70 741 PDF

4/27/2019 Training
Microsoft - 70-741
Networking with Windows Server 2016
Mark for review Ques on: 1 1 of 238
Comments 0 Help Next Wrong Result
Home : Training : Test Choice : Exam

Implement Network Connec vity and Remote Access Solu ons (20-25%)
You have an Ac ve Directory domain named contoso com. The domain contains servers named Server1 and Server2 that run Windows
Server 2016.
You install the Remote Access server role on Server1. You install the Network Policy and Access Services server role on Server2.
You need to configure Server1 to use Server2 as a RADIUS server.
What should you do?
Explana on:
We need to configure the RADIUS Authen ca on provider in the proper es of the Rou ng and Remote Access server.
Right answer: A
A From Rou ng and Remote Access, configure the authen ca on provider.
B From the Connec on Manager Administra on Kit, create a Connec on Manager profile.
C From Server Manager, create an Access Policy.
D From Ac ve Directory Users and Computers, modify the Delega on se ngs of the Server1 computer account.
https://www.cert2brain.com/Server/Exam.aspx 1/2
4/27/2019 Training
Comments 0 Help Next Wrong Result
4/27/2019 Training
Microsoft - 70-741
Comments 3 Help Exhibit Back Next Wrong Result

Implement DHCP and IPAM (25-30%)
Your company has a tes ng environment that contains an Ac ve Directory domain named contoso.com.
The domain contains a server named Server11 that runs Windows Server 2016. Server11 has IP Address Management (IPAM) installed
IPAM has the following configura on.
The IPAM Overview page from Server Manager is shown in the IPAM Overview exhibit.
The group policy configura ons are shown in the GPO exhibit.
4/27/2019 Training
For each of the shown statements, select Yes if the statement is true Otherwise, select No.
Explana on:
IP Address Management (IPAM) has been provisioned using the group policy based mode. The IPAM GPOs has been created and linked
using the Invoke-IpamGpoProvisioning cmdlet, but the server discovery is not configured yet. So the automa c discovery doesn´t
work.
Right answer: A
If a DNS server is added to contoso.com, the server will be discovered by IPAM automa cally: No
If you manually add a DHCP server named Server3 to IPAM and set the Manageability status to Managed, the
A
IPAM_DHCP Group Policy will apply to Server3: Yes
If you click Start server discovery, the domain controllers in contoso.com will be discovered by IPAM: No
If a DNS server is added to contoso.com, the server will be discovered by IPAM automa cally: No
B
IPAM_DHCP Group Policy will apply to Server3: No
If you click Start server discovery, the domain controllers in contoso.com will be discovered by IPAM: Yes
If a DNS server is added to contoso.com, the server will be discovered by IPAM automa cally: Yes
C
IPAM_DHCP Group Policy will apply to Server3: Yes
If a DNS server is added to contoso.com, the server will be discovered by IPAM automa cally: Yes
D
IPAM_DHCP Group Policy will apply to Server3: No
4/27/2019 Training
Microsoft - 70-741
Comments 0 Help Back Next Wrong Result

Your network contains an Ac ve Directory domain named contoso.com. The domain contains a server named Server1 that runs
Windows Server 2016.
Server1 has IP Address Management (IPAM) installed. IPAM is configured to use the Group Policy based provisioning method. The
prefix for the IPAM Group Policy objects (GPOs) is IP.
From Group Policy Management, you manually rename the IPAM GPOs to have a prefix of IPAM.
You need to modify the GPO prefix used by IPAM.
What should you do?
4/27/2019 Training
Explana on:
If you have chosen the Group Policy based provisioning method, you must also provide a GPO name prefix in the provisioning wizard.
A er providing a GPO name prefix, the wizard will display the GPO names that must be created in domains that will be managed by
IPAM. The following GPOs are not created by the provisioning wizard and must be created in each domain that will be managed by the
IPAM server:
<GPO-prefix>_DHCP: For managed DHCP servers.
<GPO-prefix>_DNS: For managed DNS servers.
<GPO-prefix>_DC_NPS: For managed domain controllers and NPS servers.
You must create GPOs with these names in order for them to be automa cally applied by IPAM when a server in the server inventory
is marked as managed. GPOs are also removed automa cally when a server is marked as unmanaged. Addi on and removal of these
GPOs is accomplished by modifying security filtering for the GPO. Server names are added when they are marked as managed, or
removed if they are marked as unmanaged
The Set-IpamConfigura on cmdlet modifies the IP Address Management (IPAM) server configura on, including the TCP port over
which the computer that runs the IPAM Remote Server Administra on Tools (RSAT) client connects and communicates with the
computer that runs the IPAM server. The GpoPrefix parameter specifies the unique Group Policy object (GPO) prefix name that IPAM
uses to create the group policy objects. Use this parameter only when the value of the ProvisioningMethod parameter is set to
Automa c.
Right answer: A
A Run the Set-IpamConfigura on cmdlet.
B Click Provision the IPAM server in Server Manager.
C Click Configure server discovery in Server Manager.
D Run the lnvoke-IpamGpoProvisioning cmdlet.
4/27/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains a domain controller named Server1 and
a member server named Server2.
Server1 has the DNS Server role installed. Server2 has IP Address Management lPAM installed. The IPAM server retrieves zones from
Server1 as shown in the following table.
The IPAM server has one access policy configured as shown in the exhibit.
For each of following statements, select YES, if the statement is true. Otherwise, select NO.
Right answer: C
User1 can add a host(A) record to adatum.com: Yes
A User1 can add a host(A) record to fabrikam.com: Yes
User1 can delete the fabrikam.com zone: Yes
4/27/2019 Training
User1 can add a host(A) record to adatum.com: No

User1 can add a host(A) record to fabrikam.com: No

C User1 can add a host(A) record to fabrikam.com: Yes

D User1 can add a host(A) record to fabrikam.com: No
User1 can delete the fabrikam.com zone: No
4/27/2019 Training
Microsoft - 70-741

Implement Domain Name System (DNS) (15–20%)
Your network contains an Ac ve Directory domain named contoso.com. The domain contains a DNS server named Server1.
Server1 is configured to use a forwarder named server2.contoso.com that has an IP address of 10.0.0.10.
You need to prevent Server1 from using root hints if the forwarder is unavailable.
What command should you run?
(To answer, select the appropriate op ons in the answer area.)
Right answer: D
A Suspend-DnsServerZone -NameServer server2.contoso.com
B Set-DnsServer -UseRootHint $false
C Set-DnsServer -Name *.* -PassThru
D Set-DnsServerForwarder -UseRootHint $false
E Set-DnsServerRootHint -IPAddress 10.0.0.10
F Set-DnsServerRootHint -Name *.* -PassThru
4/27/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains a member server named Server1 that
runs Windows Server 2016.
You install IP Address Management (IPAM) on Server1. You select the automa c provisioning method, and then you specify a prefix of
IPAM1.
You need to configure the environment for automa c IPAM provisioning.
Which cmdlet should you run?
Right answer: C
A Add-IpamDiscoveryDomain -Domain "contoso.com" -DiscoverDns "IPAM1"
B Enable-IpamCapability -Domain "contoso.com" -ProvisioningMethod "IPAM1"
C Invoke-IpamGpoProvisioning -Domain "contoso.com" -GpoPrefixName "IPAM1"
D Set-IpamConfigura on -Domain "contoso.com" -AssetTag "IPAM1"
4/27/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains two servers named Server1 and Server2
that run Windows Server 2016.
Server1 has IP Address Management (IPAM) installed. Server2 has Microso System Center 2016 Virtual Machine Manager (VMM)
installed.
You need to integrate IPAM and VMM.
Which types of objects should you create on each server?
(To answer, drag the appropriate object types to the correct servers Each object type may be used once, more than once, or not at all.)
Explana on:
To enable IPAM and Virtual Machine Manager (VMM) integra on, you must first configure a user account for VMM on the IPAM server
and then configure the IPAM network service plugin in VMM.
Reference: h ps://msdn.microso .com/en-gb/library/dn783349(v=ws.11).aspx
Right answer: A
Server1: Access Policy
A Server2: Network Service
Server2: Run As Account
Server1: Network Service

B Server2: User Role
Server2: Network Service
Server1: Run As Account

C Server2: Network Service
Server2: User Role
D
4/27/2019 Training
Server1: Access Policy

Server2: Service Template
Server2: User Role
4/27/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains four servers named Server1, Server2,
Server3 and Server4 that run Windows Server 2016.
Server1 has IP Address Management (IPAM) installed. Server2, Server3, and Server4 have the DHCP Server role installed.
IPAM manages Server2, Server3 and Server4.
A domain user named User1 is a member of the groups shown in the following table.
Which ac ons can User1 perform?
Explana on:
Members of the DHCP Administrators group have administra ve access to the Dynamic Host Configura on Protocol (DHCP) Server
service. This group provides a way to assign limited administra ve access to the DHCP server only, while not providing full access to
the server. Members of this group can administer DHCP on a server using the DHCP console or the Netsh command, but are not able
to perform other administra ve ac ons on the server.
Members of the DHCP Users group have read-only access to the DHCP Server service. This allows members to view informa on and
proper es stored at a specified DHCP server. This informa on is useful to support staff when they need to obtain DHCP status reports.
Both the DHCP Administrators group and DHCP Users group are created automa cally when the DHCP server role is installed using
Server Manager.
Right answer: D
4/27/2019 Training
A Use the DHCP console on Server1 to create a DHCP scope on Server2: No

Use the DHCP console on Server1 to create a DHCP scope on Server3: Yes
Use the IPAM node of Server Manager on Server1 to create a DHCP scope on Server4: No
B Use the DHCP console on Server1 to create a DHCP scope on Server3: No
Use the IPAM node of Server Manager on Server1 to create a DHCP scope on Server4: Yes
Use the DHCP console on Server1 to create a DHCP scope on Server2: No

C Use the DHCP console on Server1 to create a DHCP scope on Server3: No
Use the IPAM node of Server Manager on Server1 to create a DHCP scope on Server4: Yes
D Use the DHCP console on Server1 to create a DHCP scope on Server3: No
Use the IPAM node of Server Manager on Server1 to create a DHCP scope on Server4: No
4/27/2019 Training
Microsoft - 70-741

You are the administrator for your company. Your Network contains an Ac ve Directory domain named contoso.com. You pilot
DirectAccess on the network.
During the pilot deployment, you enable DirectAccess only for a group named Contoso\Test Computers. Ones the pilot is complete,
you need to enable DirectAccess for all the client computers in the domain.
What should you do?
Right answer: D
A From Windows PowerShell, run the Set-DAClient cmdlet.
B From Windows PowerShell, run the Set-DirectAccess cmdlet.
C From Ac ve Directory Users and Computers, modify the membership of the Windows Authoriza on Access Group.
From Group Policy Management, modify the security filtering of an object named Direct Access Client Se ng Group
D
Policy.
4/27/2019 Training
Microsoft - 70-741

Implement an Advanced Network Infrastructure (15-20%)
You have two Windows Server Update Services (WSUS) Server named Server1 and Server2. Server1 downloads updates from
Microso update.
You need to ensure that Server2 syncronizes updates from Server1.
Which port should to open on the Firewall between Server1 and Server2?
Explana on:
WSUS upstream and downstream servers will synchronize on the port configured by the WSUS Administrator. By default, these ports
are configured as follows:
On WSUS 3.2 and earlier, port 80 for HTTP and 443 for HTTPS
On WSUS 6.2 and later (at least Windows Server 2012), port 8530 for HTTP and 8531 for HTTPS
The firewall on the WSUS server must be configured to allow inbound traffic on these ports.
Right answer: D
A 80
B 443
C 3389
D 8530
4/27/2019 Training
Microsoft - 70-741

You have an applica on named App1. App1 is distributed to mul ple Hyper-V virtual machines in a mul tenant environment.
You need to ensure that the traffic is distributed evenly among the virtual machines that host App1.
What should you include in the environment?
Explana on:
Cloud Service Providers (CSPs) and Enterprises that are deploying So ware Defined Networking (SDN) in Windows Server 2016
Technical Preview can use So ware Load Balancing (SLB) to evenly distribute tenant and tenant customer network traffic among
virtual network resources. The Windows Server SLB enables mul ple servers to host the same workload, providing high availability and
scalability.
Windows Server SLB includes the following capabili es.
Layer 4 (L4) load balancing services for “North-South” and “East-West” TCP/UDP traffic.
Public and Internal network traffic load balancing.
Supports dynamic IP addresses (DIPs) on virtual Local Area Networks (VLANs) and on virtual networks that you create by using
Hyper-V Network Virtualiza on.
Health probe support.
Ready for cloud scale, including scale-out capability, and scale up capability for mul plexers and Host Agents.
So ware Load Balancer are implemented by use of the Network Controller feature.
Reference: h ps://technet.microso .com/en-us/library/mt632286.aspx
Right answer: B
A Network Controller and Windows Server Network Load Balancing (NLB) nodes.
B Network Controller and Windows Server So ware Load Balancing (SLB) nodes.
C An RAS Gateway and Windows Server Network Load Balancing (NLB) nodes.
D An RAS Gateway and Windows Server So ware Load Balancing (SLB) nodes.
4/27/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. You need to configure Server1 as a mul tenant RAS Gateway.
What should you install on Server1?
Right answer: B
A The Network Policy and Access Services server role
B The Remote Access server role
C The Data Center Bridging feature
D The Network Controller server role
4/27/2019 Training
Microsoft - 70-741

Note: This ques on is part of a series of ques ons that present the same scenario. Each ques on in the series contains a unique
solu on. Determine whether the solu on meets the stated goals.
Your network contains an Ac ve Directory domain named contoso.com. The domain contains a DNS server named Server1. All client
computers run Windows 10.
On Server1, you have the following zone configura on.
You have the following subnets defined on Server1:
You need to prevent Server1 from resolving queries from DNS clients located on Subnet4. Server1 must resolve queries from all other
DNS clients.
Solu on: From a Group Policy object (GPO) in the domain, you modify the Network List Manager Policies.
Does this meet the goal?
Explana on:
Network List Manager policies are security se ngs that you can use to configure different aspects of how networks are listed and
displayed on one device or on many devices.
We should create a firewall rule to block access to the DNS Server service from specific subnets.
Right answer: B
A Yes
B No
4/27/2019 Training
4/27/2019 Training
Microsoft - 70-741

DNS clients.
Solu on: From the Security se ng of each zone on Server1, you modify the permissions.
Explana on:
Modify the permissions of the zones will affect all clients.
We should create a firewall rule to block access to the DNS Server service from specific subnets.
Right answer: B
A Yes
B No
4/27/2019 Training
4/27/2019 Training
Microsoft - 70-741

DNS clients.
Solu on: From Windows Firewall with Advanced Security on Server1, you create an inbound rule.
Explana on:
We can create a firewall rule to block access to the DNS Server service and restrict the rule to remote computers on subnet4.
Right answer: A
A Yes
B No
4/27/2019 Training
Microsoft - 70-741

DNS clients.
Solu on: From a Group Policy object (GPO) in the domain, you modify the Name Resolu on Policy.
Right answer: B
A Yes
B No
4/27/2019 Training
Microsoft - 70-741

DNS clients.
Solu on: From Windows PowerShell on Server1, you run the Add-DnsServerTrustAnchor cmdlet.
Right answer: B
A Yes
B No
4/27/2019 Training
Microsoft - 70-741

DNS clients.
Solu on: From Windows PowerShell on Server1, you run the Export-DnsServerDnsSecPublicKey cmdlet.
Explana on:
The Export-DnsServerDnsSecPublicKey cmdlet exports delega on signer (DS) or Domain Name System public key (DNSKEY)
informa on for a Domain Name System Security Extensions (DNSSEC)-signed zone.
Right answer: B
A Yes
B No
4/27/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. You need to deploy the first node cluster of a Network Controller
cluster.
Which four cmdlets should you run in sequence?
(To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.)
Explana on:
Reference: h ps://technet.microso .com/de-de/library/mt282165.aspx
Right answer: B
A Steps: 1, 4, 2, 3
B Steps: 1, 2, 5, 4
C Steps: 4, 5, 2, 3
D Steps: 4, 2, 5, 3
4/27/2019 Training
Microsoft - 70-741

You install a new Nano Server named Nano1. Nano1 is a member of a workgroup and has an IP address of 192 1698 1.10.
You have a server named Server1 that runs Windows Server 2016.
From Server1, you need to establish a Windows PowerShell session to Nano1.
How should you complete the PowerShell script?
(To answer, drag the appropriate cmdlets to the correct targets Each cmdlet may be used once, more than once, or not at all.)
Explana on:
In an Ac ve Directory environment, you can just use the computer name to connect to a remote machine. If you remotely connect to a
standalone machine, you usually have to use the IP address instead. If you try to connect to the remote computer with the Enter-
PSSession cmdlet using the IP address of the remote machine, PowerShell will throw an error because the remote system cannot
authen cate your creden als.
You may use the winrm command to add the IP to the trusted hosts:
winrm set winrm/config/client @{TrustedHosts="192.168.1.10"}
Or you may use the PowerShell way to add an IP address to the trusted hosts:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "192.168.1.10" -Force
Use the Get-Item cmdlet and view the trusted hosts from the WSMan drive, as shown here.
Get-Item WSMan:\localhost\Client\TrustedHosts
Right answer: B
4/27/2019 Training
A P1: Enter-PSSession
P2: Set-Item
P1: Set-Item
B
P2: Enter-PSSession
P1: Set-LocalUser
C
P2: Set-ItemProperty
P1: Set-ItemProperty
D
P2: Enter-PSSession
P1: Enable-PSRemo ng
E
P2: Set-LocalUser
4/27/2019 Training
Microsoft - 70-741

You enable Response Rate Limi ng on Server1.
You need to prevent Response Rate Limi ng from applying to hosts that reside on the network of 10.0.0.0/24.
Which cmdlets should you run?
Explana on:
The Add-DnsServerClientSubnet cmdlet adds a client subnet to a Domain Name System (DNS) server. A client subnet is a group of IP
subnets. A client subnet is iden fied by a name. A client subnet contains two lists of IP address, one for IPv4 subnets and one for IPv6
subnets. A client subnet can represent a logical group, for example, a geographical area, a datacenter, or a trusted resolver fleet. You
can use client subnets in criteria in DNS policies. Mul ple DNS policies can refer to the same client subnet.
The Add-DnsServerResponseRateLimi ngExcep onlist cmdlet adds a Response Rate Limi ng (RRL) excep on list on the DNS server.
The RRL excep on list indicates that responses to queries for specified Fully Qualified Domain Names (FQDNs), queries origina ng
from specified client subnets, queries received on specified server interfaces, or any combina on of these values, are exempt from
RRL.
See also:
h ps://blogs.technet.microso .com/teamdhcp/2015/08/28/response-rate-limi ng-in-windows-dns-server/
Right answer: A
First cmdlet to run: Add-DnsServerClientSubnet
A
Second cmdlet to run: Set-DnsServerResponseRateLimi ngExcep onlist
First cmdlet to run: Enable-DnsServerPolicy

B
Second cmdlet to run: Add-DnsServerZoneScope
4/27/2019 Training
C First cmdlet to run: Set-DnsServerResponseRateLimi ng

Second cmdlet to run: Add-DnsServerQueryResolu onPolicy
First cmdlet to run: Set-DnsServerResponseRateLimi ngExcep onlist

D
Second cmdlet to run: Set-DnsServerDsSe ng
4/27/2019 Training
Microsoft - 70-741

You are deploying DirectAccess to a server named DA1. DA1 will be located behind a firewall and will have a single network adapter.
The intermediary network will be IPv4.
You need to configure firewall to support DirectAccess.
Which firewall rules should you create for each type of traffic?
(To answer, drag the appropriate ports and protocols to the correct traffic types. Each port and protocol may be used once, more than
once, or not at all.)
4/27/2019 Training
Explana on:
“Most organiza ons use an Internet firewall between the Internet and the computers on their perimeter network. The firewall is
typically configured with packet filters that allow specific types of traffic to and from the perimeter network computers. When you add
a Forefront UAG DirectAccess server to your perimeter network, you must configure addi onal packet filters, to allow the traffic to and
from the Forefront UAG DirectAccess server for all the traffic that a DirectAccess client uses to obtain IPv6 connec vity to the
Forefront UAG DirectAccess server.
The following describes the type of traffic you can configure on your Internet firewall depending on whether the Forefront UAG
DirectAccess server is on an IPv4 or IPv6 Internet.
When the Forefront UAG DirectAccess server is on the IPv4 Internet
Configure packet filters on your Internet firewall to allow the following types of IPv4 traffic for the Forefront UAG DirectAccess server:
Protocol 41 inbound and outbound—For DirectAccess clients that use the 6to4 IPv6 transi on technology to encapsulate IPv6
packets with an IPv4 header. In the IPv4 header, the Protocol field is set to 41 to indicate an IPv6 packet payload.
UDP des na on port 3544 inbound and UDP source port 3544 outbound—For DirectAccess clients that use the Teredo IPv6
transi on technology to encapsulate IPv6 packets with an IPv4 and UDP header. The Forefront UAG DirectAccess server is
listening on UDP port 3544 for traffic from Teredo-based DirectAccess clients.
TCP des na on port 443 inbound and TCP source port 443 outbound—For DirectAccess clients that use IP-HTTPS to
encapsulate IPv6 packets within an IPv4-based HTTPS session. The Forefront UAG DirectAccess server is listening on TCP port 443
for traffic from IP-HTTPS-based DirectAccess clients.
Reference: h ps://blogs.technet.microso .com/tomshinder/2010/05/06/directaccess-and-firewalls-and-nat/
Right answer: B
Teredo traffic: IP protocol ID 1
A 6to4 traffic: TCP 443
IP-HTTPS: IP protocol ID 41
Teredo traffic: UDP 3544

B 6to4 traffic: IP protocol ID 41
IP-HTTPS: TCP 443
Teredo traffic: UDP 3544

C 6to4 traffic: IP protocol ID 1
IP-HTTPS: TCP 443
Teredo traffic: TCP 443

D 6to4 traffic: IP protocol ID 1
IP-HTTPS: UDP 3544
4/27/2019 Training
Microsoft - 70-741

You have a server named Server1. Server1 runs Windows Server 2016 and will be used as a VPN server.
You need to configure Server1 to support VPN Reconnect.
Which VPN protocol should you use?
Right answer: D
A PPTP
B L2TP
C SSTP
D lKEv2
4/27/2019 Training
Microsoft - 70-741

Server1 is configured to use a forwarder named Server2 that has an IP address of 10.0.0.10.
Server2 can resolve names hosted on the Internet successfully. Server2 hosts a primary DNS zone named adatum.com.
The "." zone contains the following records.
For each of the following statements, select Yes of the statement is true. Otherwise, select No.
Explana on:
The DNS server Server1 hosts the root zone represented as a dot ( . ). This will prevent Server1 from using forwarders and root hints.
Server1 caon only resolve hostnames within the zones contoso.com and fabrikam.com.
Right answer: B
Server1 can resolve host names that are in the adatum,com zone on Server2: Yes
A Server1 can resolve www.microso .com to an IP address successfully: No
Server1 can resolve host names that are in the contoso.com zone: Yes
B Server1 can resolve host names that are in the adatum,com zone on Server2: No
Server1 can resolve www.microso .com to an IP address successfully: No
4/27/2019 Training
Server1 can resolve host names that are in the adatum,com zone on Server2: Yes
C Server1 can resolve www.microso .com to an IP address successfully: Yes
Server1 can resolve host names that are in the adatum,com zone on Server2: No
D Server1 can resolve www.microso .com to an IP address successfully: Yes
4/27/2019 Training
Microsoft - 70-741

On Server1, you have the following zone configura on:
You need to ensure that all of the client computers in the domain perform DNSSEC valida on for the fabrikam.com namespace.
Solu on: From a Group Policy object (GPO) in the domain, you add a rule to the Name Resolu on Policy Table (NRPT).
Right answer: A
A Yes
B No
4/27/2019 Training
Microsoft - 70-741

You have an Ac ve Directory domain that contains several Hyper-V hosts that run Windows Server 2016.
You plan to deploy network virtualiza on and central management of Datacenter Firewall policies.
Which component must you install for the planned deployment?
Right answer: C
A The Rou ng role service
B The Canary Network Diagnos cs feature
C The Network Controller server role
D The Data Center Bridging feature
4/27/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains three servers named Server1, Server2,
and Server3 that run Windows Server 2016.
Server1 has IP Address Management (IPAM) installed. Server2 and Server3 have the DHCP Server role installed and have several DHCP
scopes configured.
The IPAM server retrieves data from Server2 and Server3.
A domain user named User1 is a member of the groups shown in the following table.
On Server1, you create a security policy for User1. The policy grants the IPAM DHCP Scope Administrator Role with the \Global access
scope to the user.
Which ac ons can User1 perform?
4/27/2019 Training
Explana on:
Members of the DHCP Administrators group have administra ve access to the Dynamic Host Configura on Protocol (DHCP) Server
service. This group provides a way to assign limited administra ve access to the DHCP server only, while not providing full access to
the server. Members of this group can administer DHCP on a server using the DHCP console or the Netsh command, but are not able
to perform other administra ve ac ons on the server.
Members of the DHCP Users group have read-only access to the DHCP Server service. This allows members to view informa on and
proper es stored at a specified DHCP server. This informa on is useful to support staff when they need to obtain DHCP status reports.
Both the DHCP Administrators group and DHCP Users group are created automa cally when the DHCP server role is installed using
Server Manager. .
The "IPAM DHCP scope administrators" role grants permission to manage DHCP scopes within the given acces scope. The role includes
the permissions create DHCP scope, edit DHCP scope and edit DHCP scope op ons.
Right answer: F
From Server Manager on Server1, User1 can modify the descrip on of the DHCP scopes: On Server2 only
A
From Server Manager on Server1, User1 can create a new DHCP scope: On Server2 only
B
From Server Manager on Server1, User1 can create a new DHCP scope: On both Server2 and Server3
C
D
From Server Manager on Server1, User1 can modify the descrip on of the DHCP scopes: On both Server2 and
E Server3
From Server Manager on Server1, User1 can modify the descrip on of the DHCP scopes: On both Server2 and
F Server3
From Server Manager on Server1, User1 can create a new DHCP scope: On both Server2 and Server3
4/27/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains a server named Server1 that runs
You install IP Address Management (IPAM) on Server1.
You need to manually start discovery of servers that IPAM can manage in contoso.com.
Which three cmdlets should you run in sequence?
(To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.)
Right answer: A
A Order: 2, 6, 1
B Order: 6, 3, 1
C Order: 4, 5, 3
D Order: 2, 6, 3
4/27/2019 Training
Microsoft - 70-741

solu on that might meet the stated goals. Some ques on sets might have more than one correct solu on, while others might not have
a correct solu on.
You network contains an Ac ve Directory domain named contoso.com. The domain contains a member server named Server1 that
runs Windows Server 2016 and has the DNS Server role installed.
Automa c scavenging of stale records is enabled and the scavenging period is set to 10 days.
All client computers dynamically register their names in the contoso.com DNS zone on Server1.
You discover that the names of mul ple client computers that were removed from the network several weeks ago can s ll be resolved.
You need to configure Server1 to automa cally remove the records of the client computers that have been offline for more than 10
days.
Solu on: You run the dnscmd.exe command and specify the /AgeAllRecords parameter for the zone.
Explana on:
The ques on states that automa c scavenging of stale records is enabled. Automa c scavenging of stale records is a server se ng. To
ensure that zone data is processed by this feature, we have to configure Aging for the zone. Per default Zone Aging is disabled.
Dnscmd /ageallrecords sets the current me on a me stamp on resource records at a specified zone or node on a DNS server.
The ageallrecords command is for backward compa bility between the current version of DNS and previous releases of DNS in which
aging and scavenging were not supported. It adds a me stamp with the current me to resource records that do not have a me
stamp, and it sets the current me on resource records that do have a me stamp.
Record scavenging does not occur unless the records are me stamped.
Client computers which dynamically register their names maintain a mestamp per default. Names that are manually added are
marked as sta c.
Right answer: B
A Yes
B No
4/27/2019 Training
4/27/2019 Training
Microsoft - 70-741

a correct solu on.
days.
Solu on: You modify the Zone Aging/Scavenging proper es of the zone.
Right answer: A
A Yes
B No
4/27/2019 Training
Microsoft - 70-741

a correct solu on.
days.
Solu on: You set the Time to live (TTL) value of all of the records in the zone.
Explana on:
ensure that zone data is processed by this feature, we have to configure Aging for the zone. By default Zone Aging is disabled.
The Time to live (TTL) value of the records in the zone specify how long the client will cache the resolved IP address.
Right answer: B
A Yes
B No
4/27/2019 Training
Microsoft - 70-741

a correct solu on.
Your network contains an Ac ve Directory domain named contoso.com. The domain contains a DHCP server named Server2 than runs
Users report that their client computers fail to obtain an IP address.
You open the DHCP console as shown in the following Exhibit.
Scope1 has an address range of 172.16.0.10 to 172.16.0.100 and a prefix length of 23 bits.
You need to ensure that all of the client computers on the network can obtain an IP address from Server2.
Solu on: You run the Set-DhcpServerv4Scope cmdlet.
Right answer: A
A Yes
B No
4/27/2019 Training
Microsoft - 70-741

a correct solu on.
Solu on: You run the Reconcile-DhcpServerv4IPRecord cmdlet.
Right answer: B
A Yes
B No
4/27/2019 Training
Microsoft - 70-741

a correct solu on.
Solu on: You run the Repair-DhcpServerv4IPRecord cmdlet.
Right answer: B
A Yes
B No
4/27/2019 Training
Microsoft - 70-741

a correct solu on.
You network contains an Ac ve Directory domain named contoso.com. The domain contains a DHCP server named Server1.
All client computers run Windows 10 and are configured as DHCP clients.
Your helpdesk received calls today from users who failed to access the network from their Windows 10 computer.
You open the DHCP console as shown in the following exhibit.
You need to ensure that all of the Windows 10 computers can receive a DHCP lease.
Solu on: You ac vate the scope.
Right answer: A
A Yes
B No
4/27/2019 Training
4/27/2019 Training
Microsoft - 70-741

a correct solu on.
Solu on: You start the DHCP Server service.
Right answer: B
A Yes
B No
4/27/2019 Training
4/27/2019 Training
Microsoft - 70-741

a correct solu on.
Solu on: You increase the scope size.
Right answer: B
A Yes
B No
4/27/2019 Training
4/27/2019 Training
Microsoft - 70-741

Note: This ques on is part of a series of ques ons that use the same scenario. For your convenience, the scenario is repeated in each
ques on. Each ques on presents a different goal and answer choices, but the text of the scenario is exactly the same in each ques on
in this series.
Start of repeated scenario.
Your network contains an Ac ve Directory domain named contoso.com. The func onal level of the domain is Windows Server 2012.
The network uses an address space of 192.168.0.0/16 and contains mul ple subnets. The network is not connected to the Internet.
The domain contains three servers configured as shown in the following table.
Client computers obtain TCP/IP se ngs from Server3.
You add a second network adapter to Server2. You connect the new network adapter to the Internet. You install the Rou ng role
service on Server2.
Server1 has four DNS zones configured as shown in the following table.
End of repeated scenario.
You need to create a zone to ensure that Server1 can resolve single-label names.
What should you name the zone on Server1?
Right answer: D
A .(root)
B WINS
C NetBIOS
4/27/2019 Training
D GlobalNames
4/27/2019 Training
Microsoft - 70-741

in this series.
service on Server2.
You need to ensure that when a computer is removed from the network, the associated records are deleted automa cally a er 15
days.
Which two ac ons should you perform?
(Each correct answer presents part of the solu on.)
Right answer: B, D
A Create a scheduled task that runs the Remove-Computer cmdlet.
4/27/2019 Training
B Modify the Zone Aging/Scavenging Proper es of the zone.
C Modify the Time to live (TTL) value of the start of authority (SOA) record.
D Set the Scavenging period of Server1.
E Modify the Expires a er value of the start of authority (SOA) record.
4/27/2019 Training
Microsoft - 70-741

in this series.
service on Server2.
You need to ensure that when a record is added dynamically to fabrikam.com, only the computer that created the record can modify
the record.
The solu on must allow administrators to modify all of the records in fabrikam.com.
What should you do?
4/27/2019 Training
Explana on:
Domain Name System (DNS) client computers can use dynamic update to register and dynamically update their resource records with
a DNS server whenever changes occur. This reduces the need for manual administra on of zone records, especially for clients that
frequently move or change loca ons and use Dynamic Host Configura on Protocol (DHCP) to obtain an IP address.
Dynamic updates can be secure or nonsecure. DNS update security is available only for zones that are integrated into Ac ve Directory
Domain Services (AD DS). A er you directory-integrate a zone, access control list (ACL) edi ng features are available in DNS Manager
so that you can add or remove users or groups from the ACL for a specified zone or resource record.
Right answer: A
A Change fabrikam.com to an Ac ve Directory-integrated zone.
B Raise the func onal level of the domain.
C Modify the security se ngs of the Fabrikam.com.dns file.
D Modify the Start of Authority (SOA) se ngs of fabrikam.com.
4/27/2019 Training
Microsoft - 70-741

in this series.
service on Server2.
What should you do to enable Server2 as a NAT server?
4/27/2019 Training
Explana on:
Network address transla on (NAT) allows you to share a connec on to the public Internet through a single interface with a single
public IP address. The computers on the private network use private, non-routable addresses. NAT maps the private addresses to the
public address.
To enable network address transla on addressing
1. In the RRAS MMC snap-in, expand Your Server Name. If you are using Server Manager, expand Rou ng and Remote Access.
2. Expand IPv4, right-click NAT, and then click Proper es.
3. If you do not have a DHCP server on the private network, then you can use the RRAS server to respond to DHCP address
requests. To do this, on the Address Assignment tab, select the Automa cally assign IP addresses by using the DHCP
allocator check box.
4. To allocate addresses to clients on the private network by ac ng as a DHCP server, in IP address and Mask, configure a subnet
address from which the addresses are assigned. For example, if you enter 192.168.0.0and a subnet mask of 255.255.255.0,
then the RRAS server responds to DHCP requests with address assignments from 192.168.0.1 through 192.168.0.254.
5. (Op onal) To exclude addresses in the configured network range from being assigned to DHCP clients on the private network,
click Exclude, click Add, and then configure the addresses.
6. To add the public interface to the NAT configura on, right-click NAT, and then click New Interface. Select the interface connected
to the public network, and then click OK.
7. On the NAT tab, click Public interface connected to the Internet and Enable NAT on this interface, and then click OK.
8. To add the private interface to the NAT configura on, right-click NAT, and then click New Interface. Select the interface
connected to the private network, and then click OK.
9. On the NAT tab, click Private interface connected to private network, and then click OK.
Right answer: C
A From Rou ng and Remote Access, add an interface.
B From Windows PowerShell, run the New-Rou ngGroupConnector cmdlet.
C From Rou ng and Remote Access, add a rou ng protocol.
D From Windows PowerShell, run the Install-WindowsFeature cmdlet.
4/27/2019 Training
Microsoft - 70-741

