy. Which authentication methods should you identify? (Choose two.) A. Challenge-Handshake Authentication Protocol (CHAP) B. Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) C. Microsoft Challenge-Handshake Authentication Protocol v2 (MS-CHAPv2) D. Extensible Authentication Protocol (EAP) Transport Layer Security (TLS) - EAP-TLS E. Protected Extensible Authentication Protocol (PEAP) Microsoft Challenge-Handshake Authentication Protocol v2 (MS-CHAPv2)—PEAP-MS-CHAPv2
D, E. PEAP-MS-CHAP v2 is an EAP type protocol that is easier to deploy than EAP-TLS. It is easier because user authentication is accomplished by using password-based credentials (username and password) instead of digital certificates or smartcards. Both PEAP and EAP use certificates with their protocols.
55
You are the administrator for your company network. All servers run Windows Server 2016. You want to set up an accounting system so each department is responsible for their cost of using network services. Your network contains a NPS server named Server1. The network contains a server named Database1 that has Microsoft SQL Server installed. You configure NPS on Server1 to log accounting data to a database on Database1. What should you do if you need to ensure that the accounting data is captured if Database1 fails, while minimizing cost? A. Implement database mirroring. B. Implement failover clustering. C. Modify the SQL Server Logging properties. D. Run the Accounting Configuration wizard
D. One advantage of NPS is that you can use the accounting part of NPS so that you can keep track of what each department does on your NPS server. This way, departments pay for the amount of time they use on the SQL server database. Configuring Network Policy Server Accounting, you can use the following log types: ■■ Event logging: Used primarily for auditing and troubleshooting connection attempts. You can configure NPS event logging by obtaining the NPS server properties in the NPS console. ■■ Logging user authentication and accounting requests to a local file: Used primarily for connection analysis and billing purposes. Also used as a security investigation tool because it provides you with a method of tracking the activity of a malicious user after an attack. You can configure local file logging using the Accounting Configuration Wizard. ■■ Logging user authentication and accounting requests to a Microsoft SQL Server XML- compliant database: Used to allow multiple servers running NPS to have one data source. Also provides the advantages of using a relational database. You can configure SQL Server logging by using the Accounting Configuration Wizard.
56
You are the administrator for your company network. Your network contains an Active Directory domain. The domain contains a Windows Server 2016 server named Server1 that has Network Policy Server, DirectAccess, and VPN (RRAS) installed. Remote users have client computers that run legacy Windows operating systems. You need to ensure that only the client computers that run Windows 7 or Windows 10 can establish VPN connections to Server1. What should you configure on Server1? A. A condition of a NPS connection request policy B. A condition of a NPS network policy C. A constraint of a NPS network policy D. A vendor-specific RADIUS attribute of a NPS connection request policy
A. Connection request policies are sets of conditions that allow network administrators to designate which RADIUS servers perform the authentication and autho- rization of connection requests that the server running NPS receives from RADIUS clients. NPS allows you to set up policies on how your users could log into the network. NPS allows you to set up policies that systems need to follow, and if they don’t follow these poli- cies or rules, they will not have access to the full network.
57
You are the administrator for your company network. You and a colleague are discussing Point-to-Point Protocol (PPP) and the protocols that run on top of it. Which protocol allows the client to authenticate itself to the server and functions much like a regular network logon in that once the client presents its logon credentials, the server can figure out what access to grant? A. Link Control Protocol (LCP) B. Callback Control Protocol (CBCP) C. Challenge Handshake Authentication Protocol (CHAP) D. Compression Control Protocol (CCP)
C. CHAP—as well as MS-CHAPv2 and PAP—allow the client to authenticate itself to the server. This authentication functions much like a regular network logon; once the client presents its logon credentials, the server can figure out what access to grant.
