NEW QUESTION 1
You network contains an Active Directory forest. The forest contains an Active Directory Federation Services (AD FS) deployment.
The AD FS deployment contains the following:
* An AD FS server named server1.contoso.com that runs Windows Server 2021
* A Web Application Proxy used to publish AD FS
* A LIPN that uses the contoso.com suffix
* A namespace named adfs.contoso.com
You create a Microsoft Office 365 tenant named contoso.onmicrosoft.com. You use Microsoft Azure Active Directory Connect (AD Connect) to synchronize all of the users and the UPNs from the contoso.com forest to Office 365.
You need to configure federation between Office 365 and the on-premises deployment of Active Directory. Which three commands should you run in sequence from Server1? To answer, move the appropriate
commands from the list of commands to the answer area and arrange them in the correct order.

Answer:

Explanation:

NEW QUESTION 2
Your company implements Active Directory Federation Services (AD FS).
You confirm that the company meets all the prerequisites for using Microsoft Azure Multi-Factor Authentication (MFA) and AD FS.
You need to ensure that you can select MFA as the primary authentication method for AD FS.
Which three actions should you perform in sequence? To answer move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

NEW QUESTION 3
Your network contains an Active Directory domain named contoso.com.
The user account for a user named User1 is in an organizational unit (OU) named OU1. You need to enable User1 to sign in as user1@adatum.com.
Solution: From Active Directory Users and Computers, you set the E-mail property of User1 to user1@adatum.com.
Does this meet the goal?

• A. Yes
• B. No

Answer: B

NEW QUESTION 4
You deploy a new certification authority (CA) to a server that runs Windows Server 2021. You need to configure the CA to support recovery of certificates.
What should you do first?

• A. Modify the Recovery Agents settings from the properties of the CA.
• B. Assign the Request Certificates permission to the user account that will be responsible for recovering certificates.
• C. Configure the Key Recovery Agent template as a certificate template to issue.
• D. Modify the extensions of the OCSP Response Signing template.

Answer: C

Explanation: References:
http://markgossa.blogspot.co.uk/2021/03/enable-key-archival-in-server-2012-r2.html

NEW QUESTION 5
You have a server named Server1 in a workgroup.
You need to configure a Group Policy setting on Server1 that will apply to only non-administrative users. What should you do?

• A. Open Local Group Policy Edito
• B. From the File menu, modify the Options settings.
• C. Run mmc.exe Add the Group Policy Object Editor snap-in and change the Group Policy object (GPO).
• D. Open Local Group Policy Edito
• E. From the View menu, modify the Customize settings.
• F. Open Local Users and Groups, Create a new group Run New-GPO.

Answer: A

NEW QUESTION 6
Your network contains an Active Directory domain. The domain contains an Active Directory Rights Management Services (AD RMS) cluster and a certification authority (CA).
You need to ensure that all the documents that are protected by using AD RMS can be decrypted if the account used to encrypt the documents is deleted.
What should you do?

• A. Back up the AD RMS-protected files by using Windows Server Backup.
• B. Configure key archival on the CA.
• C. Manually configure the AD RMS cluster key password.
• D. Configure super users in the AD RMS deployment.

Answer: D

Explanation: https://social.technet.microsoft.com/wiki/contents/articles/9111.disaster-recovery-guide-for-active-directory-righ

NEW QUESTION 7
Your network contains an Active Directory domain named contoso.com.
The user account for a user named User1 is in an organizational unit (OU) named OU1. You need to enable User1 to sign in as user1@adatum.com.
Solution: From Active Directory Domains and Trusts, you configure an alternative UPN suffix, From Active Directory Administrative Center, you configure the User UPN logon property of User1.
Does this meet the goal?

• A. Yes
• B. No

Answer: A

NEW QUESTION 8
Your network contains an Active Directory domain named contoso.com. The domain contains a domain controller named DC1.
You create and link a Group Policy object (GPO) named SalesAppGPO to an organizational unit (OU) named SalesOU. All the computer accounts are in the Computers container. All the user accounts of the users in the sales department are in SalesOU.
You have a line-of-business application named SalesApp that is installed by using a Windows Installer package.
You need to make SalesApp available to only the sales department users.
Which three actions should you perform in sequence? To answer move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

NEW QUESTION 9
Your network contains an Active Directory forest named contoso.com. The forest contains an Active Directory Federation Services (AD FS) farm.
You install Windows Server 2021 on a server named Server2.
You need to configure Server2 as a node in the federation server farm.
Which cmdlets should you run? To answer, select the appropriate options in the answer area.

Answer:

Explanation:

NEW QUESTION 10
Your network contains an Active Directory forest named contoso.com.
A partner company has a forest named fabrikam.com. Each forest contains one domain.
You need to provide access for a group named Research in fabrikam.com to resources in contoso.com. The solution must use the principle of least privilege.
What should you do?

• A. Create an external trust from fabrikam.com to contoso.co
• B. Enable Active Directory split permissions in fabrikam.com.
• C. Create an external trust from contoso.com to fabrikam.co
• D. Enable Active Directory split permissions in contoso.com.
• E. Create a one-way forest trust from contoso.com to fabrikam.com that uses selective authentication.
• F. Create a one-way forest trust from fabrikam.com to contoso.com that uses selective authentication.

