HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains two servers
named Server1 and Server2. Server1 has the Network Policy Server server role installed. Server2 has the DHCP
Server server role installed. Both servers run Windows Server 2012 R2.
You are configuring Network Access Protection (NAP) to use DHCP enforcement.
You configure a DHCP scope as shown in the exhibit.
You need to ensure that non-compliant NAP clients receive different DHCP options than compliant NAP clients.
What should you configure on each server?
To answer, select the appropriate options for each server in the answer area.
Answer: See the explanation
Explanation:
Server1: Health Policies
Server2: Server Options
* Health policy on the NAP server.
* The DHCP server must be NAP enabled.
Note: With DHCP enforcement, a computer must be compliant to obtain an unlimited access IP address
configuration from a DHCP server. For noncompliant computers, network access is limited by an IP address
configuration that allows access only to the restricted network. DHCP enforcement enforces health policy
requirements every time a DHCP client attempts to lease or renew an IP address configuration. DHCP
enforcement also actively monitors the health status of the NAP client and renews the IPv4 address
configuration for access only to the restricted network if the client becomes noncompliant.
Can somebody explain how this task of DHCP enforcement can be achieved in server options?
Look here:
http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Group-Policy-Filtering-Part4.html
You will now see entries for both the None and the Default Network Access Protection Class. The latter class options will be assigned to non-compliant computers when DHCP enforcement is used with NAP.
Look at the icons before the “Option Names”. You can recognize if it is a scope option or a server option. Both “Default Network Access Protection Class” are SCOPE(!) options.
The answers are MS-Service Class for server with NPS to identify the Network Policy as profile 1 and scope option as presented in the picture for DHCP server.
Guys here;
http://www.aiotestking.com/microsoft/what-should-you-configure-on-each-server-2/
said that it’s probably Scope Options
I’d Say
Health Policy
Scope Option
Here it says something about User Class for server2:
https://msdn.microsoft.com/en-us/library/dd296905(v=ws.10).aspx
Hi all I believe the answer provided is spot on.
Server1 Health Policy – because the key word is NAP NON-COMPLIANT, indicating there is some health check in place (don’t confuse it with NON-COMPATIBLE, indicating systems that don’t understand NAP, in which case MS-Service Class would fit)
Server2 Server Options – NAP section under the Server Options (properties) has Full, Restricted and Deny options and see the wording here http://www.poweradmin.com/blog/nap-enforcement-network-access-protection/ (roughly half way through)
Just my take on it
“You need to ensure that non-compliant NAP clients receive different DHCP options than compliant NAP clients.” Creating a health policy only defines which machines are compliant and non-compliant, and that is not what is asked of us.
On 2012R2 DHCP, you have to create a policy on the scope, and set criteria of “user class” equal to “Default Network Access Class” to define DHCP options for noncompliant PCs.
Because a profile name is used on the DHCP scope, an MS-Service class equal to the profile name has to be added to the Network policy on NPS.
Answer
Health Policies
Server Options
Okay so pretty sure this is actually the correct answer:
1. https://msdn.microsoft.com/en-us/library/dd314192(v=ws.10) > A health policy needs to be defined as per this guide > Answer is Health Policy
2. https://msdn.microsoft.com/en-us/library/dd296905(v=ws.10) > Requires user class to be configured > Question is asking WHAT needs to be configured not where > This rules out scope options > Answer is User Class
I’m still thinking that the answer is
MS-Service Class
Server Options
https://msdn.microsoft.com/en-us/library/dd125315(v=ws.10).aspx
I also go for “Policy” as answer for server2.
I tried to setup in test lab but no user classes available.
then I found this, indicating you should use a policy to get your work done:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/19b5dc02-00a7-4eba-9076-ef0f30e16bb4/cant-select-user-classes-in-dhcp-server-2012?forum=winserverNIS
When it comes to server1 I’m not sure:
The question states “you are configuring NAP to use DHCP enforcement”, so I assume we are using the “Configure NAP” wizard?
After finishing the wizard for configuring NAP, a Health policy is created automatically, and I think together with the auto-created Network Policies this might fit.
This article has some interesting info:
https://technet.microsoft.com/en-us/library/Cc731560%28v=WS.10%29.aspx
“The MS-Service Class condition restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method.”
So looks to me that MS-Service Class could be the appropriate answer.