58
``` You are the administrator for your company network. You and a colleague are discussing a process that allows the client to take a packet with private content, wrap it inside an IP datagram, and send it to the server. The server, in turn, processes the IP datagram, routing real datagrams normally and handling any packets with the appropriate protocol. What is this process called? A. Multilink B. Encrypted tunnel C. Primer D. Encapsulation ```
D. Encapsulation allows the client to take a packet with some kind of private content, wrap it inside an IP datagram, and send it to the server. The server, in turn, processes the IP data- gram, routing real datagrams normally and handling any encapsulated packets with the appropriate protocol.
59
You are the administrator for your company network. Your company network includes two branch offices. Users at the company access internal virtual machines (VMs). You want to ensure secure communications between the branch offices and the internal VMs and network. You want to create a site-to-site VPN connection. What are two possible ways to achieve this goal? A. Using a private IPv4 IP address and a compatible VPN device B. Using a private IPv4 IP address and an RRAS running on Windows Server 2016 C. Using a public-facing IPv4 IP address and a compatible VPN device D. Using a public-facing IPv4 IP address and an RRAS running on Windows Server 2016
C, D. A VPN Device IP Address is a public-facing IPv4 address of your on-premises VPN device that you’ll use to connect to Azure. The VPN device cannot be located behind a NAT. You need at least one or preferably two publicly visible IP addresses. One of the IP addresses is used on the Windows Server 2016 machine that acts as the VPN device by using RRAS. The other optional IP address is to be used as the default gateway for out- bound traffic from the on-premises network.
60
You are the administrator for your company network. You and a colleague are discussing the benefits of using VPNs. Which of the following is a benefit of using VPN support? A. Can have unlimited simultaneous connections B. Can set up account lockout policies for dial-up and VPN users C. VPNs will automatically connect when the client machine sees an Internet connection. D. Clients need to be using Windows 10 only.
B. Windows Server 2016’s VPN support includes several worthwhile features; one is that you can set up account lockout policies for dial-up and VPN users. This capacity has existed for network and console users for some time. When you’re using Windows Server 2016 and enabling the VPN client access, a system policy rule named Allow VPN Clients to Firewall is enabled. This allows a maximum of 1,000 VPN clients to connect simultane- ously in Standard Edition and 16,000 in Enterprise Edition. VPNs do not auto-connect to a network, DirectAccess does auto-connect, and you can connect to a RADIUS server using most Windows clients (not just Windows 10).
61
You are the administrator for your company network. You and a colleague are discussing the VPN connection process and how it works. Once the client establishes a connection to the Internet, what is the next phase? A. The client authenticates itself to the server. B. The client and server negotiate parameters for the VPN session. C. The client and server go through the PPP negotiation process. D. The client sends a VPN connection request to the server.
D. The client sends a VPN connection request to the server. The exact format of the request varies, depending on whether the VPN is using PPTP, L2TP, or SSTP.
62
You are the administrator for your company network. You and a colleague are discussing how encapsulation works. Which of the following describes how encapsulation works? A. Software at each level of the OSI model has to see header information to figure out where a packet is coming from and where it’s going. B. Hardware at each level of the OSI model has to see header information to figure out where a packet is coming from and where it’s going. C. Software at each level of the OSI model has to see trailer information to figure out where a packet is coming from and where it’s going. D. Hardware at each level of the OSI model has to see trailer information to figure out where a packet is coming from and where it’s going.
A. Software at each level of the OSI model has to see header information to figure out where a packet is coming from and where it’s going. However, the payload contents aren’t important to most of those components, and the payload is what’s encapsulated. By fabri- cating the right kind of header and prepending it for whatever you want in the payload, you can route foreign traffic types through IP networks with no trouble.
63
You are the administrator for your company network. You and a colleague are discussing the Point-to-Point Tunneling Protocol (PPTP) tunneling process. When the client and server have successfully established a PPTP tunnel, the authorization process begins. This process is an exchange of credentials that allows the server to decide whether the client is permitted to connect. Once the server sends a challenge message to the client, what is the next phase of the process? A. The server checks the response to see whether the answer is right. The challenge- response process allows the server to determine which account is trying to make a connection. B. The client answers with an encrypted response. C. The server determines whether the user account is authorized to make a connection. D. If the account is authorized, the server accepts the inbound connection.
