Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You network contains an Active Directory forest named contoso.com. The forest contains an Active Directory Rights Management Services (AD RMS) deployment.
Your company establishes a partnership with another company named Fabrikam, Inc. The network of Fabrikam contains an Active Directory forest named fabrikam.com and an AD RMS deployment.
You need to ensure that the users in contoso.com can access rights protected documents sent by the users in fabrikam.com.
Solution: From AD RMS in fabrikam.com, you configure contoso.com as a trusted publisher domain.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
Contoso needs to trust Fabrikam.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You network contains an Active Directory forest named contoso.com. The forest contains an Active Directory Rights Management Services (AD RMS) deployment.
Your company establishes a partnership with another company named Fabrikam, Inc. The network of Fabrikam contains an Active Directory forest named fabrikam.com and an AD RMS deployment.
You need to ensure that the users in contoso.com can access rights protected documents sent by the users in fabrikam.com.
Solution: From AD RMS in contoso.com, you configure fabrikam.com as a trusted publisher domain.
Does this meet the goal?
- A . Yes
- B . No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You network contains an Active Directory forest named contoso.com. The forest contains an Active Directory Rights Management Services (AD RMS) deployment.
Your company establishes a partnership with another company named Fabrikam, Inc. The network of Fabrikam contains an Active Directory forest named fabrikam.com and an AD RMS deployment.
You need to ensure that the users in contoso.com can access rights protected documents sent by the users in fabrikam.com.
Solution: From AD RMS in contoso.com, you configure fabrikam.com as a trusted user domain.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
Contoso would need to be the Trusted User Domain.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. The forest contains a member server named Server1 that runs Windows Server 2016. All domain controllers run Windows Server 2012 R2.
Contoso.com has the following configuration.
PS C:> (Get-ADForest).ForestMode Windows2008R2Forest
PS C:> (Get-ADDomain).DomainMode
Windows2008R2Domain PS C:> You plan to deploy an Active Directory Federation Services (AD FS) farm on Server1 and to configure device registration. You need to configure Active Directory to support the planned deployment.
Solution: You run adprep.exe from the Windows Server 2016 installation media.
Does this meet the goal?
- A . Yes
- B . No
A
Explanation:
Device Registration requires Windows Server 2012 R2 forest schema.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. The forest contains a member server named Server1 that runs Windows Server 2016. All domain controllers run Windows Server 2012 R2.
Contoso.com has the following configuration.
PS C:> (Get-ADForest).ForestMode
Windows2008R2Forest PS C:> (Get-ADDomain).DomainMode Windows2008R2Domain PS C:>
You plan to deploy an Active Directory Federation Services (AD FS) farm on Server1 and to configure device registration. You need to configure Active Directory to support the planned deployment.
Solution: You upgrade a domain controller to Windows Server 2016.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
Device Registration requires Windows Server 2012 R2 forest schema.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. The forest contains a member server named Server1 that runs Windows Server 2016. All domain controllers run Windows Server 2012 R2.
Contoso.com has the following configuration.
PS C:> (Get-ADForest).ForestMode Windows2008R2Forest PS C:> (Get-ADDomain).DomainMode
Windows2008R2Domain PS C:> You plan to deploy an Active Directory Federation Services (AD FS) farm on Server1 and to configure device registration. You need to configure Active Directory to support the planned deployment.
Solution: You raise the domain functional level to Windows Server 2012 R2.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
Device Registration requires Windows Server 2012 R2 forest schema (not just domain schema).
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016. The computer account for Server1 is in organizational unit (OU) named OU1.
You create a Group Policy object (GPO) named GPO1 and link GPO1 to OU1.
You need to add a domain user named User1 to the local Administrators group on Server1.
Solution: From a domain controller, you run the Set-AdComputer cmdlet.
Does this meet the goal?
- A . Yes
- B . No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016. The computer account for Server1 is in organizational unit (OU) named OU1.
You create a Group Policy object (GPO) named GPO1 and link GPO1 to OU1. You need to add a domain user named User1 to the local Administrators group on Server1.
Solution: From the Computer Configuration node of GPO1, you configure the Local Users and
Groups preference.
Does this meet the goal?
- A . Yes
- B . No
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016. The computer account for Server1 is in organizational unit (OU) named OU1.
You create a Group Policy object (GPO) named GPO1 and link GPO1 to OU1.
You need to add a domain user named User1 to the local Administrators group on Server1.
Solution: From the Computer Configuration node of GPO1, you configure the Account Policies settings.
Does this meet the goal?
- A . Yes
- B . No
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named Server1.
You recently restored a backup of the Active Directory database from Server1 to an alternate Location.
The restore operation does not interrupt the Active Directory services on Server1.
You need to make the Active Directory data in the backup accessible by using Lightweight Directory Access Protocol (LDAP).
Which tool should you use?
