NEW QUESTION 1
Your network contains an Active Directory domain named contoso.com.
You plan to deploy a new Active Directory Rights Management Services (AD RMS) cluster on a server named Server1.
You need to create the AD RMS service account. The solution must use the principle of least privilege What should you do?

• A. Create a domain user account and add the account to the Account Operators group in the domain.
• B. Create a local user account on Server1 and add the account to the Administrators group on Server1.
• C. Create a domain user account and add the account to the Domain Users group in the domain.
• D. Create a domain user account and add the account to the Administrators group on Server1.

Answer: C

NEW QUESTION 2
Your network contains an Active Directory domain named contoso.com. The domain contains an enterprise certification authority (CA) named CA1.
You duplicate the Computer certificate template, and you name the template Cont_Computers.
You need to ensure that all of the certificates issued based on Cont_Computers have a key size of 4,096 bits. What should you do?

• A. From the properties of CA1, modify the Security settings.
• B. From the properties of CA1, modify the Request Handling settings.
• C. From the properties of the Computer template, modify the Key Attestation settings.
• D. From the properties of Cont_Computers, modify the Cryptography settings.

Answer: C

NEW QUESTION 3
Your company has a marketing department and a security department.
The network contains an Active Directory domain named contoso.com. The domain contains an enterprise certification authority (CA).
You have two organizational units (OUs) named MKT_UsersOU and MKT_ComputersOU. MKT_UsersOU contains the user accounts for the users in the marketing department. MKT_ComputersOU contains the computer accounts for the computers in the marketing department.
A Group policy object (GPO) named GPO1 is linked to MKT_UsersOU. A GPO named GPO2 linked to MKT_ComputersOU.
You plan to deploy a web application for the marketing department users. The application will require certificates for authentication.
The security department configures the CA to support the planned deployment.
You need to ensure that the web application can authenticate the marketing department users. What should you do?

• A. From the User Configuration node of GPO1, create an Internet Setting preference.
• B. From the User Configuration node of GPO1, configure the Certificate Services Client - Auto enrollment settings.
• C. From the Computer Configuration node of GPO2, configure the Certificate Services Client - Certificate Enrollment Policy settings.
• D. From the Computer Configuration node of GPO2, create the Automatic Certificate Request Settings.

Answer: A

NEW QUESTION 4
Your network contains an Active Directory domain named contoso.com.
The user account for a user named User1 is in an organizational unit (OU) named OU1. You need to enable User1 to sign in as user1@adatum.com.
Solution: From Active Directory Domains and Trusts, you configure an alternative UPN suffix, From Active Directory Administrative Center, you configure the User UPN logon property of User1.
Does this meet the goal?

• A. Yes
• B. No

Answer: A

NEW QUESTION 5
Your network contains an Active Directory forest named contoso.com. They connect to the forest by using ldp.exe and receive the output as shown in the following exhibit.

Use drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 6
Your network contains an Active Directory forest. The forest contains two domains named litwareinc.com and contoso.com. The contoso.com domain contains two domain controllers named LON-DC01 and LON-DC02. The domain controllers are located in a site named London that is associated to a subnet of 192.168.10.0/24.
You discover that LON-DC02 is not a global catalog server. You need to configure LON-DC02 as a global catalog server.
What should you do?

• A. From Active Directory Sites and Services, modify the NTDS Settings object of the London site.
• B. From Windows Power Shell, run the Enable-ADOptionalFeature cmdlet.
• C. From the properties of the LON-DC02 computer account in Active Directory Users and Computers modify the NTDS settings.
• D. From the properties of the LON-DC02 computer account in Active Directory Users and Computers, modify the City attribute.

Answer: C

NEW QUESTION 7
Your network contains an Active Directory forest named contoso.com. The forest contains 10 domains. The root domain contains a global catalog server named DC1.
You remove the global catalog server role from DC1.
You need to decrease the size of the Active Directory database on DC1.
Solution:You restart DC1 in Directory Services Repair Mode. You run compact.exe, and then restart DC1. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
You need to run ntdsutil.exe with the ‘compact to’ option. References:
https://theitbros.com/active-directory-database-compact-defrag/

NEW QUESTION 8
Your network contains an Active Directory domain. All client computers run Windows 10.
A client computer named Computer1 was in storage for five months and was unused during that time. You attempt to sign in to the domain from Computer1 and receive an error message.
You need to ensure that you can sign in to the domain from Computer1. What should you do?

