HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain
contains two servers named Server1 and Server2. Server1 has the Network Policy Server
server role installed. Server2 has the DHCP Server server role installed. Both servers run
Windows Server 2012 R2.
You are configuring Network Access Protection (NAP) to use DHCP enforcement.
You configure a DHCP scope as shown in the exhibit. (Click the Exhibit button.)
You need to ensure that non-compliant NAP clients receive different DHCP options than
compliant NAP clients.
What should you configure on each server?
To answer, select the appropriate options for each server in the answer area.
Answer: See the explanation.
Explanation:
Health Policies
Server Options
* Health policy on the NAP server.
* The DHCP server must be NAP enabled.
Note: With DHCP enforcement, a computer must be compliant to obtain an unlimited access
IP address configuration from a DHCP server. For noncompliant computers, network access
is limited by an IP address configuration that allows access only to the restricted network.
DHCP enforcement enforces health policy requirements every time a DHCP client attempts
to lease or renew an IP address configuration. DHCP enforcement also actively monitors the
health status of the NAP client and renews the IPv4 address configuration for access only to
the restricted network if the client becomes noncompliant.
http://msdn.microsoft.com/en-us/library/dd125315(v=ws.10).aspx
It’s health policies for server1 and scope options for server2
I agree with sysadmin.
Default NAP class: You must configure any required scope options for computers that are noncompliant with health requirements. A default gateway is not provided to noncompliant computers regardless of whether the 003 Router option is configured here.
https://msdn.microsoft.com/en-us/library/dd125315(v=ws.10)
Server Option (* The DHCP server behaviour when NPS is unreachable)
http://blog.ittoby.com/2013/06/windows-2012-nap-nps-with-dhcp.html
I come back on my previous answer, it must be Scope Option. “ensure that non-compliant NAP clients receive different DHCP options” is asked, not what happens “when the NPS server becomes unavailable”.
I disagree, I think it needs to be Server Options. The picture in this question IS the Scope Options!
On this page https://technet.microsoft.com/en-us/library/cc733020(v=ws.10).aspx microsoft says
“If DHCP is not installed on the local computer, you must also configure the following:
Install NPS on the computer that is running DHCP.
Configure NPS on the remote DHCP NPS server as a RADIUS proxy to forward connection requests to the local NPS server.”
So the answer for server 2 is Server options.
Also I don’t believe that it is MS-Service Class conditions, as the policy is for clients that have already received an IP address from a DHCP scope. The question is asking about changing the DHCP scope based on compliance. Compliance comes from Health Policies.
So the answer for server 1 is Health Policies
The MS-Service Class condition restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method.
Server1: MS-Service class
Server options are standard for all scopes. Scope options override server options.
Server2: Scope options
But the scope has already been assigned NAP policy enforcement. So to ensure NON NAP-compliant machines get a different scope…you would configure server options on the DHCP server.
I mean different options…but my point still stands
I think Sysadmin it´s ok!
https://ripusudan.wordpress.com/2013/03/19/how-to-configure-nap-enforcement-for-dhcp/
“Remember that the network policy conditions shown in Figure 7-4 are used to match a state of health compliance for a particular DHCP scope. To use the MS-Service class condition shown you have to assign the scope a profile name (here, “scope1”) in the scope properties on the DHCP server. The MS-Service class condition lets you apply different network policies (and therefore different levels of access protection) to different scopes.”
Peter is correct I think. No two dumps have the same answer.
Ms Service class – nps
Scope option – dhcp
“If you want to configure the MS-Service Class condition, click MS-Service Class, and then click Add. In Specify the profile name that identifies your DHCP scope, type the name of an existing DHCP profile, and then click Add. The MS-Service Class condition restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method.”
https://technet.microsoft.com/en-us/library/cc731560(v=ws.10).aspx
looks like scope option does not work:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/19b5dc02-00a7-4eba-9076-ef0f30e16bb4/cant-select-user-classes-in-dhcp-server-2012?forum=winserverNIS
Ever tried with 2012R2? There are no user classes to choose when configuring DHCP options! You have to use Policies…
ref: Demonstrate NAP DHCP Enforcement in a Test Lab
https://www.microsoft.com/en-au/download/confirmation.aspx?id=2409
Server1: health policies
Configure NPS as a NAP health policy server
To serve as a NAP health policy server, NPS1 must validate the system health of clients against the configured network health requirements. Health policies define which SHVs are evaluated, and how they are used in the validation of the configuration of computers that attempt to connect to your network.
Server2: scope options
As shown in question, enable NAP settings for this scope, configure scope options further for NAP. These server options are used when a compliant client computer attempts to access the network and obtain an IP address from the DHCP server.