Note: This ques on is part of a series of ques ons that use the same or similar answer choices. An answer choice may be correct for
more than one ques on in the series. Each ques on is independent of the other ques ons in this series. Informa on and details
provided in a ques on apply only to that ques on.
You have a DHCP server named Server1 that has three network cards. Each network card is configured to use a sta c IP address. Each
network card connects to a different network segment.
Server1 has an IPv4 scope named Scope1.
You need to ensure that Server1 only uses one network card when leasing IP addresses in Scope1.
What should you do?
(The help text contains addi onal answer choices.)
4/27/2019 Training
Explana on:
A computer running a Windows Server opera ng system can perform as a mul homed DHCP server. For mul homed servers, the
DHCP service binds to the first IP address sta cally configured for each network connec on in use.
By default, the service bindings depend on whether the first network connec on is configured dynamically or sta cally for TCP/IP.
Based on the method of configura on it uses, reflected by its current se ngs in Internet Protocol (TCP/IP) proper es, the DHCP Server
service performs default service bindings as follows:
If the first network connec on uses a manually specified IP address, the connec on is enabled in server bindings. For this to
occur, a value for IP address must be configured and the Use the following IP address op on selected in Internet Protocol
(TCP/IP) proper es. In this mode, the DHCP server listens for and provides service to DHCP clients.
If the first network connec on uses an IP address configured dynamically, the connec on is disabled in server bindings. This
occurs when the Obtain an IP address automa cally op on is selected in Internet Protocol (TCP/IP) proper es. For computers
running Windows Server opera ng systems, this is the default se ng. In this mode, the DHCP server does not listen for and
provide service to DHCP clients un l a sta c IP address is configured.
The DHCP server will bind to the first sta c IP address configured on each adapter.
By design, DHCP server bindings are enabled and disabled on a per-connec on, not per-address basis. All bindings are based on
the first configured IP address for each connec on appearing in the Network Connec ons folder. If addi onal sta c IP addresses
(for example, as set in Advanced TCP/IP proper es) are configured for the applicable connec on, these addresses are never used
by DHCP servers running Windows Server and are inconsequen al for server bindings.
DHCP servers running Windows Server never bind to any of the NDISWAN or DHCP-enabled interfaces used on the server. These
interfaces are not displayed in the DHCP console under the current server bindings list because they are never used for DHCP
service. Only addi onal network connec ons that have a primary sta c IP address configured can appear in the server bindings
list (or be selec vely enabled or disabled there).
Addi onal Answer Choices:

A: From the proper es of Scope1, modify the Conflict detec on a empts se ng.
B: From the proper es of Scope1, configure Name Protec on.
C: From the proper es of IPv4, configure the bindings.
D: From IPv4, create a new filter.
E: From the proper es of Scope1, create an exclusion range.
F: From IPv4, run the DHCP Policy Configura on Wizard.
G: From Control Panel, modify the proper es of Ethernet.
H: From Scope1, create a reserva on.
4/27/2019 Training
Right answer: C
A From the proper es of IPv4, modify the Conflict detec on a empts se ng.
B From the proper es of Scope1, configure Name Protec on.
C From the proper es of IPv4, configure the bindings.
D From IPv4, create a new filter.
E From the proper es of Scope1, create an exclusion range.
F From IPv4, run the DHCP Policy Configura on Wizard.
4/27/2019 Training
Microsoft - 70-741

You have a DHCP server named Server1 that has an IPv4 scope named Scope1.
Users report that when they turn on their client computers, it takes a long me to access the network.
You validate that it takes a long me for the computers to receive an IP address from Server1.
You monitor the network traffic and discover that Server1 issues five ping commands on the network before leasing an IP address.
You need to reduce the amount of me it takes for the computers to receive an IP address.
What should you do?
4/27/2019 Training
Explana on:
When conflict detec on a empts are set, the DHCP server uses the ping process to test available scope IP addresses before including
these addresses in DHCP lease offers to clients.
A successful ping means the IP address is in use on the network. Therefore, the DHCP server does not offer to lease the address to a
client. If the ping request fails and mes out, the IP address is not in use on the network. In this case, the DHCP server offers to lease
the address to a client.
Each addi onal conflict detec on a empt delays the DHCP server response by a second while wai ng for the ping request to me out.
This increases the load on the server.
To change the address conflict detec on value
1. Click Start, point to Administra ve Tools and then click DHCP.
2. In the console tree, expand the applicable DHCP server, right click IPv4, right-click the applicable scope and then click Proper es.
3. Click Advanced, type 1, 2 or 3 in Conflict detec on a empts: and then click OK.

Right answer: A
4/27/2019 Training
4/27/2019 Training
Microsoft - 70-741

You have a DHCP server named Server1 that has three network cards. Each network card is configured to use a sta c IP address.
You need to prevent all client computers that have physical address beginning with 98-5F from leasing an IP address from Server1.
What should you do?
4/27/2019 Training
Explana on:
MAC address based filtering allows specific control over which clients have access to DHCP addresses. You can create a list of
computers that are allowed to obtain DHCP addresses from the server by MAC. Likewise, you can deny computers access by adding
their MAC addresses to the DHCP deny list. By enabling the allow list, you automa cally deny DHCP addresses to any client computer
not on the list.
Depending on your configura on of reserva ons and allow/deny lists, you may have to change either the allow or deny list to correct
this conflict. If a client has a reserva on, there is an allow list enabled, and the client is not on the allow list, you’ll need to add the
client’s MAC address to the list. If a client has a reserva on, the allow list is not enabled, and the client is on the deny list, you’ll have
to remove the MAC address for that client from the deny list.
Membership in the Administrators or DHCP Administrators group is the minimum required to complete this procedure.
To add a MAC address to the DHCP allow list
2. In the console tree, expand the applicable DHCP server, expand IPv4, and then expand Filters
3. Click Allow, click New Filter…, type the Mac address and Descrip on of the client to allow, and then click Add.
To remove a MAC address from the DHCP deny list
2. In the console tree, expand the applicable DHCP server, expand IPv4, and then expand Filters
3. Click Deny, right-click the MAC address of the client with the corresponding reserva on, click Delete and then click Yes.

Right answer: D
4/27/2019 Training
4/27/2019 Training
Microsoft - 70-741

DNS clients.
Solu on: From Windows PowerShell on Server1, you run the Add-DnsServerQueryResolu onPolicy cmdlet.
Right answer: A
A Yes
B No
4/27/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016 and is configured as a domain controller. You install the DNS Server
server role on Server1.
You plan to store a DNS zone in a custom Ac ve Directory par on.
You need to create a new Ac ve Directory par on for the zone.
What should you use?
Explana on:
We can use dnscmd.exe to create a custom Ac ve Directory par on:
dnscmd dc1 /CreateDirectoryPar on par on1.contoso.com
To enlist an addi onal domain controller for replica on of the new par ton execute:
dnscmd dc2 /EnlistDirectoryPar on par on1.contoso.com
Right answer: D
A Set-DnsServer
B Ac ve Directory Sites and Services
C Dns.exe
D Dnscmd.exe
4/27/2019 Training
Microsoft - 70-741

You network contains an Ac ve Directory named contoso.com. The domain contains two servers named Server1 and Server2 that run
Server1 has IP Address Management (IPAM) installed. Server2 has the DHCP Server role installed. The IPAM server retrieves data from
Server2.
The domain has two users named User1 and User2 and a group named Group1. User1 is the only member of Group1.
Server1 has one IPAM access policy. You edit the access policy as shown in the following exhibit.
The DHCP scopes are configured as shown in the following Exhibit.
4/27/2019 Training
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Explana on:
Group1 has "IPAM DHCP scope administrators" role permissions for the access scope Scope2. Address scope Scope2 and address
scope Scope3 are within access scope Scope2.
The "IPAM DHCP scope administrators" role grants permission to manage DHCP scopes within the given acces scope. The role includes
the permissions create DHCP scope, edit DHCP scope and edit DHCP scope op ons.
Right answer: D
User1 can modify the descrip on of Scope1: Yes
A User2 can modify the descrip on of Scope1: Yes

B User2 can modify the descrip on of Scope1: No
User1 can modify the descrip on of Scope1: No

C User2 can modify the descrip on of Scope1: Yes

D User2 can modify the descrip on of Scope1: No
4/27/2019 Training
4/27/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory forest named contoso.com. The forest contains two domains named contoso.com and
litwareinc.com.
Your company recently deployed DirectAccess for the members of a group named DA_Computers. All client computers are members
of DA_Computers.
You discover that DirectAccess clients can access the resources located in the contoso.com domain only.
The clients can access the resources in the litwareinc.com domain by using an L2TP VPN connec on to the network.
You need to ensure that the DirectAccess clients can access the resources in the litwareinc.com domain.
What should you do?
Explana on:
In order for the DirectAccess (DA) client to determine whether to turn on it’s DirectAccess client configura on (which connects the DA
client to the DA server), it must know if it is on the corporate network or not. If the DA client is not on the corporate network, then the
DA client components are turned on, and if the DA client is on the corporate network, then the DA client components are not turned
on.
DA client off the corporate network – DA client components are turned on

DA client on the corporate network – DA client components are turned off
When the DA client components are turned on, the DA client tries to reach corporate resources though a connec on through the
DA server.
If the DA client components are not turned on, then the DA client connects directly to the resources.
The DA client uses a Network Loca on Server (NLS) to find out if it is on the corporate network. The NLS is a web server that is
accessible only when the client is on the corporate network. That means there must never be a DNS entry on the public Internet that
matches the name of your NLS server. For example, if the name of your NLS server is nls.contoso.com, then that name must not be
resolvable by any public DNS server. However, that name mustbe resolvable by your internal NLS servers.
When the DA client has disabled its DA client components, it resolves names based on the DNS server IP address se ngs on its NIC.
However, when the DA client has enabled its DA client configura on, name resolu on depends on the se ngs on the Name
Resolu on Policy Table or NRPT.
The NRPT provides a form of “DNS server rou ng” based on the names configured on the NRPT. You configure the NRPT during the
setup of the Windows DA server or the UAG DA server.
Reference: DirectAccess Client Loca on Awareness – NRPT Name Resolu on
Right answer: A
A From a Group Policy object (GPO), modify the Name Resolu on Policy Table (NRPT).
B From the proper es of the servers in litwareinc.com, configure the delega on se ngs.
4/27/2019 Training
C On an external DNS server, create a zone delega on for litwareinc.com.
D Add the servers in litwareinc.com to the RAS and IAS Servers group.
4/27/2019 Training
Microsoft - 70-741

Implement Core and Distributed Network Solu ons (15-20%)
Your company has two main offices. The offices are located in London and Sea le. All servers run Windows Server 2016.
In the Sea le office, you have a Distributed File System (DFS) server named FS1. FS1 has a folder named Folder1 that contains large
Windows image files.
In the London office, you deploy a DFS server named FS2, and you then replicate Folder1 to FS2.
A er several days, you discover that the replica on of certain files failed to complete.
You need to ensure that all of the files in Folder1 can replicate to FS2.
What should you do?
Explana on:
DFS Replica on uses staging folders for each replicated folder to act as caches for new and changed files that are ready to be
replicated from sending members to receiving members. These files are stored under the local path of the replicated folder in the
DfsrPrivate\Staging folder.
By default, the quota size of each staging folder is 4,096 MB, and the quota size of each Conflict and Deleted folder is 660 MB. The size
of each folder on a member is cumula ve per volume, so if there are mul ple replicated folders on a member, DFS Replica on creates
mul ple staging and Conflict and Deleted folders, each with its own quota.
You can edit the quota of the staging folder and Conflict and Deleted folder on a per-replicated folder, per-member basis. You can also
change the loca on of the staging folder.
Important:
For the ini al replica on of exis ng data on the primary member, the staging folder quota must be large enough so that replica on
can con nue even if mul ple large files remain in the staging folder because partners cannot promptly download the files.
To properly size the staging folder for ini al replica on, you must take into account the size of the files to be replicated. At a minimum,
the staging folder quota should be at least the size of the 32 largest files in the replicated folder, or the 16 largest files for read-only
replicated folders. To improve performance, set the size of the staging folder quota as close as possible to the size of the replicated
folder.
To determine the size of the largest files in a replicated folder using Windows Explorer, sort by size and add the 32 largest file sizes (16
if it’s a read-only replicated folder) to get the minimum staging folder size. To get the recommended minimum staging folder size (in
gigabytes) from a Windows PowerShell® command prompt, use this Windows PowerShell command where <replicatedfolderpath> is
the path to the replicated folder (change 32 to 16 for read-only replicated folders):
(Get-ChildItem <replicatedfolderpath> -recurse –force | Sort-Object length -descending | select-object -

first 32 | measure-object -property length -sum).sum /1gb
Right answer: D
4/27/2019 Training
A Modify the disk quota of the drive that contains Folder1.
B From a command prompt, run dfsu l /purgemupcache.
C Create a quota for Folder1 by using File Server Resource Manager (FSRM).
D Modify the size of staging area of Folder1.
4/27/2019 Training
Microsoft - 70-741

You company has a main office in London. The company has 1,000 users who are located in many countries. You plan to deploy a large
remote access solu on for the company.
The London office has three servers named Server1, Server2, and Server3 that run Windows Server 2016. You plan to use Server1 as a
VPN server, Server2 as a RADIUS proxy, and Server3 as a RADIUS server.
You need to configure Server2 to support the planned deployment.
Which three ac ons should you perform on Server2?
(Each correct answer presents part of the solu on.)
Explana on:
The following checklist provides the steps required to configure NPS as a RADIUS proxy that forwards connec on requests to other
RADIUS servers for authen ca on and authoriza on:
Checklist: Configure NPS as a RADIUS Proxy
Right answer: A, C, E
A Create a connec on request policy.
B Deploy a Windows container.
C Add a RADIUS client.
D Create a network policy.
E Create a remote RADIUS server group.
4/27/2019 Training
Microsoft - 70-741

You have two Hyper-V hosts named Server1 and Server2 that run Windows Server 2016. Server1 and Server2 are connected to the
same network.
On Server1 and Server2, you create an external network switch named Switch1.
You have the virtual machine shown in the following table.
All three virtual machines are connected to Switch1.
You need to prevent applica ons in VM3 from being able to capture network traffic from VM1 or VM2. The solu on must ensure that
VM1 retains network connec vity.
What should you do?
Explana on:
We can use the VLAN ID se ngs of the VMs or configure network virtualiza on. Hyper-V Network Virtualiza on (HNV) is a very
complex theme with a high learning curve.
See also: What's New in Hyper-V Network Virtualiza on
Right answer: A
A Configure network virtualiza on for VM1 and VM2.
B Modify the subnet mask of VM1 and VM2.
C On Server2, configure the VLAN ID se ng of Switch1.
D On Server2, create an external switch and connect VM3 to the switch.
4/27/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. Server1 is a Hyper-V host that hosts a virtual machine named VM1.
Server1 has three network adapter cards that are connected to virtual switches named vSwitch1, vSwitch2 and vSwitch3.
You configure NIC Teaming on VM1 as shown in the following exhibit.
You need to ensure that VM1 will retain access to the network if a physical network adapter card fails on Server1.
What should you do?
4/27/2019 Training
Explana on:
We need to enable NIC Teaming in the advanced features of the VM:
Right answer: B
A From Windows PowerShell on VM1, run the Set-VmNetworkAdapterTeamMapping cmdlet.
B From Hyper-V Manager on Server1, modify the se ngs on VM1.
C From Windows PowerShell on Server1, run the Set-VmNetworkAdapterFailoverConfigura on cmdlet.
D From the proper es of the NIC team on VM1, add the adapter named Ethernet to the NIC team.
4/29/2019 Training
Microsoft - 70-741

Your company has 5,000 users who work remotely. You have 40 VPN servers that host the remote connec ons for the users.
You plan to deploy a RADIUS solu on that contains five RADIUS servers.
You need to ensure that client authen ca on requests are distributed evenly between the five RADIUS servers.
What should you do?
Explana on:
There are two methods you can use to balance the load of connec on requests sent to your NPS servers:
Configure your network access servers to send connec on requests to mul ple RADIUS servers. For example, if you have 20
wireless access points and two RADIUS servers, configure each access point to send connec on requests to both RADIUS servers.
You can load balance and provide failover at each network access server by configuring the access server to send connec on
requests to mul ple RADIUS servers in a specified order of priority. This method of load balancing is usually best for small
organiza ons that do not deploy a large number of RADIUS clients.
Use NPS configured as a RADIUS proxy to load balance connec on requests between mul ple NPS servers or other RADIUS
servers. For example, if you have 100 wireless access points, one NPS proxy, and three RADIUS servers, you can configure the
access points to send all traffic to the NPS proxy. On the NPS proxy, configure load balancing so that the proxy evenly distributes
the connec on requests between the three RADIUS servers. This method of load balancing is best for medium and large
organiza ons that have many RADIUS clients and servers.
Right answer: D
Install the Network Load Balancing role service on all of the RADIUS server. Configure all of the RADIUS clients to
A
connect to a virtual IP address.
B Deploy RAS Gateway to a new server. Configure all of the RADIUS clients to connect to RAS Gateway.
Install the Failover Clustering role service on all of the RADIUS servers. Configure all of the RADIUS clients to connect
C
to the IP address of the cluster.
D Deploy a RADIUS proxy to a new server. Configure all of the RADIUS clients to connect to the RADIUS proxy.
4/29/2019 Training
Microsoft - 70-741
Comments 0 Help Exhibit Back Next Right Result

You have a server named Server1 that runs Windows Server 2016. Server1 is a Hyper-V host.
You have two network adapter cards on Server1 that are Remote Direct Memory Access (RDMA) - capable.
You need to aggregate the bandwidth of the network adapter cards for a virtual machine on Server1. The solu on must ensure that
the virtual machine can use the RDMA capabili es of the network adapter cards.
Which command should you run first?
Explana on:
Virtual Switches based on NIC-teaming are not RDMA capable. We have to create a Switch Embedded Teaming (SET) virtual Switch.
Right answer: D
A Add-NetLbfoTeamNic -Name Produc on -NetAdapterName "NIC1", "NIC2" -EnableEmbeddedTeaming $true
B Add-VmNetworkAdapter -Name Produc on -NetAdapterName "NIC1", "NIC2" -EnablePacketDirect $true
C New-NetLbfoTeam -Name Produc on -NetAdapterName "NIC1", "NIC2" -EnableIov $true
D New-VmSwitch -Name Produc on -NetAdapterName "NIC1", "NIC2" -EnableEmbeddedTeaming $true
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains a domain-based Distributed File System
(DFS) namespace named Namespace1.
Namespace1 has the following configura on.
Namespace1 has a folder named Folder1. Folder1 has the targets shown in the following table.
You have the site links shown in the following table.
4/29/2019 Training
Explana on:
The referal ordering method is set to Insite Referrals this is equal to Exclude targets outside of the client's site.
A referral is an ordered list of targets that a client computer receives from a domain controller or namespace server when the user
accesses a namespace root or folder with targets. A er the client receives the referral, the client a empts to access the first target in
the list. If the target is not available, the client a empts to access the next target.
Targets on the client's site are always listed first in a referral. Targets outside of the client's site are listed according to the ordering
method.
The three ordering methods are:
Random order
Lowest cost
Exclude targets outside of the client's site
Random order
In this method, targets are ordered as follows:
1. Targets in the same AD DS site as the client are listed in random order at the top of the referral.
2. Targets outside of the client’s site are listed in random order.
If no same-site target servers are available, the client computer is referred to a random target server regardless of how expensive the
connec on is or how distant the target is.
Lowest cost
1. Targets in the same site as the client are listed in random order at the top of the referral.
2. Targets outside of the client’s site are listed in order of lowest cost to highest cost. Referrals with the same cost are grouped
together, and the targets are listed in random order within each group.
In this method, the referral contains only the targets that are in the same site as the client. These same-site targets are listed in
random order. If no same-site targets exist, the client does not receive a referral and cannot access that por on of the namespace.
Right answer: C
If a user in Site1 tries to connect to Folder1, the user will connect to \\Server1\Folder1 always: Yes
A
If a user in Site3 tries to connect to Folder1, the user will connect to either \\Server1\Folder1 or \\Server2\Folder1:
Yes
If a user in Site1 tries to connect to Folder1, the user will connect to \\Server1\Folder1 always: No
B
No
4/29/2019 Training
No
D
Yes
4/29/2019 Training
Microsoft - 70-741

You have a network address transla on (NAT) server named NAT1 that has an external IP address of 131.107.50.1 and an internal IP
address of 10.0.0.1.
You deploy a new server named Web1 that has an IP address of 10.0.0.211.
A remote server named app.fabrikam.com has an IP address of 131.107.1.232.
You need to make Web1 accessible to app.fabrikam.com through NAT1.
What command should you run from NAT1?
Explana on:
The Add-NetNatSta cMapping cmdlet adds a sta c mapping to a network address transla on (NAT) instance. A sta c mapping
enables an incoming connec on from an external network to access a host on an internal network through the NAT.
Right answer: F
A Add-NetNatExternalAddress -ExternalIPAddress 10.0.0.211 -InternalIPAddress 131.107.50.1
B Add-NetNatExternalAddress -ExternalIPAddress 131.107.1.232 -InternalIPAddress 10.0.0.211
C Add-NetNatExternalAddress -ExternalIPAddress 131.107.50.1 -InternalIPAddress 10.0.0.1
D Add-NetNatSta cMapping -ExternalIPAddress 10.0.0.211 -InternalIPAddress 131.107.1.232
E Add-NetNatSta cMapping -ExternalIPAddress 131.107.1.232 -InternalIPAddress 131.107.50.1
F Add-NetNatSta cMapping -ExternalIPAddress 131.107.50.1 -InternalIPAddress 10.0.0.211
4/29/2019 Training
Microsoft - 70-741

Server1 has Microso System Center 2016 Virtual Machine Manager (VMM) installed. Server2 has IP Address Management (IPAM)
installed.
You create a domain user named User1.
You need to integrate IPAM and VMM. VMM must use the account of User1 to manage IPAM. The solu on must use the principle of
least privilege.
What should you do on each server?
4/29/2019 Training
Explana on:
To create the VMM user account
1. On the IPAM server, open an elevated command prompt, type lusrmgr.msc, and press ENTER. The Local Users and
Groups console will open.
2. In the console tree, right-click Groups and click New Group.
3. In the New Group dialog box, next to Group name, type a name for the group, for example VMM Users.
4. Click Add, and under Enter the object names to select, type the username of the VMM user account, for example vmmuser, and
then click OK.
5. Confirm that the user account was added to the VMM Users group, and then click Create.
6. Click Close to close the New Group dialog box.
7. Leave the Local Users and Groups console open for the following procedure.
To assign permissions to the VMM user account
1. In the IPAM server console, in the upper naviga on pane, click ACCESS CONTROL, right-click Access Policies in the lower
naviga on pane, and then click Add Access Policy.
2. On the Add Access Policy page, click Add, type the name of the VMM Users group that was created in the previous procedure,
for example VMM Users, and then click OK.
3. Click Access Se ngs, click New, and then choose IPAM ASM Administrator Role from the drop-down list under Select role.
4. Verify that the Global access scope is selected, click Add Se ng, and then click OK.
5. In the Local Users and Groups console, right-click Remote Management Users and click Add to Group.
6. Click Add, and under Enter the object names to select, type the username of the VMM user account, for example vmmuser, and
then click OK.
7. Click OK to close Remote Management Users Proper es.
VMM must be granted permission to view and modify IP address space in IPAM, and to perform remote management of the IPAM
server. VMM uses a “Run As” account to provide these permissions to the IPAM network service plugin. The “Run As” account must be
configured with appropriate permission on the IPAM server.
Right answer: B
On Server1: Create a Run as Account that uses User1
A
On Server2: Add User1 to the IPAM Administrator role
On Server1: Create a Run as Account that uses User1

B
On Server2: Add User1 to the IPAM ASM Administrator role
On Server1: Add User1 to the Fabric Administrator user role

C
On Server2: Add User1 to the IPAM MSM Administrator role
On Server1: Add User1 to the Fabric Administrator user role

D
On Server2: Add User1 to the IPAM Administrator role
On Server1: Add User1 to the Remote Management Users group

E
On Server2: Add User1 to the IPAM ASM Administrator role
On Server1: Add User1 to the Remote Management Users group

F
On Server2: Add User1 to the IPAM MSM Administrator role
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741
Comments 0 Help Back Next Right Result

Your network contains mul ple wireless access points (WAPs) that use WPA2-Personal authen ca on. The network contains an
enterprise root cer fica on authority (CA).
The security administrator at your company plans to implement WPA2-Enterprise authen ca on on the WAPs.
To support the authen ca on change, you deploy a server that has Network Policy Server (NPS) installed.
You need to configure NPS to authen cate the wireless clients.
What should you do on the NPS server?
Explana on:
When users a empt to connect to your network through network access servers (also called RADIUS clients), such as wireless access
points, 802.1X authen ca ng switches, dial-up servers, and virtual private network (VPN) servers, Network Policy Server (NPS)
authen cates and authorizes the connec on request before allowing or denying access.
See also: Crea ng a secure 802.1x wireless infrastructure using Microso Windows
Right answer: A
A Add RADIUS clients and configure network policies.
B Create a remote RADIUS server group and configure connec on request policies.
C Create a remote RADIUS server group and install a server cer ficate.
D Add RADIUS clients and configure connec on request policies.
4/29/2019 Training
Microsoft - 70-741

You have two servers named Server1 and DHCP1. Both servers run Windows Server 2016. DHCP1 contains an IPv4 scope named
Scope1.
You have 1,000 client computers.
You need to configure Server1 to lease IP addresses for Scope1. The solu on must ensure that Server1 is used to respond to up to 30
percent of the DHCP client requests only.
You install the DHCP Server server role on Server1.
What should you do next?
4/29/2019 Training
Explana on:
DHCP failover in Windows Server 2012 and 2016 enables administrators to deploy a highly resilient DHCP service to support a large
enterprise without the challenges of the op ons discussed earlier. The main goals of the feature are the following:
Provide DHCP service availability at all mes on the enterprise network.
If a DHCP server is no longer reachable, the DHCP client is able to extend the lease on its current IP address by contac ng
another DHCP server on the enterprise network.
The DHCP server failover feature provides the ability to have two DHCP servers provide IP addresses and op on configura on to the
same subnet or scope, providing for con nuous availability of DHCP service to clients. The two DHCP servers replicate lease
informa on between them, allowing one server to assume responsibility for servicing of clients for the en re subnet when the other
server is unavailable. It is also possible to configure failover in a load-balancing configura on with client requests distributed between
the two servers in a failover rela onship.
DHCP failover provides support for a maximum of two DHCP servers, and the failover rela onship is limited to IPv4 scopes and
subnets.
Hot standby mode
In hot standby mode, two servers operate in a failover rela onship where an ac ve server is responsible for leasing IP addresses and
configura on informa on to all clients in a scope or subnet. The secondary server assumes this responsibility if the primary server
becomes unavailable. A server is primary or secondary in the context of a subnet. For instance, a server that has the role of a primary
for a given subnet could be a secondary server for another subnet.
Hot standby mode of opera on is best suited to deployments where a central office or data center server acts as a standby backup
server to a server at a remote site, which is local to the DHCP clients (ex: hub and spoke deployment). In such deployments, it is
undesirable to have a remote standby server service any clients unless the local DHCP server becomes unavailable.
Load sharing mode
In a load sharing mode deployment, which is the default mode of opera on, the two servers simultaneously serve IP addresses and
op ons to clients on a given subnet. The client requests are load balanced and shared between the two servers.
The load sharing mode of opera on is best suited to deployments where both servers in a failover rela onship are located at the same
physical site. Both servers respond to DHCP client requests based on the load distribu on ra o configured by the administrator.
Right answer: A
A From the DHCP console, run the Configure Failover wizard.
B From Server Manager, install the Network Load Balancing feature.
C From Server Manager, install the Failover Clustering feature.
D From the DHCP console, create a superscope.
4/29/2019 Training
Microsoft - 70-741

Your company owns the public Internet IP address range of 131.107.20.0 to 131.107.20.255.
You need to create a subnet that supports four hosts. The solu on must minimize the number of addresses available to the subnet.
Which subnet should you use?
Explana on:
A 29-bit subnet mask leaves 3 bits for host addressing. This allows 2^3 - 2 = 6 host addresses
Right answer: C
A 131.107.20.16/28
B 131.107.20.16/30
C 131.107.20.0/29
D 131.107.20.0 with subnet mask 255.255.255.224
4/29/2019 Training
Microsoft - 70-741

Your company has 10 offices. Each office has a local network that contains several Hyper-V hosts that run Windows Server 2016. All of
the offices are connected by high speed, low latency WAN links.
You need to ensure that you can use QoS policies for Live Migra on traffic between the offices.
Which component should you install?
Explana on:
Data Center Bridging DCB is a suite of Ins tute of Electrical and Electronics Engineers (IEEE) standards that enable Converged Fabrics in
the data center, where storage, data networking, cluster IPC and management traffic all share the same Ethernet network
infrastructure. DCB provides hardware-based bandwidth alloca on to a specific type of traffic and enhances Ethernet transport
reliability with the use of priority-based flow control. Hardware-based bandwidth alloca on is essen al if traffic bypasses the
opera ng system and is offloaded to a converged network adapter, which might support Internet Small Computer System Interface
(iSCSI), Remote Direct Memory Access (RDMA) over Converged Ethernet, or Fiber Channel over Ethernet (FCoE). Priority-based flow
control is essen al if the upper layer protocol, such as Fiber Channel, assumes a lossless underlying transport.
Right answer: A
A The Data Center Bridging feature
B The Rou ng role service
C The Network Controller server role
D The Mul path I/O feature
4/29/2019 Training
Microsoft - 70-741

You have a server that is configured as a hosted BranchCache server. You discover that a Service Connec on Point (SCP) is missing for
the BranchCache server.
What should you run to register the SCP?
Explana on:
When you register hosted cache servers with an SCP in AD DS, the SCP allows client computers that are configured correctly to
automa cally discover hosted cache servers by querying AD DS for the SCP.
To install the BranchCache feature and configure the hosted cache server
1. On the server computer desktop, in the Taskbar, right-click the Windows PowerShell icon, right-click the words Windows
PowerShell, and then click Run as Administrator.
2. Windows PowerShell opens. Type the following command, and then press ENTER.
Install-WindowsFeature BranchCache
3. To configure the computer as a hosted cache server a er the BranchCache feature is installed, and to register a Service
Connec on Point in AD DS, type the following command in Windows PowerShell, and then press ENTER.
Enable-BCHostedServer -RegisterSCP
4. To verify the hosted cache server configura on, type the following command and press ENTER.
Get-BCStatus
The results of the command display status for all aspects of your BranchCache installa on. Following are a few of the
BranchCache se ngs and the correct value for each item:
BranchCacheIsEnabled: True
HostedCacheServerIsEnabled: True
HostedCacheScpRegistra onEnabled: True
5. To prepare for the step of copying your data packages from your content servers to your hosted cache servers, either iden fy an
exis ng share on the hosted cache server or create a new folder and share the folder so that it is accessible from your content
servers. A er you create your data packages on your content servers, you will copy the data packages to this shared folder on
the hosted cache server.
6. If you are deploying more than one hosted cache server, repeat this procedure on each server.
Right answer: D
A Setspn.exe
4/29/2019 Training
B Reset-BC
C Ntdsu l.exe
D Enable-BCHostedServer
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory forest named contoso.com. The func onal level of the forest is Windows Server 2012.
The forest contains five domain controllers and five VPN servers that run Windows Server 2016. Five hundred users connect to the
VPN servers daily.
You need to configure a new server named Server1 as a RADIUS server.
What should you do first?
Explana on:
Network Policy Server (NPS) can be used as a Remote Authen ca on Dial-In User Service (RADIUS) server to perform authen ca on,
authoriza on, and accoun ng for RADIUS clients. A RADIUS client can be an access server, such as a dial-up server or wireless access
point, or a RADIUS proxy. When NPS is used as a RADIUS server, it provides the following:
A central authen ca on and authoriza on service for all access requests that are sent by RADIUS clients.
A central accoun ng recording service for all accoun ng requests that are sent by RADIUS clients.
Right answer: B
A On Server1, deploy the Remote Access server role.
B On Server1, deploy the Network Policy and Access Services role.
C On a domain controller, set the forest func onal level to Windows Server 2016.
D On each VPN server, run the New-NpsRadiusClient cmdlet.
4/29/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. Server1 has the following rou ng table.
What will occur when Server1 a empts to connect to a host that has an IP address of 172.20.10.50?
Explana on:
The rou ng table contains an entry for the des na on 172.16.0.0 / 255.240.0.0. This network includes the address range 172.16.0.1 to
172.31.255.254. The interface used for the network is "On-link". This means that the network is reachable without using a router.
Right answer: A
A Server1 will a empt to connect directly to 172.20.10.50.
B Server1 will route the connec on to 10.10.0.2.
C Server1 will silently drop the connec on a empt.
D Server1 will route the connec on to 192.168.2.1.
4/29/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. Server1 is located on the perimeter network, and only inbound TCP
port 443 is allowed to connect Server1 from the Internet.
You install the Remote Access server role on Server1.
You need to configure Server1 to accept VPN connec ons over port 443.
Explana on:
Tunneling enables the encapsula on of a packet from one type of protocol within the datagram of a different protocol. For example,
VPN uses Point-to-Point Tunneling Protocol (PPTP) to encapsulate IP packets over a public network, such as the Internet. You can
configure a VPN solu on based on PPTP, Layer Two Tunneling Protocol (L2TP), Secure Socket Tunneling Protocol (SSTP), or Internet
Protocol security (IPsec) using Internet Key Exchange version 2 (IKEv2).
SSTP
Secure Socket Tunneling Protocol (SSTP) is a tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through
firewalls and Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the
Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for strong authen ca on methods, such as
EAP-TLS. SSL provides transport-level security with enhanced key nego a on, encryp on, and integrity checking.
When a client tries to establish a SSTP-based VPN connec on, SSTP first establishes a bidirec onal HTTPS layer with the SSTP server.
Over this HTTPS layer, the protocol packets flow as the data payload.
Encapsula on
SSTP encapsulates PPP frames in IP datagrams for transmission over the network. SSTP uses a TCP connec on (over port 443) for
tunnel management as well as PPP data frames.
Encryp on
The SSTP message is encrypted with the SSL channel of the HTTPS protocol.
Right answer: B
A PPTP
B SSTP
C L2TP
D IKEv2
4/29/2019 Training
Microsoft - 70-741