• A. Unjoin Computer1 from the domain, and then join the computer to the domain.
• B. From Active Directory Administrative Center, reset the computer account of Computer1.
• C. From Active Directory Administrative Center, disable Computer1, and then enable the computer account of Computer1.
• D. From Active Directory Users and Computers, run the Delegation of Control Wizard.

Answer: B

NEW QUESTION 9
Your network contains an Active Directory forest named contoso.com. The forest contains an Active Directory Federation Services (AD FS) farm.
You install Windows Server 2021 on a server named Server2.
You need to configure Server2 as a node in the federation server farm.
Which cmdlets should you run? To answer, select the appropriate options in the answer area.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 10
Your network contains an Active Directory domain named contoso.com. All the accounts of the users in the sales department are in an organizational unit (OU) named SalesOU.
An application named App1 is deployed to the user accounts in SalesOU by using a Group Policy object (GPO) named Sales GPO.
You need to set the registry value of HKEY_CURRENT_USERSoftwareApp1Collaboration to 0. Solution: You add a computer preference that has a Create action.
Does this meet the goal?

• A. Yes
• B. NO

Answer: B

NEW QUESTION 11
You deploy a new certification authority (CA) to a server that runs Windows Server 2021. You need to configure the CA to support recovery of certificates.
What should you do first?

• A. Modify the extensions of the OCSP Response Signing template
• B. Modify the Recovery Agents settings from the properties of the CA.
• C. Assign the Request Certificates permission to the user account that will be responsible for recovering certificates.
• D. Configure the Key Recovery Agent template as a certificate template to issue.

Answer: A

NEW QUESTION 12
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series.
Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains 5,000 user accounts.
You have a Group Policy object (GPO) named DomainPolicy that is linked to the domain and a GPO named DCPolicy that is linked to the Domain Controllers organizational unit (OU).
You need to configure the Documents folder of every user to be stored on a server named FileServer1. What should you do?

• A. From the Computer Configuration node of DCPolicy, modify Security Settings.
• B. From the Computer Configuration node of DomainPolicy, modify Security Settings.
• C. From the Computer Configuration node of DomainPolicy, modify Administrative Templates.
• D. From the User Configuration node of DCPolicy, modify Security Settings.
• E. From the User Configuration node of DomainPolicy, modify Folder Redirection.
• F. From user Configuration node of DomainPolicy, modify Administrative Templates.
• G. From Preferences in the User Configuration node of DomainPolicy, modify Windows Settings.
• H. From Preferences in the Computer Configuration node of DomainPolicy, modify Windows Settings.

Answer: E

NEW QUESTION 13
Your network contains an Active Directory domain named contoso.com. The domain contains four servers named Server1, Server2, Server3, and Server4 that run Windows Server 2021.
Server1 has IP Address Management (IPAM) installed. Server2, Server3, and Server 4 have the DHCP Server role installed. IPAM manages Server2, Server3, and Server4.
A domain user named User1 is a member of the groups shown in the following table.

Which actions can User1 perform? To answer, select the appropriate options in the answer area.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:
Box 1: Can be performed by User1
DHCP Administrators can create DHCP scopes. Box 2: Cannot be performed by User1
DHCP Users cannot create scopes. Box 3: Cannot be performed by User1 IPAM users cannot creates copes.
References: https://technet.microsoft.com/en-us/library/dn741281(v=ws.11).aspx#create_access_scope

NEW QUESTION 14
A technician named Tech1 is assigned the task of joining the laptops to the domain. The computer accounts of each laptop must be in an organizational unit (OU) that is associated to the department of the user who will use that laptop. The laptop names must start with four characters indicating the department followed by a four-digit number
Tech1 is a member of the Domain Users group only. Tech1 has the administrator logon credentials for all the laptops.
You need Tech1 to join the laptops to the domain. The solution must ensure that the laptops are named correctly, and that the computer accounts of the laptops are in the correct OUs.
Solution: You instruct Tech1 to sign in to each laptop, to rename each laptop by using System in Control Panel, and then to join each laptop to the domain by using the Netdom join command.
Does this meet the goal?

• A. Yes
• B. No

Answer: A

NEW QUESTION 15
Your company has two offices. The offices are located in Montreal and Seattle. The network contains an Active Directory forest named contoso.com.
The forest contains three domain controllers configured as shown in the following table.