I’m not sure I have enough resources to extend my testlab with all stuff needed to validate a proof-of-concept, neither technically nor seasonal. But I’ll let you know if I get it done!
BTW: Most documents I can find concerning stuff like this are about “NAP enforcement for DHCP”. Quite confusing this vice-versa terminology…?!
The answer to the second server appears to be here, question number 5, that is user class:
http://www.aiotestking.com/microsoft/which-criteria-should-you-specify-when-you-create-the-dhcp-policy-4/
yeah, you specify a user class condition, but in fact you must configure this in a DHCP policy to get the whole thing to work:
http://1ask2.com/Wndows2012/DHCP/DHCPNAP.html
as for the NPS server my current thoughts are as follows:
Commonly you might use both, MS-Service-Class and Health-Policy to get things going. In this case I don’t think you need to use the MS-Service-Class because the question just asks for different DHCP options for NAP-capable and non-NAP-capable clients. Therefore how do you differ? By just defining a Health Policy. Without a Health Policy it won’t work! The MS-Service-Class condition is only used to specify DHCP scopes but that’s not mentioned in the question…
therefore, my current votes:
Server1 – Health Policy
Server2 – Policy
if these answers are correct from other problems….
note that it’s not about health policies — this config is for already determined to be non-compliant computers.
nap server: ms service class (for non compliant clients)
http://www.aiotestking.com/microsoft/what-should-you-create-93/
dhcp:user class
http://www.aiotestking.com/microsoft/which-criteria-should-you-specify-when-you-create-the-dhcp-policy-4/
For Win2008 – user class, for Win2012 – a policy
1. health policy
2. server option (then scope option, and then user class)
The answer is:
Server1: MS Service Class.
Server2: a policy
If you set up “Use Custom profile” as in the exhibit, then you must set up “MS Service Class” in Network Policies, or else the DHCP scope does not apply. And you need to set up “a policy” in the DHCP scope, so that non-compliant computers get other DHCP options.
how much are you sure about this answer….
answer is to configure a non compliant health policy on server 1 and then to use scope options on your dhcp server to set network access protection settings on the said scope. the profiles are the ms-server class inputs that are passed to the network policy. the answer is clearly network policy and scope options
network policy is not an option 🙂
i clearly meant health policy dip shit
Network Policy and Access Services
Network Policy and Access Services (NPAS) helps you safeguard the health and security of your network. The NPAS server role includes Network Policy Server (NPS), Health Registration Authority (HRA), and Host Credential Authorization Protocol (HCAP).
NPS allows you to provide local and remote network access and to define and enforce policies for network access authentication, authorization, and—when you deploy Network Access Protection (NAP) —client health. HRA is a feature of NPS used when you deploy NAP, and HCAP provides NAP interoperability with Network Access Control (NAC), the Cisco client health solution.
In Windows Server 2003, Internet Authentication Service (IAS) is the Microsoft implementation of a Remote Authentication Dial-In User Service (RADIUS) server. In Windows Server operating systems later than Windows Server 2003, IAS is renamed to NPS.
New 70-411 Exam Questions and Answers Updated Recently (6/May/2016):
NEW QUESTION 435
You have a server named Server1 that is a member of a domain named contoso.com. You view the properties of a service on Server1 as shown in the graphic.
Image URL: examgod.com/plimages/257a8e899d68_F2B9/new-70-411-exam-dumps-4351_thumb.png
Use the drop-down menus to select the answer choice that completes each statement. NOTE: Each correct selection is worth one point.
Image URL: examgod.com/plimages/257a8e899d68_F2B9/new-70-411-exam-dumps-4352_thumb.jpg
Answer:
Image URL: examgod.com/plimages/257a8e899d68_F2B9/new-70-411-exam-dumps-4353_thumb.jpg
Explanation:
Virtual accounts are “managed local accounts” that provide the following features to simplify service administration:
– No password management is required.
– The ability to access the network with a computer identity in a domain environment.
Virtual accounts require very little management. They cannot be created or deleted, nor do they require any password management. You must be a member of the Administrators group on the local computer to perform the following procedures. To configure a service to use a virtual account:
– Click Start, point to Administrative Tools, and then click Services.
– In the details pane, right-click the service that you want to configure, and then click Properties.
– Click the Log On tab, click This account, and then type NT SERVICE\ServiceName. When you are finished, click OK.
– Restart the service for the change to take effect.