- A . Dsadd quota
- B . Dsmod
- C . Active Directory Administrative Center
- D . Dsacls
- E . Dsamain
- F . Active Directory Users and Computers
- G . Ntdsutil
- H . Group Policy Management Console
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
You need to limit the number of Active Directory Domain Services (AD DS) objects that a user can create in the domain.
Which tool should you use?
- A . Dsadd quota
- B . Dsmod
- C . Active Directory Administrative Center
- D . Dsacls
- E . Dsamain
- F . Active Directory Users and Computers
- G . Ntdsutil
- H . Group Policy Management Console
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows Server 2012 R2.
You need to ensure that a domain administrator can recover a deleted Active Directory object quickly.
Which tool should you use?
- A . Dsadd quota
- B . Dsmod
- C . Active Directory Administrative Center
- D . Dsacls
- E . Dsamain
- F . Active Directory Users and Computers
- G . Ntdsutil
- H . Group Policy Management Console
You have users that access web applications by using HTTPS. The web applications are located on the servers in your perimeter network. The servers use certificates obtained from an enterprise root certification authority (CA). The certificates are generated by using a custom template named WebApps. The certificate revocation list (CRL) is published to Active Directory.
When users attempt to access the web applications from the Internet, the users report that they receive a revocation warning message in their web browser. The users do not receive the message when they access the web applications from the intranet.
You need to ensure that the warning message is not generated when the users attempt to access the web applications from the Internet.
What should you do?
- A . Install the Certificate Enrollment Web Service role service on a server in the perimeter network.
- B . Modify the WebApps certificate template, and then issue the certificates used by the web application servers.
- C . Install the Web Application Proxy role service on a server in the perimeter network. Create a publishing point for the CA.
- D . Modify the CRL distribution point, and then reissue the certificates used by the web application servers.
You network contains an Active Directory domain named contoso.com. The domain contains an enterprise certification authority (CA) named CA1.
You have a test environment that is isolated physically from the corporate network and the Internet.
You deploy a web server to the test environment. On CA1, you duplicate the Web Server template, and you name the template Web_Cert_Test.
For the web server, you need to request a certificate that does not contain the revocation information of CA1.
What should you do first?
- A . From the properties of CA1, allow certificates to be published to the file system.
- B . From the properties of CA1, select Restrict enrollment agents, and then add Web_Cert_Test to the restricted enrollment agent.
- C . From the properties of Web_Cert_Test, assign the Enroll permission to the guest account.
- D . From the properties of Web_Cert_Test, set the Compatibility setting of CA1 to Windows Server 2016.
Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The domain contains a server named Server1.
An administrator named Admin01 plans to configure Server1 as a standalone certification authority (CA).
You need to identify to which group Admin01 must be a member to configure Server1 as a standalone CA. The solution must use the principle of least privilege.
To which group should you add Admin01?
- A . Administrators on Server1.
- B . Domain Admins in contoso.com
- C . Cert Publishers on Server1
- D . Key Admins in contoso.com
Your network contains an Active Directory forest named contoso.com. The forest contains several domains.
An administrator named Admin01 installs Windows Server 2016 on a server named Server1 and then joins Server1 to the contoso.com domain.
Admin01 plans to configure Server1 as an enterprise root certification authority (CA).
You need to ensure that Admin01 can configure Server1 as an enterprise CA. The solution must use the principle of least privilege.
To which group should you add Admin01?
- A . Server Operators in the contoso.com domain
- B . Cert Publishers on Server1
- C . Enterprise Key Admins in the contoso.com domain
- D . Enterprise Admins in the contoso.com domain.
Your network contains an enterprise root certification authority (CA) named CA1. Multiple computers on the network successfully enroll for certificates that will expire in one year.
The certificates are based on a template named Secure_Computer. The template uses schema version 2. You need to ensure that new certificates based on Secure_Computer are valid for three years.
What should you do?
- A . Modify the Validity period for the certificate template.
- B . Instruct users to request certificates by running the certreq.exe command.
- C . Instruct users to request certificates by using the Certificates console.
- D . Modify the Validity period for the root CA certificate.
You deploy a new enterprise certification authority (CA) named CA1. You plan to issue certificates based on the User certificate template. You need to ensure that the issued certificates are valid for two years and support autoenrollment.
What should you do first?
- A . Run the certutil.exe command and specify the resubmit parameter.
- B . Duplicate the User certificate template.
- C . Add a new certificate template for CA1 to issue.
- D . Modify the Request Handling settings for the CA.
Your network contains an Active Directory forest named contoso.com. The forest contains three domains named contoso.com, corp.contoso.com, and ext.contoso.com. The forest contains three Active Directory sites named Site1, Site2, and Site3.
You have the three administrators as described in the following table.
You create a Group Policy object (GPO) named GPO1.
Which administrator or administrators can link GPO1 to Site2?
- A . Admin1 and Admin2 only
- B . Admin1, Admin2, and Admin3
- C . Admin3 only
- D . Admin1 and Admin3 only
D
Explanation:
References: https://technet.microsoft.com/en-us/library/cc732979(v=ws.11).aspx
Your network contains an Active Directory domain named contoso.com. The domain contains a Group Policy object (GPO) named GPO1.
