Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.
You need to identify which server is the PDC emulator for the domain.
Solution: From Active Directory Domains and Trusts, you right-click Active Directory Domains and Trusts in the console tree, and then select Operations
Master.
Does this meet the goal?
Answer:
B
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.
You need to identify which server is the PDC emulator for the domain.
Solution: From a command prompt, you run netdom.exe query fsmo.
Does this meet the goal?
Answer:
A
Reference:
https://activedirectorypro.com/how-to-check-fsmo-roles/
You have an on premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant.
You plan to implement self-service password reset (SSPR) in Azure AD.
You need to ensure that users that reset their passwords by using SSPR can use the new password resources in the AD DS domain.
What should you do?
Answer:
B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback
You have an Azure Active Directory Domain Services (Azure AD DS) domain named contoso.com.
You need to provide an administrator with the ability to manage Group Policy Objects (GPOs). The solution must use the principle of least privilege.
To which group should you add the administrator?
Answer:
B
Only the Domain Admins group and the Enterprise Admins group can fully manage GPOs. Members of the Group Policy Creator Owners group can create new
GPOs but they can't link the GPOs to sites, the domain or OUs and they cannot manage existing GPOs.
You have an on premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. The domain contains two servers named Server1 and Server2.
A user named Admin1 is a member of the local Administrators group on Server1 and Server2.
You plan to manage Server1 and Server2 by using Azure Arc. Azure Arc objects will be added to a resource group named RG1.
You need to ensure that Admin1 can configure Server1 and Server2 to be managed by using Azure Arc.
What should you do first?
Answer:
B
Reference:
https://docs.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal
HOTSPOT -
Your network contains two Active Directory Domain Services (AD DS) forests named contoso.com and fabrikam.com. A two-way forest trust exists between the forests. Each forest contains a single domain.
The domains contain the servers shown in the following table.
You need to configure resource based constrained delegation so that the users in contoso.com can use Windows Admin Center on Server1 to connect to Server2.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Reference:
https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview https://docs.microsoft.com/en-us/powershell/module/activedirectory/set-adcomputer?view=windowsserver2022-ps
HOTSPOT -
You have a server named Server1 that runs Windows Server and has the Hyper-V server role installed.
You need to limit which Hyper-V module cmdlets helpdesk users can use when administering Server1 remotely.
You configure Just Enough Administration (JEA) and successfully build the role capabilities and session configuration files.
How should you complete the PowerShell command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Reference:
https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/register-jea?view=powershell-7.2
You have an Azure virtual machine named VM1 that runs Windows Server.
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You need to ensure that you can use the Azure Policy guest configuration feature to manage VM1.
What should you do?
Answer:
C
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/guest-configuration
HOTSPOT -
You have an Azure subscription named sub1 and 500 on-premises virtual machines that run Windows Server.
You plan to onboard the on-premises virtual machines to Azure Arc by running the Azure Arc deployment script.
You need to create an identity that will be used by the script to authenticate access to sub1. The solution must use the principle of least privilege.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal
You have an Azure virtual machine named VM1 that has a private IP address only.
You configure the Windows Admin Center extension on VM1.
You have an on-premises computer that runs Windows 11. You use the computer for server management.
You need to ensure that you can use Windows Admin Center from the Azure portal to manage VM1.
What should you configure?
Answer:
B
Reference:
https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-vm