Your company has a main office in London and a branch office in Sea le. The offices connect to each other by using a WAN link.
In the London office, you have a Distributed File System (DFS) server named FS1 that contains a folder named Folder1. In the Sea le
office, you have a DFS server named FS2. All servers run Windows Server 2016.
You configure replica on of Folder1 to FS2.
Users in both offices frequently add files in Folder1.
You monitor DFS Replica on, and you discover excessive replica on over the WAN link during business hours.
You need to reduce the amount of bandwidth used for replica on during business hours. The solu on must ensure that the users can
con nue to save content to Folder1.
What should you do?
Explana on:
The proper es of the replica on group allow to modify the schedule for the replica on :
Right answer: B
A Modify the quota se ngs on Folder1 on FS2.
B Modify the proper es of the replica on group.
4/29/2019 Training
C Configure the copy of Folder1 on FS2 as read-only.
D Modify the replicated folder proper es of Folder1 on FS1.
4/29/2019 Training
Microsoft - 70-741

You are a network administrator for your company. Your company uses Windows Server 2016.
You must implement network virtualiza on.
In which object do you configure the ID for the virtual subnet?
4/29/2019 Training
Explana on:
In Hyper-V Network Virtualiza on (HNV), a customer or tenant is defined as the “owner” of a set of IP subnets that are deployed in an
enterprise or datacenter. A customer can be a corpora on or enterprise with mul ple departments or business units in a private
datacenter which require network isola on, or a tenant in a public data center which is hosted by a service provider. Each customer
can have one or more Virtual networks in the datacenter, and each virtual network consists of one or more Virtual subnets.
There are two HNV implementa ons which will be available in Windows Server 2016: HNVv1 and HNVv2.
HNVv1
HNVv1 is compa ble with Windows Server 2012 R2 and System Center 2012 R2 Virtual Machine Manager (VMM). Configura on
for HNVv1 relies on WMI management and Windows PowerShell cmdlets (facilitated through System Center VMM) to define
isola on se ngs and Customer Address (CA) – virtual network – to Physical Address (PA) mappings and rou ng. No addi onal
features have been added to HNVv1 in Windows Server 2016 and no new features are planned.
HNVv2
A significant number of new features are included in HNVv2 which is implemented using the Azure Virtual Filtering Pla orm
(VFP) forwarding extension in the Hyper-V Switch. HNVv2 is fully integrated with Microso Azure Stack which includes the new
Network Controller in the So ware Defined Networking (SDN) Stack. Virtual network policy is defined through the
Microso Network Controller using a RESTful NorthBound (NB) API and plumbed to a Host Agent via mul ple SouthBound
Intefaces (SBI) including OVSDB. The Host Agent programs policy in the VFP extension of the Hyper-V Switch where it is enforced.
Virtual network
Each virtual network consists of one or more virtual subnets. A virtual network forms an isola on boundary where the virtual
machines within a virtual network can only communicate with each other. Tradi onally, this isola on was enforced using VLANs
with a segregated IP address range and 802.1q Tag or VLAN ID. But with HNV, isola on is enforced using either NVGRE or VXLAN
encapsula on to create overlay networks with the possibility of overlapping IP subnets between customers or tenants.
Each virtual network has a unique Rou ng Domain ID (RDID) on the host. This RDID roughly maps to a Resource ID to iden fy the
virtual network REST resource in the Network Controller. The virtual network REST resource is referenced using a Uniform
Resource Iden fier (URI) namespace with the appended Resource ID.
Virtual subnets
A virtual subnet implements the Layer 3 IP subnet seman cs for the virtual machines in the same virtual subnet. The virtual
subnet forms a broadcast domain (similar to a VLAN) and isola on is enforced by using either the NVGRE Tenant Network ID
(TNI) or VXLAN Network Iden fier (VNI) field.
Each virtual subnet belongs to a single virtual network (RDID), and it is assigned a unique Virtual Subnet ID (VSID) using either
the TNI or VNI key in the encapsulated packet header. The VSID must be unique within the datacenter and is in the range 4096 to
2^24-2
Reference: Hyper-V Network Virtualiza on Technical Details in Windows Server
Right answer: D
A VM
B Virtual switch
C Hyper-V Server
D Virtual network adapter
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains a member server named Server1 that
runs Windows Server 2016.
IP Address Management (IPAM) is installed on Server1. IPAM uses the internal Windows database.
You install Microso SQL Server on Server1.
You want to migrate the IPAM database to SQL Server.
You must create a SQL Server logon for the IPAM service account.
For which user do you create the SQL Server logon?
Explana on:
The IPAM service is running as "NT AUTHORITY\NETWORK SERVICE". We need to create a SQL Server logon with the required
permissions for this account.
Reference: Moving IPAM Database from Windows Internal Database (WID) to SQL server located on the same server
Right answer: B
A Contoso\Local System
B NT Authority\Network Service
C NT Service\Local System
D Server1\Local Service
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory Domain Service (AD DS) domain named contoso.com. The domain contains two servers
named Server1 and Server2. Both servers run Windows Server 2016.
Server1 has IP Address Management (lPAM) installed. Server2 has the DHCP Server role installed. The IPAM server retrieves data from
Server2.
You create a domain user account named User1.
You must ensure that User1 can manage DHCP using IPAM.
4/29/2019 Training
Explana on:
When you install IPAM, local security groups are created on the IPAM server to provide role-based access control for different sets of
IPAM administrators and users. IPAM uses these role-based access controls to determine what informa on is displayed in the IPAM
client console. For example, viewing of IP address lease data can be restricted to a specific set of administrators by adding their user
account to the IPAM IP Audit Administrators or IPAM Administrators group.
The following local user groups are created when you install IPAM:
IPAM Users - IPAM Users is a local security group on an IPAM server that is created when you install the IPAM feature. Members
of this group can view all informa on in server inventory, IP address space, and the monitor and manage IPAM console nodes.
IPAM Users can view IPAM and DHCP opera onal events under in the Event Catalog node, but cannot view IP address tracking
data.
IPAM MSM Administrators - IPAM MSM Administrators is a local security group on an IPAM server that is created when you
install the IPAM feature. Members of this group have all the privileges of the IPAM Users security group, and can perform server
monitoring and management tasks in addi on to IPAM common management tasks.
IPAM ASM Administrators - IPAM ASM Administrators is a local security group on an IPAM server that is created when you install
the IPAM feature. Members of this group have all the privileges of the IPAM Users security group, and can perform IP address
space tasks in addi on to IPAM common management tasks.
IPAM IP Audit Administrators - IPAM IP Audit Administrators is a local security group on an IPAM server that is created when you
install the IPAM feature. Members of this group have all the privileges of the IPAM Users security group. They can view IP
address tracking data and perform IPAM common management tasks.
IPAM Administrators - IPAM Administrators is a local security group on an IPAM server that is created when you install the IPAM
feature. Members of this group have privileges to view all IPAM data and perform all IPAM tasks.
Right answer: A
A net localgroup Server1\IPAM-MSM-Administrator User1 /add
B net localgroup Server1\IPAM-Administrator User1 /add
C net localgroup CONTOSO\DHCP-Administrators User1 /add
D Set-ADGroup Server1\IPAM-MSM-Administrator User1 /add
E Set-ADGroup Server1\IPAM-Administrator User1 /add
F Set-ADGroup CONTOSO\DHCP-Administrators User1 /add
4/29/2019 Training
Microsoft - 70-741

You are an administrator for your company. You have a DNS server named Server2 that runs Windows Server 2016.
Forwarders are configured as shown in the following exhibit:
The advanced se ngs are configured as shown in the following exhibit:
The root hints are configured as shown in the following exhibit:

4/29/2019 Training
The root hints are configured as shown in the following exhibit:
There are no dns zones created on Server2.
Explana on:
Explana on:
The op on Disable recursion (also disables forwarders) on the Advanced tab, is ac vated. Therefore recursive queries and
forwarding are not possible.
There are no zones created. This also means that no root zone has been created.
Right answer: E
Server2 can resolve the names of hosts on the Internet: Yes
A If you perform a test for a recursive query on the "Monitoring" tab in the "Server2 Proper es", the test passes: Yes
Server2 is configured as a DNS root server: Yes

B If you perform a test for a recursive query on the "Monitoring" tab in the "Server2 Proper es", the test passes: No
Server2 is configured as a DNS root server: No

C If you perform a test for a recursive query on the "Monitoring" tab in the "Server2 Proper es", the test passes: Yes
4/29/2019 Training
D Server2 can resolve the names of hosts on the Internet: No

If you perform a test for a recursive query on the "Monitoring" tab in the "Server2 Proper es", the test passes: No
Server2 is configured as a DNS root server: Yes
Server2 can resolve the names of hosts on the Internet: No

E If you perform a test for a recursive query on the "Monitoring" tab in the "Server2 Proper es", the test passes: No
4/29/2019 Training
Microsoft - 70-741

You have an Ac ve Directory domain named contoso com. The domain contains a VPN server named VPN1 that runs Windows Server
2016.
Users can establish a VPN connec on with VPN1 at any me on seven days of the week.
You must ensure that users can only connect to VPN1 from Monday to Friday.
Solu on: You configure the se ngs on the Dial-in tab in the users proper es.
Explana on:
The se ngs on the "Dial-in" tab in the proper es of the user accounts do not provide a way to restrict the mes for VPN dial-in.
Right answer: B
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

2016.
Solu on: You configure the proper es of the RAS server using the Rou ng and Remote Access console.
Explana on:
The proper es of the RAS server do not provide a way to restrict the mes for VPN dial-in.
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

2016.
Solu on: You configure a Network Policy.
Explana on:
We can configure a Network Policy and add a Day and Time Restric on condi on to restrict the mes for VPN dial-in.
4/29/2019 Training
Right answer: A
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

You have mul ple servers that run Windows Server 2016 and are configured as VPN servers.
You deploy a server named NPS1 that has Network Policy Server (NPS) installed.
You need to configure NPS1 to accept authen ca on requests from the VPN servers.
What should you configure on NPS1?
Explana on:
When you configure a network access server (NAS) as a RADIUS client in the Network Policy Server (NPS) Microso Management
Console (MMC) snap-in, the RADIUS client forwards connec on requests from access clients to the NPS server for authen ca on,
authoriza on, and accoun ng.
In addi on to configuring a new RADIUS client, you must also configure the network access server so that it can communicate with
NPS.
On NPS1 we need to add the VPN servers as RADIUS clients.
Right answer: D
A From RADIUS Clients and Servers, add a remote RADIUS server group.
B From Policies, add a connec on request policy.
C From Policies, add a network policy.
D From RADIUS Clients and Servers, add RADIUS clients.
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

You have a DHCP server named Server1 that runs Windows Server 2016. You have a single IP subnet.
Server1 has an IPv4 scope named Scope1.
Scope1 has an IP address range of 10.0.1.10 to 10.0.1.200 and a length of 24 bits.
You need to create a second logical IP network on the subnet. The subnet will use an IP address range of 10.0.2.10 to 10.0.2.200 and a
length of 24 bits.
What should you do?
Explana on:
A superscope is an administra ve feature of Dynamic Host Configura on Protocol (DHCP) servers that you can create and manage by
using the DHCP Microso Management Console (MMC) snap-in. By using a superscope, you can group mul ple scopes as a single
administra ve en ty. With this feature, a DHCP server can:
Support DHCP clients on a single physical network segment (such as a single Ethernet LAN segment) where mul ple logical IP
networks are used. When more than one logical IP network is used on each physical subnet or network, such configura ons are
o en called mul nets.
Support remote DHCP clients located on the far side of DHCP and BOOTP relay agents (where the network on the far side of the
relay agent uses mul nets).
In mul net configura ons, you can use DHCP superscopes to group and ac vate individual scope ranges of IP addresses used on your
network. In this way, the DHCP server can ac vate and provide leases from more than one scope to clients on a single physical
network.
Superscopes can resolve specific types of DHCP deployment issues for mul nets, including situa ons in which:
The available address pool for a currently ac ve scope is nearly depleted, and more computers need to be added to the network.
The original scope includes the full addressable range for a single IP network of a specified address class. You need to use
another range of IP addresses to extend the address space for the same physical network segment.
Clients must be migrated over me to a new scope (such as to renumber the current IP network from an address range used in
an exis ng ac ve scope to a new scope that contains another range of IP addresses).
You want to use two DHCP servers on the same physical network segment to manage separate logical IP networks.
Right answer: A
A Create a second scope, and then create a superscope.
B Create a superscope, and then configure an exclusion range in Scope1.
C Create a new scope, and then modify the IPv4 bindings.
4/29/2019 Training
D Create a second scope, and then run the DHCP Split-Scope Configura on Wizard.
4/29/2019 Training
Microsoft - 70-741

You are deploying a small network that has 30 client computers. The network uses the 192.168.1.0/24 address space. All computers
obtain IP configura ons from a DHCP server named Server1.
You install a server named Server2 that runs Windows Server 2016. Server2 has two network adapters named internal and Internet.
Internet connects to an Internet service provider (ISP) and obtains the 131.107.0.10 IP address. Internal connects to the internal
network and is configured to use the 192.168.1.250 IP address.
You need to provide Internet connec vity for the client computers.
What should you do?
(More than one answer may solve the problem. Choose the best answer.)
4/29/2019 Training
Explana on:
Network address transla on (NAT) provides a method for transla ng the Internet Protocol version 4 (IPv4) addresses of computers on
one network into IPv4 addresses of computers on a different network. A NAT-enabled IP router deployed at the boundary where a
private network, such as a corporate network, meets a public network, such as the Internet, allows computers on the private network
to access computers on the public network by providing this transla on service.
Note: Internet Connec on Sharing (ICS) supports a maximum of 10 concurrent client connec ons. Therefore we should use the
Rou ng role service.
Internet Connec on Sharing (ICS)

With Internet Connec on Sharing (ICS), users can share a public Internet connec on with a private home or small business network. In
an ICS network, a single computer is chosen to be the ICS host. The ICS host has at least two network adapters: one connected to the
Internet and one or more connected to the private network. All Internet-des ned traffic flows through the ICS host. ICS uses Dynamic
Host Configura on Protocol (DHCP) to assign private IP addresses on the network, and it uses Network Address Transla on (NAT) to
allow mul ple computers on the private network to connect to the public network through the ICS host.
Only the ICS host is visible from the Internet. The private network is "hidden." Also, NAT blocks any network traffic that did not
originate from the private network or is a response to traffic origina ng from the private network.
In addi on, ICS provides name resolu on to the home network through a DNS proxy.
Internet Connec on Sharing is ac vated in the proper es of the internal network adapter:
Right answer: D
On Server2, select the Internet and Internal network adapters and bridge the connec ons. From the DHCP console on
A
Server1, authorize Server2.
On Server1, stop the DHCP server. On the Internal network adapter on Server 2, enable Internet Connec on Sharing
B
(ICS).
On Server2 run the New-NetNat -Name NAT1 -InternalIPInterfaceAddressPrefix 192.168.1.0/24 cmdlet. Configure
C
Server1 to provide the 003 Router op on of 131.107.0.10.
Install the Rou ng role service on Server2 and configure the NAT rou ng protocol. Configure Server1 to provide the
D
003 Router op on of 192.168.1.250.
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

more than one ques on in the series. Each ques on is independent of the other ques ons in this series. Informa on and details in a
ques on apply only to that ques on.
Your network contains Windows and non-Windows devices.
You need to prevent a client computer that uses the same name as an exis ng registra on from upda ng the registra on.
What should you do?
4/29/2019 Training
Explana on:
Name squa ng occurs when a non-Windows-based computer registers in Domain Name System (DNS) with a name that is already
registered to a Windows-based computer. The use of name protec on in Windows Server prevents name squa ng by non-Windows-
based computers. Name squa ng does not present a problem on a homogeneous Windows network where Ac ve Directory Domain
Services (AD DS) can be used to reserve a name for a single user or computer.
Name protec on is based on the Dynamic Host Configura on Iden fier (DHCID) in the Dynamic Host Configura on Protocol (DHCP)
server, and support for the new DHCID RR (resource record) in DNS. DHCID RR is described by the Internet Engineering Task Force
(IETF) in RFCs 4701 and 4703.
DHCID is a resource record (RR) stored in DNS that maps names to prevent duplicate registra on. This RR is used by DHCP to store an
iden fier for a computer, along with other informa on for the name such as the A/AAAA records of the computer. The unique posi on
of DHCP in the name registra on process allows it to request this match, and then refuse the registra on of a computer with a
different address a emp ng to register a name with an exis ng DHCID record.
DHCID prevents the following name squa ng situa ons:
Server name squa ng by a client
Server name squa ng by another server
Client name squa ng by another client
Client name squa ng by a server
In addi on, support for DHCP Unique Iden fier (DUID) will be added to the IPv4 registra on on the DHCP client. DUID is described by
the IETF in RFC 4361.
Name protec on can be configured for IPv4 and IPv6 at the network adapter level or scope level. Name protec on se ngs configured
at the scope level take precedence over the se ng at the IPv4 or IPv6 level. If Name protec on at the scope level is not configured at
all, then the se ng at the IPv4 or IPv6 network adapter takes precedence. DHCID protects names on a first come-first served basis.
To enable name protec on at the IPv4 or IPv6 node level
1. Open the DHCP Microso Management Console (MMC) snap-in.
2. In the console tree, double-click the DHCP server you want to configure, right-click IPv4 or IPv6, and then click Proper es.
3. Click DNS, click Advanced, and then check Enable Name Protec on.
To enable name protec on at the scope level
1. Open the DHCP console.
2. In the console tree, double-click the DHCP server you want to configure, double-click IPv4 or IPv6, right-click the scope you want,
and then click Proper es.
3. Click DNS, click Configure, and then check Enable Name Protec on.
Right answer: B

4/29/2019 Training
F From IPv4 run the DHCP Policy Configura on Wizard.
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve directory forest named contoso.com. The forest has a Distributed File System (DFS) namespace
named \\contoso.com\namespace1.
The domain contains a file server named Server1 that runs Windows Server 2016. You create a folder named Folder1 on Server1.
You need to add Folder1 as a new folder to the exis ng DFS namespace.
Which two cmdlets should you use?
(Each correct answer presents part of the solu on. NOTE: Each correct selec on is worth one point.)
Explana on:
First we need to use the New-SmbShareCmdlet to create a new Server Message Block (SMB) share for Folder1. Second we need to
add the shared Folder as a new DFS folder to the DFS namesace.
The New-DfsnFolder cmdlet creates a folder in a Distributed File System (DFS) namespace. Specify the path and a path for a folder
target for the new folder.
A DFS namespace folder has one or more folder targets that are shared folders on computers. When a client a empts to connect to a
folder, the DFS namespace server provides a list of folder targets, called referrals. The server determines the order for referrals and
clients a empt to connect to a folder target in the order that the server provides.
Example 1: Create a DFS namespace folder

This command creates a folder called LegacySo ware in the \\Contoso\Accoun ngResources namespace. The folder target is
\\Contoso-FS\Accoun ngLegacy. The command enables target failback for the folder. The command includes a descrip on for the new
folder.
New-DfsnFolder -Path "\\Contoso\Accoun ngResources\LegacySo ware" -TargetPath "\\Contoso-FS\Accoun ngLegacy" -

EnableTargetFailback $True -Descrip on "Folder for legacy so ware."
Right answer: D, E
A New-DfsnFolderTarget
B Install-WindowsFeature
C Grant-DfsnAccess
D New-DfsnFolder
E New-SmbShare
4/29/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. Server1 has two network cards. One network card connects to your
internal network and the other network card connects to the Internet.
You plan to use Server1 to provide Internet connec vity for client computers on the internal network.
You need to configure Server1 as a network address transla on (NAT) server.
Which server role or role service should you install on Server1 first?
Explana on:
NAT is implemented using the Rou ng role service.
Right answer: C
A Network Controller
B Web Applica on Proxy
C Rou ng
D DirectAccess and VPN (RAS)
4/29/2019 Training
Microsoft - 70-741

Solu on: From Windows PowerShell on Server1, you run the Add-DnsServerTrustAnchor cmdlet.
Explana on:
The Add-DnsServerTrustAnchor cmdlet adds a trust anchor (DNSKEY record or DS record) to a DNS server. A trust anchor (or trust
“point”) is a public cryptographic key for a signed zone. Trust anchors must be configured on every non-authorita ve DNS server that
will a empt to validate DNS data.
Trust anchors do not ensure that client computers perform DNSSEC valida on.
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains a domain-based Distributed File System
(DFS) namespace named Namespace1.
You need to view the shares to which users will be redirected when the users a empt to connect to a folder named Folder1 in the DFS
namespace.
What cmdlet should you run?
Explana on:
The Get-DfsnFolderTarget cmdlet gets se ngs for targets of a Distributed File System (DFS) namespace folder. You can specify a DFS
namespace folder path to see all the targets for that path. You can specify a namespace path and a target path to see se ngs for a
par cular target.
Right answer: D
A Get-DfsnFolder \\contoso.com\Folder1
B Get-DfsnFolder \\contoso.com\Folder1\Namespace1
C Get-DfsnFolderTarget \\contoso.com\Folder1\Namespace1
D Get-DfsnFolderTarget \\contoso.com\Namespace1\Folder1
E Get-DfsrMember \\contoso.com\Namespace1
F Get-DfsrMembership \\contoso.com\Namespace1\Folder1
4/29/2019 Training
Microsoft - 70-741

Solu on: You use a Group Policy Object (GPO) in the domainn and configure the Network List Manager Policies.
Explana on:
Network List Manager Policies are security se ngs that you can use to configure different aspects of how networks are listed and
displayed on one computer or on many computers.
To configure Network List Manager Policies for one computer, you can use the Microso Management Console (MMC) with the Group
Policy Object Editor snap-in, and edit the local computer policy. The Network List Manager Policies are located at the following path in
Group Policy Object Editor:
Computer Configura on | Windows Se ngs | Security Se ngs | Network List Manager Policies
In order to ensure that all of the client computers in the domain perform DNSSEC valida on for the fabrikam.com namespace we need
to configure the Name Resolu on Policy (NRPT).
Right answer: B
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

a correct solu on.
days.
Solu on: You set the „Expires a er“ value for the zone.
Explana on:
ensure that zone data is processed by this feature, we have to configure Aging for the zone. By default Zone Aging is disabled.
Expires A er specifies the period of me for which zone informa on is valid on the secondary server. If the secondary server can't
download data from a primary server within this period, the secondary server lets the data in its cache expire and stops responding to
DNS queries. Se ng Expires A er to seven days allows the data on a secondary server to be valid for seven days.
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

a correct solu on.
Your network contains a server named IPAM1 that runs Windows Server 2016. IPAM1 has IP Address Management (IPAM) installed
and is configured to manage all DHCP server on the network.
You solve a problem on a client that prevented the client from retrieving an IP address from a DHCP server.
You need to ensure that you can display all event data for the DHCP leases within the last 24 hours on IPAM1.
Solu on: You run the Windows PowerShell Cmdlet Invoke-IpamServerProvisioning.
Explana on:
The Invoke-IpamServerProvisioning cmdlet installs and configures IP Address Management (IPAM) server components on the host on
which you run the cmdlet. When you run the cmdlet locally on IPAM server or remotely from an RSAT, the cmdlet installs and
configures IPAM components on the IPAM server to which the session is connected. As a part of installa on, the cmdlet performs the
following func ons:
1. Configures the WCF and WSMan se ngs, such as Port and App Pool configura on.
2. Creates and connects to an IPAM database. The cmdlet a empts to create a database by using authen ca on creden als that the
user specifies. An error occurs if the database that you specify does not exist or the chosen creden als do not include permissions to
create a database.
3. Creates IPAM Tasks to get data for IPAM views.
4. Creates default user roles for access control. This includes RBAC roles in the database and any local security groups.
5. Configures a provisioning method.
6. By default, the cmdlet enables all available IPAM op onal capabili es.
You can choose to manually or automa cally provision access to managed servers. If you provisioned the managed servers by using
group policy, make sure to create the corresponding GPOs in every managed domain by using the Invoke-IpamGpoProvisioning cmdlet.
Right answer: B
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

a correct solu on.
Your network contains a server named IPAM1 that runs Windows Server 2016. IPAM1 has IP Address Management (IPAM) installed
and is configured to manage all DHCP server on the network.
You solve a problem on a client that prevented the client from retrieving an IP address from a DHCP server.
You need to ensure that you can display all event data for the DHCP leases within the last 24 hours on IPAM1.
Solu on: You run the Windows PowerShell Cmdlet Update-IpamServer.
Explana on:
Erläuterungen:
The Update-IpamServer cmdlet updates an IP Address Management (IPAM) server following an opera ng system upgrade. IPAM
binaries and schema files are made available as a part of an upgrade. An error occurs if there is no update available.
As part of an IPAM server update, this cmdlet performs the following steps:
Applies IPAM schema updates. The cmdlet performs data and schema valida on of the exis ng IPAM database, and returns an
error if the valida on fails. A log is generated on the server in the %SystemDrive%\Windows\System32\IPAM\logs folder. If you
specify the DeleteSystemCheckFailureRows parameter, the cmdlet proceeds to automa cally delete the error rows.
Completes any required data format transforma on. This will not result in any loss of exis ng data.
Applies changes in security groups and roles.
No changes are made to any exis ng user configura on, such as adding users to a security group. Any customiza ons to IPAM task
schedules are retained. In case of an error, any changes will be reverted.
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

You have a server named Host1 that runs Windows Server 2016. You configure Host1 as a Hyper-V host and deploy 20 new virtual
computers on the server.
You need to ensure that all virtual computers can establish internet connec ons over Host1.
Which three ac ons should you take?
(Each correct answer presents part of the solu on. Choose three.)
Explana on:
Windows 10 and Windows Server 2016 Hyper-V allow na ve network address transla on (NAT) for a virtual network.
NAT gives a virtual machine access to network resources using the host computer's IP address and a port through an internal Hyper-V
Virtual Switch.
Network Address Transla on (NAT) is a networking mode designed to conserve IP addresses by mapping an external IP address and
port to a much larger set of internal IP addresses. Basically, a NAT uses a flow table to route traffic from an external (host) IP Address
and port number to the correct internal IP address associated with an endpoint on the network (virtual machine, computer, container,
etc.)
Addi onally, NAT allows mul ple virtual machines to host applica ons that require iden cal (internal) communica on ports by
mapping these to unique external ports.
To create a NAT virtual network you have to use PowerShell. A NAT switch is based on the internal switch type.
Reference: Set up a NAT network
Right answer: A, C, D
A Configure the NAT network (Network Address Transla on) on Host1.
B Configure the server role Remote Access on a virtual computer.
C Create an internal switch for virtual computers on Host1 and assign an IP address tot he switch.
D Connect each virtual computer to the virtual switch.
E Configure the se ngs of each virtual computer and enable the virtual LAN iden fica on.
4/29/2019 Training
Microsoft - 70-741

Note: This ques on is part of a series of ques ons that present the same scenario. Each ques ons in the series contains a unique
solu on that might meet the stated goals. Some ques ons sets might have more than one correct solu on, while others might not
have a correct solu on. Determine whether the solu on meets the stated goals.
Your network contains an Ac ve Directory forest named contoso.com. The forest has three sites located in London, Paris and Berlin.
The London site contains a web server named Web1 that runs Windows Server 2016.
You need to configure Web1 as an HTTP content server for the hosted cache servers located in the Paris and Berlin sites.
Solu on: You install the DFS Replica on role service, and then you start the Network Connec ons service.
Explana on:
To enable BranchCache accelera on of content served by a Web server or applica on server using the BITS protocol, you must install
the BranchCache feature and ensure that the BranchCache service has started. No other steps are necessary.
Reference: Branch Cache Server Configura on
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

Solu on: You install the Deployment Server role service, and then you restart the World Wide Web Publishing Service.
Explana on:
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

Solu on: You install the BranchCache feature, and then you start the BranchCache service.
Explana on:
Right answer: A
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

You have 2000 devices, One hundred of the devices are mobile devices that have physical addresses beginning with 98-5F.
You have a DHCP server named Server1.
You need to ensure that the mobile devices register their host name by using a DNS suffix of mobile.contoso.com
What should you do?
4/29/2019 Training
Explana on:
We should configure a DHCP policy with the following proper es:

A: From the proper es of IPv4, modify the Conflict detec on a empts se ng.
C: From the Proper es of IPV4, configure the bindings.
D: From IPV4, create a new filter.
Right answer: F
C From the Proper es of IPV4, configure the bindings.
D From IPV4, create a new filter.
4/29/2019 Training
Microsoft - 70-741

Your network contains Windows and non-Windows devices.
You need to prevent a client computer that uses the same name as an exis ng registra on from upda ng the registra on.
What should you do?
Explana on:
Name squa ng occurs when a non-Windows-based computer registers in Domain Name System (DNS) with a name that is already
registered to a Windows-based computer. The use of name protec on in Windows Server prevents name squa ng by non-Windows-
based computers. Name squa ng does not present a problem on a homogeneous Windows network where Ac ve Directory Domain
Services (AD DS) can be used to reserve a name for a single user or computer.
Name protec on is based on the Dynamic Host Configura on Iden fier (DHCID) in the Dynamic Host Configura on Protocol (DHCP)
server, and support for the new DHCID RR (resource record) in DNS. DHCID RR is described by the Internet Engineering Task Force
(IETF) in RFCs 4701 and 4703.
DHCID is a resource record (RR) stored in DNS that maps names to prevent duplicate registra on. This RR is used by DHCP to store an
iden fier for a computer, along with other informa on for the name such as the A/AAAA records of the computer. The unique posi on
of DHCP in the name registra on process allows it to request this match, and then refuse the registra on of a computer with a
different address a emp ng to register a name with an exis ng DHCID record.
DHCID prevents the following name squa ng situa ons:
Server name squa ng by a client
Server name squa ng by another server
Client name squa ng by another client
Client name squa ng by a server
In addi on, support for DHCP Unique Iden fier (DUID) will be added to the IPv4 registra on on the DHCP client. DUID is described by
the IETF in RFC 4361.
Name protec on can be configured for IPv4 and IPv6 at the network adapter level or scope level. Name protec on se ngs configured
at the scope level take precedence over the se ng at the IPv4 or IPv6 level. If Name protec on at the scope level is not configured at
all, then the se ng at the IPv4 or IPv6 network adapter takes precedence. DHCID protects names on a first come-first served basis.
4/29/2019 Training
all, then the se ng at the IPv4 or IPv6 network adapter takes precedence. HCI protects names on a first come first served basis.
To enable name protec on at the IPv4 or IPv6 node level
1. Open the DHCP Microso Management Console (MMC) snap-in.
2. In the console tree, double-click the DHCP server you want to configure, right-click IPv4 or IPv6, and then click Proper es.
3. Click DNS, click Advanced, and then check Enable Name Protec on.
To enable name protec on at the scope level
1. Open the DHCP console.
2. In the console tree, double-click the DHCP server you want to configure, double-click IPv4 or IPv6, right-click the scope you want,
and then click Proper es.
3. Click DNS, click Configure, and then check Enable Name Protec on.

C: From the Proper es of IPV4, configure the bindings.
D: From IPV4, create a new filter.
Right answer: B
C From the Proper es of IPV4, configure the bindings.
D From IPV4, create a new filter.
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains a Hyper-V host named Server1 that runs
Server1 hosts four machines that are members of the domains. The virtual machines are configured as sown in the following table.
Which virtual machines can you manage by using PowerShell Direct?
4/29/2019 Training
Explana on:
You can use PowerShell Direct to run arbitrary PowerShell in a Windows 10 or Windows Server Technical Preview virtual machine from
your Hyper-V host regardless of network configura on or remote management se ngs.
Opera ng system requirements:
Host: Windows 10, Windows Server Technical Preview 2, or later running Hyper-V.
Guest/Virtual Machine: Windows 10, Windows Server Technical Preview 2, or later.
Configura on requirements:
The virtual machine must be running locally on the host.