READ MORE — technet.microsoft.com/en-us/library/dd548356%20(v=WS.10).aspx
NEW QUESTION 436
You have a Windows Server Update Services (WSUS) server named Server1. Server1 synchronizes from Microsoft Update. You plan to deploy a new WSUS server named Server2. Server2 will synchronize updates from Server1. Server2 will be separated from Server1 by a firewall. You need to identify which port must be open on the firewall so that Server2 can synchronize the updates. Which port should you identify?
A. 8530
B. 3389
C. 443
D. 80
Answer: A
Explanation:
WSUS upstream and downstream servers will synchronize on the port configured by the WSUS Administrator. By default, these ports are configured as follows:
– On WSUS 3.2 and earlier, port 80 for HTTP and 443 for HTTPS
– On WSUS 6.2 and later (at least Windows Server 2012), port 8530 for HTTP and 8531 for HTTPS
The firewall on the WSUS server must be configured to allow inbound traffic on these ports.
READ MORE — technet.microsoft.com/en-us/library/hh852346.aspx
NEW QUESTION 437
A technician installs a new server that runs Windows Server 2012 R2. During the installation of Windows Server Update Services (WSUS) on the new server, the technician reports that on the Choose Languages page of the Windows Server Update Services Configuration Wizard, the only available language is English. The technician needs to download updates in French and English. What should you tell the network technician to do to ensure that the required updates are available?
A. Complete the Windows Server Update Services Configuration Wizard, and then modify the update language on the server.
B. Uninstall all instances of the Windows Internal Database.
C. Change the update languages on the upstream server.
D. Change the System Locale of the server to French.
Answer: C
Explanation:
Configure upstream servers to synchronize updates in all languages that are required by downstream replica servers.
You will not be notified of needed updates in the unsynchronized languages.
The Choose Languages page of the WSUS Configuration Wizard allows you to get updates from all languages or from a subset of languages. Selecting a subset of languages saves disk space, but it is important to choose all the languages that are needed by all the downstream servers and client computers of a WSUS server.
Downstream servers and client computers will not receive all the updates they need if you have not selected all the necessary languages for the upstream server. Make sure you select all the languages that will be needed by all the client computers of all the downstream servers.
You should generally download updates in all languages on the root WSUS server that synchronizes to Microsoft Update. This selection guarantees that all downstream servers and client computers will receive updates in the languages that they require.
To choose update languages for a downstream server:
If the upstream server has been configured to download update files in a subset of languages:
In the WSUS Configuration Wizard, click Download updates only in these languages (only languages marked with an asterisk are supported by the upstream server), and then select the languages for which you want updates.
READ MORE — technet.microsoft.com/en-us/library/hh328568(v=ws.10).aspx
NEW QUESTION 438
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question. Your network contains an Active Directory domain named contoso.com. The domain contains more than 100 Group Policy objects (GPOs). Currently, there are no enforced GPOs. You have a GPO named GPO1 that is linked to the domain. You need to configure GPO1 to apply settings to Group1 only. What should you use?
A. Dcgpofix
B. Get-GPOReport
C. Gpfixup
D. Gpresult
E. Gpedit.msc
F. Import-GPO
G. Restore-GPO
H. Set-GPInheritance
I. Set-GPLink
J. Set-GPPermission
K. Gpupdate
L. Add-ADGroupMember
Answer: C
NEW QUESTION 439
……
NEW QUESTION 440
Your network contains one Active Directory forest named contoso.com. You create a starter Group Policy object (GPO) named Starter_GPO1. From the Delegation tab of Starter_GPO1, you add a group named GPO_Admins and you assign the Edit settings permissions to the group. You create a new GPO named GPO1 from Starter_GPO1. You need to identify which action can be performed by the members of the GPO_Admins group. What should you identify?
A. Modify the Delegation settings of Starter_GPO1.
B. Modify the Group Policy Preferences in Starter_GPO1.
C. Link a WMI filter to GPO1.
D. Modify the Administrative Templates in GPO1.
Answer: A
Explanation:
Permission rights applied to starter GPO objects are relative to the starter GPO objects only; they are not inherited from actual GPOs created from starter GPOs.
B is wrong because Starter GPOs do not have preferences, only Administrative Template policy settings.
READ MORE — technet.microsoft.com/en-us/library/cc753200.aspx
NEW QUESTION 441
……