Yes it says “server options” too…
“You need to ensure that non-compliant NAP clients receive different DHCP options than
compliant NAP clients.” Creating a health policy does not ensure that. Configuring a scope to give IP addresses to non-compliant machines does.
would like to know your answer…
Your reference does not work! Try to do that with 2012R2 and you will find out the difference between old OS versions and the one we are discussing here.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/19b5dc02-00a7-4eba-9076-ef0f30e16bb4/cant-select-user-classes-in-dhcp-server-2012?forum=winserverNIS
You first have to select “Define a User Class…” and call it “Profile1” on the server before you can set either Server Options or Scope Options, so I vote for “a user class” on Server 2.
This is because you are using a Custom Profile for NAP, if you use the Default NAP Profile, then the User Class is already created by default. After the User Class is created you can apply settings either in Server Options or Scope Options, depending if you want the DHCP options to apply just to one scope or to all scopes.
This is a tricky question, as NPS would need to be installed on the DHCP server and configured as a RADIUS Proxy for NAP enforcement to work. You don’t need to define the user class. The profile is simply used with NPS to differentiate between many scopes so that you can have custom restrictions for more than one scope. Therefore, the first answer is the ‘MS-Service Class’, as this condition needs setting for the appropriate network policy so that it only affects that DHCP scope.
You then need to set a scope policy for the ‘Default Network Access Protection Class’ that has different DHCP options than those set within scope options. The scope options will affect compliant clients, the scope policy set for the ‘Default Network Access Protection Class’ will only affect non-compliant clients. When a client is deemed as non-compliant the DHCP server assigns it to this class and the appropriate scope policy will take effect.
I’ve confirmed all this in a lab.
Help. Help. So confused here. Is it Health/Scope OR Health/Server Options OR Service Class/Scope?
Problem with this is… you configure scope options and user class on Server2.
Now agree with Trev.
Server1 Health Policies
Server2 Scope Options
https://ripusudan.wordpress.com/2013/03/19/how-to-configure-nap-enforcement-for-dhcp/
On Windows Server 2012, under the Advanced tab, on scope options, you don’t have the “User Class” available. It is available on the scope policies, so in this case I would select either “a policy” or “User class”, not scope options…
Server2: under Windows 2008 you can use DHCP Scope options to have different settings for noncompliant NAP clients (https://msdn.microsoft.com/en-us/library/dd296905(v=ws.10).aspx).
However, under Windows 2012, you cannot do this. You have to add a DHCP Policy to differentiate. So I would say: server2 should be policy.
server 1 MS-service class
server 2 a policy?
Answer: Health Policies; a Policy
Explanation: You have to define Health Policies on Server1 to determine whether a NAP client is compliant or not. Identity Type, MS-Service Class, and Service Type are all Network Policy conditions and don’t apply to this question. As of Windows Server 2012, User Classes (under which the Default NAP class resides) have been moved into scope policies. You need to configure a policy that defines the Default NAP class to give appreciate DHCP options to non-compliant NAP clients for restricted network access and their remediation.
Resources: https://msdn.microsoft.com/en-us/library/dd125315, https://technet.microsoft.com/en-us/library/dn425039
Exam Objective: Configure a Network Policy Server (NPS) Infrastructure – Configure Network Access Protection (NAP)
appropriate DHCP options*
Wonder how appreciate got in there…
I agree with John.
You first create a health policy on the NAP server
Then on the DHCP server create a scope policy that dictates how IP addresses will get leased.
For example – send noncompliant clients to another subnet where they can receive the necessary updates to become compliant.
There’s a lot of confusion here, mainly because the question, as usual, is unclear. Let’s try to settle this:
Server1 (NPS Server):
Of course you need to configure Health Policies, or NAP won’t work at all. BUT you also need to configure a Network policy with a condition set for MS-Service Class, since we’re using a different DHCP Server. The fact that the exhibit is showing us the MS-Service Class of Scope1 seems to suggest this might be the correct answer, so I’d settle for this.
Server2 (DHCP Server):
The TechNet tutorials all relate to WS2008. In WS2012 user-class options can only be defined in a DHCP policy and not from the scope options. So the answer to this is definitely “A Policy”.
My bets are on
– MS-Service Class
– A Policy
New 70-411 Exam Questions and Answers Updated Recently (6/May/2016):
NEW QUESTION 435
You have a server named Server1 that is a member of a domain named contoso.com. You view the properties of a service on Server1 as shown in the graphic.
Image URL: examgod.com/plimages/257a8e899d68_F2B9/new-70-411-exam-dumps-4351_thumb.png
Use the drop-down menus to select the answer choice that completes each statement. NOTE: Each correct selection is worth one point.
Image URL: examgod.com/plimages/257a8e899d68_F2B9/new-70-411-exam-dumps-4352_thumb.jpg
Answer:
Image URL: examgod.com/plimages/257a8e899d68_F2B9/new-70-411-exam-dumps-4353_thumb.jpg
Explanation:
Virtual accounts are “managed local accounts” that provide the following features to simplify service administration:
– No password management is required.