The virtual machine must be turned on and running with at least one configured user profile.
You must be logged into the host computer as a Hyper-V administrator.
You must supply valid user creden als for the virtual machine.
The easiest way to run PowerShell commands in a virtual machine is to start an interac ve session.
When the session starts, the commands that you type run on the virtual machine, just as though you typed them directly into a
PowerShell session on the virtual machine itself.
To start an interac ve session:
1. On the Hyper-V host, open PowerShell as Administrator.
2. Run one of the following commands to create an interac ve session using the virtual machine name or GUID:
Enter-PSSession -VMName <VMName>

Enter-PSSession -VMId <VMId>
Provide creden als for the virtual machine when prompted.
3. Run commands on your virtual machine.
You should see the VMName as the prefix for your PowerShell prompt as shown:
[VMName]: PS C:\ >
Any command run will be running on your virtual machine. To test, you can run ipconfig or hostname to make sure that these
commands are running in the virtual machine.
4. When you're done, run the following command to close the session:
Exit-PSSession
Right answer: B
A Only VM2
B VM1, VM2, and VM4
C only VM4
D VM1, VM2, and VM3
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named Contoso.com.
You need to create a Nano Server image named Nano1 that will be used as a virtualiza on host. The Windows Server 2016 source files
are located in drive D.
Solu on: You run the following cmdlet:
New-NanoServerImage –Edi on Datacenter –DeploymentType Host –MediaPath D:\ –TargetPath C:\Nano1\Nano1.wim –Package
Microso -NanoServer-Compute-Package –Computername Nano1 –DomainName contoso.com
Does this meet your goal?
Explana on:
The New-NanoServerImage cmdlet makes a local copy of the necessary files from the installa on media and converts the included
Nano Server Windows image (.wim) file into a VHD or VHDX image, or reuses the exis ng .wim file.
You can subsequently perform the following opera ons:
Add packages.
Add drivers.
Add servicing packages (updates).
Add an una ended setup file (una end.xml).
Add files.
Add setup scripts.
Set the computer name.
Set the administrator password.
Configure network se ngs.
Join a domain.
Enable debugging.
Enable Emergency Management Services (EMS).
Enable remote management.
Enable development op ons.
In order to add the Compute package, whichincludes Hyper-V and NetQoS we can specify the -Computer parameter or we can use the
-Package parameter and specify the package name Microso -NanoServer-Compute-Package
Right answer: A
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

New-NanoServerImage –Edi on Datacenter –DeploymentType Host –Defender –EnableEMS –MediaPath D:\ –TargetPath
C:\Nano1\Nano1.wim –Computername Nano1 –DomainName contoso.com
Explana on:
Add packages.
Add drivers.
Add files.
Add setup scripts.
Join a domain.
Enable debugging.
In order to add the Compute package, whichincludes Hyper-V and NetQoS we can specify the -Computer parameter orwe can use the
Right answer: B
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

New-NanoServerImage –Edi on Datacenter –DeploymentType Host –MediaPath D:\ –TargetPath C:\Nano1\Nano1.wim –Package
Microso -NanoServer-Containers-Package -Compute –Computername Nano1 –DomainName contoso.com
Explana on:
Add packages.
Add drivers.
Add files.
Add setup scripts.
Join a domain.
Enable debugging.
In order to add the Compute package, whichincludes Hyper-V and NetQoS we can specify the -Computer parameter or we can use the
Right answer: A
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

New-NanoServerImage –Edi on Datacenter –DeploymentType Host –Package Microso -NanoServerSCVMM-Package –MediaPath D:\
–TargetPath C:\Nano1\Nano1.wim –Computername Nano1 –DomainName contoso.com
Explana on:
Add packages.
Add drivers.
Add files.
Add setup scripts.
Join a domain.
Enable debugging.
In order to add the Compute package, whichincludes Hyper-V and NetQoS we can specify the -Computer parameter orwe can use the
Right answer: B
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

You have a Scale-Out File Server that has a share named Share1. Share1 contains a virtual disk file named Disk1.vhd.
You plan to create a guest failover cluster.
You need to ensure that you can use the virtual disk as a shared virtual disk fort he guest failover cluster.
Which cmdlet should you use?
Explana on:
Shared virtual disks were introduced in Windows Server 2012 R2. Shared virtual disk func onality in guest failover clusters exclusively
uses the .vhdx file format. We have to convert the .vhd disk file into .vhdx file format using the Convert-VHD cmdlet.
Right answer: C
A Op mize-VHDSet
B Set-VHD
C Convert-VHD
D Op mize-VHD
4/29/2019 Training
Microsoft - 70-741

The company Contoso, Ltd. has five Hyper-V hosts. The configura on of the five hosts is shown in the following table:
Which two live migra on scenarios for virtual machines are valid?
(Each correct answer represents a complete solu on. Choose two answers.)
Explana on:
You can do a live migra on between hosts running Windows Server 2016 and Windows Server 2012 R2 if the virtual machine is at least
version 5.
Virtual machines cannot be live migrated or saved and restored across virtualiza on hosts that use processors from different CPU
manufacturers. For example, you cannot move running virtual machines or virtual machine saved state from a host with Intel
processors to a host with AMD processors. If you must move a virtual machine in this case, the virtual machine must first be shut
down, then restarted on the new host.
If you plan to move virtual machines, without reboo ng them, between virtualiza on hosts that may use different genera ons of
processors, you should enable processor compa bility mode. For example, you would enable processor compa bility mode to ensure
that you can live migrate your virtual machines between cluster nodes that use different processor feature sets. You could also use
processor compa bility mode to save a virtual machine and restore it on a host computer that has a different processor feature set
than the source host.
Right answer: A, C
A From Server2 to Server3
B From Server4 to Server5
C From server1 to server5
D From Server3 to Server4
4/29/2019 Training
Microsoft - 70-741

You have an Ac ve Directory domain named Contoso com. The domain contains Hyper-V hosts named Server1 and Server2 that run
Windows Server 2016. The Hyper-V hosts are configured to use NVGRE for network virtualiza on.
You have virtual machines that are connected to an external switch. The virtual machines are configured as shown in the following
table.
To which virtual machine or virtual machines can VM1 and VM3 connect?
4/29/2019 Training
Explana on:
Server virtualiza on enables mul ple server instances to run concurrently on a single physical host; yet server instances are isolated
from each other. Each virtual machine essen ally operates as if it is the only server running on the physical computer. Network
virtualiza on provides a similar capability, in which mul ple virtual network infrastructures run on the same physical network
(poten ally with overlapping IP addresses), and each virtual network infrastructure operates as if it is the only virtual network running
on the shared network infrastructure.
Hyper-V Network Virtualiza on (HNV) supports Network Virtualiza on for Generic Rou ng Encapsula on (NVGRE) as the mechanism
to virtualize the IP Address. This network virtualiza on mechanism uses the Generic Rou ng Encapsula on (NVGRE) as part of the
tunnel header. In NVGRE, the virtual machine’s packet is encapsulated inside another packet. The header of this new packet has the
appropriate source and des na on IP addresses in addi on to the Virtual Subnet ID, which is stored in the Key field of the GRE header.
The Virtual Subnet ID groups virtual computers together.
Check: h ps://msdn.microso .com/en-us/library/jj134174(v=ws.11).aspx
Right answer: B
VM1 can connect only to: VM2 only
A
VM3 can connect to: VM6 only
VM1 can connect only to: VM5 only

B
VM3 can connect to: VM2 and VM6 only
VM1 can connect only to: VM2, VM3, VM5 und VM6 only
C
VM3 can connect to: VM1, VM2, VM5, and VM6 only
VM1 can connect only to: VM2, VM3, VM4, VM5, and VM6
D
VM3 can connect to: VM1, VM2, VM4, VM5, and VM6
4/29/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. Server1 is configured as a VPN server.
Server1 is configured to allow domain users to establish VPN connec ons from 06:00 to 18:00 everyday of the week.
You need to ensure that domain users can establish VPN connec ons only between Monday and Friday.
Solu on: From Rou ng and Remote Access, you configure the Proper es of Server1.
4/29/2019 Training
Explana on:
The proper es of the VPN server do not allow to configure me based res c ons for user connec ons. We should use Network Policy
(NPS) to create a Network Access Policy.
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741
Comments 0 Help Next Check Result

Solu on: From Ac ve Directory Users and Computers, you modify the Dial-in Proper es of the user accounts.
A Yes
B No
Comments 0 Help Next Check Result
4/29/2019 Training
Microsoft - 70-741

Solu on: From Server Manager, You modify the Access Policies on Server1.
4/29/2019 Training
Explana on:
We should use Network Policy Server (NPS) to create a Network Access Policy.
Access Policies are used to control role based access for IPAM.
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

Your network contains three subnets, a produc on subnet that contains produc on servers, a development network that contains
development servers, and a client network that contains client computers.
The development network is used to test applica ons and reproduces servers that are located on the produc on network. The
development network and the produc on network use the same IP address range.
A developer has a client computer on the client network. The developer reports that when he a empts to connect to the IP address
10.10.1.6 from his computer, he connects to a server on the produc on network.
You need to ensure that when the developer connects to 10.10.1.6, he connects to a sever on the development network.
Explana on:
We can use the New-NetRoute cmdlet to create an entry in the rou ng table that forwards packetsthat targets the IP address
10.10.1.6 to the router that connects to the development network.
The New-NetRoute cmdlet creates an IP route in the IP rou ng table. Specify the des na on prefix, and specify an interface by using
the interface alias or the interface index.
IP rou ng is the process of forwarding a packet based on the des na on IP address. Rou ng occurs at TCP/IP hosts and at IP routers.
The sending host or router determines where to forward the packet. To determine where to forward a packet, the host or router
consults a rou ng table that is stored in memory. When TCP/IP starts, it creates entries in the rou ng table. You can add entries either
manually or automa cally.
Example: Add an IP route to the rou ng table

This example adds a rou ng table entry, and then displays the proper es of all the entries in the rou ng table.
The first command creates a route for the des na on prefix 10.0.0.0/24 for the interface that has the index of 12. The command
specifies 192.168.0.1 as the next hop.
The second command uses the Get-NetRoute cmdlet to get all the routes for the computer, and then passes them to the Format-List
cmdlet by using the pipeline operator. The Format-List cmdlet can display all the proper es of an object. For more informa on, type
Get-Help Format-List.
New-NetRoute –Des na onPrefix "10.0.0.0/24" –InterfaceIndex 12 –NextHop 192.168.0.1

Get-NetRoute | Format-List -Property *
Right answer: B
A New-NetNeighbor
B New-NetRoute
C Set-NetTcpSe ng
4/29/2019 Training
D Set-NetNeighbor
4/29/2019 Training
Microsoft - 70-741

You have a Hyper-V host named Server1 that hosts a virtual machine named VM1. Server01 and VM1 run Windows Server 2016.
The se ngs for VM1 are configured as shown in the exhibit below.
You need to ensure that you can use the Copy-VMFile cmdlet on Server01 to copy files from VM1.
Solu on: You start the Hyper-V Guest Service Interface service on VM1.
4/29/2019 Training
Explana on:
With Windows Server 2012 R2, the Hyper-V product team introduced a new cmdlet called Copy-VMFile. This, as the name implies,
help you copy a file into a Hyper-V Virtual Machine (VM). Similiar to PowerShell Direct, the VM does not need to connect to the
network.
As a requirement we need to ensure that the Guest Service component is enabled and that the Hyper-V Guest Service Interface
service on the VM is running. If we enable the Guest Service component, the corresponding service on the VM is started automa cally.
Star ng the service does not enable the Guest Service component.
Reference: Using Copy-VMFile cmdlet in Windows Server 2012 R2 Hyper-V/
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

Solu on: You enable the Data Exchange integra on service for VM1.
Right answer: B
A Yes
4/29/2019 Training
B No
4/29/2019 Training
Microsoft - 70-741

Solu on: You enable the Guest Service integra on service for VM1.
Right answer: B
A Yes
4/29/2019 Training
B No
4/29/2019 Training
Microsoft - 70-741

You have two Hyper-V hosts named Server1 and Server2 that run windows server 2012 R2. The servers are nodes in a failover cluster
named Cluster1.
You perform a rolling upgrade of the cluster nodes to Windows Server 2016.
You need to ensure that you can implement the Virtual Machine Load Balancing feature.
Explana on:
VM Load Balancing is a new in-box feature in Windows Server 2016 that allows you to op mize the u liza on of nodes in a Failover
Cluster. It iden fies over-commi ed nodes and re-distributes VMs from those nodes to under-commi ed node.
The Update-ClusterFunc onalLevel cmdlet updates the func onal level of a mixed-version cluster. You can update the cluster a er all
nodes have been updated.
Star ng with Windows Server 2016, you can add a node that runs a more recent version of the Windows opera ng system into a
cluster of nodes that run a previous version of the Windows opera ng system. To add a cluster node, use the Add-ClusterNode cmdlet.
A er you add a node that runs a different version of the Windows opera ng system, the cluster becomes a mixed-version cluster. You
can implement a mixed-version cluster to con nue to run while you upgrade the opera ng system on each node in the cluster.
You can use this cmdlet to support a rolling opera ng system upgrade for a cluster. If you use cluster that runs Hyper-V in which all the
nodes run Windows Server 2012 R2, you can upgrade the nodes of that cluster without down me for your virtual machines.
First, drain one cluster node by specifying the Drain parameter of the Suspend-ClusterNode cmdlet. This cmdlet causes all virtual
machines to live-migrate to one of the other hosts.
Next, remove the host from the cluster by using the Remove-ClusterNode cmdlet.
Next, install a new version of the opera ng system. Do not perform an upgrade or in-place installa on.
Next, add the Hyper-V role and the Failover Clustering feature by using the Install-WindowsFeature cmdlet.
Finally, add the node into the cluster by using the Add-ClusterNode cmdlet.
Repeat these steps for each node of the cluster.
Right answer: A
A Update-ClusterFunc onalLevel
B Set-CauClusterRole
C Update-ClusterNetworkNameResource
D Set-ClusterGroupSet
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains a domain-based Distributed file System
(DFS) namespace named Namespace1 that has access-based enumera on enabled.
Namespace1 has a folder named folder1. Folder1 has a target of \\Server1\Folder1.
The Permission for folder1 are configured as shown in the following table.
Access-based enumera on is disabled for the share of Folder1.
You need to ensure that both User1 and User2 can see Folder1 when they access \\Contoso.com\NameSpace1.
What should you do?
Explana on:
Access-based enumera on hides the folders in Namespace1 that the accessing user does not have permission to view.
The proper es of the DFS Folder Folder1 can be used to set explicit display permissions. By default, inherited permissions from the
local file system are used.
User1 has been granted DFS Read permission. User2 has no display permission and therefore Folder1 does not show up when he is
accessing \\contoso.com\Namespace1.
We must either grant user2 permission to view folder1 or disable the access-based enumera on for Namespace1.
User1 can view Folder1, but can not open Folder1 due to missing NTFS permissions.
Right answer: B
A Enable access-based enumera on for Folder1.
B Disable access-based enumera on for Namespace1.
C Assign User1 the read NTFS permission to folder1.
D Deny User1 the read DFS permission to Folder1.
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

in this series.
You are a network administrator for a company named Contoso,Ltd. The network is configured as shown in the exhibit.
Server2 has the following configura on:
Network address transla on (NAT)

The DHCP Server server role
The Security Policy of Contoso states that only TCP ports 80 and 443 are allowed from the internet to server2.
You iden fy the following requirements:
Add 28 devices to subnet2 for a temporary project.

Configure Server2 to accept VPN connec ons from the internet.
Ensure that devices on Subnet2 obtain TCP/IP se ngs from DHCP on Server2.
What should you do to meet the DHCP connec vity requirement for Subnet2?
4/29/2019 Training
Explana on:
We need to configure a DHCP Relay Agent on Server1 that forwards DHCP related traffic between subnet3 and subnet2.
DHCP Relay Agent

The DHCP Relay Agent component relays DHCP messages between DHCP clients and DHCP servers on different IP networks. Because
DHCP is a broadcast-based protocol, by default its packets do not pass through routers. A DHCP relay agent receives any DHCP
broadcasts on the subnet and forwards them to the specified IP address on a different subnet. The DHCP Relay Agent is compliant with
RFC 1542, "Clarifica ons and Extensions for the Bootstrap Protocol." For each IP network segment that contains DHCP clients, either a
DHCP server or a computer ac ng as a DHCP Relay Agent is required.
Right answer: C
A Install the Rou ng role service on Server2.
B Install the IP address Management (IPAM) Server feature on Server2.
C Install the Rou ng role service on Server1.
D Install the DHCP Server server role on Server1.
4/29/2019 Training
Microsoft - 70-741

4/29/2019 Training
in this series.


You add a computer to subnet1. The computer has an IP address of 10.10.0.129 Web1 receives a request from the new computer and
sends a response. The computer on subnet1 does not receive the response from Web1..
You need to add a new rou ng entry for subnet1 on Web1.
What gateway do you specify for the new route?
Right answer: C
A 10.10.0.129
B 10.10.0.224
C 131.107.0.223
4/29/2019 Training
D 172.16.128.222
4/29/2019 Training
Microsoft - 70-741

4/29/2019 Training
in this series.


You need to iden fy which subnet mask you must use for subnet2. The solu on must minimize the number of available IP addresses
on Subnet2.
What subnet mask should you iden fy?
Right answer: E
A 255.255.224.224
B 255.255.255.0
C 255.255.128.0
4/29/2019 Training
D 255.255.255.128
E 255.255.255.224
F 255.255.254.240
4/29/2019 Training
Microsoft - 70-741

4/29/2019 Training
in this series.


You deploy a computer named Computer8 to subnet4. Computer8 has an IP address of 192.168.10.230 and a subnet mask of
255.255.255.240.
What is the broadcast address for Subnet4?
4/29/2019 Training
Explana on:
The broadcast address is always the last IP address of a subnet. Packets sent to the broadcast address are received by all clients within
the subnet.
The subnet with the network ID 192.168.10.224/28 includes the host addresses 192.168.10.225 through 192.168.10.238 and has the
broadcast address 192.168.10.239.
Right answer: D
A 192.168.0.225
B 192.168.0.
C 192.168.10.0
D 192.168.10.239
E 192.168.255.192
F 192.168.255.225
4/29/2019 Training
Microsoft - 70-741

You have a Hyper-V host named Server1 that runs Windows Server 2016. Server1 connects to your corporate network. The Corporate
network uses the 10.10.0.0/16 address space.
Server1 hosts a virtual machine named VM1, VM1 is configured to have an IP addresses of 172.16.1.54/16.
You need to ensure that VM1 can access the resources on the corporate network.
What should you do?
Right answer: C
Connect VM1 to an external virtual switch
A
On Server1 run Add-VMNetworkAdapterRou ngDomainMapping
Connect VM1 to an external virtual switch

B
On Server1 run Route.exe
Connect VM1 to an internal virtual switch

C
On Server1 run New-NetNat
Connect VM1 to an internal virtual switch

D
On Server1 run Netsh.exe
Connect VM1 to a private virtual switch

E
On Server1 run Add-VMNetworkAdapterRou ngDomainMapping
Connect VM1 to a private virtual switch

F
On Server1 run Route.exe
4/29/2019 Training
Microsoft - 70-741

4/29/2019 Training
Your network contains an Ac ve Directory domain named adatum.com. The domain contains two servers named Server1 and Server2
that run Windows Server 2016. The domain contains three users named User1, User 2 and User 3.
Server1 has a share named Share1 that has the following configura ons.
cls The Share permissions for Share1 are configured as shown in the following exhibit.
Share1 contains a file named File1.txt. The Advanced Security se ngs for File1.txt are configured as shown in the following exhibit.
Select the appropriate statement from the answer area. Select Yes if the state is true, otherwise select No.
(To answer, select the appropriate objects in the answer area.)
4/29/2019 Training
Explana on:
User1 has full controll NTFS permissions on File1.txt. He could take ownership of File1.txt if he would access the file locally. If he
accesses the share over the network this permissions are restricted by the share permissions.
Access-based enumera on displays only the files and folders that a user has permissions to access. If a user does not have Read (or
equivalent) permissions for a folder, Windows hides the folder from the user’s view. This feature is ac ve only when viewing files and
folders in a shared folder; it is not ac ve when viewing files and folders in the local file system.
Right answer: E
When User1 navigates to \\Server1\Share1\ the user can take ownership of File1.txt: Yes
A When User2 navigates to \\Server1\Share1\ the user will see File1.txt: Yes
When User3 navigates to \\Server1\Share1\ the user will see File1.txt: Yes
B When User2 navigates to \\Server1\Share1\ the user will see File1.txt: Yes
When User3 navigates to \\Server1\Share1\ the user will see File1.txt: No
C When User2 navigates to \\Server1\Share1\ the user will see File1.txt: No
When User1 navigates to \\Server1\Share1\ the user can take ownership of File1.txt: No
D When User2 navigates to \\Server1\Share1\ the user will see File1.txt: No
When User3 navigates to \\Server1\Share1\ the user will see File1.txt: Yes
E When User2 navigates to \\Server1\Share1\ the user will see File1.txt: Yes
F When User2 navigates to \\Server1\Share1\ the user will see File1.txt: No
4/29/2019 Training
Microsoft - 70-741

You have a network policy server (NPS) server named NPS1. One network policy is enabled on NPS1. The policy is configured as shown
in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the informa on in the graphic.
(To answer, select the appropriate objects in the answer area.)
4/29/2019 Training
Explana on:
If a policy contains more than one condi on all condi ons must be met in order to meet the policy. If a user is only member of the
Domain Users group, the "Windows Groups" condi on is not met and the policy does not apply.
Members of the Protected Users group can be authen cated by Kerberos but not by NTLM.
Protected Users Security Group
This security group is designed as part of a strategy to effec vely protect and manage creden als within the enterprise. Members of
this group automa cally have non-configurable protec ons applied to their accounts. Membership in the Protected Users group is
meant to be restric ve and proac vely secure by default. The only method to modify these protec ons for an account is to remove
the account from the security group.
This domain-related, global group triggers non-configurable protec on on devices and host computers running Windows Server 2012
R2 and Windows 8.1, and on domain controllers in domains with a primary domain controller running Windows Server 2012 R2. This
greatly reduces the memory footprint of creden als when users sign in to computers on the network from a non-compromised
computer.
Depending on the account’s domain func onal level, members of the Protected Users group are further protected due to behavior
changes in the authen ca on methods that are supported in Windows.
The member of the Protected Users group cannot authen cate by using NTLM, Digest Authen ca on, or CredSSP. On a device
running Windows 8.1, passwords are not cached, so the device that uses any one of these Security Support Providers (SSPs) will
fail to authen cate to a domain when the account is a member of the Protected User group.
The Kerberos protocol will not use the weaker DES or RC4 encryp on types in the pre-authen ca on process. This means that
the domain must be configured to support at least the AES cipher suite.
The user’s account cannot be delegated with Kerberos constrained or unconstrained delega on. This means that former
connec ons to other systems may fail if the user is a member of the Protected Users group.
The default Kerberos Ticket Gran ng Tickets (TGTs) life me se ng of four hours is configurable by using Authen ca on Policies
and Silos, which can be accessed through the Ac ve Directory Administra ve Center (ADAC). This means that when four hours
has passed, the user must authen cate again.
Right answer: B
If a user is only member of the Domain Users group, the policy applies to the user on weekdays between 06:00 and
18:00.
A
If the policy applies to a user who is a member of the Protected Users group, the user can use a password to be
authen cated.
If a user is only member of the Domain Users group, the policy never applies to the user.
B If the policy applies to a user who is a member of the Protected Users group, the user can use a password to be
authen cated.
If a user is only member of the Domain Users group, the policy applies to the user on weekends between 06:00 and
18:00.
C
If the policy applies to a user who is a member of the Protected Users group, the user can use a sta c IP address to be
authen cated.
18:00.
D
If the policy applies to a user who is a member of the Protected Users group, the user can use a sta c IP address to be
authen cated.
4/29/2019 Training
06:00.
If the policy applies to a user who is a member of the Protected Users group, the user can use a virtual smart card to
be authen cated.
If a user is only member of the Domain Users group, the policy never applies to the user.
F If the policy applies to a user who is a member of the Protected Users group, the user can use a virtual smart card to
be authen cated.
4/29/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. Server1 has two network cards. One network card connects to your
internal network and the other network card connects to the Internet.
You plan to use Server1 to provide Internet connec vity for client computers on the internal network.
You need to configure Server1 as a network address transla on (NAT) server.
Which server role or role service should you install on Server1 first?
Explana on:
Network address transla on (NAT) allows you to share a connec on to the public Internet through a single interface with a single
public IP address. The computers on the private network use private, non-routable addresses. NAT maps the private addresses to the
public address.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.
To enable network address transla on addressing
1. In the RRAS MMC snap-in, expand Your Server Name. If you are using Server Manager, expand Rou ng and Remote Access.
2. Expand IPv4, right-click NAT, and then click Proper es.
3. If you do not have a DHCP server on the private network, then you can use the RRAS server to respond to DHCP address
requests. To do this, on the Address Assignment tab, select the Automa cally assign IP addresses by using the DHCP
allocator check box.
4. To allocate addresses to clients on the private network by ac ng as a DHCP server, in IP address and Mask, configure a subnet
address from which the addresses are assigned. For example, if you enter 192.168.0.0 and a subnet mask
of 255.255.255.0, then the RRAS server responds to DHCP requests with address assignments from 192.168.0.1 through
192.168.0.254.
5. (Op onal) To exclude addresses in the configured network range from being assigned to DHCP clients on the private network,
click Exclude, click Add, and then configure the addresses.
6. To add the public interface to the NAT configura on, right-click NAT, and then click New Interface. Select the interface connected
to the public network, and then click OK.
7. On the NAT tab, click Public interface connected to the Internet and Enable NAT on this interface, and then click OK.
8. To add the private interface to the NAT configura on, right-click NAT, and then click New Interface. Select the interface
connected to the private network, and then click OK.
9. On the NAT tab, click Private interface connected to private network, and then click OK.
Right answer: C
4/29/2019 Training
B Web Applica on Proxy
C Rou ng
D DirectAccess and VPN (RAS)
4/29/2019 Training
Microsoft - 70-741

You have a virtual machine named VM1 that runs Windows Server 2016, VM1 hosts a service that requires high network throughput.
VM1 has a virtual network adapter that connects to a Hyper-V switch named vSwitch1. vSwitch1 has one network adapter.
The network adapter supports Remote Direct Memory Access (RDMA), the single root I/O virtualiza on (SR-IOV) interface, Quality of
Service (QoS), and Receive Side Scaling (RSS).
You need to ensure that the traffic from VM1 can be processed by mul ple networking processors.
Which Windows PowerShell command should you run on the host of VM1?
Explana on:
The Set-NetAdapterRss cmdlet sets the receive side scaling (RSS) proper es on the network adapter. RSS is a scalability technology
that distributes the receive network traffic among mul ple processors by hashing the header of the incoming packet. Without RSS in
Windows Server network traffic is received on the first processor which can quickly reach full u liza on limi ng receive network
throughput.
Right answer: A
A Set-NetAdapterRss
B Set-NetAdapterRdma
C Set-NetAdapterQos
D Set-NetAdapterSriov
4/29/2019 Training
Microsoft - 70-741

You have a RADIUS server named RADIUS1. RADIUS1 is configured to use an IP address of 172.23.100.101.
You add a wireless access point (wap) named WAP1 to your network. You configure WAP1 to use an IP address of 10.0.100.1.
You need to ensure that WAP1 can authen cate to RADIUS1 by using a shared secret key.
(To answer, select the appropriate op ons in answer area.)
Explana on:
The New-NpsRadiusClient cmdlet creates a Remote Authen ca on Dial-In User Service (RADIUS) client. A RADIUS client uses a RADIUS
server to manage authen ca on, authoriza on, and accoun ng requests that the client sends. A RADIUS client can be an access
server, such as a dial-up server or wireless access point, or a RADIUS proxy.
Reference: New-NpsRadiusClient
Right answer: F
A Import-NPSConfigura on -Address 10.0.100.1 -Enabled $True -SharedSecret "001001001001"
B Import-NPSConfigura on -Address 172.23.100.101 -Name WAP1 -SharedSecret "001001001001"
C Import-NPSConfigura on -Address 172.23.100.101 -Enabled $True -SharedSecret "001001001001"
D New-NPSRadiusClient -Address 172.23.100.101 -Name WAP1 -SharedSecret "001001001001"
E New-NPSRadiusClient -Address 10.0.100.1 -Enabled $True -SharedSecret "001001001001"
F New-NPSRadiusClient -Address 10.0.100.1 -Name WAP1 -SharedSecret "001001001001"
4/29/2019 Training
Microsoft - 70-741

You have a virtual machine named VM1 that runs Windows Server 2016. VM1 is a Remote Desktop Services (RDS) server.
You need to ensure that only TCP port 3389 can be used to connect to VM1 over the network.
Which command should you run on the Hyper-V host?
Explana on:
The Add-VMNetworkAdapterExtendedAcl cmdlet creates an extended access control list (ACL) for a virtual network adapter. The ACL
allows or denies access to a virtual machine network adapter for network packets based on source IP address, des na on IP address,
protocol, source port, and des na on port.
Reference: Add-VMNetworkAdapterExtendedAcl
Right answer: C
Add-VmNetworkAdapterAcl -VMName VM1 -Direc on Outbound -Ac on Allow -LocalPort 3389 -Protocol TCP -
A
Weight 10
Add-VmNetworkAdapterAcl -VMName VM1 -Direc on Inbound -Ac on Allow -LocalPort 3389 -Protocol TCP -Weight
B
10
Add-VmNetworkAdapterExtendedAcl -VMName VM1 -Direc on Inbound -Ac on Allow -LocalPort 3389 -Protocol TCP
C
-Weight 10
D Set-VmNetworkAdapter -VMName VM1 -Direc on Outbound -Ac on Allow -LocalPort 3389 -Protocol TCP -Weight 10
Set-VmNetworkAdapterRou ngDomainMapping -VMName VM1 -Direc on Outbound -Ac on Allow -LocalPort 3389
E
-Protocol TCP -Weight 10
Set-VmNetworkAdapterRou ngDomainMapping -VMName VM1 -Direc on Inbound -Ac on Allow -LocalPort 3389 -
F
Protocol TCP -Weight 10
4/29/2019 Training
Microsoft - 70-741

You plan to deploy several Hyper-V hosts that run Windows Server 2016. The deployment will use So ware defined Networking (SDN)
and VXLAN.
Which server role should you install on the network to support the planned deployment?
Explana on:
Network Controller is a highly available and scalable server role, and provides one applica on programming interface (API) that allows
Network Controller to communicate with the network, and a second API that allows you to communicate with Network Controller.
You can deploy Network Controller in both domain and non-domain environments. In domain environments, Network Controller
authen cates users and network devices by using Kerberos; in non-domain environments, you must deploy cer ficates for
authen ca on.
Network Controller communicates with network devices, services, and components by using the Southbound API. With the
Southbound API, Network Controller can discover network devices, detect service configura ons, and gather all of the informa on you
need about the network. In addi on, the Southbound API gives Network Controller a pathway to send informa on to the network
infrastructure, such as configura on changes that you have made.
The Network Controller Northbound API provides you with the ability to gather network informa on from Network Controller and use
it to monitor and configure the network.
The Network Controller Northbound API allows you to configure, monitor, troubleshoot, and deploy new devices on the network by
using Windows PowerShell, the Representa onal State Transfer (REST) API, or a management applica on with a graphical user
interface, such as System Center Virtual Machine Manager.
You can manage your datacenter network with Network Controller by using management applica ons, such as System Center Virtual
Machine Manager (SCVMM), and System Center Opera ons Manager (SCOM), because Network Controller allows you to configure,
monitor, program, and troubleshoot the network infrastructure under its control.
Using Windows PowerShell, the REST API, or a management applica on, you can use Network Controller to manage the following
physical and virtual network infrastructure:
Hyper-V VMs and virtual switches
Datacenter Firewall
Remote Access Service (RAS) Mul tenant Gateways, Virtual Gateways, and gateway pools
Load Balancers
Right answer: A
B Network Policy and Access Services
4/29/2019 Training
C Remote Access
D Host Guardian Service
4/29/2019 Training
Microsoft - 70-741

You are an administrator for Contoso Co., Ltd. Your network is configured as shown in the following network diagram.
Which statements are correct?
(Use the drop-down menus to complete each statement based on the informa on presented in the screen shot. Each correct selec on
is worth one point.)
4/29/2019 Training
Explana on:
ComputerA must use the router interface that connects to his local subnet as gateway address.
The NAT server translates local addresses to the public address that connects to the Internet. the web server will see the request from
ComputerA as coming from 131.107.0.10.
Right answer: A
To access the Internet, ComputerA must use a default gateway of 10.10.0.1.
A When ComputerA requests a page from the web server, the web server will log the request as coming from the IP
address 131.107.0.10.

B When ComputerA requests a page from the web server, the web server will log the request as coming from the IP
address 172.16.0.1.

C When ComputerA requests a page from the web server, the web server will log the request as coming from the IP
address 10.10.0.25.

D When ComputerA requests a page from the web server, the web server will log the request as coming from the IP
address 131.107.15.10.

E When ComputerA requests a page from the web server, the web server will log the request as coming from the IP
address 10.10.0.1.