You configure the Internet Settings preference in GPO1 as shown in the exhibit. (Click the Exhibit button.)
A user reports that the homepage of Internet Explorer is not set to http://www.contoso.com. You confirm that the other settings in GPO1 are applied. You need to configure GPO1 to set the Internet Explorer homepage.
What should you do?
- A . Edit the GPO1 preference and press F5.
- B . Modify Security Settings for GPO1.
- C . Modify WMI Filtering for GPO1.
- D . Modify the GPO1 preference to use item-level targeting.
A
Explanation:
The red dotted line under the homepage URL means that setting is disabled. Pressing F5 enables all settings.
You network contains an Active Directory domain named contoso.com. The domain contains 1,000 desktop computers and 500 laptops. An organizational unit (OU) named OU1 contains the computer accounts for the desktop computers and the laptops.
You create a Windows PowerShell script named Script1.ps1 that removes temporary files and cookies. You create a Group Policy object (GPO) named GPO1 and link GPO1 to OU1.
You need to run the script once weekly only on the laptops.
What should you do?
- A . In GPO1, create a File preference that uses item-level targeting.
- B . In GPO1, create a Scheduled Tasks preference that uses item-level targeting.
- C . In GPO1, configure the File System security policy. Attach a WMI filter to GPO1.
- D . In GPO1, add Script1.ps1 as a startup script. Attach a WMI filter to GPO1.
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named TestOU that contains test computers.
You need to enable a technician named Tech1 to create Group Policy objects (GPOs) and to link the GPOs to TestOU. The solution must use the principle of least privilege.
Which two actions should you perform? Each correct answer presents part of the solution.
- A . Add Tech1 to the Group Policy Creator Owners group.
- B . From Group Policy Management, modify the Delegation settings of the TestOU OU.
- C . Add Tech1 to the Protected Users group.
- D . From Group Policy Management, modify the Delegation settings of the contoso.com container.
- E . Create a new universal security group and add Tech1 to the group.
Your company recently deployed a new child domain to an Active Directory forest.
You discover that a user modified the Default Domain Policy to configure several Windows components in the child domain.
A company policy states that the Default Domain Policy must be used only to configure domain-wide security settings.
You create a new Group Policy object (GPO) and configure the settings for the Windows components in the new GPO.
You need to restore the Default Domain Policy to the default settings from when the domain was first installed.
What should you do?
- A . From Group Policy Management, click Starter GPOs, and then click Manage Backups.
- B . From a command prompt, run the dcgpofix.exe command.
- C . From Windows PowerShell, run the Copy-GPO cmdlet.
- D . Run ntdsutil.exe to perform a metadata cleanup and a semantic database analysis.
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named OU1 that contains the computer accounts of two servers and the user account of a user named User1. A Group Policy object (GPO) named GPO1 is linked to OU1.
You have an application named App1 that installs by using an application installer named App1.exe.
You need to publish App1 to OU1 by using Group Policy.
What should you do?
- A . Create a Config.zap file and add a file to the File System node to the Computer Configuration node of GPO1.
- B . Create a Config.xml file and add a software installation package to the User Configuration node of GPO1.
- C . Create a Config.zap file and add a software installation package to the User Configuration node of GPO1.
- D . Create a Config.xml file and add a software installation package to the Computer Configuration node of GPO1.
Your network contains an Active Directory domain named contoso.com.
You open Group Policy Management as shown in the exhibit. (Click the Exhibit button.)
You discover that some of the settings configured in the A1 Group Policy object (GPO) fail to apply to the users in the OU1 organizational unit (OU).
You need to ensure that all of the settings in A1 apply to the users in OU1.
What should you do?
- A . Enable loopback policy processing in A1.
- B . Block inheritance on OU1.
- C . Modify the policy processing order for OU1.
- D . Modify the GPO Status of A1.
Your network contains an Active Directory domain named contoso.com.
You have a Group Policy object (GPO) named GPO1. GPO1 is linked to an organizational unit (OU) named OU1. GPO1 contains several corporate desktop restrictions that apply to all computers. You plan to deploy a printer to the computers in OU1. You need to ensure that any user who signs in to a computer that runs Windows 10 in OU1
receives the new printer. All of the computers in OU1 must continue to apply the corporate desktop restrictions from GPO1.
What should you configure?
- A . a user preference and a WMI filter on GPO1.
- B . a computer preference that uses item-level targeting
- C . a computer preference and WMI filter on GPO1
- D . a user preference that uses item-level targeting
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is
independent of the other questions in this series.
Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains 5,000 user accounts.
You have a Group Policy object (GPO) named DomainPolicy that is linked to the domain and a GPO named DCPolicy that is linked to the Domain Controllers organizational unit (OU).
You need to use the application control policy settings to prevent several applications from running on the network.
What should you do?