B. The answer to this question would be phase 2, the client answers with an encrypted response. The phases are as follows: 1. The server sends a challenge message to the client. 2. The client answers with an encrypted response. 3. The server checks the response to see whether the answer is right. The challenge- response process allows the server to determine which account is trying to make a connection. 4. The server determines whether the user account is authorized to make a connection. 5. If the account is authorized, the server accepts the inbound connection; any access controls or remote access restrictions still apply.
64
You are the administrator for your company network. You and a colleague are discussing Secure Sockets Tunneling Protocol (SSTP) as a secure way to make a VPN connection using the Secure Sockets Layer v.3 (SSL) using port 443. Once the client connects to the server through the Internet using port 443, what is the next step? A. During the SSL authentication phase, the client machine receives the server certificate. B. The client machine will send HTTPS requests on top of the encrypted SSL session. C. During the TCP session, SSL negotiation takes place. D. The client machine will then also send SSTP control packets on top of the HTTPS session.
C. The answer to this question would be phase 2: during the TCP session, SSL negotiation takes place. The phases are as follows: 1. The client connects to the server through the Internet using port 443. 2. During the TCP session, SSL negotiation takes place. 3. During the SSL authentication phase, the client machine receives the server certificate. 4. The client machine will send HTTPS requests on top of the encrypted SSL session. 5. The client machine will then also send SSTP control packets on top of the HTTPS session. 6. PPP negotiation now takes place on both ends of the connection. 7. After PPP is finished, both ends are ready to send IP packets to each other.
65
You are the administrator for your company network. You want to configure the Point-to- Point Protocol options that are available to clients. Where do you modify these properties? A. In the PPP tab of the RRAS server’s Properties dialog box B. In the Security tab of the RRAS server’s Properties dialog box C. In the General tab of the RRAS server’s Properties dialog box D. In the Logging tab of the RRAS server’s Properties dialog box
A. You can use the PPP tab of the RRAS server’s Properties dialog box to control the PPP layer options available to clients that call in. The settings you specify here control whether the related PPP options are available to clients; you can use remote access policies to control whether individual connections can use them.
66
You are the administrator for your company network. You want to configure the Point-to- Point Protocol options that are available to clients. The properties tab has four check boxes. Which box is checked by default? A. Dynamic Bandwidth Control Using BAP Or BACP check box B. Link Control Protocol (LCP) Extensions check box C. Software Compression check box D. Multilink Connections check box
D. The Multilink Connections check box is selected by default. It controls whether the server will allow clients to establish multilink connections when they call in
67
You are the administrator for your company network. You and a colleague are discussing VPNs. When setting up a VPN, where does it sit? A. A VPN sits between your external network and the Internet, accepting connections from clients in the outside world. B. A VPN sits between your internal network and the Internet, accepting connections from clients in the outside world. C. A VPN sits behind the firewall on your internal network and the Internet, rejecting connections from clients in the outside world. D. A VPN sits behind the firewall on your external network and the Internet, rejecting connections from clients in the outside world.
B. A VPN sits between your internal network and the Internet, accepting connections from clients in the outside world.
68
You are the administrator for your company network. You want to enable your RRAS server to act as a VPN. Where do you modify the properties to specify whether your RRAS server is a router, a Remote Access server, or both? A. In the PPP tab of the server’s Properties dialog box B. In the Security tab of the server’s Properties dialog box C. In the General tab of the server’s Properties dialog box D. In the Logging tab of the server’s Properties dialog box
C. The General tab of the server’s Properties dialog box allows you to specify whether your RRAS server is a router, a Remote Access server, or both. The first step in converting your existing RRAS server to handle VPN traffic is to make sure that the IPv4 Remote Access Server or the IPv6 Remote Access Server check box is selected on this tab.