F When ComputerA requests a page from the web server, the web server will log the request as coming from the IP
address 172.16.0.50.
4/29/2019 Training
Microsoft - 70-741

4/29/2019 Training
Your network contains an Ac ve Directory forest named contoso.com. The forest has three sites named Site1, Site2 and Site3.
Distributed File System (DFS) for the forest is configured as shown in the exhibit.
The forest contains a server named Server2 that hosts the DFS namespace.
\\Contoso.com\Namespace1\Folder2 has the following configura on.
\\Contoso\Namespace1\Folder2 has the targets configured as shown in the following table.
For each of the following statement, select Yes if the statement is true. Otherwise, select No.
(Select the appropriate op ons in the answer area.)
4/29/2019 Training
4/29/2019 Training
Explana on:
Which folder des na on a client is connected to depends on the sor ng method of the references configured in the namespace
proper es. By default, the "Lowest cost" method is enabled.
A referral is an ordered list of targets that a client computer receives from a domain controller or namespace server when the user
accesses a namespace root or folder with targets. A er the client receives the referral, the client a empts to access the first target in
the list. If the target is not available, the client a empts to access the next target.
Targets on the client's site are always listed first in a referral. Targets outside of the client's site are listed according to the ordering
method.
Use the following sec ons to specify in what order targets should be referred to clients and to understand the different methods of
ordering target referrals.
The three ordering methods are:
Random order
Lowest cost
Random order
1. Targets in the same AD DS site as the client are listed in random order at the top of the referral.
2. Targets outside of the client’s site are listed in random order.
If no same-site target servers are available, the client computer is referred to a random target server regardless of how expensive the
connec on is or how distant the target is.
Lowest cost
1. Targets in the same site as the client are listed in random order at the top of the referral.
2. Targets outside of the client’s site are listed in order of lowest cost to highest cost. Referrals with the same cost are grouped
together, and the targets are listed in random order within each group.
In this method, the referral contains only the targets that are in the same site as the client. These same-site targets are listed in
random order. If no same-site targets exist, the client does not receive a referral and cannot access that por on of the namespace.
Right answer: C
If users from Site1 connect to \\contoso.com\Namespace1\Folder2, the users will always be redirected to Server1:
Yes
If users from Site2 connect to \\contoso.com\Namespace1\Folder2, the users will be redirected to either Server2 or
A
Server3: Yes
If users from Site3 connect to \\contoso.com\Namespace1\Folder2, the users will be redirected to either Server1,
Server2 or Server3: Yes
4/29/2019 Training
Yes
Server3: Yes
Server2 or Server3: No
Yes
C
Server3: No
If users from Site1 connect to \\contoso.com\Namespace1\Folder2, the users will always be redirected to Server1: No
D Server3: No
E Server3: Yes
F Server3: No
4/29/2019 Training
Microsoft - 70-741

You have a Hyper-V host named Server1 that runs Windows Server 2016. Server 1 has a virtual switch Switch1.
Server1 hosts the virtual machines configured as shown in the following table.
Windows firewall on VM1 and VM2 is configured to allow ICMP traffic.
VM1 and VM2 connect to Switch1.
You fail to ping VM1 from VM2.
You need to view the VirtualSubnetId to which VM1 connects.
Which cmdlet should you run on Server1?
4/29/2019 Training
Explana on:
The Get-VMNetworkAdapter cmdlet gets the virtual network adapters of the specified virtual machine, snapshot, or management
opera ng system.
Right answer: C
A Get-VM -VMName VM1 | Format-List
B Get-VM -ComputerName Server1 | Format-List
C Get-VMNetworkAdapter -VMName VM1 | Format-List
D Get-VMNetworkAdapterPortId -SwitchName Switch1 | Format-List
E Get-VMNetworkAdapterPortId -ComputerName Server1 | Format-List
F Get-VMNetworkAdapterVlan -SwitchName Switch1 | Format-List
4/29/2019 Training
Microsoft - 70-741

You have a DirectAccess Server that is accessible by using the name directaccess.fabrikam.com.
On the DirectAccess server, you install a new server cer ficate that has a subject name of directaccess.contoso.com, and then you
configure DNS records for directaccess.contoso.com.
You need to change the endpoint name for DirectAccess to directaccess.contoso.com.
Right answer: B
A Set-DaClient -EntrypointName directaccess.contoso.com
B Set-DaClient -ComputerName directaccess.contoso.com
C Set-DaEntryPoint -ConnectToAddress directaccess.contoso.com
D Set-DaEntryPoint -EntrypointName directaccess.contoso.com
E Set-DaServer -ComputerName directaccess.contoso.com
F Set-DaServer -ConnectToAddress directaccess.contoso.com
4/29/2019 Training
Microsoft - 70-741

Your network contains a server named Server1 that runs Windows Server 2016. You install the DHCP Server role on a server1. You
create a new scope on Server1.
The scope proper es are configured as shown in the following exhibit.
Use the drop down menus to select the answer choice that completes each statement based on the informa on presented in the
graphics.
(Select the appropriate op ons from each list in the answer area.)
4/29/2019 Training
Explana on:
Scope1 is deac vated. Server1 does not issue any IP addresses from Scope1.
Halfway through the lease period, the DHCP client requests a lease renewal, and the DHCP server extends the lease. The lease period
is set to 8 days.
Lease Renewals
The renewal process occurs when a client already has a lease, and needs to renew that lease with the server. To ensure that addresses
are not le in an assigned state when they are no longer needed, the DHCP server places an administrator-defined me limit, known
as a lease dura on, on the address assignment.
Halfway through the lease period, the DHCP client requests a lease renewal, and the DHCP server extends the lease. If a computer
stops using its assigned IP address (for example, if a computer is moved to another network segment or is removed), the lease expires
and the address becomes available for reassignment.
The renewal process occurs as follows:
1. The client sends a request to the DHCP server, asking for a renewal and extension of its current address lease. The client sends a
directed request to the DHCP server, with a maximum of three retries at 4, 8, and 16 seconds.
If the DHCP server can be located, it typically sends a DHCP acknowledgment message to the client. This renews the lease.
If the client is unable to communicate with its original DHCP server, the client waits un l 87.5 percent of its lease me
elapses. Then the client enters a rebinding state, broadcas ng (with a maximum of three retries at 4, 8, and 16 seconds) a
DHCPDiscover message to any available DHCP server to update its current IP address lease.
2. If a server responds with a DHCPOffer message to update the client's current lease, the client renews its lease based on the
offering server and con nues opera on.
3. If the lease expires and no server has been contacted, the client must immediately discon nue using its leased IP address. The
client then proceeds to follow the same process used during its ini al startup to obtain a new IP address lease.
Right answer: A
A
4/29/2019 Training
If a DHCP client requests an IP address from Server1, the client will fail to receive an IP address.
If a client computer that runs Windows 10 receives an IP address from Scope1, the first a empt to renew the lease
will be in four days.
If a DHCP client requests an IP address from Server1, the client will fail to receive an IP address.
B If a client computer that runs Windows 10 receives an IP address from Scope1, the first a empt to renew the lease
will be in eight days.
If a DHCP client requests an IP address from Server1, the client will receive an IP address of 192.168.213.1.
C If a client computer that runs Windows 10 receives an IP address from Scope1, the first a empt to renew the lease
will be in six days.
D If a client computer that runs Windows 10 receives an IP address from Scope1, the first a empt to renew the lease
will be in eight days.
E If a client computer that runs Windows 10 receives an IP address from Scope1, the first a empt to renew the lease
will be in six days.
F If a client computer that runs Windows 10 receives an IP address from Scope1, the first a empt to renew the lease
will be in two days.
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains an IP Address Management (IPAM)
server named Server1. Server1 manages several DHCP and DNS servers.
From Server Manager on Server1, you create a custom role for IPAM.
You need to assign the role to a group named IP_Admins.
What should you do?
Explana on:
A role is a collec on of IPAM opera ons. You can associate a role with a user or group in Windows using an access policy. Several built-
in roles are provided, but you can also create customized roles to meet your business requirements.
An access policy combines a role with an access scope to assign permission to a user or group. For example, you might define an
access policy for a user with a role of IP Block Admin and an access scope of Global\Asia. Therefore, this user will have permission to
edit and delete IP address blocks that are associated to the Asia access scope. This user will not have permission to edit or delete any
other IP address blocks in IPAM.
Right answer: B
A From Windows PowerShell, run the Add-Member cmdlet.
B From Server Manager, create an access policy.
C From Windows PowerShell, run the Set-IpamConfigura on cmdlet.
D From Server Manager, create an access scope.
4/29/2019 Training
Microsoft - 70-741

You are implemen ng a new network. The network contains a DHCP server named DHCP1 that runs Windows Server 2016. DHCP1
contains a scope named Scope1 for the 192.168.0/24 subnet.
Your company has the following policy for alloca ng IP addresses:
All server addresses must be excluded from DHCP scopes.

All client computer must receive IP addresses from Scope1.
All Windows servers must have IP addresses in the range of 192.168.0.200 to 192.168.0.240
All other network devices must have IP addresses in the range of 192.168.0.180 to 192.168.0.199.
You deploy a print device named Print1.
You need to ensure that Print1 adheres to the policy for alloca ng IP addresses.
Which command should you use?
Right answer: D
A Add-DhcpServerv4Lease
B Add-DhcpServerv4ExclusionRange
C Add-DhcpServerv4Filter
D Add-DhcpServerv4Reserva on
4/29/2019 Training
Microsoft - 70-741

You have a remote access server named Server1 that runs Windows Server 2016. Server1 has DirectAccess enabled.
You have a proxy server named Server2. All computers on the internal network connect to the Internet by using the proxy.
On Server1, you run the command Set-DAClient -ForceTunnel Enabled.
You need to ensure that when a DirectAccess client connects to the network, the client accesses all the Internet resources through the
proxy.
What should you run on Server1?
Explana on:
Force tunneling can quickly be enabled by opening an elevated PowerShell command window and running the following command.
Set-DAClient -ForceTunnel Enabled
Once force tunneling has been enabled, run the following PowerShell script to configure an on-premises proxy server for DirectAccess
clients to use. Be sure to subs tute the fully-qualified domain name (FQDN) and port for your proxy server in the $proxy variable
below.
$gpo = (Get-RemoteAccess).ClientGpoName
$gpo = $gpo.Split(‘\’)[1]
$proxy = “proxy.corp.example.net:8080”
$rule = (Get-DnsClientNrptRule -GpoName $gpo | Where-Object Namespace -eq “.” | Select-Object -ExpandProperty “Name”)
Set-DnsClientNrptRule -DAEnable $true -DAProxyServerName $proxy -DAProxyType “UseProxyName” -Name $rule -GpoName $gpo
Reference: DirectAccess Force Tunneling and Proxy Server Configura on
Right answer: C
A Set-DnsClientGlobalSe ng
B Set-DAEntryPoint
C Set-DnsClientNrptRule
D Set-DnsClientNrptGlobal
4/29/2019 Training
Microsoft - 70-741

You have an IP Address Management (IPAM) deployment that is used to manage all of the DNS servers on your network. IPAM is
configured to use Group Policy provisioning.
You discover that a user adds a new mail exchanger (MX) record to one of the DNS zones.
You want to iden fy which user added the record. You open Event Catalog on an IPAM server, and you discover that the most recent
event occurred yesterday.
You need to ensure that the opera onal events in the event catalog are never older than one hour.
What should you do?
4/29/2019 Training
Explana on:
IPAM launches the following tasks upon installa on with the specified periodicity. These tasks can be viewed in Task Scheduler by
naviga ng to Microso > Windows > IPAM.
Right answer: C
A From the proper es on the DNS zone, modify the refresh interval.
B From an IPAM_DNS Group Policy object (GPO), modify the Group Policy refresh interval.
C From Task Scheduler, modify the Microso \Windows\IPAM\Audit task.
D From Task Scheduler, create a scheduled task that runs the Update-IpamServer cmdlet.
4/29/2019 Training
Microsoft - 70-741

You are an administrator for your company. You have a DHCP server named Server1. Server1 has an IPv4 scope that serves 75 client
computers that run Windows 10.
When you review the address leases in the DHCP console, you discover several leases for devices that you do not recognize.
You need to ensure that only the 75 Windows 10 computers can obtain a lease from the scope.
What should you do?
Explana on:
The policy based assignment (PBA) feature allows you to group DHCP clients by specific a ributes based on fields contained in the
DHCP client request packet. PBA enables targeted administra on and greater control of the configura on parameters delivered to
network devices with DHCP.
We could use a vendor class, a MAC prefix or a DNS suffix to restrict the address assignment to a certain group of computers or
devices.
Introduc on to DHCP Policies
Right answer: C
A Run the Add-DhcpServerv4ExclusionRange cmdlet.
B Create and enable a DHCP filter.
C Create a DHCP policy for the scope.
D Run the Add-DhcpServerv4Op onDefini on cmdlet.
4/29/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. Server1 has the DHCP Server and the Windows Deployment Service
server roles installed.
Server1 is located on the same subnet as client computers.
You need to ensure that clients can perform a PXE boot from Server1.
Which two IPv4 op ons should you configure in DHCP?
(Each correct answer presents part of the solu on. Choose two.)
Right answer: B, E
A 003 Router
B 066 Boot Server Host Name
C 015 DNS Domain Name
D 006 DNS Servers
E 060 Op on 60
4/29/2019 Training
Microsoft - 70-741

You are an administrator for Fabricam Co., Ltd. You plan to implement a VPN solu on.
Your network contains the servers shown in the following exhibit:
FabRA1 will use the RADIUS proxy for authen ca on.
You need to ensure that VPN clients can be authen cated and can access internal resources. The solu on must ensure that FabRS1 is
used as a RADIUS server and FabRP1 is used as a RADIUS proxy.
Which two ac ons should you perform?
(Each correct answer presents part of the solu on. Choose two.)
Explana on:
We need to create a connec on request policy on the RADIUS proxy (FabRP1) that forwards authen ca on requests to the RADIUS
server (fabRS1). Also we need to create a network policy on FabRS1 that allows users access to the internal network.
Reference: Connec on Request Policies
Right answer: B, C
A Create a connec on request policy on FabRS1.
B Create a connec on request policy on FabRP1.
C Create a network policy on FabRS1.
D Delete the default connec on request policy on FabRS1.
E Create a network policv on FabRP1.
4/29/2019 Training
Microsoft - 70-741

You are an administrator for your company. You need to verify whether a DNS response from a DNS server is signed by DNSSEC.
What should you run?
Right answer: D
A Nslookup.exe
B Dnscmd.exe
C Get-NetIPAddress
D Resolve-DNSName
4/29/2019 Training
Microsoft - 70-741

You are an administrator for your company. You have a DNS server named Server1 that runs Windows Server 2016.
You need to disable recursion on Server1.
What are three possible ways to achive the goal?
(Each correct answer presents a complete solu on. Choose three.)
Explana on:
By default, the DNS server performs recursive queries on behalf of its DNS clients and DNS servers that have forwarded DNS client
queries to it. Recursion is a name-resolu on technique in which a DNS server queries other DNS servers on behalf of the reques ng
client to fully resolve the name and then sends an answer back to the client.
A ackers can use recursion to deny the DNS Server service. Therefore, if a DNS server in your network is not intended to receive
recursive queries, recursion should be disabled on that server.
You can use the GUI tool DNS Manager or the command line tool dnscmd.exe to prevent recursion. If you create a root zone ("."),
recursion is also prevented.
Right answer: C, E, F
A Create a reverse lookup zone named 0.in-addr.arpa.
B Create a forward lookup zone named globalnames.
C From DNS Manager, modify the advanced proper es of server1.
D From DNS Manager, modify the forwarders proper es of Server1.
E Create a forward lookup zone named ".".
F Run dnscmd.exe and specify the /config parameter.
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory forest named contoso.com.
Users frequently access the website of an external partner company. The URL of the website is h p://partners.adatum.com.
The partner company informs you that it will perform maintenance on its Web server and that the IP addresses of the Web server will
change.
A er the change is complete, the users on your internal network report that they fail to access the website. However, some users who
work from home report that they can access the website.
You need to ensure that your DNS servers can resolve partners.adatum.com to the correct IP address immediately.
What should you do?
Explana on:
We can clear the DNS cache on the DNS server with either Dnscmd /ClearCache from command prompt or with Clear-DnsServerCache
from Windows PowerShell.
Right answer: C
A Run ipconfig and specify the FlushDns parameter.
B Run ipconfig and specify the Renew parameter.
C Run dnscmd and specify the ClearCache parameter.
D Run Set-DnsServerResourceRecordAging.
4/29/2019 Training
Microsoft - 70-741

Your network contains a Windows Server 2016 Hyper-V host named Server1. Server1 has two virtual machines named VM1 and VM2
Server1 has the following virtual switches configured:
VM1 connects to Private1. VM2 has two network adapters.
You need to ensure that VM1 connects to the corporate network by using NAT.
Solu on: You connect VM2 to Private1 and External1. You install the Remote Access Server role on VM2, and you configure NAT in the
Rou ng and Remote Access console. You configure VM1 to use VM2 as the default gateway.
Right answer: A
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

Solu on: You connect VM1 to Internal1. You run the New-NetIpAddress and the New-NetNat cmdlets on Server1. You configure VM1
to use VM2 as the default gateway.
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

to use the NAT gateway as the default gateway.
Explana on:
Internal virtual networks are used where you want to allow communica ons between:
Virtual machine to virtual machine on the same physical server.

Virtual machine to parent par on (and visa-versa).
Windows Server 2016 Hyper-V and Windows 10 Hyper-V allow na ve network address transla on (NAT) for a virtual network.
Configuring na ve NAT involves an internal switch and the two cmdlets men oned in the solu on. Each VM must use the configured
NAT gateway as default gateway in order to access external ressources.
Reference: Set up a NAT network
Right answer: A
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

You are an administrator for your company. You have an Ac ve Directory forest that contains 30 servers and 6,000 Client computers.
You deploy a new DHCP server that runs Windows Server 2016.
You need to retrieve the list of the authorized DHCP servers.
Which command should you run?
Explana on:
The Get-DhcpServerInDC cmdlet retrieves the list of authorized computers running the Dynamic Host Configura on Protocol (DHCP)
server service from Ac ve Directory (AD). Only a computer running a DHCP server service that is authorized in AD can lease IP
addresses on the network.
Right answer: C
A Get-DHCPServerDatabase
B Netstat -p IP -s -a
C Get-DHCPServerInDc
D Show-ADAuthen ca onPolicyExpression -AllowedToAuthen cateTo
4/29/2019 Training
Microsoft - 70-741

You have a DHCP server named Server1. Server1 has an IPv4 scope that contains 100 addresses for a subnet named Subnet1. Subnet1
provides guest access to the Internet.
There are never more than 20 client computers on Subnet1 simultaneously. However, the computers that connect to Subnet1 are
rarely the same computers.
You discover that some client computers are unable to access the network.
The computers that have the issue have IP addresses in the range of 169.254.0.0/16.
You need to ensure that all of the computers can connect successfully to the network to access the Internet.
What should you do?
Explana on:
By default, the lease me for DHCP clients is 8 days. A once assigned address is therefore blocked for 8 days and excluded from the
assignment to another client. By reducing the lease dura on, enough IP addresses can be provided even with frequently changing
clients.
Right answer: C
A Create a new scope that uses IP addresses in the range of 169.254.0.0/16.
B Modify the scope op ons.
C Modify the lease dura on.
D Configure Network Access Protec on (NAP) integra on on the exis ng scope.
4/29/2019 Training
Microsoft - 70-741

You have a Hyper-V server named Server1 that runs Windows Server 2016. Server1 has an IP address of 192.168.1.78.
Server1 has a container named Container1 that hosts a web applica on on port 84. Container1 has an IP address of 172.16.5.6.
Container1 has a port mapping from port 80 on Server1 to port 84 on Container1.
You have a server named Server2 that has an IP address of 192.168.1.79.
You need to connect to the web applica on from Server2.
To which IP address and port should you connect?
Explana on:
Windows containers func on similarly to virtual machines in regards to networking. Each container has a virtual network adapter
(vNIC) which is connected to a Hyper-V virtual switch (vSwitch). Windows support five different networking drivers or modes which
can be created through Docker: nat, overlay, transparent, l2bridge, and l2tunnel.
The first me the docker engine runs, it will create a default NAT network, 'nat', which uses an internal vSwitch and a Windows
component named WinNAT.
The 'nat' network is the default network for containers running on Windows. Any containers that are run on Windows without any
flags or arguments to implement specific network configura ons will be a ached to the default 'nat' network, and automa cally
assigned an IP address from the 'nat' network's internal prefix IP range. The default internal IP prefix used for 'nat' is 172.16.0.0/16.
Port forwarding / mapping from the container host to container endpoints ensures that certain services on a container are accessible
from external devices.
Windows Container Networking
Right answer: B
A 172.16.5.6:80
B 192.168.1.78:80
C 172.16.5.6:84
D 192.168.1.78:84
4/29/2019 Training
Microsoft - 70-741

You are an administrator for your company. Your network contains a server named Server1 that runs Windows Server 2016.
Server1 provides DNS name resolu on to both internal and external clients. Server1 hosts the primary zone for contoso.com.
You need to configure Server1 to meet the following requirements:
Internal clients must be able to use Server 1 to resolve internet-based DNS names.
External clients must not be able to use Server1 to resolve Internet-based DNS names.
External clients must be able to use Server1 to resolve names in the contoso.com zone.
Which commands should you run on Server1?
(To answer select the appropriate op on in answer area.)
4/29/2019 Training
Explana on:
The Add-DnsServerRecursionScope cmdlet adds a recursion scope on a Domain Name System (DNS) server. Recursion scopes are
unique instances of a group of se ngs that control recursion on a DNS server. A recursion scope contains a list of forwarders and
specifies whether recursion is enabled. A DNS server can have many recursion scopes.
DNS server recursion policies allow you to choose a recursion scope for a set of queries. If the DNS server is not authorita ve for
certain queries, DNS server recursion policies allow you to control how to resolve those queries. You can specify which forwarders to
use and whether to use recursion.
The legacy recursion se ng and list of forwarders are now referred as the default recursion scope. You cannot add or remove the
default recursion scope, iden fied by name as dot (.).
The Add-DnsServerQueryResolu onPolicy cmdlet adds a policy for query resolu on to a Domain Name System (DNS) server. A policy
determines the resolu on of queries based on criteria that you specify in the policy.
Example: Allow recursion for internal clients
The first command creates a recursion scope called InternalClients. Recursion is enabled for this scope.
The second command modifies the default recursion scope by using the Set-DnsServerRecursionScope cmdlet. The default scope,
iden fied by a dot (.), has recursion disabled.
The final command creates a policy that uses the InternalClients scope. For that scope, on the specified server interface address, the
policy allows recursion.
Add-DnsServerRecursionScope -Name "InternalClients" -EnableRecursion $True
Set-DnsServerRecursionScope -Name . -EnableRecursion $False
Add-DnsServerQueryResolutionPolicy -Name "SplitBrainPolicy" -Action ALLOW -

ApplyOnRecursion -RecursionScope "InternalClients" -ServerInterfaceIP "EQ,10.0.0.34" -
PassThru
Reference:
Add-DnsServerRecursionScope
Add-DnsServerQueryResolu onPolicy
Selec ve Recursion Control Using DNS Server Policies
Right answer: D
Add-DnsServerRecursionScope -Name . -EnableRecursion $False
A
Add-DnsServerQueryResolu onPolicy -Name 'Policy1' -Ac on Allow -ApplyOnRecursion -RecursionScope 'Scope1' -
ClientSubnet "EQ,InternalClients"

Set-DnsServerRecursionScope -Name 'Scope1' -EnableRecursion $True
B
ServerInterfaceIP "EQ,10.0.0.100"

C
ServerInterfaceIP "EQ,131,107,0,100"
D
4/29/2019 Training
Add-DnsServerRecursionScope -Name 'Scope1' -EnableRecursion $True

ServerInterfaceIP "EQ,10.0.0.100"

E
ServerInterfaceIP "EQ,131,107,0,100"

F
ClientSubnet "EQ,InternalClients"
4/29/2019 Training
Microsoft - 70-741

You have a Hyper-V host named Server1 that runs Windows Server 2016. Server1 has two network adapters named NIC1 and NIC2.
Server1 has two virtual switches named vSwitch1 and vSwitch2.
NIC1 connects to vSwitch1. NIC2 connects to vSwitch2.
Server1 hosts a virtual machine named VM1. VM1 has two network adapters named vmNIC1 and vmNIC2. vmNIC1 connects to
vSwitch1. vmNIC2 connects to vSwitch2.
You need to create a NIC team on VM1.
What should you run on VM1?
(To answer, select the appropriate op ons in the answer area. NOTE: Each correct selec on is worth one point.)
4/29/2019 Training
Explana on:
The New-NetLbfoTeam cmdlet creates a new NIC team that consists of one or more network adapters.
-TeamingMode<TeamingModes>
Specifies the mode of the NIC teaming. You can specify one of the following three teaming modes:
LACP: Uses the IEEE 802.1ax Link Aggrega on Control Protocol (LACP) to dynamically iden fy links that are connected between the
host and a given switch. (This protocol was formerly known as IEEE 802.3ad dra )
Sta c: Requires configura on on both the switch and the host to iden fy which links form the team.
SwitchIndependent: Specifies that a network switch configura on is not needed for the NIC team. Because the network switch is not
configured to know about the interface teaming, the team interfaces can be connected to different switches.
-LoadBalancingAlgorithm<LBAlgos>
Specifies the load-balancing algorithm the new team uses to distribute network traffic between the interfaces.
You can specify one of the following five load balancing algorithms:
Dynamic: Uses the source and des na on TCP ports and the IP addresses to create a hash for outbound traffic. Moves outbound
streams from team member to team member as needed to balance team member u liza on. When you specify this algorithm with
the TeamingMode parameter and the SwitchIndependent value, inbound traffic is routed to a par cular team member.
TransportPorts: Uses the source and des na on TCP ports and the IP addresses to create a hash and then assigns the packets that
have the matching hash value to one of the available interfaces. When you specify this algorithm with the TeamingMode parameter
and the SwitchIndependentvalue all inbound traffic arrives on the primary team member.
IPAddresses: Uses the source and des na on IP addresses to create a hash and then assigns the packets that have the matching hash
value to one of the available interfaces. When you specify this algorithm with the TeamingMode parameter and
the SwitchIndependent value, all inbound traffic arrives on the primary team member.
MacAddresses: Uses the source and des na on MAC addresses to create a hash and then assigns the packets that have the matching
hash value to one of the available interfaces. When you specify this algorithm with the TeamingMode parameter and
the SwitchIndependent value, all inbound traffic arrives on the primary team member.
HyperVPort: Distributes network traffic based on the source virtual machine Hyper-V switch port iden fier. When you specify this
algorithm with the TeamingMode parameter and the SwitchIndependent value, inbound traffic is routed to the same team member
as the switch port’s outgoing traffic.
Right answer: E
$var1 = "LACP"
$var2 = "TransportPorts"
A
New-NetLbfoTeam -Name Team1 -TeamMembers vmNic1,vmNic2 -TeamingMode $var1 -LoadBalancingAlgorithm
$var2
$var1 = "LACP"
$var2 = "Dynamic"
B
$var2
$var1 = "Sta c"

$var2 = "HyperVPort"
C
$var2
4/29/2019 Training
D $var1 = "Sta c"

$var2 = "TransportPorts"
$var2
$var1 = "SwitchIndependant"
$var2 = "Dynamic"
E
$var2
$var1 = "SwitchIndependant"
$var2 = "HyperVPort"
F
$var2
4/29/2019 Training
Microsoft - 70-741

On a DNS server that runs Windows Server 2016, you plan to create two new primary zones named adatum.com and contoso.com.
You have the following requirements for the zones:
Ensure that computers on your network can register records automa cally in the adatum.com zone.
Ensure that records that are stale for two weeks are purged automa cally from the contoso.com zone.
What should you configure for each zone?
Explana on:
In order to ensure that computers on your network can register records automa cally in the adatum.com zone we need to configure
dynamic updates for the zone.
In order to ensure that records that are stale for two weeks are purged automa cally from the contoso.com zone we need to configure
the Zone Aging/Scavenging Proper es.
Right answer: A
Adatum.com: Dynamic updates
A
Contoso.com: Scavenging
Adatum.com: Scavenging
B
Contoso.com: The refresh interval
Adatum.com: The expires a er interval

C
Contoso.com: The security of the zone
4/29/2019 Training
Adatum.com: The refresh interval

Contoso.com: Recursion
Adatum.com: The security of the zone

E
Contoso.com: The expires a er interval
4/29/2019 Training
Microsoft - 70-741

You are an administrator for your company. Your network contains a DFS Namespace named Namespace1. The configura on of
Namespace1 is shown in the following exhibit.
\\server01.contoso.com\namespace1 has a folder target named Folder1.
A user named User1 has Full Control share and NTFS permissions to Folder1.
Folder1 contains a file named File1.docx. User1 has only Write NTFS permissions to File1.docx.
Use the drop-down menus shown in the answer area to select the answer choice that completes each statement based on the
informa on presented in the graphic.
Right answer: C
When you want to provide redundancy for the DFS namespace on Server01, you must implement DFS Replica on.
A
User1 will be able to see File1.docx in File Explorer and will be able to open the file.
4/29/2019 Training
B When you want to provide redundancy for the DFS namespace on Server01, you must implement DFS Replica on.
User1 will be prevented from seeing File1.docx in File Explorer but will be able to delete the file.
When you want to provide redundancy for the DFS namespace on Server01, you must implement Failover Clustering.
C
User1 will be able to see File1.docx in File Explorer but will be prevented from opening the file.
When you want to provide redundancy for the DFS namespace on Server01, you must implement Failover Clustering.
D
User1 will be able to see File1.docx in File Explorer and will be able to open the file.
When you want to provide redundancy for the DFS namespace on Server01, you must install an addi onal domain
E controller.
User1 will be able to see File1.docx in File Explorer but will be prevented from opening the file.
When you want to provide redundancy for the DFS namespace on Server01, you must install an addi onal domain
F controller.
User1 will be prevented from seeing File1.docx in File Explorer but will be able to delete the file.
4/29/2019 Training
Microsoft - 70-741

You are configuring internal virtual networks to support mul tenancy communica on between tenant virtual machine networks and
remote sites.
You have a tenant named Tenant1.
You need to enable Border Gateway Protocol (BGP) for Tenant1.
Which commands should you run?
4/29/2019 Training
Explana on:
When configured on a Windows Server 2016 Remote Access Service (RAS) Gateway in mul tenant mode, Border Gateway Protocol
(BGP) provides you with the ability to manage the rou ng of network traffic between your tenants' VM networks and their remote
sites. You can also use BGP for single tenant RAS Gateway deployments, and when you deploy Remote Access as a Local Area Network
(LAN) router.
BGP reduces the need for manual route configura on on routers because it is a dynamic rou ng protocol, and automa cally learns
routes between sites that are connected by using site-to-site VPN connec ons.
To use BGP rou ng, you must install the Remote Access Service (RAS) and/or the Rou ng role service of the Remote Access server role
on a computer or virtual machine (VM) - the type of system you use depends on whether or not you have a mul tenant deployment:
For a mul tenant deployment, it is recommended that you install the RAS Gateway on one or more VMs. Use of mul ple VMs
provides high availability. The RAS Gateway is capable of handling mul ple connec ons from mul ple tenants, and consists of a
Hyper-V host and a VM that is actually configured as the gateway. This gateway is configured with site-to-site VPN connec ons as
a mul tenant BGP router to exchange tenant and Cloud Service Provider (CSP) subnet routes.
For a single tenant edge gateway deployment or a LAN router deployment, you can install the RAS Gateway on either a physical
computer or a VM.
Important
When you install a RAS Gateway, you must specify whether BGP is enabled for each tenant by using the Enable-
RemoteAccessRou ngDomain Windows PowerShell command with the Type parameter value of All. To install Remote Access as a BGP-
enabled LAN router without mul tenant capabili es, you can use the command Install-RemoteAccess -VpnType Rou ngOnly.
The following example code illustrates how to install RAS in Mul tenancy mode with all RAS features (point-to-site VPN, site-to-site
VPN, and BGP rou ng) enabled for two tenants, Contoso and Fabrikam.
$Contoso_RoutingDomain = "ContosoTenant"
$Fabrikam_RoutingDomain = "FabrikamTenant"
Install-RemoteAccess -MultiTenancy
Enable-RemoteAccessRoutingDomain -Name $Contoso_RoutingDomain -Type All -PassThru

Enable-RemoteAccessRoutingDomain -Name $Fabrikam_RoutingDomain -Type All -PassThru
Reference: Border Gateway Protocol (BGP)
Right answer: F
Add-BgpRouter -MsgAuthen ca on
A
Install-RemoteAccess -Name Tenant1 -Type All -PassThru
Add-BgpRouter -Mul tenancy

B
Enable-RemoteAccessRou ngDomain -Name Tenant1 -Type All -PassThru
Enable-RemoteAccessRou ngDomain -MsgAuthen ca on

C
Add-BgpRouter -Name Tenant1 -Type All -PassThru
Enable-RemoteAccessRou ngDomain -PassThru

D
Install-RemoteAccess -Name Tenant1 -Type All -PassThru
Install-RemoteAccess -PassThru
E
Add-BgpRouter -Name Tenant1 -Type All -PassThru
Install-RemoteAccess -Mul tenancy

F
Enable-RemoteAccessRou ngDomain -Name Tenant1 -Type All -PassThru
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

4/29/2019 Training
You are an administrator for your company. You have two servers named Server01 and Server2 that run Windows Server 2016.
Server01 has the DNS Server role installed. The advanced DNS proper es for Server01 are shown in the following exhibit:
Server01 hosts a zone named adatum.com. The zone content is shown in the following exhibit:
Server2 is configured to use Server1 as a DNS server. Server2 has the following IP configura on:
Select the appropriate selec on if statement is "Yes" or “No” in the answer area.
4/29/2019 Training
Explana on:
The DNS server has Enable round robin and Enable netmask ordering enabled. Enable netmask ordering is used to priori ze local
resources for DNS clients. Windows 2003 and newer Opera ng Systems Subnet Prior za on Feature Defaults to a Class C Subnet.
Host2 is an alias name for a ressource record in the same DNS zone. Since the zone does not contain a host (A) record for Server1,
queries for host1.adatum.com can´t be resolved.
Reference: DNS and Subnet Prior za on & DNS Round Robin
Right answer: F
When Server2 queries for host1.adatum.com, the server always resolves to 172.16.1.100: Yes
When Server2 queries for host2.adatum.com, the server always resolves to an IP address: Yes
A
When a host that has an IP address of 172.16.100.1 queries for host1.adatum.com, the host always resolves to
172.16.1.100: Yes
When Server2 queries for host2.adatum.com, the server always resolves to an IP address: No
B
172.16.1.100: Yes
When Server2 queries for host1.adatum.com, the server always resolves to 172.16.1.100: No
C
172.16.1.100: No
D
172.16.1.100: Yes
E
172.16.1.100: Yes
F
172.16.1.100: No
4/29/2019 Training
Microsoft - 70-741

You have an IP Address Management (IPAM) server named IPAM1 that runs Windows Server 2016. IPAM1 manages 10 DHCP servers.
You need to provide a user with the ability to track which clients receive which IP addresses from DHCP. The solu on must minimize
administra ve privileges.
Which role do you assign to the user?
Explana on:
Right answer: C
4/29/2019 Training
A IPAM MSM Administrators
B IPAM ASM Administrators
C IPAM IP Audit Administrators
D IPAM User
4/29/2019 Training
Microsoft - 70-741