- A . From the Computer Configuration node of DCPolicy, modify Security Settings.
- B . From the Computer Configuration node of DomainPolicy, modify Security Settings.
- C . From the Computer Configuration node of DomainPolicy, modify Administrative Templates.
- D . From the User Configuration node of DCPolicy, modify Security Settings.
- E . From the User Configuration node of DomainPolicy, modify Folder Redirection.
- F . From user Configuration node of DomainPolicy, modify Administrative Templates.
- G . From Preferences in the User Configuration node of DomainPolicy, modify Windows Settings.
- H . From Preferences in the Computer Configuration node of DomainPolicy, modify Windows Settings.
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series.
Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains 5,000 user accounts.
You have a Group Policy object (GPO) named DomainPolicy that is linked to the domain and a GPO named DCPolicy that is linked to the Domain Controllers organizational unit (OU).
You need to configure the Documents folder of every user to be stored on a server named FileServer1.
What should you do?
- A . From the Computer Configuration node of DCPolicy, modify Security Settings.
- B . From the Computer Configuration node of DomainPolicy, modify Security Settings.
- C . From the Computer Configuration node of DomainPolicy, modify Administrative Templates.
- D . From the User Configuration node of DCPolicy, modify Security Settings.
- E . From the User Configuration node of DomainPolicy, modify Folder Redirection.
- F . From user Configuration node of DomainPolicy, modify Administrative Templates.
- G . From Preferences in the User Configuration node of DomainPolicy, modify Windows Settings.
- H . From Preferences in the Computer Configuration node of DomainPolicy, modify Windows Settings.
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series.
Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains 5,000 user accounts.
You have a Group Policy object (GPO) named DomainPolicy that is linked to the domain and a GPO named DCPolicy that is linked to the Domain Controllers organizational unit (OU).
You need to force users to change their account password at least every 30 days.
What should you do?
- A . From the Computer Configuration node of DCPolicy, modify Security Settings.
- B . From the Computer Configuration node of DomainPolicy, modify Security Settings.
- C . From the Computer Configuration node of DomainPolicy, modify Administrative Templates.
- D . From the User Configuration node of DCPolicy, modify Security Settings.
- E . From the User Configuration node of DomainPolicy, modify Folder Redirection.
- F . From user Configuration node of DomainPolicy, modify Administrative Templates.
- G . From Preferences in the User Configuration node of DomainPolicy, modify Windows Settings.
- H . From Preferences in the Computer Configuration node of DomainPolicy, modify Windows Settings.
Note: This question is part of a series of questions that use the same scenario. For you convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
You work for a company named Contoso, Ltd.
The network contains an Active Directory forest named contoso.com. A forest trust exists between contoso.com and an Active Directory forest named adatum.com.
The contoso.com forest contains the objects configured as shown in the following table.
Group1 and Group2 contain only user accounts.
Contoso hires a new remote user named User3. User3 will work from home and will use a computer named Computer3 that runs Windows 10. Computer3 is currently in a workgroup. An administrator named Admin1 is a member of the Domain Admins group in the contoso.com domain.
From Active Directory Users and Computers, you create an organizational unit (OU) named OU1 in the contoso.com domain, and then you create a contact named Contact1 in OU1. An administrator of the adatum.com domain runs the Set-ADUser cmdlet to configure a user
named User1 to have a user logon name of User1@litwareinc.com. End of repeated scenario. You need to ensure that User2 can add Group4 as a member of Group5.
What should you modify?
- A . the group scope of Group5
- B . the Managed By settings of Group4
- C . the group scope of Group4
- D . the Managed By settings of Group5
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
You work for a company named Contoso, Ltd.
The network contains an Active Directory forest named contoso.com. A forest trust exists between contoso.com and an Active Directory forest named adatum.com.
The contoso.com forest contains the objects configured as shown in the following table.
Group1 and Group2 contain only user accounts.
Contoso hires a new remote user named User3. User3 will work from home and will use a computer named Computer3 that runs Windows 10. Computer3 is currently in a workgroup.
An administrator named Admin1 is a member of the Domain Admins group in the contoso.com domain.
From Active Directory Users and Computers, you create an organizational unit (OU) named OU1 in the contoso.com domain, and then you create a contact named Contact1 in OU1.
An administrator of the adatum.com domain runs the Set-ADUser cmdlet to configure a user named User1 to have a user logon name of User1@litwareinc.com. End or repeated scenario. You need to ensure that Admin1 can add Group2 as a member of Group3.
What should you modify?
- A . Modify the Security settings of Group3.
- B . Modify the group scope of Group3.
- C . Modify the group type of Group3.
- D . Set Admin1 as the manager of Group3.
HOTSPOT
Note: This question is part of a series of questions that use the same scenario. For you convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
You work for a company named Contoso, Ltd.
The network contains an Active Directory forest named contoso.com. A forest trust exists between contoso.com and an Active Directory forest named adatum.com.