69
You are the administrator for your company network. You and a colleague are discussing the three controls that are pertinent to a VPN configuration. What check box must be activated in order to accept VPN connections? A. Remote Access Connections (Inbound Only) check box B. Demand-Dial Routing Connections (Inbound and Outbound) check box C. Maximum Ports check box D. Remote Access Connections (Outbound Only) check box
A. The Remote Access Connections (Inbound Only) check box must be activated in order to accept VPN connections with this port type. To disable a VPN type (for instance, if you want to turn off L2TP), deselect this box.
70
``` You are the administrator for your company network. When you install RRAS, by default what is the number of inbound connections that are supported for PPTP? A. 2 B. 5 C. 100 D. 250 ```
B. The Maximum Ports control lets you set the number of inbound connections that this port type will support. By default, you get 5 PPTP and 5 L2TP ports when you install RRAS; you can use from 0 to 250 ports of each type by adjusting the number here.
71
You are the administrator for your company network. You and a colleague are discussing troubleshooting a VPN. What is the first thing you should check when troubleshooting a VPN connection? A. That the VPN protocol used by the client is enabled on the server B. That the username and password are correct C. That your clients can make the underlying connection to their Internet service provider (ISP) D. That the authentication settings in the server’s policies (if any) match the supported set of authentication protocols
C. Sometimes the simplest solutions are overlooked. The first thing you will want to check is that your clients can make the underlying connection to their ISP.
72
``` You are the administrator for your company network. You and a colleague are discussing RAS. A standard RRAS installation will always log some data locally. You can manage logging through which folder? A. Remote Logging/Local File B. Remote Access Logging/Local File C. Remote Logging/Remote File D. Remote Access Logging/Remote File ```
B. A standard RRAS installation will always log some data locally, but that’s pretty useless unless you know what gets logged and where it goes. Each RRAS server on your network has its own set of logs, which you manage through the Remote Access Logging folder. Within that folder, you’ll usually see a single item labeled Local File, which is the log file stored on that particular server.
73
``` You are the administrator for your company network. You and a colleague are discussing setting server logging properties at the server level. If you use the Logging tab and want to instruct the server to log errors and nothing else, what radio button should you select? A. Log Errors Only radio button B. Log Errors and Warnings radio button C. Log All Events radio button D. Do Not Log Any Events radio button ```
A. The Log Errors Only radio button instructs the server to log errors and nothing else. This gives you an adequate indication of problems after they happen, but it doesn’t point out potential problems noted by warning messages.
74
You are the administrator for your company network. You and a colleague are discussing Network Address Translation (NAT). What is a huge advantage of using NAT? A. The ability for you to share multiple public IP addresses and a single Internet connec- tion between multiple locations using private IP addressing schemes B. The ability for you to share a single public IP address and multiple Internet connections between multiple locations using private IP addressing schemes C. The ability for you to share multiple public IP addresses and multiple Internet connec- tions between multiple locations using private IP addressing schemes D. The ability for you to share a single public IP address and a single Internet connection between multiple locations using private IP addressing schemes
D. The huge advantage of NAT is the ability for you to share a single public IP address and a single Internet connection between multiple locations using private IP addressing schemes. The nodes on the private network use nonroutable private addresses. NAT maps the private addresses to the public address.
75
``` You are the administrator for your company network. You and a colleague are discussing how to program the route on your Microsoft-based network. What command should you use? A. Path B. Route C. RouteConfig D. Router ```
B. To program the route, you would need to use the Route command. To add a route, you would type Route add and the parameters of the route path. route.exe is an MS-DOS executable for Windows. It is used to block IP connections to the system by adding IP addresses to a routing table.