– The ability to access the network with a computer identity in a domain environment.
Virtual accounts require very little management. They cannot be created or deleted, nor do they require any password management. You must be a member of the Administrators group on the local computer to perform the following procedures. To configure a service to use a virtual account:
– Click Start, point to Administrative Tools, and then click Services.
– In the details pane, right-click the service that you want to configure, and then click Properties.
– Click the Log On tab, click This account, and then type NT SERVICE\ServiceName. When you are finished, click OK.
– Restart the service for the change to take effect.
READ MORE — technet.microsoft.com/en-us/library/dd548356%20(v=WS.10).aspx
NEW QUESTION 436
You have a Windows Server Update Services (WSUS) server named Server1. Server1 synchronizes from Microsoft Update. You plan to deploy a new WSUS server named Server2. Server2 will synchronize updates from Server1. Server2 will be separated from Server1 by a firewall. You need to identify which port must be open on the firewall so that Server2 can synchronize the updates. Which port should you identify?
A. 8530
B. 3389
C. 443
D. 80
Answer: A
Explanation:
WSUS upstream and downstream servers will synchronize on the port configured by the WSUS Administrator. By default, these ports are configured as follows:
– On WSUS 3.2 and earlier, port 80 for HTTP and 443 for HTTPS
– On WSUS 6.2 and later (at least Windows Server 2012), port 8530 for HTTP and 8531 for HTTPS
The firewall on the WSUS server must be configured to allow inbound traffic on these ports.
READ MORE — technet.microsoft.com/en-us/library/hh852346.aspx
NEW QUESTION 437
A technician installs a new server that runs Windows Server 2012 R2. During the installation of Windows Server Update Services (WSUS) on the new server, the technician reports that on the Choose Languages page of the Windows Server Update Services Configuration Wizard, the only available language is English. The technician needs to download updates in French and English. What should you tell the network technician to do to ensure that the required updates are available?
A. Complete the Windows Server Update Services Configuration Wizard, and then modify the update language on the server.
B. Uninstall all instances of the Windows Internal Database.
C. Change the update languages on the upstream server.
D. Change the System Locale of the server to French.
Answer: C
Explanation:
Configure upstream servers to synchronize updates in all languages that are required by downstream replica servers.
You will not be notified of needed updates in the unsynchronized languages.
The Choose Languages page of the WSUS Configuration Wizard allows you to get updates from all languages or from a subset of languages. Selecting a subset of languages saves disk space, but it is important to choose all the languages that are needed by all the downstream servers and client computers of a WSUS server.
Downstream servers and client computers will not receive all the updates they need if you have not selected all the necessary languages for the upstream server. Make sure you select all the languages that will be needed by all the client computers of all the downstream servers.
You should generally download updates in all languages on the root WSUS server that synchronizes to Microsoft Update. This selection guarantees that all downstream servers and client computers will receive updates in the languages that they require.
To choose update languages for a downstream server:
If the upstream server has been configured to download update files in a subset of languages:
In the WSUS Configuration Wizard, click Download updates only in these languages (only languages marked with an asterisk are supported by the upstream server), and then select the languages for which you want updates.
READ MORE — technet.microsoft.com/en-us/library/hh328568(v=ws.10).aspx
NEW QUESTION 438
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question. Your network contains an Active Directory domain named contoso.com. The domain contains more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs. You have a GPO named GPO1 that is linked to the domain. You need to configure GPO1 to apply settings to Group1 only. What should you use?
A. Dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gpedit.msc
F. Import-GPO
G. Restore-GPO
H. Set-GPInheritance
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate
L. Add-ADGroupMember
Answer: C
NEW QUESTION 439
……
NEW QUESTION 440
Your network contains one Active Directory forest named contoso.com. You create a starter Group Policy object (GPO) named Starter_GPO1. From the Delegation tab of Starter_GPO1, you add a group named GPO_Admins and you assign the Edit settings permissions to the group. You create a new GPO named GPO1 from Starter_GPO1. You need to identify which action can be performed by the members of the GPO_Admins group. What should you identify?
A. Modify the Delegation settings of Starter_GPO1.
B. Modify the Group Policy Preferences in Starter_GPO1.
C. Link a WMI filter to GPO1.
D. Modify the Administrative Templates in GPO1.
Answer: A
Explanation:
Permission rights applied to starter GPO objects are relative to the starter GPO objects only; they are not inherited from actual GPOs created from starter GPOs.
B is wrong because Starter GPOs do not have preferences, only Administrative Template policy settings.
READ MORE — technet.microsoft.com/en-us/library/cc753200.aspx
NEW QUESTION 441
……