NEW QUESTION 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. The forest contains a member server named Server1 that runs Windows Server 2021. All domain controllers run Windows Server 2012 R2.
Contoso.com has the following configuration. PS C:> (Get-ADForest).ForestMode Windows2008R2Forest
PS C:> (Get-ADDomain).DomainMode
Windows2008R2Domain PS C:>
You plan to deploy an Active Directory Federation Services (AD FS) farm on Server1 and to configure device registration.
You need to configure Active Directory to support the planned deployment. Solution: You upgrade a domain controller to Windows Server 2021.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: Device Registration requires Windows Server 2012 R2 forest schema.

NEW QUESTION 2
Your network contains two network domains sales.fabrikam.com, and contoso.com, You recently added a site named Europe.
The forest contains four users who are members of the groups shown in the following table.

You need to create a Group Policy object (GPO) named GP01 and to link GPO1 to the Europe site. Which users can perform each task? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point

Answer:

Explanation:

NEW QUESTION 3
Your network contains a signle-domin Active Directory forest named contoso.com. The forest functional level is Windows Server 2021. The forest has Dynamic Access Control enabled.
The domin contains two domain controllers named DC1 and DC2. Privileged user accounts used to manage Active Directory reside in a group named ContosoAD_Admins.
You create an authentication policy named Policy1 and an authentication policy silo named Silo1.
You need to ensure that the accounts in the ContosoAD-Admins group can sign in to the domain controllers only.
Which three configurations should you perform? Each correction answer presents part of the solution.

• A. Create an access control condition in Policy1.
• B. Create a managed service account and add the account to Permitted Accounts in Silo1.
• C. Add the domain controllers to the ContosoAD_Admins group.
• D. Add the privileged user accounts and the domain controllers to Permitted Accounts in Silo1.
• E. Assign Silo1 to the privileged user accounts and the domain controllers.

Answer: ADE

NEW QUESTION 4
You network contains an Active Directory domain named contoso.com. The domain contains an enterprise certification authority (CA).
A user named Admin1 is a member of the Domain Admins group.
You need to ensure that you can archive keys on the CA. The solution must use Admin1 as a key recovery agent.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

NEW QUESTION 5
Your company has two offices. The offices are located in Montreal and Seattle. The network contains an Active Directory forest named contoso.com.
The forest contains three domain controllers configured as shown in the following table.

The company physically relocates Server2 from the Montreal office the Seattle office.
You discover that both Server1 and Server2 authenticate users who sign in to the client computers in the Montreal office. Only Server3 authentications users who sign in to the computers in the Seattle office.
You need to ensure that Server2 authenticates the users in the Seattle office during normal network operations. What should you do?

• A. From Windows Power Shell, run the Move-AD Directory Server cmdlet.
• B. From Active Directory Users and Computers, modify the Location property of Server2.
• C. From Windows PowerShell, run the Set-ADReplicationSite cmdlet.
• D. From Network Connections on Server2, modify the Internet Protocol Version 4 (TCP/IPv4) configuration.

Answer: C

NEW QUESTION 6
Your network contains an Active Directory domain named contoso.com.
You need to view a list of all the domain user accounts that are enabled. But whose users have not signed in during the last 30 days.
Which command should you run? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

Explanation:

NEW QUESTION 7
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. A user named User1 is in an organizational unit (OU) named OU1.
You are troubleshooting a folder access issue for User1.
You need a list of groups to which User1 is either a direct member or ab indirect member. Solution: You run Get-ADGroup –Identity User1 –Property MemberOf.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

Explanation: The Get-ADGroup cmdlet does not include the MemberOf property. The command above is, therefore, not valid.
References:
https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-adgroup?view=win10-ps

NEW QUESTION 8
Your network contains an Active Directory domain named contoso.com. The domain contains a member
server named Server1 that runs Windows Server 2021.
Server1 has IP Address Management (IPAM) installed. IPAM uses a Windows Internal Database. You install Microsoft SQL Server on Server1.
You plan to move the IPAM database to SQL Server.
You need to create a SQL Server login for the IPAM service account.
For which user should you create the login? To answer, select the appropriate options in the answer area.

Answer:

Explanation: References:
https://blogs.technet.microsoft.com/yagmurs/2014/07/31/moving-ipam-database-from-windows-internal-databas

NEW QUESTION 9
Your network contains an Active Directory domain named contoso.com. The domain contains three servers named Server1, Server2, and Server3 that run Windows Server 2021.
Server1 has IP Address Management (IPAM) installed. Server2 and Server3 have the DHCP Server role installed and have several DHCP scopes configured. The IPAM server retrieves data from Server2 and Server3.
A domain user named User1 is a member of the groups shown in the following table.