76
You are the administrator for your company network. You and a colleague are discussing a way to automatically program routes in your large company network. What can you use to automatically program routes on your Microsoft-based network? A. Routing Information Protocol (RIP) B. Open Shortest Path First (OSPF) C. Enhanced Interior Gateway Routing Protocol (EIGRP) D. Intermediate System to Intermediate System (IS-IS)
A. Microsoft uses the Routing Information Protocol (RIP) to automatically program routes. RIP is a broadcast-based protocol that can be added to any Microsoft router. The downside to using RIP is the extra broadcast traffic. So if you have only a few routers, it’s best to configure the routes manually. On a large network with many subnets, you may want to consider using RIP.
77
``` You are the administrator for your company network. You and a colleague are discussing configuring a VPN client. Which tab of the Connection Properties dialog box is where you would want to enter the VPN server address or host name? A. The Security tab B. The General tab C. The Options tab D. The Networking tab ```
B. The General tab has a field where you enter the VPN server address or host name. The First Connect group lets you specify which dial-up connection, if any, you want brought up before the VPN connection is established.
78
You are the administrator for your company network. You and a colleague are discussing Web Application Proxies (WAPs). What does the Web Application Proxy feature allow? A. Allows applications running on servers outside the corporate network to be accessed by any device inside the corporate network B. Allows applications running on servers inside the corporate network to be accessed by any device inside the corporate network C. Allows applications running on servers outside the corporate network to be accessed by any device outside the corporate network D. Allows applications running on servers inside the corporate network to be accessed by any device outside the corporate network
D. The Web Application Proxy feature allows applications running on servers inside the corporate network to be accessed by any device outside the corporate network. The pro- cess of allowing an application to be available to users outside of the corporate network is known as publishing.
79
You are the administrator for your company network. You are setting up a Web Application Proxy (WAP) so that your users can access applications, but you must also have some kind of security or anyone with a device would be able to access and use your applications. What must always be deployed with WAP? A. Active Directory Domain Services (AD DS) B. Active Directory Federation Services (AD FS) C. Active Directory Lightweight Directory Services (AD LDS) D. Active Directory Certificate Services (AD CS)
B. Active Directory Federation Services (AD FS) must always be deployed with WAP. AD FS gives you features such as Single Sign-On (SSO), which allows you to log in one time with a set of credentials and use that set of credentials to access the applications over and over. AD FS also allows you to set up security so that only authorized users can access the applications through AD FS.
80
You are the administrator for your company network. You and a colleague are discussing DirectAccess. To establish a connection, which of the following does DirectAccess use? A. Internet Protocol (IP) and IPv6 B. Internet Protocol Security (IPsec) and IPv4 C. Internet Protocol Security (IPsec) and IPv6 D. Internet Protocol (IP) and IPv
C. To establish this connection, DirectAccess uses IPsec and IPv6. IPsec provides a high level of security between the client and the server, and IPv6 is the protocol that the machines use.
81
You are the administrator for your company network. You and a colleague are discuss- ing DirectAccess prerequisites on the server side. Which of the following is a DirectAccess server with Advanced Settings prerequisite? A. A public key infrastructure must be deployed. B. A private key infrastructure must be deployed. C. A private trust license must be deployed. D. A public trust license must be deployed.
A. As with any software package, role, or feature, when you install any one of these, there are always prerequisites that you must deal with. DirectAccess is no different. With DirectAccess Server with Advanced Settings, a public key infrastructure must be deployed.
82
``` You are the administrator for your company network. You and a colleague are discussing configuring wireless access. When you install Windows Server 2016, it provides built-in support for 802.11 wireless LAN networking. There are two operating modes you can use. Which one is being described here? By using this mode, wireless network computers con- nect directly to each other without the use of an access point (AP) or bridge. A. Infrastructure mode B. Ad Hoc mode C. Wired Equivalent Privacy D. Wi-Fi Protected Access ```
B. By using Ad Hoc mode, wireless network computers connect directly to each other with- out the use of an access point (AP) or bridge.