The company physically relocates Server2 from the Montreal office the Seattle office.
You discover that both Server1 and Server2 authenticate users who sign in to the client computers in the Montreal office. Only Server3 authentications users who sign in to the computers in the Seattle office.
You need to ensure that Server2 authenticates the users in the Seattle office during normal network operations. What should you do?

• A. From Windows Power Shell, run the Move-AD Directory Server cmdlet.
• B. From Active Directory Users and Computers, modify the Location property of Server2.
• C. From Windows PowerShell, run the Set-ADReplicationSite cmdlet.
• D. From Network Connections on Server2, modify the Internet Protocol Version 4 (TCP/IPv4) configuration.

Answer: C

NEW QUESTION 16
Your network contains an Active Directory domain named contoso.com. The domain contains five domain controllers.
You have a branch office that has a local support technician named Tech1. Tech1 installs Windows Server 2021 on a server named RODC1 in a workgroup.
You need Tech1 to deploy RODC1 as a read-only domain controller (RODC) in the contoso.com domain.
Which three actions should you perform? Each correct answer presents part of the solution.

• A. Instruct Tech1 to run the Active Directory Domain Services Configuration Wizard.
• B. Create an RODC computer account by using Active Administrative Center.
• C. Instruct Tech1 to run dcpromo.exe on RODC1.
• D. Instruct Tech1 to install the Active Directory Domain Services server role on RODC1.
• E. Modify the permissions of the Domain Controllers organizational unit (OU).

Answer: ACD

NEW QUESTION 17
Your network contains an Active Directory domain named contoso.com. All the accounts of the users in the sales department are in an organizational unit (OU) named SalesOU.
An application named App1 is deployed to the user accounts in SalesOU by using a Group Policy object (GPO) named Sales GPO.
You need to set the registry value of HKEY_CURRENT_USERSoftwareApp1Collaboration to 0. Solution: You add a computer preference that has a Replace action.
Does this meet the goal?

• A. Yes
• B. NO

Answer: A

NEW QUESTION 18
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021.
On Server1, you create a local user named User1. User1 is a member of the local Administrators group. Server1 has the following local Group Policies: K
• Local Computer Policy
• Local ComputerUser1Policy
• Local ComputerAdministrators Policy
You need to force User1 to change his password every 14 days.
Solution: You configure the Password Policy settings in a Group Policy object (GPO) that is linked to the Domain Controllers organizational unit (OU).

• A. Yes
• B. No

Answer: B

NEW QUESTION 19
Your network contains an Active Directory domain. The domain contains an Active Directory Rights Management Services (AD RMS) cluster and a certification authority (CA).
You need to ensure that all the documents that are protected by using AD RMS can be decrypted if the account used to encrypt the documents is deleted.
What should you do?

• A. Back up the AD RMS-protected files by using Windows Server Backup.
• B. Configure key archival on the CA.
• C. Manually configure the AD RMS cluster key password.
• D. Configure super users in the AD RMS deployment.

Answer: D

Explanation:
https://social.technet.microsoft.com/wiki/contents/articles/9111.disaster-recovery-guide-for-active-directory-righ

NEW QUESTION 20
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy a new Active Directory forest.
You need to ensure that you can create a group Managed Service Account (gMSA) for multiple member servers.
Solution: From Windows PowerShell on a domain controller, you run the Set-KdsConfiguration cmdlet. Does this meet the goal?

• A. Yes
• B. No

Answer: B

NEW QUESTION 21
Your network contains an Active Directory domain named contoso.com. The domain contains a read-only domain controller (RODC) named R0DC1.
You need to retrieve a list of accounts that have their password cached on RODC1. Which command should you run?

• A. netdom.exe
• B. ntdsutil.exe
• C. repadmin.exe
• D. dcdiag.exe

Answer: C

Explanation:
https://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy(v=

NEW QUESTION 22
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You network contains an Active Directory forest named contoso.com. The forest contains an Active Directory Rights Management Services (AD RMS) deployment.
Your company establishes a partnership with another company named Fabrikam, Inc. The network of Fabrikam contains an Active Directory forest named fabrikam.com and an AD RMS deployment.
You need to ensure that the users in contoso.com can access rights protected documents sent by the users in fabrikam.com.
Solution: From AD RMS in contoso.com, you configure fabrikam.com as a trusted user domain. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
Contoso would need to be the Trusted User Domain.