On Server1, you create a security policy for User1. The policy grants the IPAM DHCP Scope Administrator Role with the Global access scope to the user.
Which actions can User1 perform? To answer, select the appropriate options in the answer area.

Answer:

Explanation: User1 is using Server Manager, not IPAM to perform the administration. Therefore, only the “DHCP Administrators” permission on Server2 and the “DHCP Users” permissions on Server3 are applied.
The permissions granted through membership of the “IPAM DHCP Scope Administrator Role” are not applied when the user is not using the IPAM console.

NEW QUESTION 10
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory domain named contoso.com. The domain contains two domain controllers named DC1 and DC2.
DC1 holds the RID master operations role. DC1 fails and cannot be repaired. You need to move the RID role to DC2.
Solution: On DC2, you open the command prompt, run dsmgmt.exe, connect to DC2, and use the Seize RID master opinion.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

NEW QUESTION 11
Your company has multiple branch offices.
The network contains an Active Directory domain named contoso.com.
In one of the branch offices, a new technician is hired to add computers to the domain.
After successfully joining multiple computers to the domain, the technician fails to join any more computers to the domain.
You need to ensure that the technician can join an unlimited number of computers to the domain. What should you do?

• A. Run the Delegation of Control Wizard on the Computers container.
• B. Run the redircmp.exe command.
• C. Modify the Security settings of the technician’s user account.
• D. Add the technician to the Windows Authorization Access group.

Answer: A

NEW QUESTION 12
Your network contains an Active Directory forest. The forest contains one domain named contoso.com. The domain contains two domain controllers named DC1 and DC2. DC1 holds all of the operations master roles.
During normal network operations, you run the following commands on DC2:
Move-ADDirectoryServerOperationMasterRole -Identity “DC2” -OperationMasterRole PDCEmulator Move- ADDirectoryServerOperationMasterRole –Identity “DC2” -OperationMasterRole RIDMaster DC1 fails.
You remove DC1 from the network, and then you run the following command:
Move-ADDirectoryServerOperationMasterRole –Identity “DC2” -OperationMasterRole SchemaMaster For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Answer:

Explanation:

NEW QUESTION 13
Your network contains a single-domain Active Directory forest named contoso.com. The forest functional level is Windows Server 2021. The Active Directory Recycle Bin feature is enabled.
You need to design a procedure to restore the values of user object attributes if the values are changed accidentally.
Which cmdlets should you include in the procedure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

NEW QUESTION 14
You network contains an Active Directory domain named contoso.com. The domain contains an enterprise certification authority (CA) named CA1.
You have a test environment that is isolated physically from the corporate network and the Internet.
You deploy a web server to the test environment. On CA1, you duplicate the Web Server template, and you name the template Web_Cert_Test.
For the web server, you need to request a certificate that does not contain the revocation information of CA1. What should you do first?

• A. From the properties of CA1, allow certificates to be published to the file system.
• B. From the properties of CA1, select Restrict enrollment agents, and then add Web_Cert_Test to the restricted enrollment agent.
• C. From the properties of Web_Cert_Test, assign the Enroll permission to the guest account.
• D. From the properties of Web_Cert_Test, set the Compatibility setting of CA1 to Windows Server 2021.

Answer: D

NEW QUESTION 15
Your network contains an Active Directory domain named contoso.com.
You open Group Policy Management as shown in the exhibit. (Click the Exhibit button.)

You discover that some of the settings configured in the A1 Group Policy object (GPO) fail to apply to the users in the OU1 organizational unit (OU).
You need to ensure that all of the settings in A1 apply to the users in OU1. What should you do?

• A. Enable loopback policy processing in A1.
• B. Block inheritance on OU1.
• C. Modify the policy processing order for OU1.
• D. Modify the GPO Status of A1.

Answer: C

NEW QUESTION 16
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series.
Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains 5,000 user accounts.
You have a Group Policy object (GPO) named DomainPolicy that is linked to the domain and a GPO named DCPolicy that is linked to the Domain Controllers organizational unit (OU).
You need to configure the Documents folder of every user to be stored on a server named FileServer1. What should you do?

• A. From the Computer Configuration node of DCPolicy, modify Security Settings.
• B. From the Computer Configuration node of DomainPolicy, modify Security Settings.
• C. From the Computer Configuration node of DomainPolicy, modify Administrative Templates.
• D. From the User Configuration node of DCPolicy, modify Security Settings.
• E. From the User Configuration node of DomainPolicy, modify Folder Redirection.
• F. From user Configuration node of DomainPolicy, modify Administrative Templates.
• G. From Preferences in the User Configuration node of DomainPolicy, modify Windows Settings.
• H. From Preferences in the Computer Configuration node of DomainPolicy, modify Windows Settings.

Answer: E