4/29/2019 Training
You are an administrator for your company. You have two servers named Server01 and Server02 that run Windows Server 2016.
Server1 has the DNS Server role installed. The advanced DNS proper es for Server01 are shown in the following exhibit:
Server01 hosts a zone named adatum.com. The zone content is shown in the following exhibit:
Server02 is configured to use Server1 as a DNS server. Server2 has the following IP configura on:
Select the appropriate selec on if statement is "Yes" or “No” in the answer area.
4/29/2019 Training
Explana on:
The DNS server has Enable round robin and Enable netmask ordering enabled. Enable netmask ordering is used to priori ze local
resources for DNS clients. Windows 2003 and newer Opera ng Systems Subnet Prior za on Feature Defaults to a Class C Subnet.
Host2 is an alias name for a ressource record in the same DNS zone. Since the zone does not contain a host (A) record for Server1,
queries for host1.adatum.com can´t be resolved.
Reference: DNS and Subnet Prior za on & DNS Round Robin
Right answer: A
A
172.16.1.100: No
B
172.16.1.100: No
C
172.16.1.100: Yes
D
172.16.1.100: No
E
172.16.1.100: Yes
F
172.16.1.100: No
4/29/2019 Training
Microsoft - 70-741

a correct solu on.
Solu on: You create a new IPv4 address scope.
4/29/2019 Training
Explana on:
The red down arrow next to the IPv4 address range indicates that the range is disabled. The small window with the sta s cs for the
area indicates that the area contains no addresses for assignment to clients. However, this is only due to the fact that the area is
deac vated and does not allow any conclusions about the addresses contained in the address pool of the area. If the area is ac vated,
the addresses of the address pool are available for assignment by the DHCP server.
The blue circle icon with the white exclama on mark indicates that the server has no IPv4 addresses available for assignment.
To ensure that clients can obtain IP addresses from Server1, we either need to ac vate the exis ng scope or create a completely new
scope.
See also: DHCP Console Icons Reference
Right answer: A
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

You have mul ple servers that run Windows Server 2016. You have a server named Server1 that is configured as a domain controller
and a DNS server.
You need to create an Ac ve Directory-integrated zone on Server1.
Right answer: C
A dism.exe
B dns.exe
C dnscmd.exe
D netsh.exe
E Set-DhcpServerDatabase
F Set-DhcpServerv4DnsSe ng
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains a DHCP server named Server2 that runs
Server2 has 10 IPv4 scopes.
You need to ensure that the scopes are backed up every 30 minutes to the folder D:\DHCPBackup.
Explana on:
The Set-DhcpServerDatabase cmdlet modifies one or more configura on parameters of the database of the Dynamic Host
Configura on Protocol (DHCP) server service.
The BackupInterval parameter specifies the interval of me between automa c database backups, in minutes.
The BackupPath parameter specifies the path of the directory where the database should be backed up.
The following example sets the backup file name to D:\NewDhcpPath\dhcp.mdb and the backup path to D:\NewDhcpPath\backup.
This cmdlet also sets the periodicity of the database backup to 30 minutes and the periodic cleanup of the database to 120 minutes.
Set-DhcpServerDatabase -ComputerName dhcpserver.contoso.com -FileName D:\NewDhcpPath\dhcp.mdb -BackupPath

D:\NewDhcpPath\backup -BackupInterval 30 -CleanupInterval 120

A: dism.exe
B: dns.exe
C: dnscmd.exe
D: dsamain.exe
E: Set-DhcpServerDatabase
F: Set-DhcpServerv4DnsSe ng
G: Set-DhcpServerv6DnsSe ng
H: Set-DNSServerSe ng
Right answer: E
A dism.exe
4/29/2019 Training
B dns.exe
C dnscmd.exe
D netsh.exe
4/29/2019 Training
Microsoft - 70-741

You have mul ple servers that run Windows Server 2016.
The DNS Server server role is installed on a server named Server1.
You need to configure Server1 to use a DNS forwarder that has an IP address of 192.168.10.15.
Right answer: C
A dism.exe
B dns.exe
C dnscmd.exe
D netsh.exe
4/29/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. You install the DHCP Server server role on Server1.
You need to authorize DHCP on Server1.
Explana on:
You can use the Netsh command to authorize a DHCP server from the command line. In an Ac ve Directory environment, you must
first authorize your DHCP server before it can lease addresses to clients.
For example, to authorize a DHCP server named Server1 in the contoso.com domain and which has IP address 10.10.20.51, type the
following command:
netsh dhcp add server Server1.contoso.com 10.10.20.51
To verify the result, type this command:
netsh dhcp show server
If you decide later to remove the server from your network, you can unauthorized it by typing:
netsh dhcp delete server Server1.contoso.com 10.10.20.51
A: dism.exe
B: dns.exe
C: dnscmd.exe
D: netsh.exe
Right answer: D
4/29/2019 Training
A dism.exe
B dns.exe
C dnscmd.exe
D netsh.exe
4/29/2019 Training
Microsoft - 70-741

You have mul ple servers that run Windows Server 2016.
You need to install the DNS Server server role on one of the servers.
Explana on:
Use the following command line to install the DNS Server server role using DISM.exe:
Dism.exe /online /enable-feature /featurename:DNS-Server-Full-Role /featurename:DNS-Server-Tools
A: dism.exe
B: dns.exe
C: dnscmd.exe
D: netsh.exe
Right answer: A
A dism.exe
B dns.exe
C dnscmd.exe
D netsh.exe
4/29/2019 Training
Microsoft - 70-741

to use Server1 as the default gateway.
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

a correct solu on.
days.
Solu on: You set the Expires a er value of the zone.
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

a correct solu on.
Solu on: You run the Set-DhcpServerv4Mul castScope cmdlet.
Explana on:
The blue exclama on mark signals that all IP addresses have been allocated by the DHCP server and are in use. No more clients can
obtain IP addresses from the DHCP server because it has no more IP addresses to allocate.
We need to extend the address space of the exis ng scope or add a new scope.
See also: DHCP Console Icons Reference
Right answer: B
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

4/29/2019 Training
a correct solu on.
Your network contains an Ac ve Directory domain named adatum.com. The domain contains two DHCP servers named Server1 and
Server2.
Server1 has the following IP configura on.
Some users report that some mes they cannot access the network because of conflic ng IP addresses.
You need to configure DHCP to avoid leasing addresses that are in use already.
Solu on: On Server1, you modify the Ac vatePolicies se ng of the scope.
4/29/2019 Training
Explana on:
The IP address ranges on Server1 and Server2 overlap. Therefore, in some cases, Server1 and Server2 will issue the same IP addresses.
The number of conflict detec on a empts is set to 0 on Server1. This means that Server1 does not check whether an IP is already in
use on the network before issuing.
To avoid IP address conflicts, we must either change the address ranges so that there is no overlap or set the number of conflict
detec on a empts on Server1 to a value greater than 0.
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

4/29/2019 Training
a correct solu on.
Server2.
Solu on: On Server1, you modify the EndRange IP address of the scope.
Right answer: A
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

4/29/2019 Training
a correct solu on.
Server2.
Solu on: On Server2, you modify the ConflictDetec onA empts value for IPv4.
4/29/2019 Training
Explana on:
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

4/29/2019 Training
a correct solu on.
Server2.
Solu on: On Server1, you modify the ConflictDetec onA empts value for IPv4.
4/29/2019 Training
Explana on:
Right answer: A
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

a correct solu on.
Your network contains an Ac ve Directory forest named contoso.com. The forest has three sites located in London, Paris, and Berlin.
Solu on: You install the Sta c Content role service, and then you restart the IIS Admin Service.
Explana on:
To deploy content servers that are Secure Hypertext Transfer Protocol (HTTPS) Web servers, Hypertext Transfer Protocol (HTTP) Web
servers, and Background Intelligent Transfer service (BITS)-based applica on servers, such as Windows Server Update Services (WSUS)
and System Center Configura on Manager branch distribu on site system servers, you must install the BranchCache feature, start the
BranchCache service, and (for WSUS servers only) perform addi onal configura on steps.
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

a correct solu on.
You have a server named Server1 that has the Network Policy and Access Services server role installed.
You create a Shared Secret Network Policy Server (NPS) template named Template1.
You need to view the shared secret string used for Template1.
Solu on: From Windows PowerShell, you run Get-NpsSharedSecretTemplate -Name Template1.
Explana on:
The image shows the output of the cmdlet. Secret123 is the shared secret string:
Right answer: A
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

a correct solu on.
Solu on: From the Network Policy Server console, you export the configura on, and you view the exported XML file.
Explana on:
Prior to the export process, a corresponding note must be approved:
However, in the exported configura on of the NPS server, the secret key is not included unless a RADIUS client is configured using the
secret key template.
The ques on states that the template has just been created. There is no indica on of configured RADIUS clients. The secret key is
therefore not included in the exported NPS configura on.
Right answer: B
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

a correct solu on.
Solu on: From the Network Policy Server console, you view the proper es of Template1.
Explana on:
From the proper es of the template, the secret key can not be viewed.
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

You have a Hyper-V host named Server1 that runs Windows Server 2016. Server1 has two network adapters that are Remote Direct
Memory Access (RDMA)-enabled.
You need to verify whether Switch Embedded Teaming (SET) is enabled.
Explana on:
The following command creates a virtual switch that has Switch Embedded Teaming (SET) enabled:
New-VMSwitch -Name SwitchSET -NetAdapterName "NIC1","NIC2" -EnableEmbeddedTeaming $true
Use the Get-VMSwitch cmdlet to view the proper es of the switch:
Right answer: C
A Get-NetworkSwitchFeature
B Get-VMNetworkAdapter
C Get-VMSwitch
D Get-VMNetworkAdapterFailoverConfigura on
4/29/2019 Training
Microsoft - 70-741

You are an administrator for your company. Your network contains a server named Server1 that runs Windows Server 2016.
You run Get-NetIPAddress –AddressFamily ipv4 and receive the output shown in the following exhibit:
Use the drop-down menus to select the answer choice that completes each statement based on the informa on presented in the
graphic.
(NOTE: Each correct selec on is worth one point.)
4/29/2019 Training
Explana on:
The network card that has an interface index of 20 has a PrefixLength of 24 bit (255.255.255.0).
The network card that has an interface index of 10 has a PrefixLength of 8 bit (255.0.0.0). This means that there are 24 bits le for host
addressing. Calcula on 2 ^ 24 - 2 addresses for network and broadcast = 16777214 addresses for hosts.
Right answer: B
The network card that has an interface index of 20 has a subnet mask of 255.255.255.240.
A
The network card that has an interface index of 10 is part of a network that has 14 IP addresses for hosts.
B
C
D
E
F
4/29/2019 Training
Microsoft - 70-741

You have an IP Filters Network Policy Server (NPS) template that is used by an NPS policy. The IP filters are configured as shown in the
following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the informa on presented in the
graphic.
(NOTE: each correct selec on is worth one point.)
Explana on:
Input filters control which des na ons can be contacted by NAP client computers. Output filters control which computers can send
traffic to noncompliant NAP clients.
Configure IPv4 filters
4/29/2019 Training
Right answer: F
All packets des ned for a server that has an IP address of 172.16.55.11 ... connect to port 443.
A TCP packets des ned for a server that has an IP address of 192.168.10.100 ... will be allowed to connect to port 443
only.
All packets des ned for a server that has an IP address of 172.16.55.11 ... connect to port 443.
B
TCP packets des ned for a server that has an IP address of 192.168.10.100 ... will be rejected.
TCP packets des ned for a server that has an IP address of 172.16.55.11 ... connect to port 443.
C
TCP packets des ned for a server that has an IP address of 192.168.10.100 ... will be allowed to connect to any port.
TCP packets des ned for a server that has an IP address of 172.16.55.11 ... connect to port 443.
D TCP packets des ned for a server that has an IP address of 192.168.10.100 ... will be allowed to connect to port 443
only.
UDP packets des ned for a server that has an IP address of 172.16.55.11 ... connect to port 443.
E
TCP packets des ned for a server that has an IP address of 192.168.10.100 ... will be rejected.
UDP packets des ned for a server that has an IP address of 172.16.55.11 ... connect to port 443.
F
TCP packets des ned for a server that has an IP address of 192.168.10.100 ... will be allowed to connect to any port.
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory forest named contoso.com. The forest contains a Network Policy Server (NPS) server named
Radius1 that runs Windows Server 2016.
You need to create a new connec on request policy that will allow only Secure Socket Tunneling Protocol (SSTP) connec ons. Radius1
will manage all authen ca on requests.
Which NAS port type and which authen ca on method should you configure in the connec on request policy?
4/29/2019 Training
Explana on:
Connec on request policies are sets of condi ons and se ngs that allow network administrators to designate which Remote
Authen ca on Dial-In User Service (RADIUS) servers perform the authen ca on and authoriza on of connec on requests that the
server running Network Policy Server (NPS) receives from RADIUS clients. Connec on request policies can be configured to designate
which RADIUS servers are used for RADIUS accoun ng.
You can create connec on request policies so that some RADIUS request messages sent from RADIUS clients are processed locally
(NPS is used as a RADIUS server) and other types of messages are forwarded to another RADIUS server (NPS is used as a RADIUS
proxy).
The Gateway a ribute group contains the following a ributes.
Called Sta on ID. Used to designate the phone number of the network access server. This a ribute is a character string. You can
use pa ern-matching syntax to specify area codes.
NAS Iden fier. Used to designate the name of the network access server. This a ribute is a character string. You can use pa ern-
matching syntax to specify NAS iden fiers.
NAS IPv4 Address. Used to designate the Internet Protocol version 4 (IPv4) address of the network access server (the RADIUS
client). This a ribute is a character string. You can use pa ern-matching syntax to specify IP networks.
NAS IPv6 Address. Used to designate the Internet Protocol version 6 (IPv6) address of the network access server (the RADIUS
client). This a ribute is a character string. You can use pa ern-matching syntax to specify IP networks.
NAS Port Type. Used to designate the type of media used by the access client. Examples are analog phone lines (known as async
), Integrated Services Digital Network (ISDN), tunnels or virtual private networks (VPNs), IEEE 802.11 wireless, and Ethernet
switches.
You can set the following forwarding request op ons that are used for RADIUS Access-Request messages:
Authen cate requests on this server. By using this se ng, NPS uses a Windows NT 4.0 domain, Ac ve Directory, or the local
Security Accounts Manager (SAM) user accounts database to authen cate the connec on request. This se ng also specifies that
the matching network policy configured in NPS, along with the dial-in proper es of the user account, are used by NPS to
authorize the connec on request. In this case, the NPS server is configured to perform as a RADIUS server.
Forward requests to the following remote RADIUS server group. By using this se ng, NPS forwards connec on requests to the
remote RADIUS server group that you specify. If the NPS server receives a valid Access-Accept message that corresponds to the
Access-Request message, the connec on a empt is considered authen cated and authorized. In this case, the NPS server acts as
a RADIUS proxy.
Accept users without valida ng creden als. By using this se ng, NPS does not verify the iden ty of the user a emp ng to
connect to the network and NPS does not a empt to verify that the user or computer has the right to connect to the network.
When NPS is configured to allow unauthen cated access and it receives a connec on request, NPS immediately sends an Access-
Accept message to the RADIUS client and the user or computer is granted network access. This se ng is used for some types of
compulsory tunneling where the access client is tunneled before user creden als are authen cated.
Right answer: D
Authen ca on method: Accept users without valida ng creden als
A
NAS port type: Cable
Authen ca on method: Accept users without valida ng creden als

B
NAS port type: Async (Modem)
Authen ca on method: Authen cate requests on this server

C
NAS port type: Cable
Authen ca on method: Authen cate requests on this server

D
NAS port type: Virtual (VPN)
Authen ca on method: Forward requests to the following remote RADIUS server group
E
NAS port type: Async (Modem)
4/29/2019 Training
F Authen ca on method: Forward requests to the following remote RADIUS server group
NAS port type: Virtual (VPN)
4/29/2019 Training
Microsoft - 70-741

Your company has a branch office that has three floors. The office currently uses a different subnet on each floor. The subnets are
configured as shown in the following table.
You have been asked to reconfigure the network to use one subnet that encompasses all three floors. The new subnet will come from
the 192.168.0.0/16 address space.
You need to iden fy which IP address and which subnet mask to use for the default gateway. The solu on must meet the following
requirements:
Use the first available subnet.

Use a single subnet for all three floors.
Use the first available IP address on the segment for the default gateway.
Minimize the number of unused IP addresses.
Which IP address and which subnet mask should you iden fy?
4/29/2019 Training
Explana on:
The network contains a total of 45 computers. This means 45 IP addresses are required for host addressing.
The subnet mask 255.255.255.192 (26 bits) provides 6 bits for host addressing. This results in 2 ^ 6-2 = 62 IP addresses for hosts and 4
possible subnets. The first subnet has the network ID 192.168.0.0 and the broadcast address 192.168.0.63. The addresses from
192.168.0.1 to 192.168.0.62 are available for host addressing.
Right answer: F
Subnet mask: 255.255.0.0
A
Default gateway IP address: 192.168.0.1
Subnet mask: 255.255.255.0

B
Subnet mask: 255.255.255.64

C
Subnet mask: 255.255.255.128

D
Subnet mask: 255.255.255.128

E
Subnet mask: 255.255.255.192

F
4/29/2019 Training
Microsoft - 70-741

You have a test environment that includes two servers named Server1 and Server2. The servers run Windows Server 2016.
You need to ensure that you can implement SMB Direct between the servers.
Which feature should the servers support?
Explana on:
Windows Server 2012 R2 and Windows Server 2012 include a feature called SMB Direct, which supports the use of network adapters
that have Remote Direct Memory Access (RDMA) capability. Network adapters that have RDMA can func on at full speed with very
low latency, while using very li le CPU. For workloads such as Hyper-V or Microso SQL Server, this enables a remote file server to
resemble local storage. SMB Direct includes:
Increased throughput: Leverages the full throughput of high speed networks where the network adapters coordinate the
transfer of large amounts of data at line speed.
Low latency: Provides extremely fast responses to network requests, and, as a result, makes remote file storage feel as if it is
directly a ached block storage.
Low CPU u liza on: Uses fewer CPU cycles when transferring data over the network, which leaves more power available to
server applica ons.
SMB Direct is automa cally configured by Windows Server 2012 R2 and Windows Server 2012.
SMB Mul channel and SMB Direct
SMB Mul channel is the feature responsible for detec ng the RDMA capabili es of network adapters to enable SMB Direct. Without
SMB Mul channel, SMB uses regular TCP/IP with the RDMA-capable network adapters (all network adapters provide a TCP/IP stack
along with the new RDMA stack).
With SMB Mul channel, SMB detects whether a network adapter has the RDMA capability, and then creates mul ple RDMA
connec ons for that single session (two per interface). This allows SMB to use the high throughput, low latency, and low CPU
u liza on offered by RDMA-capable network adapters. It also offers fault tolerance if you are using mul ple RDMA interfaces.
Reference: Improve Performance of a File Server with SMB Direct
Right answer: A
A Remote Direct Memory Access (RDMA)
B Mul path I/O (MPIO)
C Virtual Machine queue (VMQ)
D Single root I/O virtualiza on (SR-IOV)
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. You install the Hyper-V server role on Server1.
Server1 has eight network adapters that are dedicated to virtual machines. The network adapters are Remote Direct Memory Access
(RDMA)-enabled.
You plan to use So ware Defined Networking (SDN). You will host the virtual machines for mul ple tenants on the Hyper-V host.
You need to ensure that the network connec ons for the virtual machines are resilient if one or more physical network adapters fail.
What should you implement?
Explana on:
SET is an alterna ve NIC Teaming solu on that you can use in environments that include Hyper-V and the So ware Defined
Networking (SDN) stack in Windows Server 2016. SET integrates some NIC Teaming func onality into the Hyper-V Virtual Switch.
SET allows you to group between one and eight physical Ethernet network adapters into one or more so ware-based virtual network
adapters. These virtual network adapters provide fast performance and fault tolerance in the event of a network adapter failure.
Reference: Remote Direct Memory Access (RDMA) and Switch Embedded Teaming (SET)
Right answer: D
A Single root I/O virtualiza on (SR-IOV)
B NIC Teaming on the Hyper-V host
C Virtual Receive-side Scaling (vRSS)
D Switch Embedded Teaming (SET)
4/29/2019 Training
Microsoft - 70-741

You manage a Windows Server 2016 so ware-defined network. Network Controller is installed on a three-node domain-joined cluster
of virtual machines.
You need to add a new access control list (ACL) for the network controller to the network interface on a tenant virtual machine. The
ACL will have only one rule that prevents only outbound traffic from the 10.10.10.0/24 subnet.
You plan to run the following Windows PowerShell commands.
$ruleproper es = new-object Microso .Windows.NetworkController.AclRuleProper es

$ruleproper es.SourcePortRange = "0-65535"
$ruleproper es.Des na onPortRange = "0-65535"
$ruleproper es.Ac on = "Deny"
$ruleproper es.Priority = "100"
$ruleproper es.Type = "Outbound"
$ruleproper es.Logging = "Enabled"
Which three remaining proper es should you add to the rule?
(Each correct answer presents part of the solu on. Choose three. NOTE: Each correct selec on is worth one point.)
Explana on:
You can enable and configure Datacenter Firewall by crea ng ACLs that are applied to a virtual subnet or a network interface.
The following ar cle demonstrates how to use Windows PowerShell to create these ACLs.
Use Access Control Lists (ACLs) to Manage Datacenter Network Traffic Flow
Right answer: A, C, F
A $ruleproper es.SourceAddressPrefix = "10.10.10.0/24"
B $ruleproper es.Des na onAddressPrefix = "10.10.10.0/24"
C $ruleproper es.Protocol = "ALL"
D $ruleproper es.Protocol = "TCP"
E $ruleproper es.SourceAddressPrefix = "*"
F $ruleproper es.Des na onAddressPrefix = "*"
4/29/2019 Training
Microsoft - 70-741

You have three servers named Server1, Server2, and Server3 that run Windows Server 2016. On all three servers, Windows Firewall is
configured to allow ICMP traffic. Server2 has two network adapters named NIC1 and NIC2.
Your network is configured as shown in the following exhibit.
The parameters for NIC2 on Server2 are shown in the following output.
Which ping request will result in a reply from the des na on host?
4/29/2019 Training
Explana on:
Server2 and Server3 have no entry for the default gateway and basically can only reach hosts within their local network segment.
Server1 can not reach Server2 because the Forwarding parameter is set to disabled. Forwarding specifies the packet forwarding value
for the IP interface. This value determines if this IP interface forwards packets that arrive on this interface to other interfaces.
Set-NetIPInterface
Right answer: A
A From Server2, ping 192.168.15.1
B From Server3, ping 192.168.15.1
C From Server1, ping 172.16.0.1
D From Server1, ping 172.16.0.35
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains a DHCP server named Server1 that runs
You have a DHCP scope for the 10.0.0.0/24 IP subnet. One hundred and fi y clients reside in the subnet. Fi y of the DHCP clients are
NOT domain-joined.
You need to ensure that DHCP clients without a configured DNS suffix register automa cally in a DNS zone named
workgroup.contoso.com. The other DHCP clients must register in the DNS zone of their respec ve domain.
What should you do?
Explana on:
We should create a DHCP policy that has a condi on based on the fully qualified domain name (FQDN) criterion like “Fully Qualified
Domain Name” Not Equals “*.contoso.com” and configure the DNS proper es of the policy.
Right answer: D
A Configure the 015 DNS Domain Name scope op on in the 10.0.0.0/24 DHCP scope.
B Configure the DNS proper es of the 10.0.0.0/24 DHCP scope.
Create a DHCP policy that has a condi on based on the fully qualified domain name (FQDN) criterion. Configure the IP
C
address range proper es of the policy.
Create a DHCP policy that has a condi on based on the fully qualified domain name (FQDN) criterion. Configure the
D
DNS proper es of the policy.
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

You are an administrator for your company. You have two DNS servers named Server1 and Server2. All client computers run Windows
10 and are configured to use Server1 for DNS name resolu on.
Server2 hosts a primary zone named contoso.com.
Your network recently experienced several DNS spoofing a acks on the contoso.com zone.
You need to prevent further a acks from succeeding.
What should you do on Server2?
Explana on:
DNS spoofing is the prac ce of assuming the DNS name of another system either by corrup ng a name service cache or by
compromising a DNS server for a valid domain. When a DNS resolver sends a remote query, it tags the query with a 16-bit XID
(transac on ID) value in the DNS packet header and expects that the remote DNS server will respond on the same port with the same
XID value. The query is typically sent over UDP, which is more vulnerable to a acks than TCP because of TCP’s three step "handshake".
Generally, TCP is only used a er a UDP response has been truncated. When the resolver receives a UDP DNS response, it can only
weakly verify that the response is authen c.
In environments that do not employ security technologies such as IPsec or HTTPS, the DNS protocol can be vulnerable to a ack due to
an inherent lack of authen ca on and integrity checking of data that is exchanged between DNS servers or is sent to DNS clients. As
originally designed, DNS itself does not offer any form of security and is vulnerable to spoofing and man-in-the-middle a acks. An
a acker that has compromised a DNS server can gain access to all network communica ons that are sent by a targeted host. If DNS
servers are vulnerable to a ack, it can be cri cal to secure them with DNSSEC.
DNSSEC includes changes to client and server DNS components that enable DNS data to be cryptographically signed and to enforce
name valida on policies that protect DNS communica ons. With DNSSEC, a DNS server can validate responses that it receives as
genuine. By valida ng DNS responses, DNS servers and clients are protected against the single greatest vulnerability in DNS: DNS
spoofing.
Why DNSSEC
Right answer: A
A Sign the contoso.com zone.
B Configure Response Rate Limi ng (RRL).
C Configure DNS-based Authen ca on of Named En es (DANE) for the contoso.com zone.
D Configure the contoso.com zone to be Ac ve Directory-integrated.
4/29/2019 Training
Microsoft - 70-741

You are an administrator for your company. You have a DHCP server named Server1 that runs Windows Server 2016.
You plan to implement IPv6 on your network.
You need to configure Server1 for stateless DHCPv6.
What should you do from the DHCP console?
Explana on:
A DHCP Client can configure itself with an IPv6 address to be used on the network. Address configura on can be performed in a
stateful or a stateless mode. A host can use both stateless and stateful address configura on completely independent of each other.
The router adver sement messages with the appropriate flags set would indicate the precise method to be used.
The stateless mechanism allows a host to generate its own IPv6 addresses using a combina on of locally available informa on and
informa on adver sed by routers. Other configura ons such as DNS Server addresses are configured by DHCP. The stateless approach
is used when a site is not par cularly concerned with the exact addresses hosts use, so long as they are unique and properly routable.
In the stateful address auto-configura on model, hosts obtain interface addresses and configura on informa on and parameters
from a server. The stateful approach is used when a site requires ghter control over exact address assignments.
Right answer: B
A Configure the Advanced Proper es for Server1
B Configure the IPv6 Server Op ons
C Create an IPv6 scope
D Configure the General IPv6 Proper es
4/29/2019 Training
Microsoft - 70-741

Your company has three offices. The offices are located in Sea le, Chicago, and Montreal.
You are configuring a new WAN link between the three offices by using the Remote Access server role in Windows Server 2016. You
will use Border Gateway Protocol (DGP) as a rou ng protocol between the sites.
You need to configure the server in the Sea le office for BGP rou ng.
What should you do first?
Explana on:
When configured on a Windows Server 2016 Remote Access Service (RAS) Gateway in mul tenant mode, Border Gateway Protocol
(BGP) provides you with the ability to manage the rou ng of network traffic between your tenants’ VM networks and their remote
sites. You can also use BGP for single tenant RAS Gateway deployments, and when you deploy Remote Access as a Local Area Network
(LAN) router.
BGP reduces the need for manual route configura on on routers because it is a dynamic rou ng protocol, and automa cally learns
routes between sites that are connected by using site-to-site VPN connec ons.
To use BGP rou ng, you must install the Remote Access Service (RAS) and/or the Rou ng role service of the Remote Access server
role on a computer or virtual machine (VM) – the type of system you use depends on whether or not you have a mul tenant
deployment:
For a mul tenant deployment, it is recommended that you install the RAS Gateway on one or more VMs. Use of mul ple VMs
provides high availability. The RAS Gateway is capable of handling mul ple connec ons from mul ple tenants, and consists of a
Hyper-V host and a virtual machine (VM) that is actually configured as the gateway. This gateway is configured with site-to-site
VPN connec ons as a mul tenant BGP router to exchange tenant and Cloud Service Provider (CSP) subnet routes.
For a single tenant edge gateway deployment or a LAN router deployment, you can install the RAS Gateway on either a physical
computer or a VM.
The Add-BgpRouter cmdlet adds a BGP router for the specified Tenant ID.
BGP Windows PowerShell Command Reference
Right answer: D
A From Rou ng and Remote Access, add a new IPv4 rou ng protocol.
B From Windows PowerShell, run the Add-BgpPeer cmdlet and specify the -LocalASN parameter.
C From Rou ng and Remote Access, add a new IPv6 rou ng protocol.
D From Windows PowerShell, run the Add-BgpRouter cmdlet and specify the -LocalASN parameter.
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

You have two servers named Server1 and Server2 that run Windows Server 2016. Both servers have the DHCP Server server role
installed.
Server1 has a DHCP scope named Scope1. Server2 has a DHCP scope named Scope2.
You need to ensure that client computers can get an IP address if a single DHCP server fails. You must be able to control the
percentage of requests to which each DHCP server responds during normal network opera ons.
What should you do?
Explana on:
DHCP failover is a new feature that enables two Microso DHCP servers to share service availability informa on with each other,
providing DHCP high availability. DHCP failover works by replica ng IP address leases and se ngs in one or more DHCP scopes from a
primary DHCP server to a failover partner server.
All scope informa on is shared between the two DHCP servers, including ac ve leases. This enables either DHCP server to assume
responsibility for DHCP clients if the other server becomes unavailable.
Two DHCP failover modes are available to use when you create a DHCP failover rela onship:
Hot standby mode: This mode provides redundancy for DHCP services.
Load balance mode: This mode allocates DHCP client leases across two servers.
See also: Understand and Deploy DHCP Failover
Right answer: C
A Add Server1 and Server2 as nodes in a failover cluster, and then configure the DHCP Server server role.
B Add Server1 and Server2 as nodes in a failover cluster, and then configure the quorum mode.
C On Server1 and Server2, configure DHCP failover for Scope1 and Scope2.
D Add Server1 and Server2 as nodes in a failover cluster, and then configure port rules for UDP 67 and UDP 68.
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com that contains a domain controller named DC1. All DNS servers
for the network run BIND 10.
Your perimeter network contains a DHCP server named DHCP1 that runs Windows Server 2016. DHCP1 is a member of a workgroup
named WORKGROUP. DHCP1 provides IP address leases to guests accessing the Wi-Fi network.
Several engineers access the network remotely by using a VPN connec on to a remote access server that runs Windows Server 2016.
All of the VPN connec ons use cer ficate-based authen ca on and are subject to access policies in Network Policy Server (NPS).
Cer ficates are issued by an enterprise cer fica on authority (CA) named CA1.
All Windows computers on the network are ac vated by using Key Management Service (KMS). On-premises users use Remote
Desktop Services (RDS).
You plan to deploy IP Address Management (IPAM) to the network.
Which ac on can you perform on the network by using IPAM?
Right answer: C
A Manage the DNS zones on the DNS servers.
B Audit logon events on the RDS server.
C Audit authen ca on events from DC1.
D Manage ac va ons on the KMS server.
4/29/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. Server1 is an IP Address Management (IPAM) server that collects
DHCP and DNS logs and events for your en re network.
You need to get the IP addresses that were assigned to a client computer named Computer1 during the last week.
Explana on:
The Get-IpamIpAddressAuditEvent cmdlet gets all IP address audit events from an IP Address management (IPAM) server over a me
interval. IPAM enables IP address tracking through correla on of Dynamic Host Configura on Protocol (DHCP) lease events on
managed DHCP servers with user and computer authen ca on events on managed domain controllers and Network Policy Server
(NPS) servers. You can search correlated events by IP address, client ID, hostname, or username. Use DCHP events between a start
date and an end date to correlate data. The data returned includes data for both the start date and the end date.
The cmdlet returns only the top 10,000 rows if the query results exceed more than 10,000 rows. The cmdlet will display a warning if
this occurs. You can avoid this situa on if you narrow the search criteria to limit the results.
Example: Get all IP address audit events
$Today = Get-Date
$LastMonth = $Today.AddDays(-30)
$IpamIpAddressAuditEvents = Get-IpamIpAuditEvent -StartDate $LastMonth -EndDate $Today
Right answer: D
A From the IPAM node in Server Manager, click IP Address Space, and then review the IP Address Inventory.
B Open Event Viewer and click Windows Logs. Filter the Security log for Computer1.
C Run the Get-IpamDhcpConfigura onEvent cmdlet.
D Run the Get-IpamIpAddressAuditEvent cmdlet.
4/29/2019 Training
Microsoft - 70-741

in this series.
service on Server2.
You need to ensure that computers in the domain can resolve names as follows:
The name server2.contoso.com to the name nat.contoso.com.

