Question 6 of 448

HOTSPOT -

Your network contains three Active Directory forests. The forests are configured as shown in the following table.

Exam 70-412: Question 6 - Image 1

A two-way forest trust exists between contoso.com and division1.contoso.com. A two-way forest trust also exists between contoso.com and division2.contoso.com.

You plan to create a one-way forest trust from division1.contoso.com to division2.contoso.com.

You need to ensure that any cross-forest authentication requests are sent to the domain controllers in the appropriate forest after the trust is created.

How should you configure the existing forest trust settings?

In the table below, identify which configuration must be performed in each forest. Make only one selection in each column. Each correct selection is worth one point.

Hot Area:

Exam 70-412: Question 6 - Image 2

Answer

Suggested Answer

There will be a one-way forest trust from division1.contoso.com to division2.contoso.com.
Division1 trusts Division2. Division2 must be able to access resources in Division1.
Division1 should not be able to access resources in Division2.

Exam 70-412: Question 6 - Image 3

Question 7 of 448

Your network contains an Active Directory forest named contoso.com. The forest contains three domains. All domain controllers run Windows Server 2012 R2.

The forest has a two-way realm trust to a Kerberos realm named adatum.com.

You discover that users in adatum.com can only access resources in the root domain of contoso.com.

You need to ensure that the adatum.com users can access the resources in all of the domains in the forest.

What should you do in the forest?

Answer

Suggested Answer

The suggested answer is D.

* A one-way, outgoing realm trust allows resources in your Windows Server domain (the domain that you are logged on to at the time that you run the New Trust Wizard) to be accessed by users in the Kerberos realm.
* You can establish a realm trust between any non-Windows Kerberos version 5 (V5) realm and an Active Directory domain. This trust relationship allows cross-platform interoperability with security services that are based on other versions of the Kerberos V5 protocol, for example, UNIX and MIT implementations. Realm trusts can switch from nontransitive to transitive and back. Realm trusts can also be either one-way or two-way.

Reference: Create a One-Way, Outgoing, Realm Trust

Question 8 of 448

Your network contains an Active Directory forest named contoso.com. The forest contains two domains named contoso.com and child1.contoso.com. The domains contain three domain controllers.

The domain controllers are configured as shown in the following table.

Exam 70-412: Question 8 - Image 1

You need to ensure that the KDC support for claims, compound authentication, and Kerberos armoring setting is enforced in the child1.contoso.com domain.

Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)

Answer

Suggested Answer

The suggested answer is B, C.

To ensure that KDC support for claims, compound authentication, and Kerberos armoring is enforced in the child1.contoso.com domain, you need to upgrade the domain controllers in that specific domain to at least Windows Server 2012 R2 and raise the domain functional level of child1.contoso.com to Windows Server 2012 R2. Upgrading DC11 to Windows Server 2012 R2 satisfies the requirement that the domain controllers run the required version. Raising the domain functional level of the child domain (child1.contoso.com) then establishes the environment needed to support these features. There is no direct requirement to upgrade the root domain's functional level or its domain controllers to enforce these features in the child domain.

Question 9 of 448

Your network contains an Active Directory domain named contoso.com. All domain controllers run Windows Server 2012 R2. The domain contains two domain controllers.

The domain controllers are configured as shown in the following table.

Exam 70-412: Question 9 - Image 1

You configure a user named User1 as a delegated administrator of DC10.

You need to ensure that User1 can log on to DC10 if the network link between the Main site and the Branch site fails.

What should you do?

Answer

Suggested Answer

The suggested answer is C.

repadmin /prp will allow the password of the local administrator to be cached on the RODC. This command lists and modifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).

Reference: RODC Administration - https://technet.microsoft.com/en-us/library/cc755310%28v=ws.10%29.aspx

Question 10 of 448

Your company has offices in Montreal, New York, and Amsterdam.

The network contains an Active Directory forest named contoso.com. An Active Directory site exists for each office. All of the sites connect to each other by using the DEFAULTIPSITELINK site link.

You need to ensure that only between 20:00 and 08:00, the domain controllers in the Montreal office replicate the Active Directory changes to the domain controllers in the Amsterdam office.

The solution must ensure that the domain controllers in the Montreal and the New York offices can replicate the Active Directory changes any time of day.

What should you do?

Answer

Suggested Answer

The suggested answer is C.

We create a new site link between Montreal and Amsterdam and schedule it only between 20:00 and 08:00. To ensure that traffic between Montreal and Amsterdam only occurs at this time, we also remove Amsterdam from the DEFAULTIPSITELINK.

Reference: How Active Directory Replication Topology Works - http://technet.microsoft.com/en-us/library/cc755994(v=ws.10).aspx