NEW QUESTION 23
Your network contains an Active Directory domain.
Users do not have administrative privileges to their client computer You modify a computer setting in a Group Policy object (GPO).
You need to ensure that the setting is applied to five client computers as soon as possible. What should you do?

• A. From a domain controller, run the gpudate.exe command and specify the Force parameter.
• B. From each client computer, run the gpresult.exe command and specify the /r parameter.
• C. From each client computer, run the Get-Gpo cmdlet and specify the -alt parameter.
• D. From a domain controller, run the Invoke-GPUpdate cmdlet.

Answer: D

Explanation:
https://technet.microsoft.com/en-us/library/hh852337(v=ws.11).aspx

NEW QUESTION 24
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series.
Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains 5,000 user accounts.
You have a Group Policy object (GPO) named DomainPolicy that is linked to the domain and a GPO named DCPolicy that is linked to the Domain Controllers organizational unit (OU).
You need to use the application control policy settings to prevent several applications from running on the network.
What should you do?

• A. From the Computer Configuration node of DCPolicy, modify Security Settings.
• B. From the Computer Configuration node of DomainPolicy, modify Security Settings.
• C. From the Computer Configuration node of DomainPolicy, modify Administrative Templates.
• D. From the User Configuration node of DCPolicy, modify Security Settings.
• E. From the User Configuration node of DomainPolicy, modify Folder Redirection.
• F. From user Configuration node of DomainPolicy, modify Administrative Templates.
• G. From Preferences in the User Configuration node of DomainPolicy, modify Windows Settings.
• H. From Preferences in the Computer Configuration node of DomainPolicy, modify Windows Settings.

Answer: B

NEW QUESTION 25
Your network contains an Active Directory named contoso.com
You have three top-level organizational units (OUs) named OU1, OU2 and OU3. OU1 contains user accounts. OU2 contains the computer accounts for shared public computers. 0U3 contains the computer accounts for laptops.
You have two Group Policy objects (GPOs) named GPO1 and GP02. GPO1 is linked to OU1. GP02 is linked to OU2.
You need to prevent the user settings in GPO1 from being applied when a user signs in to a shared public computer. If a user signs in to a laptop, the user settings in GPO1 must be applied.
What should you configure?

• A. inheritance blocking
• B. Security Filtering
• C. loopback processing
• D. GPO link enforcement

Answer: C

NEW QUESTION 26
You have an enterprise certification authority (CA) named ContosoCA. Recovery agents are configured for ContosoCA.
You duplicate the User certificate template and name it Cont_User. You plan to issue the certificates based on Cont_User to provide users with the ability to encrypt email messages and files.
You need to ensure that the recovery agents can access any user-encrypted files and email messages if the users lose their certificate.
What should you do?

• A. Issue a certificate based on a key recovery agent certificate.
• B. Modify the Recovery Agents settings for ContosoCA.
• C. Modify the Request Handling settings for Cont_User.
• D. On ContosoCA, configure the Key Recovery Agent template as a certificate template to issue.

Answer: C

NEW QUESTION 27
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your network contains an Active Directory domain named contoso.com. The domain contains a single site named Site1. All computers are in Site1.
The Group Policy objects (GPOs) for the domain are configured as shown in the exhibit. (Click the Exhibit button.)

The relevant users and client computer in the domain are configured as shown in the following table.

End of repeated scenario.
You plan to enforce the GPO link for A6.
Which five GPOs will apply to User1 in sequence when the user signs in to Computer1 after the link is enforced? To answer, move the appropriate GPOs from the list of GPOs to the answer area and arrange them in the correct order.

• A. Mastered
• B. Not Mastered

Answer: A

Explanation:

NEW QUESTION 28
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You network contains an Active Directory forest named contoso.com. The forest contains an Active Directory Rights Management Services (AD RMS) deployment.
Your company establishes a partnership with another company named Fabrikam, Inc. The network of Fabrikam contains an Active Directory forest named fabrikam.com and an AD RMS deployment.
You need to ensure that the users in contoso.com can access rights protected documents sent by the users in fabrikam.com.
Solution: From AD RMS in fabrikam.com, you configure contoso.com as a trusted publisher domain. Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation:
Contoso needs to trust Fabrikam.

NEW QUESTION 29
......