The 192.168.10.50 IP address to the name host7.fabrikam.com.
The name server7.tailspintoys.com to the 192.168.100.101 IP address.
Which types of DNS records should you use?
(To answer, drag the appropriate DNS record types to the correct requirements. Each DNS record type may be used once, more than
one, or not at all.)
4/29/2019 Training
Explana on:
An Alias record indicates an alternate or alias DNS domain name for a name already specified in other resource record types used in
this zone. The record is also known as the canonical name (CNAME) record type.
A Pointer (PTR) record points to a loca on in the domain name space. PTR records are typically used in special domains to perform
reverse lookups of address-to-name mappings. Each record provides simple data that points to some other loca on in the domain
name space (usually a forward lookup zone). Where PTR records are used, no addi onal sec on processing is implied or caused by
their presence.
A Host address (A or AAAA) record maps a DNS domain name to a 32-bit IP version 4 address or a 128-bit IP version 6 address.
Reference: List of DNS record types
Right answer: B
server2.contoso.com to nat.contoso.com: Alias (CNAME)
A 192.168.10.50 to host7.fabrikam.com: Host (A)
server7.tailspintoys.com to 192.168.100.101: Host (AAAA)

B 192.168.10.50 to host7.fabrikam.com: Pointer (PTR)
server7.tailspintoys.com to 192.168.100.101: Host (A)

C 192.168.10.50 to host7.fabrikam.com: Pointer (PTR)
server7.tailspintoys.com to 192.168.100.101: Host (AAAA)
server2.contoso.com to nat.contoso.com: Name server (NS)

D 192.168.10.50 to host7.fabrikam.com: Pointer (PTR)
server7.tailspintoys.com to 192.168.100.101: Alias (CNAME)
server2.contoso.com to nat.contoso.com: Pointer (PTR)

E 192.168.10.50 to host7.fabrikam.com: Service loca on (SRV)
F
4/29/2019 Training
server2.contoso.com to nat.contoso.com: Pointer (PTR)

192.168.10.50 to host7.fabrikam.com: Host (AAAA)
4/29/2019 Training
Microsoft - 70-741

You have a DHCP server named Server1 that runs Windows Server 2016. You run Get-DhcpServerv4Scope, and you receive the
following results.
You run Get-DhcpServerv4FilterList, and you receive the following results.
You run Get-DhcpServerv4Filter, and you receive the following results.
(NOTE: Each selec on is worth one point.)
4/29/2019 Training
Explana on:
Allow filters are deac vated and do not apply. Deny filters are ac vated and prevent the device that has a MAC address of
BBCCDDEEFFAA to obtain an IP address from Server1.
Right answer: D
A device that has a MAC address of AABBCCDDEEFF can obtain an IP address from Server1: Yes
A A device that has a MAC address of BBCCDDEEFFAA can obtain an IP address from Server1: Yes
A device that has a MAC address of CCDDEEFFAABB can obtain an IP address from Server1: Yes
B A device that has a MAC address of BBCCDDEEFFAA can obtain an IP address from Server1: Yes
A device that has a MAC address of CCDDEEFFAABB can obtain an IP address from Server1: No
A device that has a MAC address of AABBCCDDEEFF can obtain an IP address from Server1: No
C A device that has a MAC address of BBCCDDEEFFAA can obtain an IP address from Server1: Yes
D A device that has a MAC address of BBCCDDEEFFAA can obtain an IP address from Server1: No
E A device that has a MAC address of BBCCDDEEFFAA can obtain an IP address from Server1: Yes
F A device that has a MAC address of BBCCDDEEFFAA can obtain an IP address from Server1: No
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The func onal level of the forest and the domain is Windows
Server 2008 R2. All servers in the domain run Windows Server 2016 Standard.
The domain contains 300 client computers that run either Windows 8.1 or Windows 10. The domain contains nine servers that are
configured as shown in the following table.
The virtual machines are configured as follows:
Each virtual machine has one virtual network adapter.

VM1 and VM2 are part of a Network Load Balancing (NLB) cluster.
All of the servers on the network can communicate with all of the virtual machines.
You need to install the correct edi on of Windows Server 2016 to support the planned changes for Server2, Server3, Server4, and
Server6.
Which edi on should you choose for each server?
(To answer, drag the appropriate edi ons to the correct servers. Each edi on may be used once, more than once, or not at all.)
4/29/2019 Training
Explana on:
Support for Storage Spaces Direct (S2D) requires Windows Server 2016 Datacenter. S2D is not available in Windows Server 2016
Standard.
Support for shielded virtual machines requires the Host Guardian Service (HGS) server role. The role is included in both Windows
Server 2016 Standard and Windows Server 2016 Datacenter but shieled VMs require Windows Server 2016 Datacenter.
The Ac ve Directory Federa on Services (AD FS) server role is included in both Windows Server 2016 Standard and Windows Server
2016 Datacenter.
Right answer: B
Server2: Standard or Datacenter
A
Server6: Datacenter only

B

C

D
4/29/2019 Training
Microsoft - 70-741

You are an administrator for your company. You have a Microso Azure subscrip on and an on-premises network.
To the on-premises network, you deploy a new server named Server1 that runs Windows Server 2016. In Azure, you configure a virtual
gateway on an Azure virtual network.
You need to ensure that the computers on the on-premises network can access virtual machines on the Azure virtual network.
Explana on:
A cross-premises Azure virtual network is connected to your on-premises network, extending your network to include subnets and
virtual machines hosted in Azure infrastructure services. This connec on allows computers on your on-premises network to directly
access virtual machines in Azure and vice versa.
To set up the VPN connec on between your Azure virtual network and your on-premises network, do the following steps:
1. On-premises: Define and create an on-premises network route for the address space of the Azure virtual network that points to
your on-premises VPN device.
2. Microso Azure: Create an Azure virtual network with a site-to-site VPN connec on.
3. On premises: Configure your on-premises hardware or so ware VPN device to terminate the VPN connec on, which uses
Internet Protocol security (IPsec).
A er you establish the site-to-site VPN connec on, you add Azure virtual machines to the subnets of the virtual network.
You can use the Rou ng and Remote Access Service (RRAS) in Windows Server 2016 or Windows Server 2012 to establish an IPsec site-
to-site VPN connec on between the on-premises network and the Azure virtual network. You can also use other op ons, such as Cisco
or Juniper Networks VPN devices.
Right answer: A
Install the Remote Access server role. From the Rou ng and Remote Access Server Setup Wizard, select Secure
A
connec on between two private networks.
B Install the Data Center Bridging (DCB) feature, and then run the Install-RemoteAccess cmdlet.
Install the Remote Access server role. From the Rou ng and Remote Access Server Setup Wizard, select Virtual private
C
network (VPN) access and NAT.
D Install the Data Center Bridging (DCB) feature, and then run the Enable- RemoteAccessRou ngDomain cmdlet.
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain. The domain contains a cer fica on authority (CA) and a Network Policy Server
(NPS) server.
You plan to deploy Remote Access Always On VPN.
Which authen ca on method should you use?
Explana on:
The Remote Access Always On VPN configura on requires an Ac ve Directory–based public key infrastructure (PKI). The CA enrolls
cer ficates that are used for PEAP client–server authen ca on.
See also: Remote Access Always On VPN Deployment Overview
Right answer: C
A Microso : EAP-TTLS
B Microso : Secured password
C Microso : Protected EAP
D Microso : EAP-AKA
4/29/2019 Training
Microsoft - 70-741

You have a DNS server named Server1 that runs Windows Server 2016. Server1 has an Ac ve Directory-integrated zone named
adatum.com.
All client computers run Windows 10.
You recently encountered unexpected responses to DNS client queries in the adatum.com zone. You need to log all the records wri en
to the zone.
Which cmdlet should you run?
Explana on:
The Set-DnsServerDiagnos cs cmdlet sets debugging and logging parameters on a Domain Name System (DNS) server.
Reference: Set-DnsServerDiagnos cs
Right answer: C
A Add-DnsServerQueryResolu onPolicy
B Set-DnsServerDsSe ng
C Set-DnsServerDiagnos cs
D Set-DnsServer
4/29/2019 Training
Microsoft - 70-741

You are implemen ng IPv6 addressing for your company by using the following specifica ons:
The global address space is 2001:db8:1234.

The company has 100 loca ons worldwide.
Each loca on has up to 300 subnets.
64 bits will be used for hosts.
You need to iden fy how many bits to use for the loca ons and the subnets.
How many bits should you iden fy?
(To answer, drag the appropriate amounts to the correct targets. Each amount may be used once, more than once, or not at all. NOTE:
Each correct selec on is worth one point.)
Explana on:
The company has 100 loca ons (branches). In order to provide a separate address range for each branch, at least 7 bits (2 ^ 7 = 128)
are required.
Each branch has up to 300 subnets. To provide a separate address space for each subnet within a branch, at least 9 bits (2 ^ 9 = 512)
are required.
Right answer: E
Loca ons: 33
A
Subnets: 25
Loca ons: 17
B
Subnets: 25
C
4/29/2019 Training
Loca ons: 17
Subnets: 17
Loca ons: 17
D
Subnets: 9
Loca ons: 7
E
Subnets: 9
Loca ons: 9
F
Subnets: 9
4/29/2019 Training
Microsoft - 70-741

a correct solu on.
Solu on: You authorize the server.
Right answer: B
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

Solu on: You connect VM1 to External1. You install the Remote Access server role on Server1, and you configure NAT in the Rou ng
and Remote Access console.
Explana on:
Private virtual networks are used where you want to allow communica ons between virtual machine to virtual machine on the same
physical server.
External virtual networks are used where you want to allow communica ons between a VM and the rest of the world.
Configuring Server1 for network address transla on could be a valid solu on. But in order to make this configura on work, VM1 needs
to use Server1 as a default gateway.
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

in this series.
service on Server2.
You need to ensure that when computers query for records in tailspintoys.com, the query results are based on the subnet of the
computer that generates the query.
What should you do?
4/29/2019 Training
Explana on:
You can use DNS Policy for Geo-Loca on based traffic management, intelligent DNS responses based on the me of day, to manage a
single DNS server configured for split-brain deployment, applying filters on DNS queries, and more. The following items provide more
detail about these capabili es.
Applica on Load Balancing. When you have deployed mul ple instances of an applica on at different loca ons, you can use
DNS policy to balance the traffic load between the different applica on instances, dynamically alloca ng the traffic load for the
applica on.
Geo-Loca on Based Traffic Management. You can use DNS Policy to allow primary and secondary DNS servers to respond to
DNS client queries based on the geographical loca on of both the client and the resource to which the client is a emp ng to
connect, providing the client with the IP address of the closest resource.
Split Brain DNS. With split-brain DNS, DNS records are split into different Zone Scopes on the same DNS server, and DNS clients
receive a response based on whether the clients are internal or external clients. You can configure split-brain DNS for Ac ve
Directory integrated zones or for zones on standalone DNS servers.
Filtering. You can configure DNS policy to create query filters that are based on criteria that you supply. Query filters in DNS
policy allow you to configure the DNS server to respond in a custom manner based on the DNS query and DNS client that sends
the DNS query.
Forensics. You can use DNS policy to redirect malicious DNS clients to a non-existent IP address instead of direc ng them to the
computer they are trying to reach.
Time of day based redirec on. You can use DNS policy to distribute applica on traffic across different geographically distributed
instances of an applica on by using DNS policies that are based on the me of day.
In order to create policies to support the scenarios listed above, it is necessary to be able to iden fy groups of records in a zone,
groups of clients on a network, among other elements. These elements are represented by the following new DNS objects:
Client subnet: a client subnet object represents an IPv4 or IPv6 subnet from which queries are submi ed to a DNS server. You
can create subnets to later define policies to be applied based on what subnet the requests come from. For instance, in a split
brain DNS scenario, the request for resolu on for a name such as www.microso .com can be answered with an internal IP
address to clients from internal subnets, and a different IP address to clients in external subnets.
Recursion scope: recursion scopes are unique instances of a group of se ngs that control recursion on a DNS server. A recursion
scope contains a list of forwarders and specifies whether recursion is enabled. A DNS server can have many recursion scopes.
DNS server recursion policies allow you to choose a recursion scope for a set of queries. If the DNS server is not authorita ve for
certain queries, DNS server recursion policies allow you to control how to resolve those queries. You can specify which
forwarders to use and whether to use recursion.
Zone scopes: a DNS zone can have mul ple zone scopes, with each zone scope containing their own set of DNS records. The
same record can be present in mul ple scopes, with different IP addresses. Also, zone transfers are done at the zone scope level.
That means that records from a zone scope in a primary zone will be transferred to the same zone scope in a secondary zone.
Reference: DNS Policies Overview
Right answer: B
A Modify the Priority se ngs of each resource record.
B Configure DNS policies.
C Create zone delega on records.
D Enable DNS round robin.
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

You have a Hyper-V host named Server1. Server1 has a network adapter that has virtual machine queue (VMQ) enabled. The network
adapter connects at 10 Gbps and has an Ipv4 address.
Server1 hosts a virtual machine named VM1. VM1 has a single network adapter and four processors.
You need to distribute the network processing load across the VM1 processors.
What should you do?
Explana on:
The Enable-NetAdapterRss cmdlet enables receive side scaling (RSS) on a network adapter. RSS is a scalability technology that
distributes the receive network traffic among mul ple processors by hashing the header of the incoming packet. Without RSS in
firstref_longhorn and later, network traffic is received on the first processor which can quickly reach full u liza on limi ng receive
network throughput.
This command enables RSS on the network adapter named MyAdapter and restarts the network adapter.
Enable-NetAdapterRss -Name "MyAdapter"
Enable-NetAdapterRss
Right answer: B
A From Device Manager on Server1, configure TCP Checksum Offload (IPv4).
B From Windows PowerShell on VM1, run the Enable-NetAdapterRSS cmdlet.
C From Windows PowerShell on Server1, run the Enable-NetAdapterPacketDirect cmdlet.
D From Windows PowerShell on VM1, run the Enable-NetAdapterPacketDirect cmdlet.
4/29/2019 Training
Microsoft - 70-741

You have a server named Server1. Server1 runs Windows Server 2016 and will be used as a VPN server.
You need to configure Server1 to support VPN Reconnect.
Explana on:
VPN Reconnect refers to the support in Rou ng and Remote Access service (RRAS) for IPsec Tunnel Mode with Internet Key Exchange
version 2 (IKEv2), which is described in RFC 4306. With the func onality provided by the IKEv2 Mobility and Mul homing protocol
(MOBIKE), which is described in RFC 4555, this tunneling protocol offers inherent advantages in scenarios where the client moves from
one IP network to another (for example, from WLAN to WWAN). Specifically, for mobile phones and other mobility scenarios, this
tunneling method enables the VPN tunnel to stay alive even when the client moves from one access point or loca on to another.
When using other VPN protocols, and the network connec on is interrupted for any reason, the user typically loses the VPN tunnel
completely and must manually reestablish the VPN tunnel. VPN Reconnect allows the underlying network connec on to be
interrupted for a configurable amount of me, without losing the tunnel. As soon as network connec vity is reestablished, even
through a different network interface, the tunnel is automa cally restored with no interac on required from the user. For example,
this permits a user with an ac ve IKEv2 VPN tunnel to disconnect a laptop from a wired connec on, walk down the hall to a
conference room, connect to a wireless network, and have the IKEv2 VPN tunnel automa cally reconnected with no no ceable
interrup on to the user.
Right answer: B
A SSTP
B IKEv2
C PPTP
D L2TP
4/29/2019 Training
Microsoft - 70-741

4/29/2019 Training
a correct solu on.
Server2.
Solu on: On Server2, you modify the StartRange IP address of the scope.
4/29/2019 Training
Explana on:
Right answer: A
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

Solu on: From Windows PowerShell on Server1, you run the Export-DnsServerDnsSecPublicKey cmdlet.
Explana on:
The Export-DnsServerDnsSecPublicKey cmdlet exports delega on signer (DS) or Domain Name System public key (DNSKEY)
informa on for a Domain Name System Security Extensions (DNSSEC)-signed zone..
Expor ng these informa on does not ensure that client computers perform DNSSEC valida on.
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

You are implemen ng a secure network. The network contains a DHCP server named Server1 that runs Windows Server 2016.
You create a DHCP allow filter that contains all of the computers on the network that are authorized to receive IP addresses.
You discover that unauthorized computers can receive an IP address from Server1.
You need to ensure that only authorized computers can receive an IP address from Server1.
Solu on: You run the following command.
Set-DhcpServerv4FilterList –ComputerName DC1 –Allow $False –Deny $True
Explana on:
Windows Server 2016 includes the ability to explicitly Allow or Deny DHCP requests to defined MAC addresses. This allows you to
prevent unknown devices from obtaining DHCP access to the network by crea ng a Block List and/or an Allow list.
Enable the Allow list will cause DCHP to operate on a "Whilelist" which require you to create an Allow List entry for every MAC address
that should be given an IP address. By default, DHCP operates ona "Blacklist" which allows all MAC addresses to be given an IP except
for ones expecitly defined on the Deny List.
The Cmdlet shown in the solu on disables the allow filter and enables the deny filter. Since the allow filter is disabled the authorized
computers cannot receive an IP address from Server1.
Reference: Set-DhcpServerv4FilterList
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

Add-DHCPServer4Filter –ComputerName Server1 –MacAddress * -List Allow
Explana on:
The Add-DhcpServerv4Filter cmdlet adds the specified MAC address filter to the Dynamic Host Configura on Protocol (DHCP) server
service. The MAC address can be added to the allow list or the deny list. The MacAddress parameter does not accept wildcard
characters.
Reference: Add-DhcpServerv4Filter
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

Add-DHCPServer4Filter –ComputerName Server1 –MacAddress * -List Deny
Explana on:
The Add-DhcpServerv4Filter cmdlet adds the specified MAC address filter to the Dynamic Host Configura on Protocol (DHCP) server
service. The MAC address can be added to the allow list or the deny list. The MacAddress parameter does not accept wildcard
characters.
Reference: Add-DhcpServerv4Filter
Right answer: B
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

You have an IP Address Management (IPAM) server named IPAM1 that runs Windows Server 2016. IPAM1 manages all of the DHCP
servers on your network.
You are troubleshoo ng an issue for a client that fails to receive an IP address from DHCP.
You need to ensure that from IPAM1, you can view all of the event data for the DHCP leases from the last 24 hours.
Solu on: From Windows PowerShell, you run the Invoke-IpamServerProvisioning cmdlet.
Explana on:
In order to retrieve event data for DHCP leases we can use the Event Catalog sec on within the IPAM console which resides in Server
Manager or we can use the Get-IpamIpAddressAuditEvent cmdlet.
The Event Catalog sec on has three subsec ons:
IPAM Configura on Events – This view will provide all the events related to you IPAM Server itself.
DHCP Configura on Events – This will show you event related to DHCP Servers managed by the IPAM Server.
IP Address Tracking –This is where all the IP address related informa on appears. You can use subsec ons available here to see
events by IP Address, Client ID, Host Name or User Name.
The following example gets all IP address audit events that occured within the last 30 days:
$Today = Get-Date
Right answer: B
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

Solu on: From Windows PowerShell, you run the Set-IpamDHCPServer cmdlet.
Explana on:
$Today = Get-Date
Right answer: B
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

Solu on: From Server Manager, you run Retrieve Event Catalog Data.
Explana on:
$Today = Get-Date
Right answer: A
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

Solu on: From Windows PowerShell, you run the Get-IpamIpAddressAuditEvent cmdlet.
Explana on:
$Today = Get-Date
Right answer: A
A Yes
B No
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

4/29/2019 Training
You have two servers named Server1 and Server2. Server1 is a DNS server. Server2 is configured to use Server1 as the primary DNS
server.
You run ipconfig /displaydns on Server2 and receive the following output.
An administrator modifies the records in adatum.com as shown below:
The proper es of the DNS record for ComputerA are shown below.
4/29/2019 Training
Explana on:
The ipconfig /displaydns command shows the conten of the local DNS resolver cache. The DNS client checks the chache first. If the
cache does not contain relevant informa on, the DNS resolver queries the configured DNS Server.
Right answer: D
If Server2 a empts to connect to computera.adatum.com immediately, Server2 will connect to 172.16.0.100: Yes
A If Server2 a empts to connect to computera.adatum.com in 15 minutes, Server2 will connect to 172.16.0.100: Yes
If Server2 a empts to connect to computerb.adatum.com immediately, the connec on will suceed: Yes
If Server2 a empts to connect to computera.adatum.com immediately, Server2 will connect to 172.16.0.100: Yes
B If Server2 a empts to connect to computera.adatum.com in 15 minutes, Server2 will connect to 172.16.0.100: Yes
If Server2 a empts to connect to computerb.adatum.com immediately, the connec on will suceed: No
If Server2 a empts to connect to computera.adatum.com immediately, Server2 will connect to 172.16.0.100: No

C If Server2 a empts to connect to computera.adatum.com in 15 minutes, Server2 will connect to 172.16.0.100: Yes

D If Server2 a empts to connect to computera.adatum.com in 15 minutes, Server2 will connect to 172.16.0.100: yes

E If Server2 a empts to connect to computera.adatum.com in 15 minutes, Server2 will connect to 172.16.0.100: No

F If Server2 a empts to connect to computera.adatum.com in 15 minutes, Server2 will connect to 172.16.0.100: No
4/29/2019 Training
Microsoft - 70-741

You have two servers named Server1 and Server2 that run Windows Server 2016. Server1 and Server2 have the Network Policy Server
role service installed.
Server1 is configured to forward connec on requests to Server2.
Incoming connec on requests to Server1 contain the User Name a ribute. The User Name a ribute does not contain the domain
name suffix.
You need to ensure that the User Name a ribute will be replaced by using a format of username@contoso.com.
How should you configure the a ribute manipula on rule on Server1?
Explana on:
The following example describes the use of the pa ern-matching syntax to manipulate realm names for the User Name a ribute,
which is located on the A ribute tab in the proper es of a connec on request policy.
To replace user with *user@specific_domain*
Find:$
Replace: @specific_domain
Reference: Examples for manipula on of the realm name in the User Name a ribute
Right answer: A
Find: $
A
Replace with: @contoso.com
Find: $
B
Replace with: @$2
4/29/2019 Training
C Find: \
Replace with: contoso.com
Find: \
D
Replace with: @$2
Find: ^
E
Replace with: contoso.com
Find: ^
F
Replace with: @contoso.com
4/29/2019 Training
Microsoft - 70-741

You are an administrator for a company. Your network contains mul ple subnets.
On one of the subnets, you install a server named Server1 that runs Windows Server 2016. Server1 has the following IPv6 addresses:
ff00:e378:8000::63bf:3fff:fdd2
fe80::200:5aee:feaa:20a2
fc00:fdf8:f53b:82e4::53
2000:1516::6c:2348
Which IPv6 address is used when Server1 communicates with different hosts?
4/29/2019 Training
Explana on:
IPv6 has three types of addresses, which can be categorized by type and scope:
Unicast addresses. A packet is delivered to one interface.

Mul cast addresses. A packet is delivered to mul ple interfaces.
Anycast addresses. A packet is delivered to the nearest of mul ple interfaces (in terms of rou ng distance).
IPv6 does not use broadcast messages.
Unicast and anycast addresses in IPv6 have the following scopes (for mul cast addresses, the scope is built into the address structure):
Link-local. The scope is the local link (nodes on the same subnet).
Site-local. The scope is the organiza on (private site addressing).
Global. The scope is global (IPv6 Internet addresses).
In addi on, IPv6 has special addresses such as the loopback address. The scope of a special address depends on the type of special
address.
Unicast global addresses
IPv6 unicast global addresses are similar to IPv4 public addresses. Also known as aggregatable global unicast addresses, global
addresses are globally routable.
The prefix 2000::/3 belongs to the global unicast range.
Unicast link-local addresses (FE80::/64)
IPv6 unicast link-local addresses are similar to IPv4 APIPA addresses used by computers running Microso Windows. Hosts on the
same link (the same subnet) use these automa cally configured addresses to communicate with each other. Neighbor Discovery
provides address resolu on. The prefix for link-local addresses is FE80::/64.
Reference (see scenario 3):
IPv6 for the Windows Administrator: How Name Resolu on Works in a Dual IPv4/IPv6 Scenario
Right answer: C
When Server1 connects to Internet hosts, the following IP address is used: fe80::200:5aee:feaa:20a2
A
When Server1 connects to hosts on the same subnet, the following IP address is used: fc00:fdf8:f53b:82e4::53
When Server1 connects to Internet hosts, the following IP address is used: ff00:e378:8000::63bf:3fff:fdd2
B
When Server1 connects to hosts on the same subnet, the following IP address is used: fe80::200:5aee:feaa:20a2
When Server1 connects to Internet hosts, the following IP address is used: 2000:1516::6c:2348
C
When Server1 connects to hosts on the same subnet, the following IP address is used: 2000:1516::6c:2348
When Server1 connects to Internet hosts, the following IP address is used: fc00:fdf8:f53b:82e4::53
D
When Server1 connects to hosts on the same subnet, the following IP address is used: fe80::200:5aee:feaa:20a2
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains a Hyper-V host.
You are deploying So ware Defined Network (SDN) by using Windows Server 2016.
You deploy a virtual machine that runs Windows Server 2016, and you install the Network Controller server role.
You need to configure the virtual machine as the network controller.
What should you do?
Explana on:
To configure the Network Controller applica on, type the following command at the Windows PowerShell command prompt, and then
press ENTER. Ensure that you add values for each parameter that are appropriate for your deployment.
Install-NetworkController –Node <NetworkControllerNode[]> –ClientAuthen ca on <ClientAuthen ca on> [-

ClientCer ficateThumbprint <string[]>] [-ClientSecurityGroup <string>] -ServerCer ficate <X509Cer ficate2> [-RESTIPAddress
<String>] [-RESTName <String>] [-Creden al <PSCreden al>][-Cer ficateThumbprint <String> ] [-UseSSL]
The ClientAuthen ca on parameter specifies the authen ca on type that is used for securing the communica on between REST and
Network Controller. The supported values are Kerberos, X509 and None. Kerberos authen ca on uses domain accounts and can only
be used if the Network Controller nodes are domain joined. If you specify X509-based authen ca on, you must provide a cer ficate in
the NetworkControllerNode object. In addi on, you must manually provision the cer ficate before you run this command.
Reference: Configure the Network Controller applica on
Right answer: D
A Run the Install-NetworkControllerCluster cmdlet and set ClientAuthen ca on to X509.
B Run the Install-NetworkController cmdlet and set ClientAuthen ca on to None.
C Run the Install-NetworkControllerCluster cmdlet and set ClientAuthen ca on to None.
D Run the Install-NetworkController cmdlet and set ClientAuthen ca on to Kerberos.
4/29/2019 Training
Microsoft - 70-741

Your company has five departments, including a web research department.
You have a DHCP server named Server1 and two DNS servers named DNS1 and DNS2.
Server1 has an Ipv4 scope named Scope1. All client computers are configured to use DNS1 for name resolu on.
You need to ensure that users in the web research department use DNS2 for name resolu on.
Explana on:
The DHCP server role in Windows Server 2012 introduces DHCP Policies also referred as Policy Based Assignment (PBA), a feature that
enables users to create policies at scope or server level for assigning IPv4 addresses and op ons to DHCP clients based on a ributes
like Vendor Class, User Class, MAC Address etc.

Right answer: F
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

You have a DNS server named Server1 that runs Windows Server 2016. Server 1 has a forward lookup zone for Contoso.com. The
records in the zone are shown below:
You run the following commands on Server1.
Add-DnsServerClientSubnet -Name "Subnet1" -Ipv4Subnet "172.16.0.0/24"
Add-DnsServerClientSubnet -Name "Subnet2" -Ipv4Subnet "172.16.1.0/24"
Add-DnsServerZoneScope -ZoneName "Contoso.com" -Name "Scope1"
Add-DnsServerResourceRecord -ZoneName "Contoso.com" -A -Name "Host2" -IPv4Address "172.16.99.99" -ZoneScope "Scope1"
Add-DnsServerQueryResolu onPolicy -Name "Policy1" -Ac on ALLOW -ClientSubnet "EQ,Subnet1" -ZoneScope "Scope1,1" -
ZoneName "Contoso.com"
Add-DnsServerQueryResolu onPolicy -Name "Policy2" -Ac on IGNORE -ClientSubnet "NE,Subnet2" -FQDN

"EQ,host1.contoso.com"
What are two results of the configura on?
(Each correct answer presents a complete solu on. NOTE: Each correct selec on is worth one point.)
Right answer: B, D
When a client computer that has an IP address of 172.16.0.10 a empts to resolve host1.contoso.com,
A
host1.contoso.com resolves to 172.16.99.99.
When a client computer that has an IP address of 172.16.0.10 a empts to resolve host1.contoso.com, the name
B
resolu on fails to return an IP address.
C
D
4/29/2019 Training
When a client computer that has an IP address of 172.16.1.56 a empts to resolve host1.contoso.com, the name
E
resolu on fails to return an IP address.
F
4/29/2019 Training
Microsoft - 70-741

You have an IP Address Management (IPAM) server named Server1 that runs Windows Server 2016. You have five DHCP servers.
Server1 manages all of the DHCP servers.
On Server1, an administrator uses Purge Event Catalog Data to remove all of the events from the last 30 days.
You need to view all lease requests that were denied during the last two days.
What should you do?
Explana on:
The Purge Event Catalog Data ac on deletes the collected events on the IPAM-Server only. You can s ll view the events on the
corresponding DHCP servers.
Right answer: D
On each DHCP server, run the \Microso \Windows\Server Manager\CleanUpOldPerfLogs scheduled task, and then
A
review the event catalog on Server1.
B On Server1, run the Purge Event Catalog Data ac on and then open Event Viewer on Server1.
C Review the log data in C:\Windows\System32\ipam\Database on Server1.
D On each DHCP server, review the DHCP Server opera onal event log.
4/29/2019 Training
Microsoft - 70-741

You implement So ware Defined Networking (SDN) by using the Network Controller server role. You have a virtual network named
VNET1 that contains servers used by developers.
You need to ensure that only devices from the 192.168.0.0/24 subnet can access the virtual machine in VNET1.
What should you configure?
Explana on:
You can filter network traffic between resources in a virtual network using a network security group. A network security group
contains several default security rules that allow or deny traffic to or from resources. A network security group can be associated to a
network interface, the subnet the network interface is in, or both. To simplify management of security rules, it's recommended that
you associate a network security group to individual subnets, rather than individual network interfaces within the subnet, whenever
possible.
Right answer: A
A A network security group (NSG)
B Role-based access control
C A universal security group
D Dynamic Access Control
4/29/2019 Training
Microsoft - 70-741

You have a Hyper-V host named Server1 that runs Windows Server 2016. Server1 has mul ple network adapters that have virtual
machine queue (VMQ) enabled.
On Server1, you create a virtual machine named VM1. The se ngs of VM1 are shown below.
You need to ensure that you can use virtual Receive-side Scaling (vRSS) on VM1.
What should you do?
4/29/2019 Training
Explana on:
You can use Virtual Receive Side Scaling (vRSS) to configure a virtual network adapter to load balance incoming network traffic across
mul ple logical processor cores in a VM or mul ple physical cores for a host virtual Network Interface Card (vNIC).
This configura on allows the load from a virtual network adapter to be distributed across mul ple virtual processors in a virtual
machine (VM), allowing the VM to process more network traffic more rapidly than it can with a single logical processor.
You can use vRSS in VMs on Hyper-V hosts that have mul ple processors, a single mul ple core processor, or more than one mul ple
core processors installed and configured for VM use.
vRSS is compa ble with all other Hyper-V networking technologies. vRSS is dependent on Virtual Machine Queue (VMQ) in the Hyper-
V host and RSS in the VM or on the host vNIC.
vRSS is enabled by default, however you can disable vRSS in a VM by using Windows PowerShell commands.
Reference: Virtual Receive Side Scaling (vRSS)
Right answer: B
A Add addi onal memory.
B Add addi onal processors.
C Add addi onal network adapters.
D Enable the Data Exchange integra on service.
4/29/2019 Training
Microsoft - 70-741

You have a virtual machine named Server1 that runs Windows Server 2016. You plan to use Server1 as part of a So ware Defined
Networking (SDN) solu on.
You need to implement the Border Gateway Protocol (BGP) on Server1.
What should you install?
Right answer: B
A The Peer Name Resolu on Protocol (PNRP) feature
B The Rou ng role service
C The Network Device Enrollment Service role service
D The Network Policy and Access Services server role
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory forest named contoso.com. The forest contains the VPN servers configured as shown in the
following table.
You are configuring a Network Policy Server (NPS) server named Server1. Server1 has the following RADIUS clients.
All three VPN servers are configured to use Server1 for RADIUS authen ca on.
All of the users in contoso.com are allowed to establish a VPN connec on.
For each of the following statements, select YES if the statement is true. Otherwise, select No.
4/29/2019 Training
Explana on:
The output of the Get-NpsRadiusClient cmdlet shows that on Server1, only the VPN server with the P-address 172.16.1.254 (VPN2) has
a valid and enabled RADUS client configured.
Right answer: C
The contoso.com users can authen cate successfully when they establish a VPN connec on to VPN1: Yes
A The contoso.com users can authen cate successfully when they establish a VPN connec on to VPN2: Yes
B The contoso.com users can authen cate successfully when they establish a VPN connec on to VPN2: Yes
The contoso.com users can authen cate successfully when they establish a VPN connec on to VPN3: No
C The contoso.com users can authen cate successfully when they establish a VPN connec on to VPN2: Yes
D The contoso.com users can authen cate successfully when they establish a VPN connec on to VPN2: Yes
E The contoso.com users can authen cate successfully when they establish a VPN connec on to VPN2: No
F The contoso.com users can authen cate successfully when they establish a VPN connec on to VPN2: No
4/29/2019 Training
Microsoft - 70-741

You have a Nano Server that has one network interface. The server is configured to obtain an IP address automa cally.
You need to configure the server to have the following IP configura ons:
IP address: 172.16.3.100
Default gateway: 172.16.3.1
Subnet mask: 255.255.255.0
Explana on:
The New-NetIPAddress cmdlet creates and configures an IP address. To create a specific IP address object, specify either an IPv4
address or an IPv6 address, and an interface index or interface alias. We recommend that you define the prefix length, also known as a
subnet mask, and a default gateway.
If you run this cmdlet to add an IP address to an interface on which DHCP is already enabled, then DHCP is automa cally disabled. If
Duplicate Address Detec on (DAD) is enabled on the interface, the new IP address is not usable un l DAD successfully finishes, which
confirms the uniqueness of the IP address on the link.
Reference: New-NetIPAddress
Right answer: B
Netsh -InterfaceAlias Ethernet -IPAddress 172.16.3.100 -DefaultGateway 172.16.3.1 -AddressFamily IPv4 -PrefixLength
A
16
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 172.16.3.100 -DefaultGateway 172.16.3.1 -AddressFamily IPv4

