■■ Microsoft releases all its operating systems in multiple editions, which provides consumers with varying price points and feature sets.
■■ When you select the Windows Server Core installation option, you get a stripped-down version of the operating system.
Windows Server 2012 R2 includes an installation option that minimizes the user interface on a server. When you select the Windows Server Core installation option, you will install a stripped-down version of the operating system. There is no Start menu, no desktop Explorer shell, no Microsoft Management Console (MMC), and virtually no graphical applications. All you see when you start the computer is a single window with a command prompt, as shown in Figure 1-1.
■■ The Minimal Server Interface is a setting that removes some of the most hardware-intensive elements from the graphical interface.
■■ An in-place upgrade is the most complicated form of a Windows Server 2012 R2 installation. It is also the lengthiest and the most likely to cause problems during its execution. Whenever possible, Microsoft recommends that administrators perform a clean installation or migrate required applications and settings instead.
■■ Migration is the preferred method of replacing an existing server with one running Windows Server 2012 R2. Unlike an in-place upgrade, a migration copies vital information from an existing server to a clean Windows Server 2012 R2 installation.
1. Which of the following processor architectures can be used for a clean Windows Server 2012 R2 installation? (Choose all that apply.)
A. 32-bit processor only
B. 64-bit processor only
C. 32-bit or 64-bit processor
D. 64-bit or Itanium processor
B. Correct: Windows Server 2012 R2 can run only on a 64-bit processor.
2. Which of the following paths is a valid upgrade path to Windows Server 2012 R2?
A. Windows Server 2003 Standard to Windows Server 2012 R2 Standard
B. Windows Server 2008 Standard to Windows Server 2012 R2 Standard
C. Windows Server 2008 32-bit to Windows Server 2012 R2 64-bit
D. Windows 7 Ultimate to Windows Server 2012 R2 Essentials
B. Correct: You can upgrade Windows Server 2008 Standard to Windows Server 2012 R2 Standard.
3. Which of the following features must be added to a Windows Server 2012 R2 Server Core installation to convert it to the Minimal Server Interface?
A. Graphical Management Tools and Infrastructure
B. Server Graphical Shell
C. Windows PowerShell
D. Microsoft Management Console
Correct: Installing the Graphical Management Tools and Infrastructure module—and only that module—on a Server Core installation results in the Minimal Server Interface.
Converting between GUI and Server Core
In Windows Server 2012 R2, you can convert a computer installed with the full GUI option to Server Core and add the full GUI to a Server Core computer. This is a major improvement in the usefulness of Server Core over the version in Windows Server 2008 R2, in which you can only change the interface by reinstalling the entire operating system. With this capability, administrators can install servers with the full GUI, use the graphical tools to perform the initial setup, and then convert them to Server Core to conserve system resources. If it later becomes necessary, it is possible to reinstall the GUI components.
To convert a full GUI installation of Windows Server 2012 R2 to Server Core by using Server Manager, you must run the Remove Roles And Features Wizard and uninstall the following features, as shown in Figure 1-6:
■■ Graphical Management Tools And Infrastructure
■■ Server Graphical Shell
To add the full GUI to a Server Core computer, you must use Windows PowerShell to install the same features you removed in the previous procedure. To convert a Windows Server 2012 R2 Server Core installation to the full GUI option, use the following Windows PowerShell command:
Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart
To convert a full GUI server installation to Server Core, use the following command:
Uninstall-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart
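The two commands above toggle exactly two features, and the Minimal Server Interface is the state in between. As an added PowerShell example (not from the book), the following reads the installed state of those features to report which of the three interface levels a server is at, and wraps the install/uninstall commands so the target level is chosen by name. It assumes the ServerManager module of Windows Server 2012 R2; the function names and the -Source handling are my own.

```powershell
# Added example, not from the book. Classify the local server's interface level
# from the two features the conversion commands add or remove, and move between
# levels by name. Function names are my own; cmdlets are the ServerManager module's.
Import-Module ServerManager -ErrorAction Stop

function Get-ServerInterfaceLevel {
    # Get-WindowsFeature reports each feature's installed state on this server.
    $features  = Get-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell
    $mgmtInfra = [bool]($features | Where-Object Name -eq 'Server-Gui-Mgmt-Infra').Installed
    $shell     = [bool]($features | Where-Object Name -eq 'Server-Gui-Shell').Installed

    # The shell depends on the management infrastructure, so three states exist:
    #   both installed    -> Full GUI
    #   Mgmt-Infra only   -> Minimal Server Interface
    #   neither           -> Server Core
    $level = if ($shell -and $mgmtInfra) { 'Full GUI' }
             elseif ($mgmtInfra)        { 'Minimal Server Interface' }
             else                       { 'Server Core' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ServerGuiMgmtInfra = $mgmtInfra
        ServerGuiShell     = $shell
        InterfaceLevel     = $level
    }
}

function Set-ServerInterfaceLevel {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Full GUI', 'Minimal Server Interface', 'Server Core')]
        [string]$Level,
        # Only needed when the feature payload has been removed from the local
        # WinSxS store: path to a mounted install.wim or a reference server share.
        [string]$Source,
        [switch]$Restart
    )
    $current = (Get-ServerInterfaceLevel).InterfaceLevel
    if ($current -eq $Level) { Write-Verbose "Already at '$Level'"; return }
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Change interface from '$current' to '$Level'")) { return }

    $installArgs = @{}
    if ($Source) { $installArgs.Source = $Source }

    switch ($Level) {
        'Full GUI' {
            Install-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart:$Restart @installArgs
        }
        'Minimal Server Interface' {
            # Keep the management tools (MMC, Server Manager), drop only the shell.
            Install-WindowsFeature -Name Server-Gui-Mgmt-Infra @installArgs
            Uninstall-WindowsFeature -Name Server-Gui-Shell -Restart:$Restart
        }
        'Server Core' {
            Uninstall-WindowsFeature -Name Server-Gui-Mgmt-Infra, Server-Gui-Shell -Restart:$Restart
        }
    }
}
```

Get-ServerInterfaceLevel is safe to run anywhere; Set-ServerInterfaceLevel -Level 'Server Core' -Restart -WhatIf shows the change without making it.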
4. Which of the following terms is the name of the directory where Windows stores all the operating system modules it might need to install at a later time?
Correct: Windows stores all the operating system installation modules in the WinSxS directory.
During a Windows Server 2012 R2 installation, the Setup program copies the files for all the operating system components from the installation medium to a directory called WinSxS, the side-by-side component store. This enables you to activate any of the features included with Windows Server 2012 R2 without having to supply an installation medium.
5. Which of the following statements are valid reasons as to why administrators might want to install their Windows Server 2012 R2 servers by using the Server Core option? (Choose all that apply.)
A. A Server Core installation can be converted to the full GUI without reinstalling the operating system.
B. The Windows PowerShell 4.0 interface in Windows Server 2012 R2 includes more than 10 times as many cmdlets as Windows PowerShell 2.0.
C. The new Server Manager in Windows Server 2012 R2 makes it much easier to administer servers remotely.
D. A Windows Server 2012 R2 Server Core license costs significantly less than a full
A. Correct: It is possible to convert a computer running Windows Server 2012 R2 between the Server Core and the Full GUI interface as needed.
C. Correct: Server Manager incorporates a server selection interface into many of its wizards.
6. Which of the following NIC teaming modes provides fault tolerance and bandwidth aggregation?
A. Hyper-V live migration
B. Switch independent mode
C. Switch dependent mode
D. Server graphical shell
B. Correct: In Switch Independent Mode, the NICs in the team are connected to different switches, providing alternate paths through the network.
NIC teaming, also called bonding, balancing, and aggregation, is a technology that has been available for some time, but it was always tied to specific hardware implementations. The NIC teaming capability in Windows Server 2012 R2 is hardware independent and enables you to combine multiple physical network adapters into a single interface. The results can include increased performance by combining the throughput of the adapters and protection from adapter failures by dynamically moving all traffic to the functioning NICs. NIC teaming in Windows Server 2012 R2 supports two modes:
■■ Switch Independent Mode All the network adapters are connected to different switches, providing alternative routes through the network.
■■ Switch Dependent Mode All the network adapters are connected to the same switch, providing a single interface with their combined bandwidth.
In Switch Independent Mode, you can choose between two configurations. The active/active configuration leaves all the network adapters functional, providing increased throughput. If one adapter fails, all the traffic is shunted to the remaining adapters. In the active/standby configuration, one adapter is left offline to function as a failover in the event the active adapter fails. In active/active mode, an adapter failure causes a performance reduction; in active/standby mode, the performance remains the same before and after an adapter failure.
In Switch Dependent Mode, you can choose static teaming, a generic mode that balances the traffic between the adapters in the team, or you can opt to use the Link Aggregation Control Protocol defined in IEEE 802.3ax, assuming that your equipment supports it.
In Windows Server 2012, there is one significant limitation to NIC teaming. If your traffic consists of large TCP sequences, such as a Hyper-V live migration, the system will avoid using multiple adapters for those sequences to minimize the number of lost and out-of-order TCP segments. You will therefore not realize any performance increase for large file transfers using
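As an added PowerShell example (not from the book), here are the two modes described above built with the NetLbfo cmdlets that ship with Windows Server 2012 R2: a switch-independent team with one standby member, a switch-dependent LACP team, and a per-member report that shows why a team is degraded when the switch side does not match. The adapter names NIC1/NIC2 and the function names are placeholders of my own.

```powershell
# Added example, not from the book. Builds the two teaming modes described above
# with the NetLbfo module (Windows Server 2012 R2, elevated session). Adapter
# names NIC1/NIC2 are placeholders; use the names shown by Get-NetAdapter.
Import-Module NetLbfo -ErrorAction Stop

# Switch Independent Mode, active/standby: adapters may be cabled to different
# switches; one member idles until the active one fails.
function New-SwitchIndependentStandbyTeam {
    param(
        [string]$Name    = 'Team-Standby',
        [string]$Active  = 'NIC1',
        [string]$Standby = 'NIC2'
    )
    $team = New-NetLbfoTeam -Name $Name -TeamMembers $Active, $Standby `
        -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts `
        -Confirm:$false
    # Every member starts active; demote one to get the active/standby configuration.
    Set-NetLbfoTeamMember -Name $Standby -AdministrativeMode Standby -Confirm:$false
    return $team
}

# Switch Dependent Mode with LACP: every member must connect to the same switch
# (or stack) and the switch ports must form an LACP port channel, otherwise the
# team stays degraded. Use -TeamingMode Static for static teaming instead.
function New-SwitchDependentLacpTeam {
    param(
        [string]$Name      = 'Team-LACP',
        [string[]]$Members = @('NIC1', 'NIC2')
    )
    New-NetLbfoTeam -Name $Name -TeamMembers $Members -TeamingMode Lacp `
        -LoadBalancingAlgorithm Dynamic -Confirm:$false
}

# One row per team member: mode, load-balancing algorithm, and member state.
# FailureReason is populated when a member is not contributing to the team.
function Get-TeamMemberReport {
    foreach ($t in Get-NetLbfoTeam) {
        foreach ($m in Get-NetLbfoTeamMember -Team $t.Name) {
            [pscustomobject]@{
                Team          = $t.Name
                TeamingMode   = $t.TeamingMode
                LoadBalancing = $t.LoadBalancingAlgorithm
                TeamStatus    = $t.Status
                Member        = $m.Name
                AdminMode     = $m.AdministrativeMode
                MemberStatus  = $m.OperationalStatus
                FailureReason = $m.FailureReason
            }
        }
    }
}
```

A single large TCP flow such as a live migration still rides one adapter, as the text notes, so measure aggregate throughput across several flows rather than one copy.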
■■ Server Manager is designed to enable administrators to fully manage Windows servers without ever having to interact directly with the server console, either physically or remotely.
■■ There are some tasks that administrators might have to perform immediately after the operating system installation that require direct access to the server console.
■■ If you selected the Server Core option when installing Windows Server 2012 R2, you can perform postinstallation tasks from the command line.
■■ In Windows Server 2012 R2, the Properties tile in Server Manager provides the same functionality as the Initial Configuration Tasks window in previous versions.
■■ In Windows Server 2012 R2, you can convert a computer installed with the full GUI option to Server Core and add the full GUI to a Server Core computer.
■■ NIC teaming is a new feature in Windows Server 2012 R2 that enables administrators to combine the bandwidth of multiple network interface adapters, providing increased performance and fault tolerance.
■■ For administrators of enterprise networks, it might be necessary to add a large number of servers to Server Manager. To avoid having to work with a long scrolling list of servers, you can create server groups based on server locations, functions, or any other organizational paradigm.
■■ In addition to installing roles and features to servers on the network, Server Manager enables administrators to install them to VMs that are currently in an offline state.
7. Which features must be removed from a full GUI installation of Windows Server 2012 R2 in order to convert it to a Server Core installation? (Choose all that apply.)
A. Windows Management Instrumentation (WMI)
B. Graphical Management Tools and Infrastructure
C. Desktop Experience
D. Server Graphical Shell
B. Correct: Removing the Graphical Management Tools and Infrastructure feature is required to convert to a Server Core installation.
D. Correct: Server Graphical Shell provides support for the Windows graphical interface, including the desktop and File Explorer. You must remove it to convert to a Server Core installation.
8. Which of the following command-line tools are used to join a computer to a domain?
C. Correct: Netdom.exe is the Windows command-line domain manager application.
9. Which of the following statements about Server Manager is not true?
A. Server Manager can deploy roles to multiple servers at the same time.
B. Server Manager can deploy roles to VHDs while they are offline.
C. Server Manager can install roles and features at the same time.
D. Server Manager can install roles and features to any Windows Server 2012 R2 server on the network.
A. Correct: Server Manager cannot deploy roles to multiple servers at the same time.
10. Which of the following operations can you not perform on a service by using Server Manager? (Choose all that apply.)
A. Stop a running service
B. Start a stopped service
C. Disable a service
D. Configure a service to start when the computer starts
C. Correct: You cannot disable a service by using Server Manager.
D. Correct: You cannot configure a service to start when the computer starts by using Server Manager.
■■ Windows Server 2012 R2 supports two hard disk partition types: MBR and GPT; two disk types: basic and dynamic; five volume types: simple, striped, spanned, mirrored, and RAID-5; and three file systems: ReFS, NTFS, and FAT.
■■ The Disk Management snap-in can initialize, partition, and format disks on the local machine. Server Manager can perform many of the same tasks for servers all over the
■■ Windows Server 2012 R2 includes a new disk virtualization technology called Storage Spaces, which enables a server to concatenate storage space from individual physical disks and allocate that space to create virtual disks of any size supported by the
■■ All Windows Server 2012 R2 installations include the File and Storage Services role, which causes Server Manager to display a menu when you click the icon in the navigation pane. This menu provides access to home pages that enable administrators to manage volumes, disks, storage pools, shares, and iSCSI devices.
■■ The Disk Management snap-in in Windows Server 2012 R2 enables you to create VHD files and mount them on the computer.
■■ Once you have installed your physical disks, you can concatenate their space into a storage pool, from which you can create virtual disks of any size. Once you have created a storage pool, you can use the space to create as many virtual disks as you need.
11. Which of the following statements are true of striped volumes? (Choose all that apply.)
A. Striped volumes provide enhanced performance over simple volumes.
B. Striped volumes provide greater fault tolerance than simple volumes.
C. You can extend striped volumes after creation.
D. If a single physical disk in the striped volume fails, all the data in the entire volume is lost.
A. Correct: Striping provides improved performance because each disk drive in the array has time to seek the location of its next stripe while the other drives are writing.
D. Correct: If a single physical disk in the striped volume fails, all the data in the entire volume is lost.
Understanding volume types
A dynamic disk can contain an unlimited number of volumes that function much like primary partitions on a basic disk, but you cannot mark an existing dynamic disk as active. When you create a volume on a dynamic disk by using the Disk Management snap-in in Windows Server 2012 R2, you choose from the following five volume types:
■■ Simple volume Consists of space from a single disk. After you have created a simple volume, you can extend it to multiple disks to create a spanned or striped volume, as long as it is not a system volume or boot volume. You can also extend a simple volume into any adjacent unallocated space on the same disk or, with some limitations, shrink the volume by deallocating any unused space in the volume.
■■ Spanned volume Consists of space from 2 to 32 physical disks, all of which must be dynamic disks. A spanned volume is essentially a method for combining the space from multiple dynamic disks into a single large volume. Windows Server 2012 R2 writes to the spanned volume by filling all the space on the first disk and then filling each of the additional disks in turn. You can extend a spanned volume at any time by adding disk space. Creating a spanned volume does not increase the disk’s read/write performance or provide fault tolerance. In fact, if a single physical disk in the spanned volume fails, all the data in the entire volume is lost.
■■ Striped volume Consists of space from 2 to 32 physical disks, all of which must be dynamic disks. The difference between a striped volume and a spanned volume is that in a striped volume, the system writes data one stripe at a time to each successive disk in the volume. Striping provides improved performance because each disk drive in the array has time to seek the location of its next stripe while the other drives are writing. Striped volumes do not provide fault tolerance, however, and you cannot extend them after creation. If a single physical disk in the striped volume fails, all the data in the entire volume is lost.
■■ Mirrored volume Consists of an identical amount of space on two physical disks, both of which must be dynamic disks. The system performs all read and write operations on both disks simultaneously so they contain duplicate copies of all data stored on the volume. If one disk fails, the other continues to provide access to the volume until the failed disk is repaired or replaced.
■■ RAID-5 volume Consists of space on three or more physical disks, all of which must be dynamic. The system stripes data and parity information across all the disks so that if one physical disk fails, the missing data can be re-created by using the parity information on the other disks. RAID-5 volumes provide improved read performance because of the disk striping, but write performance suffers due to the need for parity calculations.
Understanding file systems
To organize and store data or programs on a hard drive, you must install a file system. A file system is the underlying disk drive structure that enables you to store information on your computer. You install file systems by formatting a partition or volume on the hard disk. In Windows Server 2012 R2, five file system options are available:
■■ FAT (also known as FAT16)
NTFS is the preferred file system for a server; the main benefits are improved support for larger hard drives than FAT and better security in the form of encryption and permissions that restrict access by unauthorized users.
Because the FAT file systems lack the security that NTFS provides, any user who gains access to your computer can read any file without restriction. Additionally, FAT file systems have disk size limitations: FAT32 cannot handle a partition greater than 32 GB or a file greater than 4 GB. FAT cannot handle a hard disk greater than 4 GB or a file greater than 2 GB. Because of these limitations, the only viable reason for using FAT16 or FAT32 is the need to dual boot the computer with a non-Windows operating system or a previous version of Windows that does not support NTFS, which is not a likely configuration for a server.
ReFS is a new file system first appearing in Windows Server 2012 R2 that offers practically unlimited file and directory sizes and increased resiliency that eliminates the need for error-checking tools, such as Chkdsk.exe. However, ReFS does not include support for NTFS features such as file compression, Encrypted File System (EFS), and disk quotas. ReFS disks also cannot be read by any operating systems older than Windows Server 2012 and Windows 8.
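The partition-style limit and the file-system properties above are easy to check on a running server. This added PowerShell example (not from the book) walks every disk and volume with the Storage module cmdlets of Windows Server 2012 R2 and flags MBR disks over 2 TB, FAT/FAT32 volumes (no permissions or encryption) and ReFS volumes (no compression, EFS or quotas); the function names are my own.

```powershell
# Added example, not from the book. Audit the local server's disks and volumes
# against the limits and security properties described above, and flag the
# volumes a file server should not be relying on. Function names are my own;
# the cmdlets are from the Storage module shipped with Windows Server 2012 R2.
Import-Module Storage -ErrorAction Stop

# Per-file-system notes taken from the text: FAT variants carry no permissions
# or encryption, and ReFS lacks compression, EFS and quotas.
function Get-FileSystemFinding {
    param([string]$FileSystem)
    switch ($FileSystem) {
        'FAT'   { return 'FAT16: no NTFS permissions or EFS; 4 GB volume / 2 GB file limit' }
        'FAT32' { return 'FAT32: no NTFS permissions or EFS; 32 GB volume / 4 GB file limit' }
        'ReFS'  { return 'ReFS: no compression, EFS or NTFS quotas; unreadable before Server 2012 / Windows 8' }
        'NTFS'  { return '' }
        ''      { return 'RAW: volume has no file system' }
        default { return "Unexpected file system '$FileSystem'" }
    }
}

function Get-StorageAudit {
    foreach ($d in Get-Disk) {
        # Disk-level check: MBR addresses at most 2 TB, so a larger MBR disk
        # leaves space unusable until it is converted to GPT.
        $diskNote = ''
        if ($d.PartitionStyle -eq 'MBR' -and $d.Size -gt 2TB) {
            $diskNote = 'MBR disk larger than 2 TB: space beyond 2 TB is unreachable'
        }
        $parts = Get-Partition -DiskNumber $d.Number -ErrorAction SilentlyContinue
        foreach ($p in $parts) {
            $v = $p | Get-Volume -ErrorAction SilentlyContinue
            if (-not $v) { continue }   # reserved/EFI partitions expose no volume object
            $fsNote = Get-FileSystemFinding -FileSystem ([string]$v.FileSystem)
            [pscustomobject]@{
                Disk           = $d.Number
                PartitionStyle = $d.PartitionStyle
                Partition      = $p.PartitionNumber
                DriveLetter    = $v.DriveLetter
                FileSystem     = $v.FileSystem
                SizeGB         = [math]::Round($v.Size / 1GB, 1)
                Finding        = (@($diskNote, $fsNote) | Where-Object { $_ }) -join '; '
            }
        }
    }
}
```

Get-StorageAudit | Where-Object Finding | Format-Table lists only the rows that need attention.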
12. Which of the following statements best describes the requirements for extending a volume on a dynamic disk? (Choose all that apply.)
A. If you want to extend a simple volume, you can use only the available space on the same disk if the volume is to remain simple.
B. The volume must have a file system (a raw volume) before you can extend a simple or spanned volume.
C. You can extend a simple or spanned volume if you formatted it by using the FAT or FAT32 file systems.
D. You can extend a simple volume across additional disks if it is not a system volume or a boot volume.
A. Correct: When extending a simple volume, you can use only the available space on the same disk. If you extend the volume to another disk, it is no longer simple.
D. Correct: You can extend a simple volume across additional disks if it is not a system volume or a boot volume.
MBR limit is 2 TB (old technology); normally BIOS allows 16 max partitions in one hard disk.
GPT partition: 128 partitions.
4 partitions (an extended partition will be created).
We need dynamic disks in a server.
1) Spanned volume: can increase the capacity without data loss and without shutdown; when one disk is full, it will go on to the next volume.
2) RAID 0 = striped volume: it will use the same size on both hard disks and make them into one disk; both disks can be used at the same time for data reading.
RAID 1 level: mirrored volume; mirror does not support more than 2 hard disks.
3) RAID 5: striping with parity.
13. Which of the following volume types supported by Windows Server 2012 R2 provide fault tolerance? (Choose all that apply.)
C. Correct: A mirrored volume writes duplicate copies of all data to two disks, thereby providing fault tolerance.
D. Correct: A RAID-5 volume writes data and parity information on multiple disks, thereby providing fault tolerance.
14. A JBOD (just a bunch of disks) drive array is an alternative to which of the following storage technologies?
C. Correct: A JBOD array is an alternative to a RAID array that treats each disk as an
CHAPTER 2
■■ Creating folder shares makes the data stored on a file server’s disks accessible to
■■ NTFS permissions enable you to control access to files and folders by specifying the tasks individual users can perform on them. Share permissions provide rudimentary access control for all the files on a network share. Network users must have the proper share and NTFS permissions to access file server shares.
■■ ABE applies filters to shared folders based on an individual user’s permissions to the files and subfolders in the share. Simply put, users who cannot access a particular shared resource are unable to see that resource on the network.
■■ Offline Files is a Windows feature that enables client systems to maintain local copies of files they access from server shares.
■■ Volume Shadow Copies is a Windows Server 2012 R2 feature that enables you to maintain previous versions of files on a server, so if users accidentally delete or overwrite a file, they can access a copy.
■■ NTFS quotas enable administrators to set a storage limit for users of a particular
■■ Work Folders is a Windows Server 2012 R2 feature that synchronizes files between multiple client devices and a file server located on a private network.
1. What is the maximum number of shadow copies a Windows Server 2012 R2 system can maintain for each volume?
Correct: Windows Server 2012 R2 can maintain up to 64 volume shadow copies before it begins deleting the oldest data.
2. Which of the following terms describes the process of granting users access to file server shares by reading their permissions?
B. Correct: Authorization is the process by which a user is granted access to specific resources based on the permissions he or she possesses.
3. Which of the following are tasks you can perform by using the quotas in File Server Resource Manager but can’t perform by using NTFS quotas? (Choose all that apply.)
A. Send an email message to an administrator when users exceed their limits.
B. Specify different storage limits for each user.
C. Prevent users from consuming storage space on a volume beyond their allotted
D. Generate warnings to users when they approach their allotted storage limit.
A. Correct: Using File Server Resource Manager, you can notify administrators with email messages when users exceed their allotment of storage.
4. In the Windows Server 2012 R2 NTFS permission system, combinations of advanced permissions are also known as _____________ permissions. (Choose all that apply.)
B. Correct: Basic permissions are formed by creating various combinations of advanced permissions.
D. Correct: In Windows Server versions prior to Windows Server 2012 R2, standard permissions are formed by creating various combinations of special permissions.
Windows provides preconfigured permission combinations suitable for most common access control tasks. When you open the Properties sheet for a system element and look at its Security tab, the NTFS permissions you see are called basic permissions. Basic permissions are actually combinations of advanced permissions, which provide the most granular control over the element.
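The basic/advanced relationship above is visible in the bit masks behind an ACE. As an added PowerShell example (not from the book), the following decomposes the rights in each NTFS ACE of a path into the basic permissions the Security tab would show plus any leftover advanced rights, using the composite values of the .NET FileSystemRights enum; the function names are my own.

```powershell
# Added example, not from the book. Decomposes the rights in an NTFS ACE into the
# basic permissions the Security tab shows and whatever advanced rights remain.
# The composite values are the .NET FileSystemRights enum's own (FullControl,
# Modify, ReadAndExecute, Read, Write); function names are my own.
$FSR = [System.Security.AccessControl.FileSystemRights]

function Resolve-NtfsRights {
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights)

    # Basic permissions, broadest first. Each is a mask over several advanced
    # rights, e.g. Read = ReadData + ReadAttributes + ReadExtendedAttributes
    # + ReadPermissions + Synchronize.
    $basic = [ordered]@{
        'Full Control'   = [int]($FSR::FullControl)
        'Modify'         = [int]($FSR::Modify)
        'Read & Execute' = [int]($FSR::ReadAndExecute)
        'Read'           = [int]($FSR::Read)
        'Write'          = [int]($FSR::Write)
    }
    $value   = [int]$Rights
    $matched = @()
    $covered = 0
    foreach ($name in $basic.Keys) {
        $mask = $basic[$name]
        # A basic permission applies only if every one of its advanced bits is set.
        if (($value -band $mask) -eq $mask) {
            $matched += $name
            $covered  = $covered -bor $mask
        }
    }
    # The GUI grants Synchronize with every basic permission, but the Write mask
    # does not include it, so it must not be reported as a leftover advanced right.
    $covered   = $covered -bor [int]($FSR::Synchronize)
    $remaining = $value -band (-bnot $covered)
    $advanced  = $null
    if ($remaining -ne 0) { $advanced = [System.Security.AccessControl.FileSystemRights]$remaining }

    [pscustomobject]@{
        Rights      = $Rights
        Basic       = $matched
        Advanced    = $advanced
        IsBasicOnly = ($remaining -eq 0)
    }
}

# Apply the decomposition to every ACE on a file or folder.
function Get-NtfsAceSummary {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $r = Resolve-NtfsRights -Rights $ace.FileSystemRights
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            Basic     = ($r.Basic -join ', ')
            Advanced  = $r.Advanced
        }
    }
}
```

Resolve-NtfsRights -Rights Modify reports Modify, Read & Execute, Read and Write, which is exactly the set of check boxes the Security tab ticks for a Modify grant; an ACE that shows a non-empty Advanced value is one the tab can only display under "Special permissions".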
5. Which of the following statements best describes the role of the security principal in file system permission assignments?
A. The security principal in file system permission assignments is the only person who can access a file that has no permissions assigned to it.
B. The security principal in file system permission assignments is the person responsible for creating permission policies.
C. The security principal in file system permission assignments is the person assigning
D. The security principal in file system permission assignments is the person to whom the permissions are assigned.
D. Correct: The security principal is the user or computer to which permissions are assigned.
Since the early days of the Microsoft server operating system, administrators have used groups to manage network permissions. Groups enable administrators to assign permissions to multiple users simultaneously. A group can be defined as a collection of user or computer accounts that functions as a security principal, in much the same way that a user does.
■■ Printing in Windows typically involves the following four components: print device, printer, print server, and print driver.
■■ The simplest form of print architecture consists of one print device connected to one computer, known as a locally attached print device. You can share this printer (and the print device) with other users on the same network.
■■ With network-attached print devices, the administrator’s primary deployment decision is which computer will function as the print server.
■■ Remote Desktop Easy Print is a driver that enables Remote Desktop clients running applications on a server to redirect their print jobs back to their local print devices.
■■ Printer permissions are much simpler than NTFS permissions; they dictate whether users are allowed to use the printer, manage documents submitted to the printer, or manage the properties of the printer itself.
■■ The Print Management console is an administrative tool that consolidates the controls for the printing components throughout the enterprise into a single console.
1. Which of the following terms best describes the software interface through which a computer communicates with a print device?
B. Print server
C. Printer driver
D. Print Management console
A. Correct: In Windows, a printer is the software interface through which a computer communicates with a print device.
2. You are setting up a printer pool on a computer running Windows Server 2012 R2. The printer pool contains three identical print devices. You open the Properties dialog box for the printer and select the Enable Printer Pooling option on the Ports tab. Which of the following steps must you perform next?
A. Configure the LPT1 port to support three printers.
B. Select or create the ports mapped to the three printers.
C. On the Device Settings tab, configure the installable options to support two additional print devices.
D. On the Advanced tab, configure the priority for each print device so that printing is distributed among the three print devices.
B. Correct: To set up printer pooling, select the Enable Printer Pooling check box and select or create the ports corresponding to printers that will be part of the pool.
Creating a printer pool
As mentioned earlier, a printer pool increases the production capability of a single printer by connecting it to multiple print devices. When you create a printer pool, the print server sends each incoming job to the first print device it finds that is not busy. This effectively distributes the jobs among the available print devices, providing users with more rapid service.
To configure a printer pool, use the following procedure.
1. Open Control Panel and select Hardware, Devices and Printers. The Devices and Printers
2. Right-click one of the printer icons and, from the shortcut menu, select Printer Properties. The Properties sheet for the printer appears.
3. Click the Ports tab.
4. Select the Enable Printer Pooling check box and click OK.
5. Select all the ports to which the print devices are connected.
6. Close Control Panel.
To create a printer pool, you must have at least two identical print devices, or at least two print devices that use the same printer driver. The print devices must be in the same location because there is no way to tell which print device will process a given document. You must also connect all the print devices in the pool to the same print server. If the print server is a Windows Server 2012 R2 computer, you can connect the print devices to any viable ports.
3. One of your print devices is not working properly, so you want to temporarily prevent users from sending jobs to the printer serving that device. Which of the following actions should you take?
A. Stop sharing the printer.
B. Remove the printer from Active Directory.
C. Change the printer port.
D. Rename the share.
A. Correct: If you stop sharing the printer, users will no longer be able to use the printer.
4. You are administering a computer running Windows Server 2012 R2 configured as a print server. Users in the Marketing group report that they cannot print documents using a printer on the server. You view the permissions in the printer’s properties. The Marketing group is allowed Manage Documents permission. Which of the following statements best explains why the users cannot print to the printer?
A. The Everyone group must be granted the Manage Documents permission.
B. The Administrators group must be granted the Manage Printers permission.
C. The Marketing group must be granted the Print permission.
D. The Marketing group must be granted the Manage Printers permission.
C. Correct: The Print permission allows users to send documents to the printer; the Manage Documents permission does not.
5. You are administering a print server running Windows Server 2012 R2. You want to perform maintenance on a print device physically connected to the print server. There are several documents in the print queue. You want to prevent the documents from being printed to the printer, but you don’t want users to have to resubmit the documents to the printer. Which of the following statements best describes the best way to
A. Open the printer’s Properties dialog box, select the Sharing tab, and select the Do Not Share This Printer option.
B. Open the printer’s Properties dialog box and select a port that is not associated with a print device.
C. Open the printer’s queue window, select the first document, and select Pause from the Document window.
D. Open the printer’s queue window and select the Pause Printing option from the
D. Correct: When you select the Pause Printing option, the documents will remain in the print queue until you resume printing. This option applies to all documents in
■■ Windows Server 2012 R2 is designed to facilitate remote server management so administrators rarely if ever have to work directly at the server console. This conserves server resources that can better be devoted to applications.
■■ When you add servers running Windows Server 2012 R2 to Server Manager, you can immediately begin using the Add Roles and Features Wizard to install roles and features on any of the servers you have added.
■■ The Windows Firewall rules you have to enable for remote servers running Windows Server 2012 R2 are also disabled by default on computers running versions earlier than Windows Server 2012, so you also have to enable them there.
■■ For administrators of enterprise networks, it might be necessary to add a large number of servers to Server Manager. To avoid having to work with a long scrolling list of servers, you can create server groups based on server locations, functions, or any other organizational paradigm.
■■ You can manage remote servers from any computer running Windows Server 2012 R2; all the required tools are installed by default. However, the new administrative method that Microsoft is promoting urges administrators to keep servers locked away and use a workstation to manage servers from a remote location.
1. Which of the following tasks must you perform before you can manage a remote
server running Windows Server 2012 R2 using the Computer Management snap-in?
A. Enable WinRM on the remote server.
B. Enable the COM+ Network Access rule on the remote server.
C. Enable the Remote Event Log Management rules on the remote server.
D. Install Remote Server Administration Tools on the remote server.
Working with remote servers
Once you have added remote servers to Server Manager, you can access them using a variety of remote administration tools. Server Manager provides three basic methods for addressing remote servers, as follows:
■■ Contextual tasks When you right-click a server in a Servers tile anywhere in Server Manager, you see a shortcut menu that provides access to tools and commands pointed at the selected server. Some of these are commands that Server Manager executes on the remote server, such as Restart Server and Windows PowerShell. Others launch tools on the local system and direct them at the remote server, such as MMC snap-ins and the Install Roles And Features Wizard. Still others modify Server Manager itself by removing servers from the interface. Other contextual tasks sometimes appear in the Tasks menus for specific panes.
■■ Noncontextual tasks The menu bar at the top of the Server Manager console provides access to internal tasks, such as launching the Add Server Wizard and the Install Roles And Features Wizard, and the Server Manager Properties dialog box, in which you can specify the console’s refresh interval.
■■ Noncontextual tools The console’s Tools menu provides access to external programs, such as MMC snap-ins and the Windows PowerShell interface, that are directed at the local system.
2. Which of the following Windows PowerShell cmdlets can you use to list the existing
Windows Firewall rules on a computer running Windows Server 2012 R2? (Choose all
A. Correct: The Get-NetFirewallRule cmdlet displays a list of all the rules on a system
running Windows Firewall.
C. Correct: The Show-NetFirewallRule cmdlet displays a list of all the rules on a
system running Windows Firewall.
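The prerequisites named in questions 1 and 2 above (WinRM, the COM+ Network Access and Remote Event Log Management rule groups, and the firewall cmdlets) checked and enabled from one script. This is an added example, not code from the book; the server and workstation address are assumed values, and it is meant to be run elevated on the server that is to be managed.

```powershell
# Added example, not from the book: verify and enable what a server needs
# before it can be managed remotely with Server Manager and the MMC snap-ins.
# $AdminStation is an assumed address for the management workstation.
$AdminStation = '10.0.0.50'

# 1. WinRM must listen before Server Manager or PowerShell remoting can reach
#    the box. Test-WSMan returns the WinRM identity block when the local
#    listener answers, and nothing when it does not.
if (-not (Test-WSMan -ErrorAction SilentlyContinue)) {
    Enable-PSRemoting -Force      # creates the listener and its firewall rules
}

# 2. Inspect the rule groups the snap-ins rely on before touching them.
$groups = @(
    'COM+ Network Access'           # Computer Management snap-in (DCOM)
    'Remote Event Log Management'   # Event Viewer
    'Remote Service Management'     # Services snap-in
)
Get-NetFirewallRule -DisplayGroup $groups |
    Select-Object DisplayName, DisplayGroup, Enabled, Direction, Profile |
    Format-Table -AutoSize

# 3. Enable the groups, then narrow their inbound rules to the management
#    station so the management ports are not reachable from the whole network.
foreach ($g in $groups) {
    Enable-NetFirewallRule -DisplayGroup $g
    Get-NetFirewallRule -DisplayGroup $g -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AdminStation
}
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $AdminStation

# 4. Show-NetFirewallRule prints each rule together with its address, port and
#    application filters, which is the quickest way to confirm the scoping.
Show-NetFirewallRule -DisplayGroup 'Windows Remote Management'

# 5. From the workstation, a remoting round trip proves the whole path:
#    Invoke-Command -ComputerName SRV01 -ScriptBlock { Get-Service WinRM }
```

On servers running versions earlier than Windows Server 2012 the same rule groups exist but, as the summary notes, are disabled by default, so the enable step applies there as well.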
3. Which of the following tasks can you not perform remotely on a server running Windows Server 2008?
A. Install roles by using Server Manager
B. Install roles by using Windows PowerShell
C. Connect to the remote server by using the Computer Management snap-in
D. Monitor event log entries
A. Correct: You cannot install roles on a remote server running Windows Server 2008
by using Server Manager.
4. Which of the following updates must you install on a server running Windows Server
2008 before you can connect to it by using Windows Server 2012 R2 Server Manager?
(Choose all that apply.)
A. .NET Framework 3.5
B. .NET Framework 4.0
C. Windows Management Framework 3.0
D. Windows Server 2008 R2
B. Correct: .NET Framework 4.0 is needed for Server Manager to connect to
Windows Server 2008.
C. Correct: Windows Management Framework 3.0 is needed for Server Manager to
connect to Windows Server 2008.
5. When you run Server Manager from a Windows 8 workstation using Remote Server Administration Tools, which of the following elements do not appear in the default display?
A. The Dashboard
B. The Local Server home page
C. The All Servers home page
D. The Welcome tile
B. Correct: The Local Server home page does not appear, because the local system is
a workstation, not a server.
CHAPTER 3
■■ Virtualization is a process that adds a layer of abstraction between actual, physical
hardware and the system making use of it. Instead of having the server access the
computer’s hardware directly, an intervening component called a hypervisor creates a
VM environment, and the server OS runs in that environment.
■■ Virtualization is the process of deploying and maintaining multiple instances of an OS, called VMs, on a single computer.
■■ Microsoft Hyper-V is a hypervisor-based virtualization system for x64 computers
starting with Windows Server 2008. The hypervisor is installed between the hardware
and the OS and is the main component that manages the virtual computers.
■■ For licensing purposes, Microsoft refers to each VM that you create on a Hyper-V
server as a virtual instance. Each Windows Server 2012 R2 version includes licenses
for a set number of virtual instances; you must purchase additional licenses to license
■■ To keep a small footprint and minimal overhead, Hyper-V Server contains only the
Windows Hypervisor, Windows Server driver model, and virtualization components.
■■ Hyper-V in Windows Server 2012 R2 supports two types of VMs: Generation 1 and
Generation 2. Generation 1 VMs are designed to emulate the hardware found in a
typical computer and are compatible with previous versions of Hyper-V. Generation 2
VMs use synthetic drivers and software-based devices instead and can only run on the
Windows Server 2012 R2 Hyper-V.
■■ Windows Server 2012 R2 Hyper-V supports an enhanced session mode that enables
the Virtual Machine Connection window to redirect a variety of local resources to VMs
running Windows Server 2012 R2 or Windows 8.1.
1. Which of the following statements about Type I and Type II virtualization are true?
(Choose all that apply.)
A. In Type I virtualization, the hypervisor runs on top of a host OS.
B. In Type I virtualization, the hypervisor runs directly on the computer hardware.
C. In Type II virtualization, the hypervisor runs on top of a host OS.
D. In Type II virtualization, the hypervisor runs directly on the computer hardware.
B. Correct: A Type I hypervisor runs directly on the computer hardware.
C. Correct: A Type II hypervisor runs on top of a host OS.
This arrangement, in which the hypervisor runs on top of a host OS, is called Type II virtualization. By using the Type II hypervisor, you create a virtual hardware environment for each VM. You can specify how much memory to allocate to each VM, create virtual disk drives by using space on the computer’s physical drives, and provide access to peripheral devices. You then install a “guest” OS on each VM, just as if you were deploying a new computer. The host OS then shares access to the computer’s processor with the hypervisor, with each taking the clock cycles it needs and passing control of the processor back to the other.
Type II virtualization can provide adequate VM performance, particularly in classroom and laboratory environments, but it does not provide performance equivalent to separate physical computers. Therefore, it is not generally recommended for high-traffic servers in production environments.
2. Which of the following types of server virtualization provides the best performance for high-traffic servers in production environments?
A. Type I virtualization
B. Type II virtualization
C. Presentation virtualization
A. Correct: Type I virtualization provides the best performance because the hypervisor
runs directly on the computer hardware and does not have the overhead of a
B. Incorrect: Type II virtualization provides poorer performance than Type I because
of the need to share processor time with the host OS.
3. Which of the following Microsoft operating systems includes a license that enables you
to license an unlimited number of virtual instances?
A. Hyper-V Server
B. Windows Server 2012 R2 Datacenter
C. Windows Server 2012 R2 Standard
D. Windows Server 2012 R2 Foundation
B. Correct: Windows Server 2012 R2 Datacenter edition includes a license that
enables you to create an unlimited number of virtual instances.
4. Which of the following Hyper-V features make it possible for a VM to function with a
minimum RAM value that is lower than the startup RAM value? (Choose all that apply.)
A. Smart paging
B. Dynamic Memory
C. Memory Weight
D. Guest Integration Services
A. Correct: Smart paging enables a VM to restart even if the amount of RAM specified
as the startup value is unavailable. Smart paging causes the system to use disk
space as a temporary substitute for memory during a system restart.
B. Correct: Dynamic Memory enables you to specify a minimum RAM value that
is smaller than the startup RAM value, but Smart paging enables the system to
function with those parameters.
C. Incorrect: Windows Memory Weight controls the allocation of memory among
VMs, but it does not affect the ability of a system to start.
D. Correct: Guest Integration Services is required for a guest OS to use Dynamic
5. When you install the Hyper-V role on a server running Windows Server 2012 R2, the
instance of the OS on which you installed the role is converted to what system element?
A. The hypervisor
B. The Virtual Machine Monitor
C. The parent partition
D. A child partition
C. Correct: The instance of the OS on which you install the Hyper-V role becomes the
6. Which of the following statements about Generation 1 and Generation 2 virtual machines are true? (Choose all that apply.)
A. You must create a Generation 1 VM before you can create a Generation 2 VM.
B. Generation 2 VMs deploy faster than Generation 1 VMs.
C. Generation 2 VMs only support Windows 8.1 and Windows Server 2012 R2 as
guest operating systems.
D. Generation 2 VMs use the same device drivers as Generation 1 VMs.
B. Correct: Because they use improved and synthetic drivers, Generation 2 VMs deploy
faster than Generation 1 VMs.
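The Generation 2 and Dynamic Memory points from the summary and from questions 4 and 6, carried out with the Hyper-V module. This is an added example, not code from the book; the VM name, paths, switch name and sizes are assumed values, and the script is meant to be run on a Windows Server 2012 R2 Hyper-V host.

```powershell
# Added example, not from the book: create a Generation 2 VM whose minimum
# RAM is below its startup RAM (Dynamic Memory), and set the Smart Paging
# location that lets it restart when the startup amount is unavailable.
$VMName  = 'SRV-TEST01'                 # assumed
$VhdPath = 'D:\VMs\SRV-TEST01.vhdx'     # assumed
$Switch  = 'External-LAN'               # assumed existing virtual switch

# Generation 2: synthetic devices only, UEFI firmware, no legacy emulation.
New-VM -Name $VMName -Generation 2 -MemoryStartupBytes 2GB `
       -NewVHDPath $VhdPath -NewVHDSizeBytes 60GB -SwitchName $Switch

# Dynamic Memory with Minimum < Startup < Maximum. Priority is the value the
# GUI labels Memory Weight; it ranks VMs when host RAM is scarce but has no
# effect on whether a VM can start.
Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $true `
             -MinimumBytes 512MB -StartupBytes 2GB -MaximumBytes 8GB `
             -Priority 50 -Buffer 20

# Smart Paging file location is a VM setting, not a memory setting. The
# folder must already exist on the host.
Set-VM -Name $VMName -SmartPagingFilePath 'D:\VMs\SmartPaging'

# Read back what was configured.
Get-VMMemory -VMName $VMName |
    Select-Object VMName, DynamicMemoryEnabled, Minimum, Startup, Maximum, Priority, Buffer
Get-VM -Name $VMName | Select-Object Name, Generation, SmartPagingFilePath

# Guest Integration Services must be present inside the guest for Dynamic
# Memory to work; this shows which services are enabled on the VM side.
Get-VMIntegrationService -VMName $VMName | Select-Object Name, Enabled
```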
■■ Hyper-V uses a specialized VHD format to package part of the space on a physical disk
and make it appear to the VM as though it is a physical hard disk drive.
■■ A dynamic hard disk image is an image file with a specified maximum size, which starts small and expands as needed to accommodate the data the system writes to it.
■■ A differencing hard disk image is a child image file associated with a specific parent
image. The system writes all changes made to the operating system to the child
image, to facilitate a rollback at a later time.
■■ VHDX image files in Windows Server 2012 R2 can be as large as 64 TB, and they also
support 4-KB logical sector sizes to provide compatibility with new 4-KB native drives.
■■ A pass-through disk is a type of virtual disk that points to a physical disk drive installed on the host computer.
■■ In Hyper-V, a checkpoint is a captured image of the state, data, and hardware configuration of a VM at a particular moment in time.
■■ QoS management in Hyper-V takes the form of controls that enable you to specify the
minimum and maximum input/output operations per second (IOPS) for a disk.
■■ The specialized networking technologies used to build Fibre Channel SANs have, in the past, made it difficult to use them with virtualized servers. However, Windows Server 2012 R2 Hyper-V supports the creation of virtual Fibre Channel adapters.
1. Which of the following statements about VHDX files is not true?
A. VHDX files can be as large as 64 TB.
B. VHDX files can only be opened by computers running Windows Server 2012 and
Windows Server 2012 R2.
C. VHDX files support larger block sizes than VHD files.
D. VHDX files support 4-KB logical sectors.
A. Incorrect: VHDX files can be as large as 64 TB, whereas VHD files are limited
to 2 TB.
B. Correct: Windows Server 2012, Windows Server 2012 R2, Windows 8, and
Windows 8.1 can all open VHDX files.
C. Incorrect: VHDX files support block sizes as large as 256 MB.
D. Incorrect: VHDX files can support the 4,096-byte block sizes found on some
2. Which of the following must be true about a pass-through disk?
A. A pass-through disk must be offline in the guest OS that will access it.
B. A pass-through disk must be offline in the parent partition of the Hyper-V server.
C. A pass-through disk can only be connected to a SCSI controller.
D. A pass-through disk must be added to a VM with the Disk Management snap-in
B. Correct: A pass-through disk must be offline in the parent container so that the
guest OS can have exclusive access to it.
3. The Merge function only appears in the Edit Virtual Hard Disk Wizard under which of
the following conditions?
A. When you select a VHDX file for editing
B. When you select two or more disks for editing
C. When you select a disk with free space available in it
D. When you select a differencing disk for editing
D. Correct: The Merge function appears only when you select a differencing disk for
editing. The object of the function is to combine the data in the differencing disk
with that of the parent.
4. Which of the following are valid reasons not to take checkpoints of VMs? (Choose all
A. Checkpoints can consume a large amount of disk space.
B. Each checkpoint requires a separate copy of the VM’s memory allocation.
C. Each checkpoint can take several hours to create.
D. The existence of checkpoints slows down VM performance.
A. Correct: Checkpoints consume disk space that could be better used for other
D. Correct: The Hyper-V server must locate and process checkpoints each time it
accesses a VM’s disk drives, slowing down its performance.
5. Which of the following is not required to add a Fibre Channel adapter to a Hyper-V VM?
A. You must create a Fibre Channel virtual SAN.
B. You must have a physical Fibre Channel adapter installed in the host computer.
C. You must have a Fibre Channel adapter driver that supports virtual networking.
D. You must have a SCSI cable connecting the Fibre Channel adapter to the storage
D. Correct: SCSI cables are not required for Fibre Channel installations.
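The disk formats, checkpoints and storage QoS from the summary above, and the Merge operation from question 3, done with the Hyper-V module instead of the wizards. This is an added example, not code from the book; the paths and VM name are assumed values.

```powershell
# Added example, not from the book: dynamic and differencing VHDX files,
# IOPS limits, checkpoints and a merge, on an assumed host layout.
$Parent = 'D:\VHD\base-2012r2.vhdx'     # assumed
$Child  = 'D:\VHD\srv-test02.vhdx'      # assumed
$VMName = 'SRV-TEST02'                  # assumed existing VM

# Dynamic VHDX: starts small, grows on demand up to 60 GB. 4-KB logical
# sectors match the 4-KB native drives the summary mentions.
New-VHD -Path $Parent -SizeBytes 60GB -Dynamic -LogicalSectorSizeBytes 4096 -BlockSizeBytes 32MB

# Differencing VHDX: every write lands in the child; the parent is never
# modified, which is what makes a later rollback possible.
New-VHD -Path $Child -ParentPath $Parent -Differencing
Get-VHD -Path $Child |
    Select-Object Path, VhdFormat, VhdType, ParentPath, LogicalSectorSize, BlockSize, Size, FileSize

# Attach the child to the VM (Generation 2 VMs use SCSI only) and cap it with
# storage QoS so one busy guest cannot starve the others on the same spindle.
Add-VMHardDiskDrive -VMName $VMName -ControllerType SCSI -Path $Child
Set-VMHardDiskDrive -VMName $VMName -ControllerType SCSI -ControllerNumber 0 -ControllerLocation 0 `
                    -MinimumIOPS 100 -MaximumIOPS 500

# Checkpoint before risky work, inspect, and remove it afterwards; removing
# a checkpoint makes Hyper-V merge its .avhdx back, so the chain stops
# growing and the per-access lookup cost from question 4 goes away.
Checkpoint-VM -Name $VMName -SnapshotName 'before-patching'
Get-VMSnapshot -VMName $VMName | Select-Object VMName, Name, CreationTime
Remove-VMSnapshot -VMName $VMName -Name 'before-patching'

# Merge the differencing disk into its parent: same thing the Edit Virtual
# Hard Disk Wizard's Merge does. The VM must be off and the file not in use.
Stop-VM -Name $VMName
Remove-VMHardDiskDrive -VMName $VMName -ControllerType SCSI -ControllerNumber 0 -ControllerLocation 0
Merge-VHD -Path $Child -DestinationPath $Parent
```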
■■ Networking is a critical part of creating a VM infrastructure. Depending on your
network plan, the VMs you create on a Windows Server 2012 R2 Hyper-V server can
require communication with other VMs, with the computers on your physical network,
and with the Internet.
■■ A virtual switch, like its physical counterpart, is a device that functions at Layer 2 of
the OSI reference model. A switch has a series of ports, each of which is connected to
a computer’s network interface adapter. Any computer connected to the switch can
transmit data to any other computer connected to the same switch.
■■ Hyper-V in Windows Server 2012 R2 supports three types of switches: external, internal,
and private, which you must create in the virtual Switch Manager before you can
connect VMs to them.
■■ Every network interface adapter has a MAC address—sometimes called a hardware
address—that uniquely identifies the device on the network.
■■ Once you have created virtual switches in Hyper-V Manager, you can connect VMs to
them by creating and configuring virtual network adapters.
■■ Selecting the Network Adapter option on the Add Hardware page creates what is
known in Hyper-V terminology as a synthetic network adapter. Hyper-V supports two
types of network and storage adapters: synthetic and emulated (sometimes called
■■ NIC teaming is a Windows feature that enables administrators to join multiple network adapters into a single entity for performance enhancement or fault tolerance purposes.
1. Which of the following are valid reasons for using an emulated network adapter rather than a synthetic one? (Choose all that apply.)
A. You want to install the guest OS by using a Windows Deployment Services server.
B. There is no Guest Integration Services package available for the guest OS you plan
C. The manufacturer of your physical network adapter has not yet provided a synthetic
network adapter driver.
D. The emulated network adapter provides better performance.
A. Correct: A Windows Deployment Server installation requires the network adapter
to support PXE, which emulated adapters do, but synthetic adapters do not.
B. Correct: Synthetic adapter drivers are installed as part of the Guest Integration
Services package; if there is no package for the guest OS, then there are no
2. Which of the following statements is not true about synthetic network adapters?
A. Synthetic adapters communicate with the parent partition by using the VMBus.
B. Synthetic adapters require the Guest Integration Services package to be installed
on the guest OS.
C. Synthetic adapters provide faster performance than emulated adapters.
D. Synthetic adapters can start the child VM by using a PXE network boot.
D. Correct: Synthetic network adapters load with the Guest Integration Services on
the guest OS, which prevents them from supporting PXE.
3. What is the maximum number of ports supported by a Hyper-V virtual switch?
D. Correct: Hyper-V virtual switches can support an unlimited number of
4. Which of the following virtual switch types does not enable guest OSs to communicate
with the parent partition?
C. Correct: Private switches enable the guest OSs to communicate with one another
but not with the outside network or the parent partition.
5. How many dynamically assigned MAC addresses can a Hyper-V server provide by
B. Correct: A Hyper-V server provides a pool of 256 MAC addresses by default. You
can create more by modifying the default address range.
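The three switch types, the synthetic and emulated adapters, and the default MAC address pool from the summary and questions 1 to 5 above, created with the Hyper-V module. This is an added example, not code from the book; the switch names, physical adapter name, VM name and MAC range are assumed values.

```powershell
# Added example, not from the book: build the three virtual switch types,
# add both adapter kinds to a VM, and inspect the dynamic MAC pool.
$VMName = 'SRV-TEST01'   # assumed existing Generation 1 VM (legacy NIC needs Gen 1)

# External: bound to a physical NIC. -AllowManagementOS $false keeps the
# parent partition's own traffic off the NIC that the VMs share.
New-VMSwitch -Name 'External-LAN' -NetAdapterName 'Ethernet 2' -AllowManagementOS $false
# Internal: VMs and the parent partition can talk, nothing leaves the host.
New-VMSwitch -Name 'Internal-Mgmt' -SwitchType Internal
# Private: VMs only; the parent partition is not reachable (question 4).
New-VMSwitch -Name 'Private-Lab' -SwitchType Private
Get-VMSwitch | Select-Object Name, SwitchType, NetAdapterInterfaceDescription

# Synthetic adapter (the default): VMBus transport, needs Guest Integration
# Services in the guest, cannot PXE boot.
Add-VMNetworkAdapter -VMName $VMName -Name 'Lab-NIC' -SwitchName 'Private-Lab'
# Emulated (legacy) adapter: slower, but works without integration services
# and supports PXE, which a Windows Deployment Services install needs.
Add-VMNetworkAdapter -VMName $VMName -Name 'PXE-NIC' -SwitchName 'External-LAN' -IsLegacy $true
Get-VMNetworkAdapter -VMName $VMName |
    Select-Object Name, IsLegacy, SwitchName, MacAddress, DynamicMacAddressEnabled

# Default pool: 256 dynamic MAC addresses per host (last octet 00-FF).
Get-VMHost | Select-Object MacAddressMinimum, MacAddressMaximum
# Widening the range is allowed, but every host that shares a Layer 2 segment
# must get a non-overlapping range or two VMs will end up with the same MAC.
Set-VMHost -MacAddressMinimum '00155D010000' -MacAddressMaximum '00155D01FFFF'
```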
CHAPTER 4
■■ The IPv4 address space consists of 32-bit addresses, notated as four 8-bit decimal
values from 0 to 255 separated by periods, as in the example 192.168.43.100. This is
known as dotted-decimal notation and the individual 8-bit decimal values are called
octets or bytes.
■■ Because the subnet mask associated with IP addresses can vary, the number of bits
used to identify the network and the host can also vary. The original IP standard
defines three address classes for assignment to networks, which support different
numbers of networks and hosts.
■■ Because of its wastefulness, classful addressing was gradually made obsolete by a
series of subnetting methods, including VLSM and eventually CIDR.
■■ When a Windows computer starts, it initiates the IPv6 stateless address
autoconfiguration process, during which it assigns each interface a link-local
■■ The simplest and most obvious method for transitioning from IPv4 to IPv6 is to run
both, and this is what all current versions of Windows do.
■■ The primary method for transmitting IPv6 traffic over an IPv4 network is called
tunneling. Tunneling is the process by which a system encapsulates an IPv6 datagram
within an IPv4 packet.
1. Which of the following is the primary method for transmitting IPv6 traffic over an IPv4
B. Correct: Tunneling is a method for encapsulating IPv6 traffic within IPv4
2. Which of the following is the IPv6 equivalent to a private IPv4 address?
A. Link-local unicast address
B. Global unique unicast address
C. Unique local unicast address
D. Anycast address
C. Correct: Unique local unicast addresses are the IPv6 equivalent of the 10.0.0.0/8,
172.16.0.0/12, and 192.168.0.0/16 private network addresses in IPv4.
3. Which of the following is an automatic tunneling protocol used by Windows operating
systems that are located behind NAT routers?
A. Correct: Teredo is a mechanism that enables devices behind non-IPv6 NAT routers
to function as tunnel endpoints.
To use 6to4 tunneling, both endpoints of the tunnel must have registered IPv4 addresses.
However, on many networks, the system that would function as the endpoint is located
behind a NAT router, and therefore has an unregistered address. In such a case, the only
registered address available is assigned to the NAT router itself, and unless the router supports 6to4 (which many don’t), it is impossible to establish the tunnel.
Teredo is a mechanism that addresses this shortcoming by enabling devices behind
non-IPv6 NAT routers to function as tunnel endpoints. To do this, Teredo encapsulates IPv6 packets within transport-layer User Datagram Protocol (UDP) datagrams rather than network-layer IPv4 datagrams, as 6to4 does.
For a Teredo client to function as a tunnel endpoint, it must have access to a Teredo server, with which it exchanges Router Solicitation messages and Router Advertisement messages to determine whether the client is located behind a NAT router.
To initiate communications, a Teredo client exchanges null packets called bubbles with the desired destination, using the Teredo servers at each end as intermediaries. The function of the bubble messages is to create mappings for both computers in each other’s NAT routers.
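The dual-stack and transition components just described (stateless autoconfiguration, 6to4, ISATAP and Teredo) as they can be observed on a Windows Server 2012 R2 host. This is an added example, not code from the book; it uses the NetTCPIP and NetworkTransition modules that ship with the OS and assumes nothing beyond that.

```powershell
# Added example, not from the book: show what the IPv6 stack and the tunnel
# components are doing on this host, then turn Teredo off where it is not wanted.

# 1. Link-local addresses (fe80::/10) assigned by stateless autoconfiguration
#    at startup; PrefixOrigin WellKnown marks the fe80 prefix, SuffixOrigin
#    shows whether the interface ID came from the link layer or was random.
Get-NetIPAddress -AddressFamily IPv6 |
    Where-Object { $_.IPAddress -like 'fe80*' } |
    Select-Object InterfaceAlias, IPAddress, PrefixLength, PrefixOrigin, SuffixOrigin

# 2. Teredo: IPv6 inside UDP, so it passes IPv4 NAT routers that 6to4 cannot.
Get-NetTeredoConfiguration     # Type (Default/Client/Enterpriseclient/Disabled), ServerName
Get-NetTeredoState             # whether the client has qualified with its Teredo server

# 3. The IPv4-encapsulated tunnels: 6to4 needs a registered IPv4 address on
#    the endpoint, ISATAP is for intranet use.
Get-Net6to4Configuration
Get-NetIsatapConfiguration

# 4. Every IPv6 interface the stack knows about, tunnels included.
Get-NetIPInterface -AddressFamily IPv6 |
    Select-Object InterfaceAlias, ConnectionState, Forwarding, AutomaticMetric

# 5. A server that should never tunnel out gets Teredo disabled: otherwise
#    IPv6 traffic can leave inside UDP and bypass an IPv4-only perimeter policy,
#    and the UDP exchanges with the Teredo server would show up as unexpected
#    outbound traffic in firewall logs.
Set-NetTeredoConfiguration -Type Disabled
Get-NetTeredoConfiguration | Select-Object Type, ServerName
```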
4. Which type of IP address must a system have to be visible from the Internet?
C. Class B
A. Correct: For an address to be visible from the Internet, it must be registered
with the IANA.
5. Which of the following subnet mask values would you use when configuring a TCP/IP
client with an IPv4 address on the 172.16.32.0/19 network?
C. Correct: In binary form, the mask 255.255.224.0 is 11111111.11111111.11100000.
00000000, which contains 19 network identifier bits.
How to find a subnet mask
Subnet mask octet value   128  192  224  240  248  252  254  255
Bit value                 128   64   32   16    8    4    2    1
Class A (/8) prefix        /9  /10  /11  /12  /13  /14  /15  /16
Class B (/16) prefix      /17  /18  /19  /20  /21  /22  /23  /24
Class C (/24) prefix      /25  /26  /27  /28  /29  /30  /31  /32
TCP/IP: 3 classes
Class  First octet  Default subnet mask  Private IP range (free)
A      1-126        255.0.0.0            10.0.0.1-10.255.255.254
B      128-191      255.255.0.0          172.16.0.1-172.31.255.254
C      192-223      255.255.255.0        192.168.0.1-192.168.255.254
D      224-239      (multicast IP range)
E      240-255      (research and development)
127.* = loopback IP range
127.0.0.1 = loopback or localhost
127.0.0.2 = ?
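The subnet-mask table above worked in code, so that the /19 answer to question 5 and the class table can be checked for any address. This is an added example, not code from the book; Get-SubnetMask and Get-SubnetInfo are helper names chosen here, and the addresses passed at the end are constructed inputs.

```powershell
# Added example, not from the book: Get-SubnetMask builds the mask octet by
# octet exactly as the table does (1 network bit in an octet -> 128, 2 -> 192,
# ... 8 -> 255); Get-SubnetInfo derives network, broadcast, usable hosts,
# class and private status from an address and prefix length.
function Get-SubnetMask {
    param([Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength)
    $octets = foreach ($i in 0..3) {
        # number of network bits that fall inside octet $i (0..8)
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))
        if ($bits -eq 0) { 0 } else { 256 - [int][Math]::Pow(2, 8 - $bits) }
    }
    $octets -join '.'
}

function Get-SubnetInfo {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength
    )
    $ip   = [int[]]($Address -split '\.')
    $mask = [int[]]((Get-SubnetMask -PrefixLength $PrefixLength) -split '\.')
    $net  = foreach ($i in 0..3) { $ip[$i] -band $mask[$i] }             # host bits cleared
    $bc   = foreach ($i in 0..3) { $net[$i] -bor (255 -bxor $mask[$i]) } # host bits set
    $hostBits = 32 - $PrefixLength
    # network and broadcast addresses are not assignable to hosts
    $usable = if ($hostBits -lt 2) { 0 } else { [Math]::Pow(2, $hostBits) - 2 }

    # Classful range of the first octet, as in the "TCP/IP: 3 classes" table
    $class = switch ($ip[0]) {
        127                            { 'loopback'; break }
        { $_ -ge 1   -and $_ -le 126 } { 'A'; break }
        { $_ -ge 128 -and $_ -le 191 } { 'B'; break }
        { $_ -ge 192 -and $_ -le 223 } { 'C'; break }
        { $_ -ge 224 -and $_ -le 239 } { 'D (multicast)'; break }
        default                        { 'E (reserved)' }
    }
    # Private ranges: 10/8, 172.16/12, 192.168/16
    $private = ($ip[0] -eq 10) -or
               ($ip[0] -eq 172 -and $ip[1] -ge 16 -and $ip[1] -le 31) -or
               ($ip[0] -eq 192 -and $ip[1] -eq 168)

    [pscustomobject]@{
        Address     = "$Address/$PrefixLength"
        SubnetMask  = $mask -join '.'
        Network     = $net -join '.'
        Broadcast   = $bc -join '.'
        UsableHosts = [int64]$usable
        Class       = $class
        Private     = $private
    }
}

# Question 5 above: a client on 172.16.32.0/19 gets mask 255.255.224.0;
# the constructed host 172.16.45.7 lands in network 172.16.32.0, broadcast
# 172.16.63.255, with 8190 usable hosts, class B, private.
Get-SubnetInfo -Address 172.16.45.7 -PrefixLength 19
Get-SubnetInfo -Address 192.168.43.100 -PrefixLength 24
```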
■■ DHCP is a service that automatically configures the IP address and other TCP/IP
settings on network computers by assigning addresses from a pool (called a scope)
and reclaiming them when they are no longer in use.
■■ DHCP consists of three components: a DHCP service, a DHCP client, and a DHCP
■■ The DHCP standards define three different IP address allocation methods: dynamic
allocation, automatic allocation, and manual allocation.
1. Which of the following terms best describes the component that enables DHCP clients
to communicate with DHCP servers on other subnets?
D. Relay agent
D. Correct: A relay agent is a software module that receives DHCP broadcast
messages and forwards them to a DHCP server on another subnet.
2. Which of the following message types is not used during a successful DHCP address
A. Incorrect: The DHCP address assignment process begins when the DHCP client
generates DHCPDISCOVER messages and broadcasts them on the local network.
B. Incorrect: The client eventually stops broadcasting and signals its acceptance of
one of the offered addresses by generating a DHCPREQUEST message.
C. Incorrect: When the server offering the accepted IP address receives the
DHCPREQUEST message, it transmits a DHCPACK message to the client, acknowledging
the completion of the process.
D. Correct: The DHCPINFORM message type is not used during an IP address
3. Which of the following DHCP address allocation types is the equivalent of a reservation in Windows Server 2012 R2?
A. Dynamic allocation
B. Automatic allocation
C. Manual allocation
D. Hybrid allocation
C. Correct: Manual allocation is when the DHCP server permanently assigns a specific
IP address to a specific computer on the network. In the Windows Server 2012 R2
DHCP server, manually allocated addresses are called reservations.
4. Which of the following network components are typically capable of functioning as
DHCP relay agents?
A. Windows 8.1 computers
D. Windows Server 2012 R2 computers
4. Correct answers: B, D
A. Incorrect: Windows 8.1 cannot function as a LAN router, and it therefore cannot
function as a DHCP relay agent.
B. Correct: Most IP routers have DHCP relay agent capabilities built into them. If
the routers connecting your subnets are so equipped, you can use them as relay
agents, eliminating the need for a DHCP server on each subnet.
C. Incorrect: Switches are data-link layer devices and are designed to communicate
with devices on the same subnet. A DHCP relay agent requires access to two
D. Correct: If your routers cannot function as DHCP relay agents, you can use
the relay agent capability built into the Windows server operating systems. In
Windows Server 2012 R2, the DHCP relay agent capability is built into the Remote
5. Which of the following TCP/IP parameters is typically deployed as a scope option in
A. DNS Server
B. Subnet Mask
C. Lease Duration
D. Default Gateway
5. Correct answer: D
A. Incorrect: In most cases, all the computers on a network will use the same DNS
server, so it is more convenient to deploy its address once by using a server option
than to deploy it as a scope option on every scope.
B. Incorrect: The subnet mask is automatically included with every address lease and
therefore does not have to be deployed as a scope option or a server option.
C. Incorrect: The lease duration option is automatically included with every address
lease and therefore does not have to be deployed as a scope option or a server
D. Correct: The default gateway must be a router on the same subnet as the IP
addresses the DHCP server is allocating. Therefore, the gateway address is different
for every scope and must be deployed as a scope option
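The scope, scope option versus server option, and reservation (manual allocation) points from questions 3 and 5 above, configured with the DhcpServer module. This is an added example, not code from the book; the subnet, addresses, names and MAC address are assumed values, and the script is meant to be run on a domain-joined Windows Server 2012 R2 DHCP server.

```powershell
# Added example, not from the book: one scope with its per-scope router,
# server-wide DNS options, a reservation, an exclusion, and the audit log.
Install-WindowsFeature DHCP -IncludeManagementTools

# In an AD DS domain a DHCP server must be authorized before it serves
# leases; this is the control that keeps unauthorized servers from handing
# out addresses to domain clients.
Add-DhcpServerInDC -DnsName 'dhcp01.corp.example' -IPAddress 192.168.1.20   # assumed
Get-DhcpServerInDC

# Scope for 192.168.10.0/24 with an 8-day lease.
Add-DhcpServerv4Scope -Name 'Branch-LAN' -StartRange 192.168.10.50 -EndRange 192.168.10.200 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Scope option: the default gateway is a router on this subnet, so it is
# different for every scope (question 5).
Set-DhcpServerv4OptionValue -ScopeId 192.168.10.0 -Router 192.168.10.1

# Server option: every scope inherits the same DNS servers and suffix.
Set-DhcpServerv4OptionValue -DnsServer 192.168.1.10, 192.168.1.11 -DnsDomain 'corp.example'

# Manual allocation = reservation: this client ID always gets this address.
Add-DhcpServerv4Reservation -ScopeId 192.168.10.0 -IPAddress 192.168.10.25 `
    -ClientId '00-15-5D-01-02-03' -Name 'printer01' -Description 'Floor 2 printer'

# Keep statically addressed devices out of the dynamic pool.
Add-DhcpServerv4ExclusionRange -ScopeId 192.168.10.0 -StartRange 192.168.10.50 -EndRange 192.168.10.59

# Effective options: scope level first, then server level.
Get-DhcpServerv4OptionValue -ScopeId 192.168.10.0
Get-DhcpServerv4OptionValue

# The audit log records each DISCOVER/OFFER/REQUEST/ACK exchange; it is the
# first place to look when investigating unexpected leases.
Get-DhcpServerAuditLog
```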
■■ DHCP is a service that automatically configures the IP address and other TCP/IP
settings on network computers by assigning addresses from a pool (called a scope)
and reclaiming them when they are no longer in use.
■■ TCP/IP networks today use DNS servers to convert host names into IP addresses.
This conversion process is referred to as name resolution.
■■ DNS consists of three elements: the DNS namespace, name servers, and resolvers.
■■ The hierarchical nature of the DNS namespace is designed to make it possible for any
DNS server on the Internet to locate the authoritative source for any domain name by
using a minimum number of queries.
■■ In a recursive query, the DNS server receiving the name resolution request takes full
responsibility for resolving the name. In an iterative query, the server that receives the
name resolution request immediately responds with the best information it possesses
at the time.
■■ For Internet name resolution purposes, the only functions required of the DNS server
are the ability to process incoming queries from resolvers and send its own queries to
other DNS servers on the Internet.
1. Which of the following resource record types contains the information a DNS server
needs to perform reverse name lookups?
1. Correct answer: D
A. Incorrect: A resource record contains information for forward name lookups, not
reverse name lookups.
B. Incorrect: CNAME resource records contain alias information for A records. They
are not used for reverse name lookups.
C. Incorrect: SOA records specify that a server is the authoritative source for a zone.
They are not used for reverse name lookups.
D. Correct: PTR records contain the information needed for the server to perform
reverse name lookups.
2. Which of the following would be the correct FQDN for a resource record in a reverse
lookup zone if the computer’s IP address is 10.75.143.88?
A. Correct: To resolve the IP address 10.75.143.88 into a name, a DNS server would
locate a domain called 143.75.10.in-addr.arpa in the usual manner and read the
contents of a resource record named 88 in that domain.
3. Which of the following is not one of the elements of DNS?
B. Relay agents
C. Name servers
3. Correct answer: B
A. Incorrect: Resolvers are client programs that generate DNS queries and send them
to a DNS server for fulfillment.
B. Correct: Relay agents are router devices that enable DHCP clients to communicate
with servers on other networks.
C. Incorrect: Name servers are applications running on server computers that maintain
information about the domain tree structure.
D. Incorrect: DNS consists of a tree-structured namespace in which each branch of
the tree identifies a domain.
4. In which of the following DNS transactions does the querying system generate a recursive query?
A. A DNS client sends the server name http://www.adatum.com to its designated DNS
server for resolution.
B. A client’s DNS server sends a request to a root domain server to find the authoritative
server for the com top-level domain.
C. A client’s DNS server sends a request to the com top-level domain server to find
the authoritative server for the adatum.com domain.
D. A client’s DNS server sends a request to the adatum.com domain server to find the
IP address associated with the server name www.
4. Correct answer: A
A. Correct: When a client sends a name resolution query to its DNS server, it uses a
recursive request so that the server will take on the responsibility for resolving the
B. Incorrect: A DNS server seeking the server for a top-level domain uses iterative,
not recursive, queries.
C. Incorrect: A DNS server seeking the server for a second-level domain uses iterative,
not recursive, queries.
D. Incorrect: A DNS server requesting a server name resolution from an authoritative
server uses iterative, not recursive, queries.
5. Which of the following contains the controls used to modify DNS name caching?
A. The Forwarders tab of a server’s Properties sheet
B. The Start of Authority (SOA) tab of a zone’s Properties sheet
C. The Root Hints tab of a server’s Properties sheet
D. The New Zone Wizard
5. Correct answer: B
A. Incorrect: The Forwarders tab is where you specify the addresses of servers that
will receive your server’s recursive queries.
B. Correct: The Start of Authority (SOA) tab of a zone’s Properties sheet contains the
Minimum (Default) TTL setting that controls DNS name caching for the zone.
C. Incorrect: The Root Hints tab is where you specify the addresses of the root name
servers on the Internet.
D. Incorrect: The New Zone Wizard does not enable you to modify name caching
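The reverse lookup zone and PTR record from questions 1 and 2, the recursive versus iterative distinction from question 4, and the SOA, forwarder and root-hint settings from question 5, done with the DnsServer and DnsClient modules. This is an added example, not code from the book; the zone names and addresses are assumed values (adatum.com and 10.75.143.88 are taken from the questions).

```powershell
# Added example, not from the book: forward and reverse zones, a PTR record,
# recursive and non-recursive queries, and the caching controls.

# Forward zone plus the reverse zone that holds PTR records for 10.75.143.0/24.
Add-DnsServerPrimaryZone -Name 'adatum.com' -ZoneFile 'adatum.com.dns'
Add-DnsServerPrimaryZone -NetworkId '10.75.143.0/24' -ZoneFile '143.75.10.in-addr.arpa.dns'

# -CreatePtr writes the matching PTR: a record named 88 in 143.75.10.in-addr.arpa,
# i.e. the FQDN 88.143.75.10.in-addr.arpa from question 2.
Add-DnsServerResourceRecordA -ZoneName 'adatum.com' -Name 'www' -IPv4Address 10.75.143.88 -CreatePtr
Get-DnsServerResourceRecord -ZoneName '143.75.10.in-addr.arpa' -RRType Ptr

# Client side: Resolve-DnsName reverses the address into the in-addr.arpa name itself.
Resolve-DnsName -Name 10.75.143.88 -Type PTR

# A normal client query is recursive: the server owns the whole resolution.
Resolve-DnsName -Name www.adatum.com -Server 10.75.143.5
# -NoRecursion asks the way one server asks another: the server answers only
# with what it already has (an answer, a referral, or nothing).
Resolve-DnsName -Name www.adatum.com -Server 10.75.143.5 -NoRecursion

# Caching for a zone is governed by the Minimum TTL on its SOA record
# (the Start of Authority tab in the GUI).
Get-DnsServerResourceRecord -ZoneName 'adatum.com' -RRType Soa |
    Select-Object -ExpandProperty RecordData

# Where the server sends its own recursive queries, and the root servers it
# falls back on.
Get-DnsServerForwarder
Get-DnsServerRootHint

# A server that only hosts zones for others should not recurse for anyone:
# open recursion is what lets an outside party use it to amplify traffic.
Set-DnsServerRecursion -Enable $false
Get-DnsServerRecursion
```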
CHAPTER 5
■■ A directory service is a repository of information about the resources—hardware,
software, and human—that are connected to a network. Active Directory is the
directory service that Microsoft first introduced in Windows 2000 Server, which has
been upgraded in each successive server operating system release, including Windows
Server 2012 R2.
■■ When you create your first domain on an Active Directory network, you are in essence
creating the root of a domain tree. You can populate the tree with additional domains,
as long as they are part of the same contiguous namespace.
■■ When beginning a new AD DS installation, the first step is to create a new forest, which
you do by creating the first domain in the forest, the forest root domain.
■■ In Windows Server 2012 R2, it is now possible to install AD DS on a computer running
the Server Core installation option and promote the system to a domain controller, all
by using Windows PowerShell.
■■ IFM is a feature that enables administrators to streamline the process of deploying
replica domain controllers to remote sites.
■■ There are two ways to upgrade an AD DS infrastructure. You can upgrade the existing
down-level domain controllers to Windows Server 2012 R2 or you can add a new
Windows Server 2012 R2 domain controller to your existing installation.
■■ The global catalog is an index of all the AD DS objects in a forest that prevents systems
from having to perform searches among multiple domain controllers.
■■ DNS is essential to the operation of AD DS. To accommodate directory services such
as AD DS, a special DNS resource record was created that enables clients to locate
domain controllers and other vital AD DS services.
1. Which of the following cannot contain multiple Active Directory domains?
A. Organizational units
A. Correct: In AD DS, you can subdivide a domain into OUs and populate it with
objects, but you cannot create domains within OUs.
2. What are the two basic classes of Active Directory objects?
2. Correct answers: B, D
A. Incorrect: There is no object class called resource.
B. Correct: There are two basic classes of objects: container objects and leaf objects.
A leaf object cannot have subordinate objects.
C. Incorrect: A domain is a specific object type, not a general classification.
D. Correct: There are two basic classes of objects: container objects and leaf objects.
A container object is one that can have other objects subordinate to it.
3. Which of the following is not true about an object’s attributes?
A. Administrators must manually supply information for certain attributes.
B. Every container object has, as an attribute, a list of all the other objects it contains.
C. Leaf objects do not contain attributes.
D. Active Directory automatically creates the globally unique identifier (GUID).
3. Correct answer: C
A. Incorrect: Some attributes are created automatically, whereas administrators must
supply information for other attributes manually.
B. Incorrect: A container object has, as one of its attributes, a list of all the other
objects it contains.
C. Correct: Leaf objects have attributes that contain information about the specific
resource the object represents.
D. Incorrect: Some attributes are created automatically, such as the globally unique
identifier (GUID) that the domain controller assigns to each object when it
4. Which of the following is not a reason you should try to create as few domains as
possible when designing an Active Directory infrastructure?
A. Creating additional domains increases the administrative burden of the installation.
B. Each additional domain you create increases the hardware costs of the Active
C. Some applications might have problems working in a forest with multiple domains.
D. You must purchase a license from Microsoft for each domain you create
D. Correct: No special Microsoft licenses are needed for domains.
5. Which of the following does an Active Directory client use to locate objects in another
B. Global Catalog
D. Site Link
5. Correct answer: B
A. Incorrect: DNS is used to locate domain controllers (through SRV records), not to
search the directory for objects.
B. Correct: To locate an object in another domain, Active Directory clients perform
a search of the global catalog first. This search provides the client with the
information it needs to search for the object in the specific domain that contains it.
C. Incorrect: DHCP does not provide search capabilities.
D. Incorrect: Site link objects do not provide search capabilities.
■■ The user account is the primary means by which people using an AD DS forest access
■■ One of the most common tasks for administrators is the creation of Active Directory
user objects. Windows Server 2012 R2 includes several tools you can use to create
■■ Windows Server 2012 R2 has redesigned the Active Directory Administrative Center
(ADAC) application, first introduced in Windows Server 2008 R2, to fully incorporate
new features such as the Active Directory Recycle Bin and fine-grained password
policies. You can also use the tool to create and manage AD DS user accounts.
■■ When an application already holds the users you need to add, with their accompanying
information, you can export that data from the application to a file in CSV format and
import it into the AD DS database with CSVDE.exe.
■■ LDIFDE.exe is a utility that has the same basic import and export functionality as
CSVDE.exe and, unlike CSVDE.exe, can also modify and delete existing records in Active
Directory.
■■ Because an AD DS forest uses a centralized directory, there has to be some means of
tracking the actual computers that are part of the domain. To do this, Active Directory
uses computer accounts, which are realized in the form of computer objects in the
Active Directory database.
■■ The process of joining a computer to a domain normally occurs at the computer itself and
is performed by a member of the computer’s local Administrators group, who must also
supply domain credentials that are permitted to create the computer object.
■■ It is possible to perform an offline domain join by using a command-line program,
Djoin.exe, when the computer cannot contact a domain controller while it is being built.
1. Which of the following can be used to add, delete, or modify objects in Active Directory, in addition to modifying the schema if necessary?
1. Correct answer: B
A. Incorrect: Dcpromo, now deprecated in Windows Server 2012 R2, is a tool used to
promote and demote Active Directory domain controllers.
B. Correct: Like CSVDE.exe, the LDAP Data Interchange Format Directory Exchange
(LDIFDE.exe) utility can be used to import or export Active Directory information.
It can be used to add, delete, or modify objects in Active Directory, in addition to
modifying the schema, if necessary.
C. Incorrect: CSVDE.exe can create Active Directory objects from information in CSV
files, but it cannot modify existing objects.
D. Incorrect: NSLOOKUP is a DNS name resolution utility. It cannot create AD DS
2. When using CSVDE, what is the first line of the text file that uses proper attribute
A. Header row
B. Header record
C. Name row
D. Name record
2. Correct answer: B
A. Incorrect: The first line of the CSV file is the header record, not the header row.
B. Correct: The CSVDE command-line utility enables an administrator to import or
export AD DS objects. It uses a .csv file that is based on a header record, which
describes each part of the data. A header record is just the first line of the text file
that uses proper attribute names.
C. Incorrect: The first line of the CSV file is the header record, not the name row.
D. Incorrect: The first line of the CSV file is the header record, not the name record.
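The following is an added example, not from the book, that carries the CSVDE and LDIFDE points through end to end: a CSV file whose header record names the attributes, a CSVDE import, and an LDIFDE modify that CSVDE cannot perform. It assumes the contoso.com domain, an existing OU=Sales, and the AD DS tools (csvde.exe, ldifde.exe and the ActiveDirectory module) on the machine you run it from; the user names and paths are constructed.

```powershell
# Added example: bulk-create users with CSVDE, then modify them with LDIFDE.
# Assumes the contoso.com domain, an existing OU=Sales, and the AD DS tools
# on this machine. User names and paths are constructed for illustration.

# The header record is the first line of the CSV: it names the LDAP attributes
# that every following line populates, in the same order.
$csvPath = "$env:TEMP\newusers.csv"
@'
dn,objectClass,sAMAccountName,userPrincipalName,displayName,userAccountControl
"CN=Jane Doe,OU=Sales,DC=contoso,DC=com",user,jdoe,jdoe@contoso.com,Jane Doe,514
"CN=Sam Lee,OU=Sales,DC=contoso,DC=com",user,slee,slee@contoso.com,Sam Lee,514
'@ | Set-Content -Path $csvPath -Encoding ASCII

# -i import, -f file, -k continue past "object already exists" style errors,
# -j directory for the log files. CSVDE cannot set passwords, so the accounts
# are created disabled (userAccountControl 514) and enabled once a password
# has been set below.
csvde -i -f $csvPath -k -j $env:TEMP

# LDIFDE can change existing objects; CSVDE cannot. "changetype: modify" with
# "replace:" sets an attribute; the lone "-" closes each change block.
$ldfPath = "$env:TEMP\update.ldf"
@'
dn: CN=Jane Doe,OU=Sales,DC=contoso,DC=com
changetype: modify
replace: title
title: Sales Manager
-

dn: CN=Sam Lee,OU=Sales,DC=contoso,DC=com
changetype: modify
replace: department
department: Sales
-
'@ | Set-Content -Path $ldfPath -Encoding ASCII

ldifde -i -f $ldfPath -k -j $env:TEMP

# Verify the result, then set a password and enable each imported account.
Import-Module ActiveDirectory
foreach ($sam in 'jdoe', 'slee') {
    $user = Get-ADUser -Identity $sam -Properties title, department
    $user | Format-List sAMAccountName, Enabled, title, department
    $password = Read-Host -Prompt "Password for $sam" -AsSecureString
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $password
    Enable-ADAccount -Identity $user
}
```

Creating the accounts disabled is deliberate: a domain with a password policy refuses an enabled user that has no password, so a CSV with userAccountControl 512 fails at import time. The -k switch keeps the import going when an object already exists, which makes the script safe to rerun; check the .log and .err files in the -j directory afterward rather than trusting the exit code alone.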
3. Which of the following utilities are used to perform an offline domain join?
A. net join
C. Correct: You can perform an offline domain join on a computer running Windows
Server 2012 R2 by using the Djoin.exe utility.
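The following added example (not from the book) shows the two halves of an offline domain join with Djoin.exe. It assumes the contoso.com domain, an OU=Workstations, and a target computer named WS-042; step 1 runs on a domain-joined machine, step 2 on the target itself.

```powershell
# Added example: offline domain join with Djoin.exe.
# Assumes the contoso.com domain, an existing OU=Workstations, and a target
# computer named WS-042 that cannot reach a domain controller while it is built.

# Step 1, on a domain-joined machine, using domain credentials permitted to
# create computer objects: create the computer account and save the
# provisioning blob. The blob contains the machine account password, so move
# it over a trusted channel and delete it after use.
djoin.exe /provision /domain contoso.com /machine WS-042 `
    /machineou "OU=Workstations,DC=contoso,DC=com" /savefile C:\odj\WS-042.txt

# Step 2, on WS-042 as a local administrator, with no domain connectivity:
# inject the blob. /localos targets the running OS; /windowspath alone would
# target an offline image mounted at that path.
djoin.exe /requestodj /loadfile C:\odj\WS-042.txt /windowspath $env:SystemRoot /localos
Restart-Computer

# After the restart, once the computer can reach a DC, confirm the join and
# that the secure channel (machine account password) works.
(Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
Test-ComputerSecureChannel -Verbose
```

The provisioning step is the one that needs domain rights; the request step needs only local Administrators membership, which is why the blob must be treated as a credential.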
4. Which of the following is not a type of user account that can be configured in Windows Server 2012 R2?
A. Local accounts
B. Domain accounts
C. Network accounts
D. Built-in accounts
4. Correct answer: C
A. Incorrect: Local accounts can be created and configured in Windows Server
B. Incorrect: Domain accounts can be created and configured in Windows Server
C. Correct: There are three types of user accounts in Windows Server 2012 R2: local
accounts, domain accounts, and built-in user accounts.
D. Incorrect: Built-in accounts can be configured, but not created in Windows Server
5. Which of the following are the two built-in user accounts created automatically on a
computer running Windows Server 2012 R2?
C. Correct: By default, the two built-in user accounts created on a computer running
Windows Server 2012 R2 are the Administrator account and the Guest account.
D. Correct: By default, the two built-in user accounts created on a computer running
Windows Server 2012 R2 are the Administrator account and the Guest account.
■■ Adding OUs to your Active Directory hierarchy is easier than adding domains; you
don’t need additional hardware, and you can easily move or delete an OU as necessary.
■■ When you want to grant a collection of users permission to access a network resource,
such as a file system share or a printer, you cannot assign permissions to an OU; you
must use a security group instead. Although they are container objects, groups are not
part of the Active Directory hierarchy in the same way that domains and OUs are.
■■ Creating OUs enables you to implement a decentralized administration model, in
which others manage portions of the AD DS hierarchy, without affecting the rest of the
■■ Groups enable administrators to assign permissions to multiple users simultaneously. A
group can be defined as a collection of user or computer accounts that functions as a
security principal, in much the same way that a user does.
■■ In Active Directory, there are two types of groups: security and distribution. There are
also three group scopes: domain local, global, and universal.
■■ Group nesting is the term used when groups are added as members of other groups.
■■ It is possible to control group memberships by using Group Policy. When you create
Restricted Groups policies, you can specify the membership for a group and enforce it.
1. Which of the following groups are used to consolidate groups and accounts that span
either multiple domains or the entire forest?
B. Domain local
1. Correct answer: D
A. Incorrect: Global groups cannot contain users from other domains.
B. Incorrect: Domain local groups cannot have permissions for resources in other
C. Incorrect: Built-in groups have no inherent cross-domain qualities.
D. Correct: Universal groups, like global groups, are used to organize users according
to their resource access needs. You can use them to organize users to facilitate access
to any resource located in any domain in the forest through the use of domain
local groups. Universal groups are used to consolidate groups and accounts that
span either multiple domains or the entire forest.
2. Which of the following is not a correct reason for creating an OU?
A. To create a permanent container that cannot be moved or renamed
B. To duplicate the divisions in your organization
C. To delegate administration tasks
D. To assign different Group Policy settings to a specific group of users or computers
A. Correct: The reasons for creating an OU include duplicating organizational divisions,
assigning Group Policy settings, and delegating administration. You can
easily move or rename an OU as necessary
3. Which of the following group scope modifications are never permitted? (Choose all
A. Global to universal
B. Global to domain local
C. Universal to global
D. Domain local to universal
3. Correct answer: B
A. Incorrect: Global to universal group conversions are sometimes permitted.
B. Correct: Global to domain local group conversions are never permitted.
C. Incorrect: Universal to global group conversions are sometimes permitted.
D. Incorrect: Domain local to universal group conversions are sometimes permitted
4. In a domain running at the Windows Server 2012 R2 domain functional level, which of the following security principals can be members of a global group? (Choose all that apply.)
C. Universal groups
D. Global groups
4. Correct answers: A, B, D
A. Correct: Users can be security principals in a global group.
B. Correct: Computers can be security principals in a global group.
C. Incorrect: Universal groups cannot be security principals in a global group.
D. Correct: Global groups can be security principals in a global group.
5. You are attempting to delete a global security group in the Active Directory Users And
Computers console but the console will not let you complete the task. Which of the
following could possibly be causes for the failure? (Choose all that apply.)
A. There are still members in the group.
B. One of the group’s members has the group set as its primary group.
C. You do not have the proper permissions for the container in which the group is
D. You cannot delete global groups from the Active Directory Users And Computers
B. Correct: If any member sets the group as its primary group, then the system does
not permit the group to be deleted.
C. Correct: You must have the appropriate Active Directory permissions for the
container in which the group is located to delete it.
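The following added example (not from the book) works through the scope-conversion rule from question 3 and the primary-group cause of a refused deletion from question 5 with the ActiveDirectory module. It assumes the contoso.com domain and a global security group named 'Sales Leads'; everything else is constructed.

```powershell
# Added example: group scope conversion and the primary-group check behind a
# refused deletion. Assumes the contoso.com domain and a global security
# group 'Sales Leads'; the rest is constructed.
Import-Module ActiveDirectory

$group = Get-ADGroup -Identity 'Sales Leads'

# Global -> Domain Local is never permitted directly; the DC rejects it.
try {
    Set-ADGroup -Identity $group -GroupScope DomainLocal -ErrorAction Stop
} catch {
    Write-Warning "Direct Global -> DomainLocal conversion refused: $($_.Exception.Message)"
}

# The supported route goes through Universal. Each hop succeeds only if the
# group's members and memberships satisfy the rules of the target scope
# (for example, a global group nested in another global group cannot become
# universal until it is removed from that group).
Set-ADGroup -Identity $group -GroupScope Universal
Set-ADGroup -Identity $group -GroupScope DomainLocal
(Get-ADGroup -Identity $group).GroupScope   # DomainLocal

# Before deleting a group, find accounts that use it as their primary group.
# primaryGroupID stores the RID, which is the last component of the group SID.
$rid = $group.SID.Value.Split('-')[-1]
$primaryMembers = Get-ADObject -Filter "primaryGroupID -eq $rid" -Properties sAMAccountName
foreach ($acct in $primaryMembers) {
    # Point the account back at Domain Users (RID 513). An account can only be
    # given a primary group it is already a member of, which is normally true
    # for Domain Users.
    Write-Host "Resetting primary group of $($acct.sAMAccountName)"
    Set-ADObject -Identity $acct -Replace @{ primaryGroupID = 513 }
}

Remove-ADGroup -Identity $group -Confirm:$false
```

The primary-group query is the check to run first when the console refuses a delete: the group's member list does not show which members depend on it as a primary group, and a group can otherwise be deleted with members still in it.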
CHAPTER 6
■■ Group Policy consists of user and computer settings that can be implemented during
computer startup and user logon. These settings can be used to customize the user
environment, to implement security guidelines, and to assist in simplifying user and
■■ In AD DS, Group Policies can be assigned to sites, domains, and OUs. Each computer also
has local GPOs, which are processed first; conflicting settings in site, domain, and OU
GPOs, which are applied afterward, override the local settings.
■■ The Group Policy Management console is the tool used to create and modify GPOs
and their settings.
1. Which of the following types of files do Group Policy tools access from a Central Store
A. ADM files
B. ADMX files
C. Group Policy Objects
D. Security templates
B. Correct: Group Policy tools look for XML-based administrative template (ADMX)
files in the Central Store by default.
2. Which of the following local GPOs takes precedence on a system with multiple local
A. Local Group Policy
B. Administrators Group Policy
C. Non-Administrators Group Policy
D. User-specific Group Policy
D. Correct: Of the local GPO types, user-specific local GPOs are applied last
3. Which of the following techniques can be used to apply GPO settings to a specific
group of users in an OU?
A. GPO linking
B. Administrative templates
C. Security filtering
D. Starter GPOs
C. Correct: Security filtering is a Group Policy feature that enables you to restrict the
dissemination of Group Policy settings to specific users and groups within an AD
4. Which of the following statements best describes the function of a starter GPO?
A. A starter GPO functions as a template for the creation of new GPOs.
B. A starter GPO is the first GPO applied by all Active Directory clients.
C. A starter GPO uses a simplified interface for elementary users.
D. A starter GPO contains all the settings found in the default Domain Policy GPO.
A. Correct: Starter GPOs are templates that you can use to create multiple GPOs with
the same set of baseline Administrative Templates settings
5. When you apply a GPO with a value of Not Configured for a particular setting to a
system on which that same setting is disabled, what is the result?
A. The setting remains disabled.
B. The setting is changed to Not Configured.
C. The setting is changed to Enabled.
D. The setting generates a conflict error.
A. Correct: A Not Configured policy setting has no effect on the existing setting
of that policy
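The following added example (not from the book) ties together three of the questions above with the GroupPolicy module: building the Central Store that the tools read ADMX files from, creating a GPO from a starter GPO, and scoping it to one group with security filtering. It assumes the contoso.com domain, an OU=Sales, and a security group 'Sales Users'; the GPO names are constructed.

```powershell
# Added example: Central Store, starter GPO, security filtering, and link.
# Assumes the contoso.com domain, an OU=Sales and a group 'Sales Users';
# the GPO and starter GPO names are constructed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# Central Store: once this SYSVOL folder exists, the Group Policy tools read
# ADMX/ADML files from it instead of the local %SystemRoot%\PolicyDefinitions.
$store = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\PolicyDefinitions"
if (-not (Test-Path -Path $store)) {
    Copy-Item -Path "$env:SystemRoot\PolicyDefinitions" -Destination $store -Recurse
}

# A starter GPO is a template of Administrative Templates settings; new GPOs
# created from it start with that baseline.
$starter = Get-GPStarterGPO -Name 'Baseline Desktop' -ErrorAction SilentlyContinue
if (-not $starter) { $starter = New-GPStarterGPO -Name 'Baseline Desktop' }
$gpo = New-GPO -Name 'Sales Desktop' -StarterGpoName $starter.DisplayName

# Security filtering: drop Authenticated Users to Read only (they get Apply by
# default) and grant Apply to the target group. Keep Read for Authenticated
# Users so computer accounts can still retrieve the GPO, which user policy
# processing has required since the MS16-072 update.
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Sales Users' `
    -TargetType Group -PermissionLevel GpoApply

# Link it to the OU; the filter decides which users in the OU actually apply it.
New-GPLink -Name $gpo.DisplayName -Target "OU=Sales,$($domain.DistinguishedName)" -Enforced No

Get-GPPermission -Name $gpo.DisplayName -All | Format-Table Trustee, Permission
```

Removing Authenticated Users entirely is the classic security-filtering mistake: after MS16-072 the computer account reads the user policy, so a GPO that no computer can read is silently not applied even to the filtered group.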
■■ Most security-related settings are found within the Windows Settings node of the
Computer Configuration node of a GPO.
■■ Local policy settings govern the actions users can perform on a specific computer and
determine if the actions are recorded in an event log.
■■ Auditing can be configured to audit successes, failures, or both.
■■ Administrators can use security templates to configure local policies, group memberships,
event log settings, and other policies.
■■ When a standard user attempts to perform a task that requires administrative
privileges, the system displays a credential prompt, requesting that the user supply the
name and password for an account with administrative privileges.
■■ User Account Control is enabled by default in all Windows Server 2012 R2 installations,
but it is possible to configure its properties and even to disable it completely.
1. Which of the following tools are used to deploy the settings in a security template to
all the computers in an AD DS domain?
A. Active Directory Users and Computers
B. Security Templates snap-in
C. Group Policy Object Editor
D. Group Policy Management console
1. Correct answers: C, D
A. Incorrect: You cannot use Active Directory Users and Computers to apply a
security template to a domain.
B. Incorrect: You cannot use the Security Templates snap-in to apply a security
template to a domain.
C. Correct: You must use the Group Policy Object Editor to import a template into a
GPO before you apply it to a domain.
D. Correct: After importing the security template into a GPO, you can link the GPO to the
domain object and deploy the template settings.
2. Which of the following are local groups to which you can add users with the Windows
Control Panel? (Choose all that apply.)
B. Power Users
2. Correct answers: A, C
A. Correct: By creating a standard user in Windows Control Panel, you are adding the
account to the local Users group.
B. Incorrect: You cannot add users to the Power Users group by using the Windows
C. Correct: Granting a user administrative privileges in the Windows Control Panel
adds the account to the local Administrators group.
D. Incorrect: There is no Non-Administrators local group in Windows
3. Which of the following tools are used to modify the settings in a security template?
A. Active Directory Users and Computers
B. Security Templates snap-in
C. Group Policy Object Editor
D. Group Policy Management console
B. Correct: You use the Security Templates snap-in to modify the settings in a
4. The built-in local groups on a server running Windows Server 2012 R2 receive their
special capabilities through which of the following mechanisms?
A. Security options
B. Windows Firewall rules
C. NTFS permissions
D. User rights
4. Correct answer: D
A. Incorrect: Security options cannot provide the capabilities granted to the built-in
B. Incorrect: Windows Firewall rules cannot provide the capabilities granted to the
built-in local groups.
C. Incorrect: NTFS permissions cannot provide the capabilities granted to the built-in
D. Correct: Built-in local groups on a server running Windows Server 2012 R2 receive
their special capabilities through user rights.
5. After configuring and deploying the Audit Directory Service Access policy, what must
you do before a computer running Windows Server 2012 R2 begins logging Active
Directory access attempts?
A. You must select the Active Directory objects you want to audit by using the Active
Directory Users and Computer console.
B. You must wait for the audit policy settings to propagate to all the domain
controllers on the network.
C. You must open the Audit Directory Service Access Properties sheet and select all
the Active Directory objects you want to audit.
D. You must add an underscore character to the name of every Active Directory
object you want to audit.
5. Correct answer: A
A. Correct: The Audit Directory Service Access policy generates events only for objects that
carry auditing entries (a SACL), which you configure per object in the Active Directory
Users and Computers console (Properties, Security, Advanced, Auditing).
B. Incorrect: There is no need to wait for the policy settings to propagate to all the
C. Incorrect: You configure the objects to be audited in the Active Directory Users
and Computers console, not in the policy itself.
D. Incorrect: Modifying the object names will have no effect.
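The following added example (not from the book) shows the step question 5 is about: the audit policy alone produces nothing, so it adds an auditing entry to an OU with the AD PowerShell provider and then checks for the resulting events. It assumes the contoso.com domain, an OU=Sales, and that it runs on a domain controller as a domain administrator; the audited rights and test change are constructed.

```powershell
# Added example: the SACL that Audit Directory Service Access needs.
# Assumes the contoso.com domain and an OU=Sales; run on a DC as a domain
# administrator (adding audit entries needs the Manage auditing and security
# log user right). The audited rights are a constructed choice.
Import-Module ActiveDirectory

# 1. Confirm the policy from the GPO is in effect on this DC. Turning on the
#    subcategory is necessary but logs nothing until objects carry audit entries.
auditpol /get /subcategory:"Directory Service Access"

# 2. Add an audit entry to the OU: record successful and failed writes,
#    deletions and child creation by anyone, inherited by all child objects.
$ouDn     = 'OU=Sales,DC=contoso,DC=com'
$ouPath   = "AD:\$ouDn"
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.DirectoryServices.ActiveDirectoryRights] 'WriteProperty, WriteDacl, Delete, DeleteChild, CreateChild'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    $rights,
    [System.Security.AccessControl.AuditFlags] 'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path $ouPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# 3. Make an audited change and look for event 4662 (an operation was
#    performed on an object) in the Security log of this DC.
Set-ADOrganizationalUnit -Identity $ouDn -Description "audit test $(Get-Date -Format s)"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```

Events 4662 are written on whichever domain controller serviced the write, so when the change is made against another DC the query has to run there. Keep the audited rights narrow; auditing reads on a busy OU floods the Security log quickly.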
■■ Software restriction policies enable the software’s executable code to be identified and either allowed or disallowed on the network.
■■ The three Default Security Levels within software restriction policies are Unrestricted,
which means all applications run subject only to the user’s permissions; Disallowed, which
means no application runs unless a rule allows it, regardless of the user’s permissions;
and Basic User, which runs applications with standard user privileges only, so programs
that require administrative rights fail.
■■ Four rule types can be defined within a software restriction policy. They include, in
order of precedence, hash, certificate, network zone, and path rules. The security level
set on a specific rule supersedes the Default Security Level of the policy.
■■ Software restriction policies are Group Policy settings that enable administrators to
specify the programs that are allowed to run on workstations by creating rules of
■■ AppLocker enables administrators to create application restriction rules much more
easily than was previously possible.
1. Which of the following is not one of the software restriction rule types supported by
Windows Server 2012 R2?
A. Hash rules
B. Certificate rules
C. Path rules
D. Firewall rules
D. Correct: Firewall rules are not one of the software restriction rule types; hash,
certificate, path, and network zone rules are.
2. Which of the following strategies for enforcing software restrictions will prevent any
executable from running except for those that have been specifically allowed by an
A. Basic user
C. Power user
2. Correct answer: B
A. Incorrect: The Basic User strategy prevents any application from running that
requires administrative rights, but enables programs to run that only require
resources that are accessible by normal users.
B. Correct: The Disallowed strategy prevents all applications from running except
those that are specifically allowed.
C. Incorrect: There is no Power User strategy for enforcing software restrictions.
D. Incorrect: The Unrestricted strategy enables all applications to run except those
that are specifically excluded.
3. Under which of the following conditions will a hash rule in a software restriction policy cease to function? (Choose all that apply.)
A. When you move the file on which the hash is based to a different folder
B. When you update the file on which the hash is based to a new version
C. When the file on which the hash is based is modified by a virus
D. When you change the permissions for the file on which the hash is based
3. Correct answers: B, C
A. Incorrect: The hash is based on the file, not on its location, so moving it does not
affect its functionality.
B. Correct: Substituting a different version of the file renders the hash unusable.
C. Correct: Modifying the file in any way renders the hash unusable.
D. Incorrect: Changing the file’s permissions does not modify the file itself, so the
hash remains functional.
4. Which of the following rule types applies to files with an .msi extension?
A. Executable rules
B. Windows Installer rules
C. Script rules
D. Packaged app rules
4. Correct answer: B
A. Incorrect: Executable rules apply to files with .exe and .com extensions.
B. Correct: Windows Installer rules apply to Windows Installer packages with .msi
and .msp extensions.
C. Incorrect: Script rules apply to script files with .ps1, .bat, .cmd, .vbs, and
D. Incorrect: Packaged app rules apply to applications purchased through the
5. Which of the following services must you manually start before Windows can apply
A. Application Identity
B. Application Management
C. Credential Manager
D. Network Connectivity Assistant
5. Correct answer: A
A. Correct: To use AppLocker, Windows Server 2012 R2 requires the Application
Identity service to be running.
B. Incorrect: The Application Management service is not necessary for Windows to
apply AppLocker policies.
C. Incorrect: The Credential Manager service is not necessary for Windows to apply
D. Incorrect: The Network Connectivity Assistant service is not necessary for Windows
to apply AppLocker policies
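The following added example (not from the book) uses the AppLocker cmdlets to build a hash rule, show it allowing the file and then failing once the file's bytes change (the point of question 3), and to start the Application Identity service from question 5. It assumes a binary at C:\Tools\agent.exe, a constructed path, and runs as an administrator on Windows Server 2012 R2.

```powershell
# Added example: AppLocker hash rule, decision testing, and the service it
# depends on. Assumes a binary at C:\Tools\agent.exe (constructed path) and
# runs as an administrator.
Import-Module AppLocker

# AppLocker does nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Collect file information and turn it into a hash rule for Everyone.
$exe  = 'C:\Tools\agent.exe'
$info = Get-AppLockerFileInformation -Path $exe
$xml  = "$env:TEMP\applocker.xml"
New-AppLockerPolicy -FileInformation $info -RuleType Hash -User Everyone `
    -RuleNamePrefix Tools -Xml | Out-File -FilePath $xml -Encoding utf8

# Start in AuditOnly: an enforced Exe collection whose only allow rule covers
# this one file would block every other executable, Windows included.
[xml]$policy = Get-Content -Path $xml
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.Save($xml)

# Evaluate without applying: the unmodified file matches the hash rule.
Test-AppLockerPolicy -XmlPolicy $xml -Path $exe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Any change to the bytes changes the hash, so the rule no longer matches and
# the copy falls through to the default decision (DeniedByDefaultRule).
$changed = "$env:TEMP\agent-modified.exe"
Copy-Item -Path $exe -Destination $changed
[System.IO.File]::AppendAllText($changed, 'x')
Test-AppLockerPolicy -XmlPolicy $xml -Path $changed -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Apply the policy locally (Set-AppLockerPolicy -Ldap targets a GPO instead),
# then review audit events: 8003 = would have been blocked, 8004 = blocked.
Set-AppLockerPolicy -XmlPolicy $xml
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 |
    Where-Object Id -in 8003, 8004 | Select-Object TimeCreated, Id, Message
```

The same property that makes hash rules resistant to renaming and moving (the decision depends only on the file contents) is what makes them expensive to maintain: every patched version of the binary needs a new rule, which is why publisher rules are preferred for signed software. On newer Windows versions the Application Identity service's start type can only be set through Group Policy, not with Set-Service.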
■■ A firewall is a software program that protects a computer by allowing certain types of
network traffic in and out of the system while blocking others.
■■ A firewall is essentially a series of filters that examine the contents of packets and the
traffic patterns to and from the network to determine which packets they should allow
to pass through.
■■ The default rules preconfigured into the firewall are designed to admit the traffic used
by standard Windows networking functions, such as file and printer sharing. For outgoing
network traffic, Windows Firewall allows all traffic to pass by default, blocking only
traffic that matches an explicit block rule.
■■ The Windows Firewall control panel is designed to enable administrators to perform
basic firewall configuration tasks as needed.
■■ For full access to the Windows Firewall configuration settings, you must use the
Windows Firewall With Advanced Security snap-in for the MMC.
1. Which of the following mechanisms is used most often in firewall rules to allow traffic
onto the network?
A. Hardware addresses
B. IP addresses
C. Protocol numbers
D. Port numbers
1. Correct answer: D
A. Incorrect: Firewalls can conceivably use hardware addresses to filter network
traffic, but this is rarely a practical solution.
B. Incorrect: Firewalls typically filter specific types of network traffic, not entire
C. Incorrect: Filtering by protocol number typically does not provide the granularity
needed to create an efficient firewall configuration.
D. Correct: Firewalls typically use port numbers to allow traffic onto the network.
2. Connection security rules require that network traffic allowed through the firewall use
which of the following security mechanisms?
2. Correct answer: B
A. Incorrect: Encrypting File System protects files at rest on the storage medium, not
network traffic.
B. Correct: Connection security rules require that network traffic allowed through
the firewall use IPsec for security.
C. Incorrect: User Account Control cannot restrict network traffic.
D. Incorrect: Kerberos is an authentication protocol. It cannot restrict network traffic.
3. Which of the following actions cannot be performed from the Windows Firewall
A. Allowing an application through the firewall in all three profiles
B. Blocking all incoming connections for any of the three profiles
C. Creating firewall exceptions based on port numbers for all three profiles
D. Turning Windows Firewall off for all three profiles
C. Correct: The Windows Firewall control panel can only allow whole apps or features
through the firewall; creating exceptions based on port numbers requires the Windows
Firewall With Advanced Security snap-in.
4. Which of the following tools cannot enable and disable the Network Discovery firewall
A. File Explorer
B. Network and Sharing Center
C. Action Center
D. Allowed Apps dialog box
C. Correct: The Action Center control panel does not contain Network Discovery
5. Which of the following statements about Windows Firewall are true? (Choose all that
A. Applying firewall rules by using Group Policy overwrites all the firewall rules on the
B. Applying firewall rules by using Group Policy combines the newly deployed rules
with the ones already there.
C. Importing firewall rules saved from another computer overwrites all the rules on
the target system.
D. Importing firewall rules saved from another computer combines both sets of
5. Correct answers: B, C
A. Incorrect: Firewall rules applied with Group Policy combine with the existing rules.
B. Correct: Firewall rules applied with Group Policy combine with the existing rules.
C. Correct: Importing Windows Firewall rules from another system overwrites all the
D. Incorrect: Importing rules overwrites the existing rules; it does not combine them.
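The following added example (not from the book) uses the NetSecurity cmdlets to create the port-based rule the control panel cannot, a connection security rule that requires IPsec, and then shows the distinction from question 5: rules delivered by Group Policy merge into the active rule set, while an imported policy file replaces the local one. It assumes a domain-joined server running a constructed service on TCP 8443 and runs as an administrator.

```powershell
# Added example: port-based rule, IPsec connection security rule, and the
# merge-versus-replace behaviour of GPO rules and imported policies.
# Assumes a domain-joined server with a constructed service on TCP 8443.
Import-Module NetSecurity

# Inbound allow rule keyed on a port (and a program), limited to the Domain
# profile. -Authentication Required means only IPsec-authenticated peers match.
New-NetFirewallRule -DisplayName 'Contoso Agent (TCP 8443 in)' -Direction Inbound `
    -Protocol TCP -LocalPort 8443 -Program 'C:\Program Files\Contoso\agent.exe' `
    -Profile Domain -Action Allow -Authentication Required

# Connection security rule: inbound connections must be authenticated with
# IPsec (the default computer Kerberos authentication set), outbound only
# requests it so the server can still talk to hosts that cannot do IPsec.
New-NetIPsecRule -DisplayName 'Require IPsec inbound' -InboundSecurity Require `
    -OutboundSecurity Request -Profile Domain

# Rules that arrive by Group Policy are combined with the local ones. The
# active store shows both, and PolicyStoreSourceType tells them apart.
Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object { $_.DisplayName -like 'Contoso*' } |
    Select-Object DisplayName, Enabled, PolicyStoreSource, PolicyStoreSourceType

# Importing a saved policy replaces the whole local rule set rather than
# merging, so export the current state first to have something to restore.
netsh advfirewall export "$env:TEMP\firewall-backup.wfw"
# netsh advfirewall import "$env:TEMP\firewall-backup.wfw"   # replaces, does not merge
```

Because GPO rules merge with local ones, a local allow rule survives a domain policy rollout unless the GPO also sets "Apply local firewall rules" to No for the profile; check the active store, not the persistent store, when verifying what a server actually enforces.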