The contoso.com forest contains the objects configured as shown in the following table.
Group1 and Group2 contain only user accounts.
Contoso hires a new remote user named User3. User3 will work from home and will use a computer named Computer3 that runs Windows 10. Computer3 is currently in a workgroup. An administrator named Admin1 is a member of the Domain Admins group in the contoso.com domain.
From Active Directory Users and Computers, you create an organizational unit (OU) named OU1 in the contoso.com domain, and then you create a contact named Contact1 in OU1. An administrator of the adatum.com domain runs the Set-ADUser cmdlet to configure a user named User1 to have a user logon name of User1@litwareinc.com. End or repeated scenario. You need to join Computer3 to the contoso.com domain by using offline domain join.
Which command should you use in the contoso.com domain and on Computer3? To answer, select the appropriate options in the answer area.
DRAG DROP
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your network contains an Active Directory domain named contoso.com. The domain contains a single site named Site1. All computers are in Site1.
The Group Policy objects (GPOs) for the domain are configured as shown in the exhibit. (Click the Exhibit button.)
The relevant users and client computer in the domain are configured as shown in the following table.
End of repeated scenario. You plan to enforce the GPO link for A6.
Which five GPOs will apply to User1 in sequence when the user signs in to Computer1 after the link is enforced? To answer, move the appropriate GPOs from the list of GPOs to the answer area and arrange them in the correct order.
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your network contains an Active Directory domain named contoso.com. The domain contains a single site named Site1. All computers are in Site1.
The Group Policy objects (GPOs) for the domain are configured as shown in the exhibit. (Click the Exhibit button.)
The relevant users and client computer in the domain are configured as shown in the following table.
End of repeated scenario.
You are evaluating what will occur when you block inheritance on OU4.
Which GPO or GPOs will apply to User1 when the user signs in to Computer1 after block inheritance is configured?
- A . A1, A5, and A6
- B . A3, A1, A5, and A7
- C . A3 and A7 only
- D . A7 only
DRAG DROP
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your network contains an Active Directory domain named contoso.com. The domain contains a single site named Site1. All computers are in Site1.
The Group Policy objects (GPOs) for the domain are configured as shown in the exhibit. (Click the Exhibit button.)
The relevant users and client computer in the domain are configured as shown in the following table.
End of repeated scenario.
Which five GPOs will apply to User1 in sequence when the user signs in to Computer1? To answer, move the appropriate GPOs from the list to the answer area and arrange them in the correct order.
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your network contains an Active Directory domain named contoso.com. The domain contains a single site named Site1. All computers are in Site1.
The Group Policy objects (GPOs) for the domain are configured as shown in the exhibit. (Click the Exhibit button.)
The relevant users and client computer in the domain are configured as shown in the following table.
End of repeated scenario.
You are evaluating what will occur when you disable the Group Policy link for A6.
Which GPOs will apply to User2 when the user signs in to Computer1 after the link for A6 is disabled?
- A . A1 and A5 only
- B . A3, A1, and A5 only
- C . A3, A1, A5, and A4 only
- D . A3, A1, A5, and A7
HOTSPOT
You have a server named Server1 that runs Windows Server 2016. Server1 has the Windows Application Proxy role service installed.
You need to publish Microsoft Exchange ActiveSync services by using the Publish New Application Wizard. The ActiveSync services must use preauthentication.
How should you configure Server1? To answer, select the appropriate options in the answer area.
Your network contains an Active Directory forest named contoso.com.
You have an Active Directory Federation Services (AD FS) farm. The farm contains a server named Server1 that runs Windows Server 2012 R2.
You add a server named Server2 to the farm. Server2 runs Windows Server 2016. You remove Server1 from the farm. You need to ensure that you can use role separation to manage the farm.
Which cmdlet should you run?
- A . Set-AdfsFarmInformation
- B . Update-AdfsRelyingPartyTrust
- C . Set-AdfsProperties
- D . Invoke-AdfsFarmBehaviorLevelRaise
D
Explanation:
AD FS for Windows Server 2016 introduces the ability to have separation between server administrators and AD FS service administrators.
After upgrading our ADFS servers to Windows Server 2016, the last step is to raise the Farm Behavior Level using the Invoke-AdfsFarmBehaviorLevelRaise PowerShell cmdlet.
To upgrade the farm behavior level from Windows Server 2012 R2 to Windows Server 2016 use the Invoke-ADFSFarmBehaviorLevelRaise cmdlet.
References: https://technet.microsoft.com/en-us/library/mt605334(v=ws.11).aspx
Your network contains an Active Directory forest named contoso.com. The forest contains a member server named Server1 that runs Windows Server 2016. Server1 is located in the perimeter network.
You install the Active Directory Federation Services server role on Server1. You create an Active Directory Federation Services (AD FS) farm by using a certificate that has a subject name of sts.contoso.com.
You need to enable certificate authentication from the Internet on Server1.
Which two inbound TCP ports should you open on the firewall? Each correct answer presents part of the solution.