83
You are the administrator for your company network. You and a colleague are discussing the authentication protocols that Windows Server 2016 supports. Which protocol is being described here? It is the simplest authentication protocol. It transmits all authentication information in clear text with no encryption, which makes it vulnerable to snooping if attackers can put themselves between the modem bank and the Remote Access server. A. Extensible Authentication Protocol (EAP) B. Transport Layer Security/Secure Sockets Layer (TLS/SSL) (Schannel) C. Kerberos D. Password Authentication Protocol (PAP)
D. The Password Authentication Protocol (PAP) is the simplest authentication protocol. It transmits all authentication information in clear text with no encryption, which makes it vul- nerable to snooping if attackers can put themselves between the modem bank and the Remote Access server. However, this type of attack is unlikely in most networks. PAP is the most widely supported authentication protocol, and therefore you may find that you need to leave it enabled.
84
``` You are the administrator for your company network. You and a colleague are discussing using PowerShell for remote access. What cmdlet allows an administrator to add a new application server security group to DirectAccess? A. Add-DAClient B. Add-DirectAccessServer C. Add-DAAppServer D. Add-DirectAccessApp ```
C. The Add-DAAppServer cmdlet allows an administrator to add a new application server security group to DirectAccess.
85
You are the administrator for your company network. You have a Windows Server 2016 server named Server1. What should you install on Server1 if you need to configure Server1 as a multitenant RAS Gateway? A. The Network Controller server role B. The Network Policy and Access Services server role C. The Data Center Bridging feature D. The Remote Access server role
D. Remote Access is a server role that provides administrators with a dashboard for man- aging, configuring, and monitoring network access. The Remote Access server role is a logi- cal grouping of Remote Access Service (RAS), Routing, and Web Application Proxy. These technologies are the role services of the Remote Access server role. When you install the Remote Access server role with the Add Roles and Features Wizard or with Windows Pow- erShell, you can install one or more of these role services.
86
You are the administrator for your company network. You are planning to implement a VPN. You currently have the following servers: DC1 – Domain Controller and DNS Server FS1 – DHCP Server and File Server RA1 – Remote Access Server RS1 – Network Policy Server (NPS) Server RP1 – Network Policy Server (NPS) Server RA1 will use the RADIUS proxy for authentication. You need to ensure that VPN clients can be authenticated and can access internal resources. What actions should you perform if you need to ensure that RS1 is used as a RADIUS server and RP1 is used as a RADIUS proxy? (Choose two.) A. On RS1, create a connection request policy. B. On RP1, create a connection request policy. C. On FS1, create a network policy. D. On RS1, delete the default connection request policy. E. On RP1, create a network policy.
B, D. Connection request policies are sets of conditions and settings that allow admin- istrators to designate which RADIUS servers authenticate and authorize the connection requests that the server running Network Policy Server (NPS) receives from the RADIUS clients. The default connection request policy uses NPS as a RADIUS server and processes all authentication requests locally. If you do not want the NPS server to act as a RADIUS server and process connection requests locally, you can delete the default connection request policy.
87
You are the administrator for your company network. You support desktop computers and tablets that run an older version of Windows. All of the computers are able to connect to your company network from the Internet by using DirectAccess. Your company wants to deploy a new application to the tablets. The deployment solution must meet the following requirements: The application is isolated from other applications. The application uses the least amount of disk space on the tablet. The application can access files stored on an internal Solid State Drive (SSD) on the tablets. What should you do if you need to deploy the new application to the tablets? A. Install the application in a Windows To Go workspace. B. Install Hyper-V on a tablet and then install the application on a virtual machine. C. Deploy the application as an Application Virtualization (App-V) package and install the App-V 4.6 client on the tablets. D. Install the application on a local drive on the tablets. E. Publish the application to Windows Store. F. Install the application within a separate installation in a virtual hard disk (VHD) file and then configure the tablets with dual boot. G. Deploy the application as a published application on the Remote Desktop server and create a Remote Desktop connection on the tablets. H. Install the application within a separate installation in a VHDX file and then configure tablets with dual boot.
