Your network contains an Active Directory forest named contoso.com. The forest contains the root domain and two child domains named childl.contoso.com and child2.contoso.com. Child1 contains three domain controllers named DC1, DC2, and DC3. Child2 contains one domain controller named
You have two accounts named Child1\Admin1 and Child2\Admin2 that you use to perform administrative tasks. Currently, the accounts can manage only the member servers in their respective domain.
You plan to demote DC3 and to remove the Child2 domain.
You need to ensure that Admin1 can demote DC3 and that Admtn2 can demote DC4. The solution must use the principle of least privilege.
To which groups should you add Admin1 and Admin2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Solution:
Admin1: Contoso\Domain Admins Admin2: Child2\Server Operators
Does this meet the goal?
Correct Answer:
A
Your network contains an Active Directory domain. The domain contains an Active Directory Rights Management Services (AD RMS) cluster and a certification authority (CA).
You need to ensure that all the documents that are protected by using AD RMS can be decrypted if the account used to encrypt the documents is deleted.
What should you do?
Correct Answer:
D
https://social.technet.microsoft.com/wiki/contents/articles/9111.disaster-recovery-guide-for-active-directory-righ
Your network contains an Active Directory domain named contoso.com. The domain contains four servers named Server1, Server2, Server3, and Server4 that run Windows Server 2016.
Server1 has IP Address Management (IPAM) installed. Server2, Server3, and Server 4 have the DHCP Server role installed. IPAM manages Server2, Server3, and Server4.
A domain user named User1 is a member of the groups shown in the following table.
< ><>>< >
Solution:
Box 1: Can be performed by User1
DHCP Administrators can create DHCP scopes. Box 2: Cannot be performed by User1
DHCP Users cannot create scopes. Box 3: Cannot be performed by User1 IPAM users cannot creates copes.
References: https://technet.microsoft.com/en-us/library/dn741281(v=ws.11).aspx#create_access_scope
Does this meet the goal?
Correct Answer:
A
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named TestOU that contains test computers.
You need to enable a technician named Tech1 to create Group Policy objects (GPOs) and to link the GPOs to TestOU. The solution must use the principle of least privilege.
Which two actions should you perform? Each correct answer presents part of the solution.
Correct Answer:
AB
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2016.
Server1 has IP Address Management (IPAM) installed. IPAM is configured to use the Group Policy based provisioning method. The prefix for the IPAM Group Policy objects (GPOs) is IP.
From Group Policy Management, you manually rename the IPAM GPOs to have a prefix of IPAM. You need to modify the GPO prefix used by IPAM.
What should you do?
Correct Answer:
B
The Set-IpamConfiguration cmdlet modifies the configuration for the computer that runs the IPAM server. The -GpoPrefix<String> parameter specifies the unique Group Policy object (GPO) prefix name that IPAM
uses to create the group policy objects. Use this parameter only when the value of the ProvisioningMethod parameter is set to Automatic.
References: https://technet.microsoft.com/en-us/library/jj590816.aspx