- A . 389
- B . 443
- C . 3389
- D . 8531
- E . 49443
You have a server named Server1 that runs Windows Server 2016. You need to configure Server1 as a Web Application Proxy.
Which server role or role service should you install on Server1?
- A . Remote Access
- B . Active Directory Federation Services
- C . Web Server (IIS)
- D . DirectAccess and VPN (RAS)
- E . Network Policy and Access Services
DRAG DROP
You network contains an Active Directory forest. The forest contains an Active Directory Federation Services (AD FS) deployment.
The AD FS deployment contains the following:
– An AD FS server named server1.contoso.com that runs Windows Server 2016
– A Web Application Proxy used to publish AD FS
– A LIPN that uses the contoso.com suffix
– A namespace named adfs.contoso.com
You create a Microsoft Office 365 tenant named contoso.onmicrosoft.com. You use Microsoft Azure Active Directory Connect (AD Connect) to synchronize all of the users and the UPNs from the contoso.com forest to Office 365.
You need to configure federation between Office 365 and the on-premises deployment of Active Directory.
Which three commands should you run in sequence from Server1? To answer, move the appropriate commands from the list of commands to the answer area and arrange them in the correct order.
HOTSPOT
You have a server named Server1 that runs Windows Server 2016. Server1 has the Web Application Proxy role service installed.
You are publishing an application named App1 that will use Integrated Windows authentication as shown in the following graphic.
Use the drop-down menus to select the answer area choice that completes each statement based on the information presented in the graphic.
HOTSPOT
Your network contains an Active Directory forest. The forest contains one domain named contoso.com. The domain contains two domain controllers named DC1 and DC2. DC1 holds all of the operations master roles.
During normal network operations, you run the following commands on DC2: Move-ADDirectoryServerOperationMasterRole -Identity “DC2” -OperationMasterRole PDCEmulator Move- ADDirectoryServerOperationMasterRole CIdentity “DC2” -OperationMasterRole RIDMaster DC1 fails.
You remove DC1 from the network, and then you run the following command: Move-ADDirectoryServerOperationMasterRole CIdentity “DC2” -OperationMasterRole SchemaMaster
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Your network contains an Active Directory forest named contoso.com
Your company plans to hire 500 temporary employees for a project that will last 90 days.
You create a new user account for each employee. An organizational unit (OU) named Temp contains the user accounts for the employees.
You need to prevent the new users from accessing any of the resources in the domain after 90 days.
What should you do?
- A . Run the Get-ADUser cmdlet and pipe the output to the Set-ADUser cmdlet.
- B . Create a group that contains all of the users in the Temp OU. Create a Password Setting object (PSO) for the new group.
- C . Create a Group Policy object (GPO) and link the GPO to the Temp OU. Modify the Password Policy settings of the GPO.
- D . Run the GET-ADOrganizationalUnit cmdlet and pipe the output to the Set-Date cmdlet.
A
Explanation: References: https://docs.microsoft.com/en-us/powershell/module/addsadministration/setadaccountexpiration?view=win10-ps
Your network contains an Active Directory forest. The forest contains two domains named litwarenc.com and contoso.com. The contoso.com domain contains two domains controllers named LON-DC01 and LON-DC02. The domain controllers are located in a site named London that is associated to a subnet of 192.168.10.0/24
You discover that LON-DC02 is not a global catalog server.
You need to configure LON-DC02 as a global catalog server.
What should you do?
- A . From Active Directory Sites and Services, modify the properties of the 192.168.10.0/24 IP subnet.
- B . From Windows PowerShell, run the Set-NetNatGlobal cmdlet.
- C . From Active Directory Sites and Services, modify the NTDS Settings object of LON-DC02.
- D . From Windows PowerShell, run the Enable-ADOptionalFeature cmdlet.
Your network contains an Active Directory domain named contoso.com. The domain functional level is Windows Server 2012 R2.
You need to secure several high-privilege user accounts to meet the following requirements:
What should you do?
- A . Create a universal security group for the user accounts and modify the Security settings of the group.
- B . Add the users to the Windows Authorization Access Group group.
- C . Add the user to the Protected Users group.
- D . Create a separate organizational unit (OU) for the user accounts and modify the Security settings of the OU.
HOTSPOT
Your network contains an Active Directory domain named contoso.com.
Some user accounts in the domain have the P.O. Box attribute set.
You plan to remove the value of the P.O. Box attribute for all of the users by using Ldifde.
You have a user named User1 who is located in the Users container.
How should you configure the LDIF file to remove the value of the P.O. Box attribute for User1? To answer, select the appropriate options in the answer area.
DRAG DROP
Your company has multiple offices.
The network contains an Active Directory domain named contoso.com. An Active Directory site exists for each office. All of the sites connect to each other by using DEFAULTIPSITELINK. The company plans to open a new office. The new office will have a domain controller and 100 client computers.