G. Deploying the application as a published application on the Remote Desktop server will use no disk space on the tablets. Users will be able to access the application by using Remote Desktop Connections. This will also ensure that the application is isolated from other applications on the tablets. You can use Remote Desktop Connection “redirection” to ensure that the application can access files stored on an internal SSD on the tablets. The redirection enables access to local resources such as drives and printers in a Remote Desk- top Connection.
88
You are the administrator of your company network. You have a Windows Server 2016. server named Server1 that is configured as a VPN server. Server1 is configured to allow domain users to establish VPN connections from 6:00 a.m. to 6:00 p.m. every day of the week. What should you do if you need to ensure that domain users can establish VPN connections Monday through Friday only? A. Configure the Properties of Server1 from Routing and Remote Access. B. Modify the Access Policies on Server1 from Server Manager. C. Modify the Dial-in Properties of the computer accounts from Active Directory Users and Computers. D. Modify the Network Policy on Server1 from Network Policy Server.
B. Access policies are a list of roles and the resources with which roles are to be provi- sioned or deprovisioned. Access policies are used to automate the provisioning of target systems to users.
89
You are the administrator for your company network. You have a DirectAccess server that is accessible by using the name directaccess.abc.com. On the DirectAccess server you install a new server certificate that has the same subject name. You then configure the DNS records for directaccess.abc.com. What cmdlet should you run if you need to change the endpoint name for DirectAccess to directaccess.abc.com? A. Set-DaServer -ConnectToAddress directaccess.abc.com B. Set-DaEntryPoint -EntrypointName directaccess.abc.com C. Set-DaEntryPoint -ComputerName directaccess.abc.com D. Set-DaClient -ComputerName directaccess.abc.com
D. The Set-DAClient cmdlet configures the properties related to a DirectAccess (DA) cli- ent. The -ComputerName parameter specifies the IPv4 or IPv6 address, or host name, of the computer on which the Remote Access server computer–specific tasks should be run.
90
You are the administrator for your company network. You are deploying DirectAccess to a server named DirectAccess1. DirectAccess1 will be located behind a firewall and will have a single network adapter. The network will be IPv4. To support DirectAccess, what proto- col and port would you assign to Teredo traffic? A. Internet Protocol (IP) ID 1 B. Internet Protocol (IP) ID 41 C. Transmission Control Protocol (TCP) 443 D. User Datagram Protocol (UDP) 3544
D. Teredo traffic uses UDP port 3544. UDP Port 3544 must be open to ensure that Teredo clients can successfully communicate with the Teredo server.
91
You are the administrator for your company network. Your network contains an Active Directory domain. The functional level of the domain is Windows Server 2012. The net- work uses an address space of 192.168.0.0/16 and contains multiple subnets. The network is not connected to the Internet. The domain contains three servers: Server1—Domain Controller and DNS Server Server2—Member Server Server3—DHCP Server Client computers obtain their TCP/IP settings from Server3. You add a second network adapter to Server2. You connect the new network adapter to the Internet. You install the Routing role service on Server2. Server1 has four DNS zones configured: DNS Zone Name Type Zone Filename abc.com Active-Directory Integrated None xyz.com Primary xyz.com.dns lmn.com Primary lmn.com.dns 168.192.in-addr.arpa Primary 168.192.in-addr.arpa.dns You want to enable Server2 as a NAT server. What should you do? A. Run the Install-WindowsFeature cmdlet. B. Run the New-RoutingGroupConnector cmdlet. C. Add an interface from Routing and Remote Access. D. Add a routing protocol from Routing and Remote Access.
C. You will first install the Routing and Remote Access Service (RRAS). In the wizard you have to select NAT and then add an interface for NAT. Then, add the public interface to the NAT configuration, right-click NAT, and click New Interface. Select the interface con- nected to the network, and then click OK.

MCSA-Windows Server 2016 70-740 (11 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions