NEW QUESTION 1
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your network contains an Active Directory domain named contoso.com. The domain contains a single site named Site1. All computers are in Site1.
The Group Policy objects (GPOs) for the domain are configured as shown in the exhibit. (Click the Exhibit button.)

The relevant users and client computer in the domain are configured as shown in the following table.

End of repeated scenario.
You are evaluating what will occur when you remove the Authenticated Users group from the Security Filtering settings of A5.
Which GPO or GPOs will apply to User1 when the user signs in to Computer1 after Security Filtering is configured?

• A. A1 and A7 only
• B. A3 and A1 only.
• C. A3, A1, A6 and A7
• D. A7 only

Answer: A

NEW QUESTION 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. The forest contains a member server named Server1 that runs Windows Server 2021. All domain controllers run Windows Server 2012 R2.
Contoso.com has the following configuration. PS C:> (Get-ADForest).ForestMode Windows2008R2Forest
PS C:> (Get-ADDomain).DomainMode Windows2008R2Domain
PS C:>
You plan to deploy an Active Directory Federation Services (AD FS) farm on Server1 and to configure device registration.
You need to configure Active Directory to support the planned deployment. Solution: You run adprep.exe from the Windows Server 2021 installation media. Does this meet the goal?

• A. Yes
• B. No

Answer: A

Explanation: Device Registration requires Windows Server 2012 R2 forest schema.

NEW QUESTION 3
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your network contains an Active Directory domain named contoso.com. The domain contains a single site named Site1. All computers are in Site1.
The Group Policy objects (GPOs) for the domain are configured as shown in the exhibit. (Click the Exhibit button.)

The relevant users and client computer in the domain are configured as shown in the following table.

End of repeated scenario.
You are evaluating what will occur when you disable the Group Policy link for A6.
Which GPOs will apply to User2 when the user signs in to Computer1 after the link for A6 is disabled?

• A. A1 and A5 only
• B. A3, A1, and A5 only
• C. A3, A1, A5, and A4 only
• D. A3, A1, A5, and A7

Answer: C

NEW QUESTION 4
Your network contains an Active Directory domain named contoso.com.
You plan to deploy a new Active Directory Rights Management Services (AD RMS) cluster on a server named Server1.
You need to create the AD RMS service account. The solution must use the principle of least privilege. What should you do?

• A. Create a domain user account and add the account to the Administrators group on Server1.
• B. Create a local user account on Server1 and add the account to the Administrators group on Server1.
• C. Create a domain user account and add the account to the Domain Users group in the domain
• D. Create a domain user account and add the account to the Account Operators group in the domain.

Answer: A

NEW QUESTION 5
Your network contains an Active Directory forest named contoso.com
Your company plans to hire 500 temporary employees for a project that will last 90 days.
You create a new user account for each employee. An organizational unit (OU) named Temp contains the user accounts for the employees.
You need to prevent the new users from accessing any of the resources in the domain after 90 days. What should you do?

• A. Run the Get-ADUser cmdlet and pipe the output to the Set-ADUser cmdlet.
• B. Create a group that contains all of the users in the Temp O
• C. Create a Password Setting object (PSO) for the new group.
• D. Create a Group Policy object (GPO) and link the GPO to the Temp O
• E. Modify the Password Policy settings of the GPO.
• F. Run the GET-ADOrganizationalUnit cmdlet and pipe the output to the Set-Date cmdlet.

Answer: A

NEW QUESTION 6
Note: This question is part of a series of questions that use the same or similar answer choices. An answer
choice may be correct for more than one question in the series. Each question is independent of the other questions in this series.
Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains 5,000 user accounts.
You have a Group Policy object (GPO) named DomainPolicy that is linked to the domain and a GPO named DCPolicy that is linked to the Domain Controllers organizational unit (OU).
You need to ensure that all of the client computers on the network automatically download and install Windows updates.
What should you do?

• A. From the Computer Configuration node of DCPolicy, modify Security Settings.
• B. From the Computer Configuration node of DomainPolicy, modify Security Settings.
• C. From the Computer Configuration node of DomainPolicy, modify Administrative Templates.
• D. From the User Configuration node of DCPolicy, modify Security Settings.
• E. From the User Configuration node of DomainPolicy, modify Folder Redirection.
• F. From user Configuration node of DomainPolicy, modify Administrative Templates.
• G. From Preferences in the User Configuration node of DomainPolicy, modify Windows Settings.
• H. From Preferences in the Computer Configuration node of DomainPolicy, modify Windows Settings.

Answer: F

NEW QUESTION 7
You deploy a new enterprise certification authority (CA) named CA1. You plan to issue certificates based on the User certificate template.
You need to ensure that the issued certificates are valid for two years and support autoenrollment. What should you do first?

• A. Run the certutil.exe command and specify the resubmit parameter.
• B. Duplicate the User certificate template.
• C. Add a new certificate template for CA1 to issue.
• D. Modify the Request Handling settings for the CA.

Answer: B

NEW QUESTION 8
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com.
You need to limit the number of Active Directory Domain Services (AD DS) objects that a user can create in the domain.
Which tool should you use?

• A. Dsadd quota
• B. Dsmod
• C. Active Directory Administrative Center
• D. Dsacls
• E. Dsamain
• F. Active Directory Users and Computers
• G. Ntdsutil
• H. Group Policy Management Console

Answer: A

NEW QUESTION 9
You have an Active Directory Rights Management Services (AD RMS) server named RMS1. Multiple documents are protected by using RMS1.
RMS1 fails and cannot be recovered.
You install the AD RMS server role on a new server named RMS2. You restore the AD RMS database from RMS1 to RMS2.
Users report that they fail to open the protected documents and to protect new documents. You need to ensure that the users can access the protected content.
What should you do?