You install Windows Server 2016 on a member server in the new office. The new server will become a domain controller. You need to deploy the domain controller to the new office. The solution must ensure that the client computers in the new office will authenticate by using the local domain controller.
Which three actions should you perform next in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Your network contains an Active Directory forest named contoso.com.
A partner company has a forest named fabrikam.com. Each forest contains one domain.
You need to provide access for a group named Research in fabrikam.com to resources in contoso.com. The solution must use the principle of least privilege.
What should you do?
- A . Create an external trust from fabrikam.com to contoso.com. Enable Active Directory split permissions in fabrikam.com.
- B . Create an external trust from contoso.com to fabrikam.com. Enable Active Directory split permissions in contoso.com.
- C . Create a one-way forest trust from contoso.com to fabrikam.com that uses selective authentication.
- D . Create a one-way forest trust from fabrikam.com to contoso.com that uses selective authentication.
HOTSPOT
Your network contains an Active Directory forest named contoso.com.
Your company has a custom application named ERP1. ERP1 uses an Active Directory Lightweight Directory Services (AD LDS) server named Server1 to authenticate users.
You have a member server named Server2 that runs Windows Server 2016. You install the Active Directory Federation Services (AD FS) server role on Server2 and create an AD FS farm.
You need to configure AD FS to authenticate users from the AD LDS server.
Which cmdlets should you run? To answer, select the appropriate options in the answer area.
Explanation:
To configure your AD FSfarm to authenticate users from an LDAP directory, you can complete the following steps:
Step 1: New-AdfsLdapServerConnection
First, configure a connection to your LDAP directory using the New-AdfsLdapServerConnection cmdlet:
$DirectoryCred = Get-Credential
$vendorDirectory = New-AdfsLdapServerConnection CHostName dirserver CPort 50000CSslMode None CAuthenticationMethod Basic CCredential $DirectoryCred
Step 2 (optional):
Next, you can perform the optional step of mapping LDAP attributes to the existing AD FS claims using the New-AdfsLdapAttributeToClaimMapping cmdlet.
Step 3: Add-AdfsLocalClaimsProviderTrust
Finally, you must register the LDAP store with AD FS as a local claims provider trust using the Add-AdfsLocalClaimsProviderTrust cmdlet:
Add-AdfsLocalClaimsProviderTrust CName “Vendors” CIdentifier “urn:vendors” CType L
References: https://technet.microsoft.com/en-us/library/dn823754(v=ws.11).aspx
HOTSPOT
You have a server named Server1 that runs Windows Server 2016. Server1 has the Web Application Proxy role service installed.
You need to publish Microsoft Exchange Server 2013 services through the Web Application Proxy. The solution must use preauthentication whenever possible.
How should you configure the preauthentication method for each service? To answer, select the appropriate options in the answer area.
Explanation:
Box 1: Pass-through
Box 2: Active Directory Federation Services (ADFS)
Box 3: Pass-through
The following table describes the Exchange services that you can publish through Web Application Proxy and the supported preauthentication for these services:
References: https://technet.microsoft.com/en-us/library/dn528827(v=ws.11).aspx
HOTSPOT
You have a server named Server1 that runs Windows Server 2016. Server1 has the Web
Application Proxy role service installed.
You publish an application named App1 by using the Web Application Proxy. You need to change the URL that users use to connect to App1 when they work remotely.
Which command should you run? To answer, select the appropriate options in the answer area.
Explanation:
The Set-WebApplicationProxyApplication cmdlet modifies settings of a web application published through Web Application Proxy. Specify the web application to modify by using its ID. Note that the method of preauthentication cannot be changed. The cmdlet ensures that no other applications are already configured to use any specified ExternalURL or BackendServerURL.
References: https://technet.microsoft.com/itpro/powershell/windows/wap/setwebapplicationproxyapplication
HOTSPOT
You have a server named Server1 that runs Windows Server 2016. Server1 has the Web Application Proxy role service installed.
You plan to deploy Remote Desktop Gateway (RD Gateway) services. Clients will connect to the RD Gateway services by using various types of devices including Windows, iOS and Android devices.
You need to publish the RD Gateway services through the Web Application Proxy.
Which command should you run? To answer, select the appropriate options in the answer area.
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains three servers named Server1, Server2, and Server3 that run Windows Server 2016.
Server1 has IP Address Management (IPAM) installed. Server2 and Server3 have the DHCP Server role installed and have several DHCP scopes configured. The IPAM server retrieves data from Server2 and Server3.
A domain user named User1 is a member of the groups shown in the following table.
On Server1, you create a security policy for User1. The policy grants the IPAM DHCP Scope Administrator Role with the Global access scope to the user.
Which actions can User1 perform? To answer, select the appropriate options in the answer area.
Explanation:
User1 is using Server Manager, not IPAM to perform the administration. Therefore, only the “DHCP Administrators” permission on Server2 and the “DHCP Users” permissions on Server3 are applied. The permissions granted through membership of the “IPAM DHCP Scope Administrator Role” are not applied when the user is not using the IPAM console.