B
-PrefixLength 24
Set-NetIPAddress -InterfaceAlias Ethernet -IPAddress 172.16.3.100 -DefaultGateway 172.16.3.1 -AddressFamily IPv4 -

C
PrefixLength 24
4/29/2019 Training
Netsh -InterfaceAlias Ethernet -IPAddress 172.16.3.100 -DefaultGateway 172.16.3.1 -AddressFamily IPv6 -PrefixLength
D
8
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 172.16.3.100 -DefaultGateway 172.16.3.1 -AddressFamily IPv6

E
-PrefixLength 32
Set-NetIPAddress -InterfaceAlias Ethernet -IPAddress 172.16.3.100 -DefaultGateway 172.16.3.1 -AddressFamily IPv6 -

F
PrefixLength 24
4/29/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. Server1 has the following IP configura on.
You need to configure the default gateway on Server1 to allow for connec vity to other subnets via IPv6.
4/29/2019 Training
Explana on:
The New-NetRoute cmdlet creates an IP route in the IP rou ng table. Specify the des na on prefix, and specify an interface by using
the interface alias or the interface index.
-Des na onPrefix<String>
Specifies a des na on prefix of an IP route. A des na on prefix consists of an IP address prefix and a prefix length, separated by a
slash (/). A value of 0.0.0.0/0 for IPv4 or ::/0 for IPv6 indicates that the value of the NextHop parameter is a default gateway. The prefix
length of the local host must match the prefix specified in this parameter, with all remaining address fields set to zero.
-InterfaceIndex<UInt32>
Specifies the index of a network interface. The cmdlet adds a route for the interface located at the index that you specify.
-NextHop<String>
Specifies a next hop for the IP rou ng table entry. The NextHop is the IP address of the next hop in the route. A NextHop of 0.0.0.0 for
IPv4 or :: for IPv6 would indicate that the route is on-link. When the new rou ng table entry is created, the next hop IP address is also
added as a neighbor cache entry.
Reference: New-NetRoute
Right answer: D
$var1: "0.0.0.0/0"
A $var2: "10"
$var3: "::1/128"
$var1: "::1/128"
B $var2: "2"
$var3: "fe80::253"
$var1: "2001::/32"
C $var2: "3"
$var3: "0.0.0.0"
$var1: ::/0
D $var2: 6
$var3: ::
4/29/2019 Training
Microsoft - 70-741

Solu on: From Task Scheduler, you run the Microso \Windows\IPAM\Audit task.
Explana on:
The scheduled task, Microso \Windows\IPAM\Audit, runs every hour. The task collects opera onal events from DHCP and IPAM
servers, and events from domain controllers and Network Policy and DHCP servers for IP address tracking. Manually execu ng the task
ensures that even the most up-to-date data is available for inspec on.
$Today = Get-Date
Right answer: A
4/29/2019 Training
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

Solu on: From Network Policy Server, you modify the Network Policies on Server1.
Explana on:
We should use Network Policy (NPS) to create or modify the Network Access Policy.
4/29/2019 Training
Right answer: A
A Yes
B No
4/29/2019 Training
Microsoft - 70-741

Your company owns the public Internet IP address range of 131.107.20.0 to 131.107.20.255.
You need to create a subnet that supports four hosts. The solu on must minimize the number of addresses available to the subnet.
Which subnet should you use?
Explana on:
The subnet mask 255.255.255.248 has 29 bits. A 29-bit subnet mask leaves 3 bits for host addressing. This allows 2^3 - 2 = 6 host
addresses.
Right answer: A
A 131.107.20.16 with subnet mask 255.255.255.248
B 131.107.20.16/28
C 131.107.20.0/27
D 131.107.20.16/30
4/29/2019 Training
Microsoft - 70-741

You have Hyper-V host named Server1. Server1 has a network adapter that has virtual machine queue (VMQ) enabled. The network
adapter connects at 10 Gbps and has an IPV4 address.
Server1 hosts a virtual machine named VM1. VM1 has a single network adapter and four processors.
You need to distribute the network processing load across the VM1 processors.
What should you do?
Explana on:
We have to enable receive side scaling (RSS) on the network adapter of VM1. RSS is a scalability technology that distributes the receive
network traffic among mul ple processors by hashing the header of the incoming packet. Without RSS in firstref_longhorn and later,
network traffic is received on the first processor which can quickly reach full u liza on limi ng receive network throughput.
We can use the Enable-NetAdapterRss cmdlet or the proper es of the network adapter to enbale RSS.
Right answer: C
A From Windows PowerShell on Server1, run the Enable-NetAdapterPacketDirect cmdlet.
B From Windows PowerShell on VM1, run the Enable-NetAdapterPacketDirect cmdlet.
4/29/2019 Training
C From Device Manager on VM1, configure Receive Side Scaling.
D From Windows PowerShell on Server1, run the Enable-NetAdapterRSS cmdlet.
4/29/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. Server1 is an IP Address Management (IPAM) server that collects
DHCP and DNS logs and events for your en re network.
You need to get the IP addresses that were assigned to a client computer named Computer1 during the last week.
Explana on:
We can use the Get-IpamIpAddressAuditEvent cmdlet or the IP Address Tracking in Event Catalog of the IPAM management in Server
Manager.
Right answer: A
A From the IPAM node in Server Manager, click Event Catalog, and then review the IP Address Tracking.
B Open Event Viewer and click Windows Logs. Filter the Security log for Computer1.
4/29/2019 Training
C Run the Export-IpamAddress cmdlet.
D From the IPAM node in Server Manager, click IP Address Space, and then review the IP Address Inventory.
E Run the Get-IpamDhcpConfigura onEvent cmdlet.
4/29/2019 Training
Microsoft - 70-741

in this series.
service on Server2.
You need to configure an administrator named admin@fabrikam.com as the contact person for the fabrikam.com zone.
What should you modify?
4/29/2019 Training
Explana on:
The responsible contact person for a DNS zone is stored in the SOA entry. The record type is "Responsible Persons (RP).
Right answer: D
Record type to modify: Host Informa on (HINFO)
A
Record value to modify: Text
Record type to modify: Mailbox Informa on (MINFO)

B
Record value to modify: Error Mailbox
Record type to modify: Start of Authority (SOA)

C
Record value to modify: Text
Record type to modify: Start of Authority (SOA)

D
Record value to modify: Responsible Person
Record type to modify: Text (TXT)

E
Record value to modify: Responsible Mailbox
Record type to modify: Text (TXT)

F
Record value to modify: Responsible Person
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

Server1 has IP Address Management (IPAM) installed. Server2 has the DHCP Server role installed. The IPAM server retrieves data from
Server2.
You create a domain user account named User1.
You need to ensure that User1 can use IPAM to manage DHCP.
Which command should you run on Server1?
4/29/2019 Training
Explana on:
IPAM Users - IPAM Users is a local security group on an IPAM server that is created when you install the IPAM feature. Members
of this group can view all informa on in server inventory, IP address space, and the monitor and manage IPAM console nodes.
IPAM Users can view IPAM and DHCP opera onal events under in the Event Catalog node, but cannot view IP address tracking
data.
IPAM MSM Administrators - IPAM MSM Administrators is a local security group on an IPAM server that is created when you
install the IPAM feature. Members of this group have all the privileges of the IPAM Users security group, and can perform server
monitoring and management tasks in addi on to IPAM common management tasks.
IPAM ASM Administrators - IPAM ASM Administrators is a local security group on an IPAM server that is created when you install
the IPAM feature. Members of this group have all the privileges of the IPAM Users security group, and can perform IP address
space tasks in addi on to IPAM common management tasks.
IPAM IP Audit Administrators - IPAM IP Audit Administrators is a local security group on an IPAM server that is created when you
install the IPAM feature. Members of this group have all the privileges of the IPAM Users security group. They can view IP
address tracking data and perform IPAM common management tasks.
IPAM Administrators - IPAM Administrators is a local security group on an IPAM server that is created when you install the IPAM
feature. Members of this group have privileges to view all IPAM data and perform all IPAM tasks.
Right answer: E
A Set-ADGroup "Server2\DHCP Administrators" User1 /add
B Set-ADGroup "Server1\IPAM IP Users" User1 /add
C Set-ADGroup "Server1\IPAM IP Audit Administrators" User1 /add
D net localgroup "Server2\Administrators" User1 /add
E net localgroup "Server1\IPAM MSM Administrators" User1 /add
F net localgroup "Server2\DHCP Administrators" User1 /add
4/29/2019 Training
Microsoft - 70-741

in this series.


Which VPN protocol should you configure on Server2?
4/29/2019 Training
Explana on:
The Security Policy of Contoso states that only TCP ports 80 and 443 are allowed from the internet to server2. Therefore we have to
use SSTP as VPN protocol.
Right answer: D
A L2TP
B IKEv2
C PPTP
D SSTP
4/29/2019 Training
Microsoft - 70-741

4/29/2019 Training
in this series.


You deploy a computer named ComputerA to Subnet1. ComputerA has an IP address of 10.10.0.129 and a subnet mask of
255.255.255.0.
You plan to use ComputerA to access the resources on Web1.
Which IP address should you use as the default gateway on ComputerA?
Explana on:
The router for Subnet1 is Server1. The network interface of the router connected to Subnet1 is configured with the IP address
10.10.0.224.
Right answer: B
4/29/2019 Training
A 10.10.1.1
B 10.10.0.224
C 131.107.0.223
D 172.16.128.193
4/29/2019 Training
Microsoft - 70-741

You have a DNS server named Server1 that runs Windows Server 2016. Server1 has two Ac ve Directory-integrated zones named
contoso.com and adatum.com.
All client computers run Windows 10.
Server1 recently experienced millions of erroneous DNS queries causing a denial of service.
You need to reduce the likelihood that a similar a ack will cause a denial of service. The solu on must ensure that Server1 con nus to
resolve names for clients.
What should you do?
Explana on:
RRL, or Response Rate Limi ng, tries to extenuate the DNS amplifica on a acks. In a DNS amplifica on a ack, the a ackers forge the
IP address of the vic m network and send a lot of queries to the DNS servers. The tradi onal DNS server responds back to all the
queries it receives and as a result the vic m network gets a huge amount of unwanted DNS responses . The a ackers can orchestrate
this a ack to involve mul ple DNS servers all of which start sending unsolicited responses to the vic m network, which chokes down
on the high volume of inbound packets, slows down and eventually collapses.
Apart from this, DNS brings an element of amplifica on (more so with DNSSEC). The a acker can send small queries that can result in
large responses. Certain DNS servers that act as "Open Resolvers" on internet are specifically vulnerable to facilitate this kind of a ack,
as they can be easily made to respond with highly amplified response. Even purely authorita ve servers respond with amplified
referral responses, or amplified responses for 'ANY' queries. This makes it easier for the a acker to orchestrate a reflec on a ack with
smaller number of queries.
In Windows Server 2016, the DNS server will provide an op on to enable Response Rate Limi ng. Response Rate Limi ng intends to
prevent the abuse of Windows DNS servers for orchestra ng an amplifica on a ack. Although there is no way to iden fy the
legi macy of a single query on UDP, but preven ve ac ons can be taken if the DNS servers can iden fy poten ally malicious queries.
As DNS clients and resolvers are expected to cache the responses, if a lot of queries originate from single source asking for similar
names within a specified me window, they can be flagged as poten ally malicious. With RRL enabled, Windows DNS servers will first
iden fy the poten ally malicious queries and then take preven ve ac ons. The obvious preven on is not to respond. The other op on
is to respond back with trunca on, so that the clients who are genuine revert back on TCP*, where the protocol ensures legi macy of
client via its three-way handshake. Overall, with RRL enabled, the Windows DNS server will put an upper limit to the number of similar
responses that it will send to clients from the same subnet.
By default RRL, is disabled on Windows DNS Server. To enable it use the Set-DnsServerResponseRateLimi ng cmdlet.
References:
Response Rate Limi ng in Windows DNS Server
Set-DnsServerResponseRateLimi ng
Right answer: B
4/29/2019 Training
A Implement DNS-based Authen ca on of Named En es (DANE).
B Enable Response Rate Limi ng (RRL) on Server1.
C Configure DNS policies on Server1.
D Sign both adatum.com and contoso.com zones.
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com that contains a domain controller named DC1. All DNS servers
for the network run BIND 10.
Your perimeter network contains a DHCP server named DHCP1 that runs Windows Server 2016. DHCP1 is a member of a workgroup
named WORKGROUP. DHCP1 provides IP address leases to guests accessing the Wi-Fi network.
Several engineers access the network remotely by using a VPN connec on to a remote access server that runs Windows Server 2016.
All of the VPN connec ons use cer ficate-based authen ca on and are subject to access policies in Network Policy Server (NPS).
Cer ficates are issued by an enterprise cer fica on authority (CA) named CA1.
All Windows computers on the network are ac vated by using Key Management Service (KMS). On-premises users use Remote
Desktop Services (RDS).
You plan to deploy IP Address Management (IPAM) to the network.
Which ac on can you perform on the network by using IPAM?
Explana on:
IPAM provides for administra on and monitoring of servers running Dynamic Host Configura on Protocol (DHCP) ,Domain Name
Service (DNS), Network Policy Server (NPS), Ac ve Directory controllers.
Features include:
Automa c IP address infrastructure discovery: IPAM discovers domain controllers, DHCP servers, and DNS servers in the domains
you choose. You can enable or disable management of these servers by IPAM.
Custom IP address space display, repor ng, and management: The display of IP addresses is highly customizable and detailed
tracking and u liza on data is available. IPv4 and IPv6 address space is organized into IP address blocks, IP address ranges, and
individual IP addresses. IP addresses are assigned built-in or user-defined fields that can be used to further organize IP address
space into hierarchical, logical groups.
Audit of server configura on changes and tracking of IP address usage: Opera onal events are displayed for the IPAM server and
managed DHCP servers. IPAM also enables IP address tracking using DHCP lease events and user logon events collected from
Network Policy Server (NPS), domain controllers, and DHCP servers. Tracking is available by IP address, client ID, host name, or
user name.
Monitoring and management of DHCP and DNS services: IPAM enables automated service availability monitoring for Microso
DHCP and DNS servers across the forest. DNS zone health is displayed, and detailed DHCP server and scope management is
available using the IPAM console.
Right answer: A
A Audit user and device logon event from NPS.
4/29/2019 Training
B Audit logon events on the RDS server.
C Audit configura on changes to the remote access server.
D Audit cer ficate enrollment requests on CA1.
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory forest named contoso.com. The forest contains five domains.
You manage DNS for the contoso.com domain only. You are not responsible for managing DNS for the child domains.
The DNS servers in a child domain named research.contoso.com are reconfigured o en.
You need to ensure that clients in contoso.com can resolve addresses in research.contoso.com. The solu on must minimize zone
replica on traffic.
What should you do?
Explana on:
A stub zone is a copy of a zone containing only the resource records required to iden fy the authorita ve Domain Name System (DNS)
servers for that zone.
A stub zone consists of the following elements:
The Status of Authority (SOA) resource record, the master DNS server resource records, and the Glue A resource records for the
delegated zone.
The Glue A resource records represent the IP addresses of the name servers (master DNS servers). Clients use the stub zone to obtain
the IP addresses of the name servers of the zone, and ul mately query one of these name servers for the IP addresses of the desired
resources.
Compared to a zone delega on, the stub zone has the advantage that the IP addresses of the name servers (the Glue A resource
records) are automa cally updated when changed.
Right answer: C
A Create a primary zone for research.contoso.com on the DNS servers of contoso.com.
B Create a secondary zone for research.contoso.com on the DNS servers of contoso.com.
C Create a stub zone for research.contoso.com on the DNS servers of contoso.com.
D Create a delega on for research.contoso.com.
4/29/2019 Training
Microsoft - 70-741

You are an administrator for your company. You have a server named Server1 that runs Windows Server 2016.
Server1 is in a workgroup and has the DNS Server role installed.
You need to enable DNS Analy cal Diagnos c logging on Server1.
What should you do?
4/29/2019 Training
Explana on:
If your DNS server is running Windows Server 2016 or later, diagnos c logging is already installed.
To enable DNS diagnos c logging
1. Type eventvwr.msc at an elevated command prompt and press ENTER to open Event Viewer.
2. In Event Viewer, navigate to Applica ons and Services Logs\Microso \Windows\DNS-Server.
3. Right-click DNS-Server, point to View, and then click Show Analy c and Debug Logs. The Analy cal log will be displayed.
4. Right-click Analy cal and then click Proper es.
5. Under When maximum event log size is reached, choose Do not overwrite events (Clear logs manually), select the Enable
logging checkbox, and click OK when you are asked if you want to enable this log. Click OK again to enable the DNS Server
Analy c event log.
6. Click OK again to enable the DNS Server Analy c event log.
By default, analy c logs are wri en to the file: %SystemRoot%\System32\Winevt\Logs\Microso -Windows-

DNSServer%4Analy cal.etl.
Reference: DNS Logging and Diagnos cs
Right answer: E
A From Local Group Policy Editor, configure Audit Policy.
B From DNS Manager, configure Monitoring.
C From Windows PowerShell, run the Enable-DnsServerPolicy cmdlet.
D From DNS Manager, configure Event Logging.
E From Event Viewer, configure DNS-Server Applica ons and Services Logs.
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

You are an administrator for a company. You have the servers configured as shown in the following table.
Your network uses an internal address space of 10.10.0.0/24. Client computers are allocated addresses from 10.10.0.60 to
10.10.0.199.
Server4 has the IPv4 configura on shown in the following table.
You need to configure Server4 to provide Internet access to the computers on the network.
Which three ac ons should you perform in sequence?
(To answer, move the appropriate ac ons from the list of ac ons to the answer area and arrange them in the correct order.)
4/29/2019 Training
Explana on:
Network Address Transla on (NAT) is implemented by using the Rou ng and Remote Access snap-in. Rou ng and Remote Access is
part of the Remote Access server role.
The external interface, which acts as a NAT interface, has the IP address 131.12.11.121.
Right answer: A
A Sequence: 5, 6, 1
B Sequence: 5, 6, 4
C Sequence: 5, 7, 1
D Sequence: 5, 7, 4
E Sequence: 5, 2, 1
F Sequence, 5, 2, 4
4/29/2019 Training
Microsoft - 70-741

You have a Hyper-V host named Host1 that runs Windows Server 2016 Datacenter. Host1 has eight network adapters that support
Remote Direct Memory Access (RDMA).
You plan to configure Host1 as part of a four-node Hyper-V converged solu on.
You enable the Data Center Bridging (DCB) feature.
You need to enable Switch Embedded Teaming (SET) and RDMA.
Which three cmdlets should you run in sequence?
(To answer move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.)
4/29/2019 Training
Explana on:
To make use of RDMA capabilies on Hyper-V host virtual network adapters (vNICs) on a Hyper-V Virtual Switch that supports RDMA
teaming, you can use these example Windows PowerShell commands.
New-VMSwitch -Name SETswitch -NetAdapterName "SLOT 2","SLOT 3" -EnableEmbeddedTeaming $true
Add host vNICs:
Add-VMNetworkAdapter -SwitchName SETswitch -Name SMB_1 -managementOS Add-VMNetworkAdapter -

SwitchName SETswitch -Name SMB_2 -managementOS
Many switches won't pass traffic class informa on on untagged VLAN traffic, so make sure that the host adapters for RDMA are on
VLANs. This example assigns the two SMB_* host virtual adapters to VLAN 42.
Set-VMNetworkAdapterIsolation -ManagementOS -VMNetworkAdapterName SMB_1 -IsolationMode VLAN -

DefaultIsolationID 42 Set-VMNetworkAdapterIsolation -ManagementOS -VMNetworkAdapterName SMB_2 -
IsolationMode VLAN -DefaultIsolationID 42
Enable RDMA on Host vNICs:
Enable-NetAdapterRDMA "vEthernet (SMB_1)","vEthernet (SMB_2)" "SLOT 2", "SLOT 3"
Verify RDMA capabili es; ensure that the capabili es are non-zero:
Get-NetAdapterRdma | fl *
Reference: Remote Direct Memory Access (RDMA) and Switch Embedded Teaming (SET)
Right answer: C
A Sequence: 3, 4, 2
B Sequence: 3, 2, 4
C Sequence: 4, 5, 2
D Sequence: 4, 1, 2
4/29/2019 Training
Microsoft - 70-741

You have a remote access server named Server1 that runs Windows Server 2016. Server1 has DirectAccess enabled. A firewall
connects Server1 to the Internet.
You need to configure the firewall to ensure that DirectAccess clients can connect to Server1 by using Teredo, 6to4, and IP-HTTPS.
Which inbound port should be open on the firewall for each transi on technology?
(To answer, drag the appropriate ports and protocols to the correct transi on technologies. Each port and protocol may be used once,
more than once, or not at all. NOTE: Each correct selec on is worth one point.)
Explana on:
DirectAccess uses the following port für communica on with clients on the IPv4 Internet:
Teredo traffic: User Datagram Protocol (UDP) des na on port 3544 inbound, and UDP source port 3544 outbound.
6to4 traffic: IP Protocol 41 inbound and outbound.
IP-HTTPS: Transmission Control Protocol (TCP) des na on port 443, and TCP source port 443 outbound.
Reference: Direct Access and VPN ports
Right answer: B
Teredo: IP Protocol ID 41
A 6to4: UDP 3544
IP-HTTPS: TCP 443
Teredo: UDP 3544

B 6to4: IP Protocol ID 41
IP-HTTPS: TCP 443
Teredo: IP Protocol ID 41
C 6to4: TCP 443
IP-HTTPS: UDP 3544
D
4/29/2019 Training
Teredo: UDP 3544

6to4: TCP 443
IP-HTTPS: IP Protocol ID 41
4/29/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016. Server1 is a Hyper-V host.
You run the following commands:
New-VMSwitch -Name Team1 -NetAdapterName "NIC 1", "NIC 2" -EnableEmbeddedTeaming $True
Set-VMSwitch -Name Team1 -NetAdapterName "NIC 3"
Which statements are true?
(Use the drop-down menus to select the answer choice that completes each statement based on the informa on presented in the
graphic.)
4/29/2019 Training
Explana on:
The following command line creates a new switch and adds the network adapters NIC 1 and NIC 2 to the switch:
New-VMSwitch -Name Team1 -NetAdapterName "NIC 1", "NIC 2" -EnableEmbeddedTeaming $True
The next line fails and does not make any changes to the switch:
Set-VMSwitch -Name Team1 -NetAdapterName "NIC 3"
The following command line adds a third network card (NIC 4) to the switch:
Add-VMSwitchTeamMember -VMSwitchName Team1 -NetAdapterName "NIC 4"
Right answer: D
A er running the commands, Team1 contains one network adapters.
A If you run Add-VMSwitchTeamMember -VMSwitchName Team1 -NetAdapterName "NIC 4", Team1 will contain two
network adapters.
A er running the commands, Team1 contains one network adapters.

B If you run Add-VMSwitchTeamMember -VMSwitchName Team1 -NetAdapterName "NIC 4", Team1 will contain one
network adapters.
A er running the commands, Team1 contains two network adapters.

C If you run Add-VMSwitchTeamMember -VMSwitchName Team1 -NetAdapterName "NIC 4", Team1 will contain two
network adapters.
A er running the commands, Team1 contains two network adapters.

D If you run Add-VMSwitchTeamMember -VMSwitchName Team1 -NetAdapterName "NIC 4", Team1 will contain three
network adapters.
A er running the commands, Team1 contains three network adapters.

E If you run Add-VMSwitchTeamMember -VMSwitchName Team1 -NetAdapterName "NIC 4", Team1 will contain four
network adapters.
4/29/2019 Training
F A er running the commands, Team1 contains three network adapters.

If you run Add-VMSwitchTeamMember -VMSwitchName Team1 -NetAdapterName "NIC 4", Team1 will contain three
network adapters.
4/29/2019 Training
Microsoft - 70-741

You are deploying So ware Defined Networking (SDN) by using Windows Server 2016.
You plan to deploy a three-node Network Controller cluster. You plan to use virtual machines for the network controller and the
management client.
The virtual machines will NOT be domain-joined.
You need to configure authen ca on for the cluster.
Explana on:
When you configure authen ca on for Network Controller Northbound communica on, you allow Network Controller cluster nodes
and management clients to verify the iden ty of the device with which they are communica ng.
Network Controller supports the following three modes of authen ca on between management clients and Network Controller
nodes.
1. Kerberos. Use Kerberos authen ca on when joining both the management client and all Network Controller cluster nodes to an
Ac ve Directory domain. The Ac ve Directory domain must have domain accounts used for authen ca on.
2. X509. Use X509 for cer ficate-based authen ca on for management clients not joined to an Ac ve Directory domain. You must
enroll cer ficates to all Network Controller cluster nodes and management clients. Also, all nodes and management clients must
trust each others’ cer ficates.
3. None. Use None for tes ng purposes in a test environment and, therefore, not recommended for use in a produc on
environment. When you choose this mode, there is no authen ca on performed between nodes and management clients.
You can configure the Authen ca on mode for Northbound communica on by using the Windows PowerShell command Install-
NetworkController with the ClientAuthen ca on parameter.
Reference: Secure the Network Controller
Right answer: A
A Install-NetworkController -Node @{Node1, Node2, Node3} -ClientAuthen ca on X509
B Install-NetworkControllerCluster -Node @{Node1, Node1, Node3} -ClientAuthen ca on Kerberos
C Install-NetworkControllerCluster -Node @{Node1, Node1, Node3} -ClientAuthen ca on X509
D Install-NetworkControllerCluster -Node @{Node1, Node1, Node3} -ClientAuthen ca on None
E Install-NetworkController -Node @{Node1, Node2, Node3} -ClientAuthen ca on Kerberos
4/29/2019 Training
4/29/2019 Training
Microsoft - 70-741

You have a remote access server named Server1 that runs Windows Server 2016. Server1 has DirectAccess enabled.
You have a proxy server named Server2. All computers on the internet connect to the Internet by using the proxy.
On Server1, you run the command Set-DAClient -ForceTunnel Enabled.
You need to ensure that when a Direct Access client connects to the network, the client accesses all the Internet resources through the
proxy.
What should you run on Server1?
Explana on:
The Set-DAClientDnsConfigura on cmdlet configures the DNS server and proxy server addresses of a Name Resolu on Policy Table
(NRPT) entry and configures the local name resolu on property.
To modify an NRPT entry the user needs to specify the DNS suffix, the new DNS IP address or the proxy server, or the new DNS IP
address and the proxy server for this suffix. To modify the local name resolu on se ng the Local parameter is used.
When an NRPT entry or local name resolu on property is modified in a mul -domain scenario, it is correspondingly updated in all of
the client Group Policy Objects (GPOs) in various domains. This is true for mul -site and firstref_server_7 GPOs as well.
The NRPT configura on is applicable globally to the en re DirectAccess (DA) deployment and therefore is not impacted by mul -site
deployment.
This example configures a proxy server for suffix contoso.com. Since NRPT entry se ngs in DA are global, this change will apply to all
of the DA clients.
Set-DAClientDNSConfiguration -DNSSuffix 'contoso.com' -ProxyServer 'webproxy.contoso.com:400'
Reference: Set-DAClientDnsConfigura on
Right answer: C
A Set-DAClient
B Set-DnsClientGlobalSe ng
C Set-DAClientDNSConfigura on
D Set-DAEntryPoint
4/29/2019 Training
Microsoft - 70-741

You have a server named Server1 that runs Windows Server 2016 and is configured as a domain controller.
You install the DNS Server serve role on Server1.
You plan to store a DNS zone in a custom Ac ve Directory par on. You need to create a new Ac ve Directory par on for the zone.
What should you use?
Explana on:
To create a custom Ac ve Directory par on you can use dnscmd.exe or ntdsu l.exe.
Right answer: D
A Set-DnsServer
B DNS Manager
C New-ADObject
D Ntdsu l.exe
E Ac ve Directory Sites and Services
4/29/2019 Training
Microsoft - 70-741

Your network contains an Ac ve Directory domain named contoso.com. The domain contains three servers named Server1, Server4,
and Server5 that run Windows Server 2016.
Distributed File System (DFS) is deployed as shown in the following exhibit.
You configure the replica on schedule for \\Contoso.com\Namespace1\Folder1 as shown in the Replica on Schedule exhibit.
Which statements are true?
(Use the drop-down menus to select the answer choice that completes each statement based on the informa on presented in the
graphics.)
4/29/2019 Training
Explana on:
The white highlighted area in the replica on schedule indicates mes when no replica on takes place. The blue highlighted area
indicates mes when replica on is taking place with full bandwidth u liza on.
The DFS folder named folder1 is replicated to the local folders C:\Folder on Server1 and C:\Folder1 on Server4. The different names of
the two local folders do not affect replica on.
Right answer: B
If you copy a file to \\Server1\Folder on Monday at 14:00, the file will never replicate to Server4.
A
If you copy a file to \\Server4\Folder1 on Friday at 06:00, the file will never replicate to Server1.
If you copy a file to \\Server1\Folder on Monday at 14:00, the file will start replica ng to Server4 at 20:00.
B
If you copy a file to \\Server4\Folder1 on Friday at 06:00, the file will start replica ng to Server1 immediately.
If you copy a file to \\Server1\Folder on Monday at 14:00, the file will start replica ng to Server4 immediately.
C
If you copy a file to \\Server4\Folder1 on Friday at 06:00, the file will start replica ng to Server1 at 20:00.
If you copy a file to \\Server1\Folder on Monday at 14:00, the file will start replica ng to Server4 the next day.
D
If you copy a file to \\Server1\Folder on Monday at 14:00, the file will start replica ng to Server4 at 20:00.
E
If you copy a file to \\Server1\Folder on Monday at 14:00, the file will start replica ng to Server4 immediately.
F
If you copy a file to \\Server4\Folder1 on Friday at 06:00, the file will start replica ng to Server1 immediately.
4/29/2019 Training
Microsoft - 70-741
Comments 0 Help Back Wrong Result

Your network contains an Ac ve directory forest named contoso.com. The forest has a Distributed File System (DFS) namespace
named \\contoso.com\namespace1.
The domain contains a file server named Server1 that runs Windows Server 2016.
You create a folder named Folder1 on Server1. You need to use Folder1 as a target for Namespace1.
Which two cmdlets should you use?
(Each correct answer presents part of the solu on. NOTE: Each correct selec on is worth one point.)
Right answer: D, E
A Grant-DfsnAccess
B New-DfsnFolder
C New-DfsReplicatedFolder
D New-DfsnFolderTarget
E New-SmbShare
F Install-WindowsFeature
Comments 0 Help Back Wrong Result

70 741 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

70 741 PDF

Uploaded by

Copyright:

Available Formats

4/27/2019 Training

Mark for review Ques on: 1 1 of 238

Comments 0 Help Next Wrong Result

Home : Training : Test Choice : Exam

You need to conﬁgure Server1 to use Server2 as a RADIUS server.

What should you do?

C From Server Manager, create an Access Policy.

Comments 0 Help Next Wrong Result

Mark for review Ques on: 2 2 of 238

Comments 3 Help Exhibit Back Next Wrong Result

Home : Training : Test Choice : Exam

Comments 3 Help Exhibit Back Next Wrong Result

Mark for review Ques on: 3 3 of 238

Comments 0 Help Back Next Wrong Result

Home : Training : Test Choice : Exam

You need to modify the GPO preﬁx used by IPAM.

What should you do?

<GPO-preﬁx>_DHCP: For managed DHCP servers.

<GPO-preﬁx>_DNS: For managed DNS servers.

<GPO-preﬁx>_DC_NPS: For managed domain controllers and NPS servers.

B Click Provision the IPAM server in Server Manager.

C Click Conﬁgure server discovery in Server Manager.

D Run the lnvoke-IpamGpoProvisioning cmdlet.

Comments 0 Help Back Next Wrong Result

Mark for review Ques on: 4 4 of 238

Comments 4 Help Exhibit Back Next Wrong Result

Home : Training : Test Choice : Exam

User1 can add a host(A) record to adatum.com: No

User1 can add a host(A) record to adatum.com: No

User1 can add a host(A) record to adatum.com: No

Comments 4 Help Exhibit Back Next Wrong Result

Mark for review Ques on: 5 5 of 238

Comments 0 Help Exhibit Back Next Wrong Result

Home : Training : Test Choice : Exam

What command should you run?

(To answer, select the appropriate op ons in the answer area.)

B Set-DnsServer -UseRootHint $false

C Set-DnsServer -Name *.* -PassThru

D Set-DnsServerForwarder -UseRootHint $false

E Set-DnsServerRootHint -IPAddress 10.0.0.10

F Set-DnsServerRootHint -Name *.* -PassThru

Comments 0 Help Exhibit Back Next Wrong Result

Mark for review Ques on: 6 6 of 238

Comments 0 Help Exhibit Back Next Wrong Result

Home : Training : Test Choice : Exam

You need to conﬁgure the environment for automa c IPAM provisioning.

Which cmdlet should you run?

(To answer, select the appropriate op ons in the answer area.)

B Enable-IpamCapability -Domain "contoso.com" -ProvisioningMethod "IPAM1"

C Invoke-IpamGpoProvisioning -Domain "contoso.com" -GpoPreﬁxName "IPAM1"

D Set-IpamConﬁgura on -Domain "contoso.com" -AssetTag "IPAM1"

Comments 0 Help Exhibit Back Next Wrong Result

Mark for review Ques on: 7 7 of 238

Comments 0 Help Exhibit Back Next Wrong Result

Home : Training : Test Choice : Exam

You need to integrate IPAM and VMM.

Which types of objects should you create on each server?

Reference: h ps://msdn.microso .com/en-gb/library/dn783349(v=ws.11).aspx

Server1: Network Service

Server1: Run As Account

Server1: Access Policy

Comments 0 Help Exhibit Back Next Wrong Result

Mark for review Ques on: 8 8 of 238

C Set-DnsServer -Name . -PassThru

F Set-DnsServerRootHint -Name . -PassThru