• A. From Active Directory Rights Management, update the Service Connection Point (SCP) for RMS1.
• B. From DNS, create an alias (CNAME) record for RMS2.
• C. From DNS, modify the service location (SRV) record for RMS1.
• D. From RMS2, register a service principal name (SPN) in Active Directory.

Answer: D

NEW QUESTION 10
You have a server named Server1 in a workgroup.
You need to configure a Group Policy setting on Server1 that will apply to only non-administrative users. What should you do?

• A. Open Local Group Policy Edito
• B. From the File menu, modify the Options settings.
• C. Run mmc.exe Add the Group Policy Object Editor snap-in and change the Group Policy object (GPO).
• D. Open Local Group Policy Edito
• E. From the View menu, modify the Customize settings.
• F. Open Local Users and Groups, Create a new group Run New-GPO.

Answer: A

NEW QUESTION 11
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named OU1 that contains the computer accounts of two servers and the user account of a user named User1. A Group Policy object (GPO) named GPO1 is linked to OU1.
You have an application named App1 that installs by using an application installer named App1.exe. You need to publish App1 to OU1 by using Group Policy.
What should you do?

• A. Create a Config.zap file and add a file to the File System node to the Computer Configuration node of GPO1.
• B. Create a Config.xml file and add a software installation package to the User Configuration node of GPO1.
• C. Create a Config.zap file and add a software installation package to the User Configuration node of GPO1.
• D. Create a Config.xml file and add a software installation package to the Computer Configuration node of GPO1.

Answer: C

NEW QUESTION 12
Your network contains an Active Directory domain named contoso.com. The domain contains two servers named Server1 and Server2 that run Windows Server 2021.
Server1 has Microsoft System Center 2021 Virtual Machine Manager (VMM) installed. Server2 has IP Address Management (IPAM) installed.
You create a domain user named User1.
You need to integrate IPAM and VMM. VMM must use the account of User1 to manage IPAM. The solution must use the principle of least privilege.
What should you do on each server? To answer, select the appropriate options in the answer area.

Answer:

Explanation: References:
https://technet.microsoft.com/en-us/library/dn783349(v=ws.11).aspx

NEW QUESTION 13
Your network contains an Active Directory forest named contoso.com. The forest contains a member server named Server1 that runs Windows Server 2021. Server1 is located in the perimeter network.
You install the Active Directory Federation Services server role on Server1. You create an Active Directory Federation Services (AD FS) farm by using a certificate that has a subject name of sts.contoso.com.
You need to enable certificate authentication from the Internet on Server1.
Which two inbound TCP ports should you open on the firewall? Each correct answer presents part of the solution.

• A. 389
• B. 443
• C. 3389
• D. 8531
• E. 49443

Answer: BE

NEW QUESTION 14
Your network contains an Active Directory domain. All client computers run Windows 10.
A client computer named Computer1 was in storage for five months and was unused during that time. You attempt to sign in to the domain from Computer1 and receive an error message.
You need to ensure that you can sign in to the domain from Computer1. What should you do?

• A. Unjoin Computer1 from the domain, and then join the computer to the domain.
• B. From Active Directory Administrative Center, reset the computer account of Computer1.
• C. From Active Directory Administrative Center, disable Computer1, and then enable the computer account of Computer1.
• D. From Active Directory Users and Computers, run the Delegation of Control Wizard.

Answer: B

NEW QUESTION 15
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You deploy a new Active Directory forest.
You need to ensure that you can create a group Managed Service Account (gMSA) for multiple member servers.
Solution: From Windows PowerShell on a domain controller, you run the Set-KdsConfiguration cmdlet. Does this meet the goal?

• A. Yes
• B. No

Answer: B

NEW QUESTION 16
Your network contains an Active Directory forest named contoso.com.
Your company has a custom application named ERP1. ERP1 uses an Active Directory Lightweight Directory Services (AD LDS) server named Server1 to authenticate users.
You have a member server named Server2 that runs Windows Server 2021. You install the Active Directory Federation Services (AD FS) server role on Server2 and create an AD FS farm.
You need to configure AD FS to authenticate users from the AD LDS server.
Which cmdlets should you run? To answer, select the appropriate options in the answer area.

Answer:

Explanation: To configure your AD FSfarm to authenticate users from an LDAP directory, you can complete the following steps:
Step 1: New-AdfsLdapServerConnection
First, configure a connection to your LDAP directory using the New-AdfsLdapServerConnection cmdlet:
$DirectoryCred = Get-Credential
$vendorDirectory = New-AdfsLdapServerConnection –HostName dirserver –Port 50000–SslMode None
–AuthenticationMethod Basic –Credential $DirectoryCred
Step 2 (optional):
Next, you can perform the optional step of mapping LDAP attributes to the existing AD FS claims using the New-AdfsLdapAttributeToClaimMapping cmdlet.
Step 3: Add-AdfsLocalClaimsProviderTrust
Finally, you must register the LDAP store with AD FS as a local claims provider trust using the Add-AdfsLocalClaimsProviderTrust cmdlet:
Add-AdfsLocalClaimsProviderTrust –Name “Vendors” –Identifier “urn:vendors” –Type L References: https://technet.microsoft.com/en-us/library/dn823754(v=ws.11).aspx