DRAG DROP
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.
You install IP Address Management (IPAM) on Server1.
You need to manually start discovery of servers that IPAM can manage in contoso.com.
Which three cmdlets should you run in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.
Explanation:
Step 1: Invoke-IpamServerProvisioning
Choose a provisioning method
The Invoke-IpamGpoProvisioning cmdlet creates and links three group policies specified in the Domain parameter for provisioningrequired access settingson the server roles managed by the computer running the IP Address Management (IPAM) server.
Step 2: Add-IpamDiscoveryDomain
Configure the scope of discovery
The Add-IpamDiscoveryDomain cmdlet adds an Active Directory discovery domain for an IP AddressManagement (IPAM) server. A discovery domain is a domain that IPAM searches to find infrastructure servers. An IPAM server uses the list of discovery domains to determine what type of servers to add. By default, IPAM discovers all domain controllers, Dynamic Host Configuration Protocol (DHCP) servers, and Domain Name System (DNS) servers.
Step 3: Start-ScheduledTask
Start server discovery
To begin discovering servers on the network, click Start server discovery to launch the IPAM ServerDiscovery task or use the Start-ScheduledTask command.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has IP Address Management (IPAM) installed. IPAM is configured to use the Group Policy based provisioning method. The prefix for the IPAM Group Policy objects (GPOs) is IP.
From Group Policy Management, you manually rename the IPAM GPOs to have a prefix of IPAM.
You need to modify the GPO prefix used by IPAM.
What should you do?
- A . Click Configure server discovery in Server Manager.
- B . Run the Set-IpamConfiguration cmdlet.
- C . Run the Invoke-IpamGpoProvisioning cmdlet.
- D . Click Provision the IPAM server in Server Manager.
B
Explanation:
The Set-IpamConfiguration cmdlet modifies the configuration for the computer that runs the IPAM server. The -GpoPrefix<String> parameter specifies the unique Group Policy object (GPO) prefix name that IPAM uses to create the group policy objects. Use this parameter only when the value of the ProvisioningMethod parameter is set to Automatic.
References: https://technet.microsoft.com/en-us/library/jj590816.aspx
DRAG DROP
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2016.
Server1 has IP Address Management (IPAM) installed. Server2 has Microsoft System Center 2016 Virtual Machine Manager (VMM) installed.
You need to integrate IPAM and VMM.
Which types of objects should you create on each server? To answer, drag the appropriate object types to the correct servers. Each object type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Explanation:
Server 1 (IPAM): Access Policy
VMM must be granted permission to view and modify IP address space in IPAM, and to perform remote management of the IPAM server. VMM uses a “Run As” account to provide these permissions to the IPAM network service plugin. The “Run As” account must be configured with appropriate permission on the IPAM server.
To assign permissions to the VMM user account
In the IPAM server console, in the upper navigation pane, click ACCESS CONTROL, right-click Access Policies in the lower navigation pane, and then click Add AccessPolicy.
Etc.
Server 2 (VMM) #1: Network Service
Server 2 (VMM) #2: Run As Account
Perform the following procedure using the System Center VMM console.
To configure VMM (see step 1-3, step 6-7)
Etc.
References: https://technet.microsoft.com/en-us/library/dn783349(v=ws.11).aspx
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains four servers named Server1, Server2, Server3, and Server4 that run Windows Server 2016.
Server1 has IP Address Management (IPAM) installed. Server2, Server3, and Server 4 have the DHCP Server role installed. IPAM manages Server2, Server3, and Server4.
A domain user named User1 is a member of the groups shown in the following table.
Which actions can User1 perform? To answer, select the appropriate options in the answer area.
Explanation:
Box 1: Can be performed by User1
DHCP Administrators can create DHCP scopes.
Box 2: Cannot be performed by User1
DHCP Users cannot create scopes.
Box 3: Cannot be performed by User1
IPAM users cannot creates copes.
References: https://technet.microsoft.com/en-us/library/dn741281(v=ws.11).aspx#create_access_scope
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains a
server named Server1 that runs Windows Server 2016.
You install IP Address Management (IPAM) on Server1. You select the automatic provisioning method, and then you specify a prefix of IPAM1. You need to configure the environment for automatic IPAM provisioning.
Which cmdlet should you run? To answer, select the appropriate options in the answer area.
HOTSPOT
Your network contains an Active Directory domain named contoso.com. The domain contains two
servers named Server1 and Server2 that run Windows Server 2016.
Server1 has IP Address Management (IPAM) installed. Server2 has the DHCP Server role installed. The IPAM server retrieves data from Server2.
The domain has two users named User1 and User2 and a group named Group1. User1 is the only member of Group1.
Server1 has one IPAM access policy.
You edit the access policy as shown in the Policy exhibit. (Click the Exhibit button.)
The DHCP scopes are configured as shown in the Scopes exhibit. (Click the Exhibit button.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
