Your network contains an Active Directory domain named contoso.com. The domain
contains three servers. The servers are configured as shown in the following table.
You need to ensure that end-to-end encryption is used between clients and Server2 when
the clients connect to the network by using DirectAccess.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A.
From the Remote Access Management Console, reload the configuration.
B.
Add Server2 to a security group in Active Directory.
C.
Restart the IPSec Policy Agent service on Server2.
D.
From the Remote Access Management Console, modify the Infrastructure Servers
settings.
E.
From the Remote Access Management Console, modify the Application Servers settings.
Explanation:
Unsure about these answers:
• A public key infrastructure must be deployed.
• Windows Firewall must be enabled on all profiles.
• ISATAP in the corporate network is not supported. If you are using ISATAP, you
should remove it and use native IPv6.
• Computers that are running the following operating systems are supported as
DirectAccess clients:
Windows Server® 2012 R2
Windows 8.1 Enterprise
Windows Server® 2012
Windows 8 Enterprise
Windows Server® 2008 R2
Windows 7 Ultimate
Windows 7 Enterprise
• Force tunnel configuration is not supported with KerbProxy authentication.
• Changing policies by using a feature other than the DirectAccess management
console or Windows PowerShell cmdlets is not supported.• Separating NAT64/DNS64 and IPHTTPS server roles on another server is not
supported.
http://technet.microsoft.com/en-us/library/ee649285(v=WS.10).aspx
B is wrong. I should add the client computers to an Active Directory security group not Server2.
You have to add the client computers regardless. If you require end to end encryption, you also have to add the server.
“Adding the application servers to a security group is required only if you require end-to-end authentication and encryption.”
https://technet.microsoft.com/en-us/library/jj134232.aspx#bkmk_AppServers
Also, step 16c of your own link implies the server must be added to a security group:
Select Allow access to only those *****servers***** in the selected *****security groups.******
B and E are correct
http://technet.microsoft.com/en-us/library/jj134232.aspx#bkmk_AppServers
http://technet.microsoft.com/en-us/library/jj134239.aspx
The example shows that Server2 is a file server, not an application server. Microsoft says “Adding the application servers to a security group is required only if you require end-to-end authentication and encryption.” Doesn’t mention “file servers.”
I think “application server” is a generic qualification for servers that are not DCs, DNS, etc… These would be infrastructure servers.
I believe this is correct according to this article:
“Application servers are the servers on the corporate network that are accessible by client computers over a DirectAccess connection.”
https://technet.microsoft.com/en-us/library/jj134232
B & E are correct.
When you open the Remote Access Managment, Direct Access & VPN .. And then on the DIrect Access Applicatoin Server Setup you will have the option to Extend Authentication to seletected applicatoin servers. There you have to add the group. No chance of adding a specific server, so in this case u gotta make the group.