Answer: C

NEW QUESTION 11
Your network contains an Active Directory named contoso.com
You have three top-level organizational units (OUs) named OU1, OU2 and OU3. OU1 contains user accounts. OU2 contains the computer accounts for shared public computers. 0U3 contains the computer accounts for laptops.
You have two Group Policy objects (GPOs) named GPO1 and GP02. GPO1 is linked to OU1. GP02 is linked to OU2.
You need to prevent the user settings in GPO1 from being applied when a user signs in to a shared public computer. If a user signs in to a laptop, the user settings in GPO1 must be applied.
What should you configure?

• A. inheritance blocking
• B. Security Filtering
• C. loopback processing
• D. GPO link enforcement

Answer: C

NEW QUESTION 12
Your network contains an Active Directory domain named contoso.com.
You have an organizational unit (OU) named OU1 that contains the computer accounts of two servers and the user account of a user named User1. A Group Policy object (GPO) named GPO1 is linked to OU1.
You have an application named App1 that installs by using an application installer named App1.exe. You need to publish App1 to OU1 by using Group Policy.
What should you do?

• A. Create a Config.zap file and add a file to the File System node to the Computer Configuration node of GPO1.
• B. Create a Config.xml file and add a software installation package to the User Configuration node of GPO1.
• C. Create a Config.zap file and add a software installation package to the User Configuration node of GPO1.
• D. Create a Config.xml file and add a software installation package to the Computer Configuration node of GPO1.

Answer: C

NEW QUESTION 13
Your network contains an Active Directory forest named contoso.com.
Your company has a custom application named ERP1. ERP1 uses an Active Directory Lightweight Directory Services (AD LDS) server named Server1 to authenticate users.
You have a member server named Server2 that runs Windows Server 2021. You install the Active Directory Federation Services (AD FS) server role on Server2 and create an AD FS farm.
You need to configure AD FS to authenticate users from the AD LDS server.
Which cmdlets should you run? To answer, select the appropriate options in the answer area.

Answer:

Explanation: To configure your AD FSfarm to authenticate users from an LDAP directory, you can complete the following steps:
Step 1: New-AdfsLdapServerConnection
First, configure a connection to your LDAP directory using the New-AdfsLdapServerConnection cmdlet:
$DirectoryCred = Get-Credential
$vendorDirectory = New-AdfsLdapServerConnection –HostName dirserver –Port 50000–SslMode None
–AuthenticationMethod Basic –Credential $DirectoryCred
Step 2 (optional):
Next, you can perform the optional step of mapping LDAP attributes to the existing AD FS claims using the New-AdfsLdapAttributeToClaimMapping cmdlet.
Step 3: Add-AdfsLocalClaimsProviderTrust
Finally, you must register the LDAP store with AD FS as a local claims provider trust using the Add-AdfsLocalClaimsProviderTrust cmdlet:
Add-AdfsLocalClaimsProviderTrust –Name “Vendors” –Identifier “urn:vendors” –Type L References: https://technet.microsoft.com/en-us/library/dn823754(v=ws.11).aspx

NEW QUESTION 14
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Web1 that runs Windows Server 2021.
You need to list all the SSL certificates on Web1 that will expire during the next 60 days. Solution: You run the following command.

Does this meet the goal?

• A. Yes
• B. No

Answer: B

NEW QUESTION 15
You have a server named Server1 in a workgroup.
You need to configure a Group Policy setting on Server1 that will apply to only non-administrative users. What should you do?

• A. Run mnc.ex
• B. Add the Group Policy Object Editor snap-in and change the Group Policy object (GPO)
• C. Open Local Group Policy Edito
• D. From the File menu, modify the Options settings.
• E. Open Local Users and Group
• F. Create a new group Run New.GPO.
• G. Open Local Group Policy Edito
• H. From the View menu, modify the Customize settings.

Answer: A

NEW QUESTION 16
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your network contains an Active Directory domain named contoso.com. The domain contains a single site named Site1. All computers are in Site1.
The Group Policy objects (GPOs) for the domain are configured as shown in the exhibit. (Click the Exhibit button.)

The relevant users and client computer in the domain are configured as shown in the following table.

End of repeated scenario.
You are evaluating what will occur when you disable the Group Policy link for A6.
Which GPOs will apply to User2 when the user signs in to Computer1 after the link for A6 is disabled?

• A. A1 and A5 only
• B. A3, A1, and A5 only
• C. A3, A1, A5, and A4 only
• D. A3, A1, A5, and A7

Answer: D

NEW QUESTION 17
Your network contains an Active Directory domain named contoso.com.
You need to view a list of all the domain user accounts that are enabled. But whose users have not signed in during the last 30 days.
Which command should you run? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

Explanation:

NEW QUESTION 18
A technician named Tech1 is assigned the task of joining the laptops to the domain. The computer accounts of each laptop must be in an organizational unit (OU) that is associated to the department of the user who will use that laptop. The laptop names must start with four characters indicating the department followed by a
four-digit number
Tech1 is a member of the Domain Users group only. Tech1 has the administrator logon credentials for all the laptops.
You need Tech1 to join the laptops to the domain. The solution must ensure that the laptops are named correctly, and that the computer accounts of the laptops are in the correct OUs.
Solution: You pre-create the computer account of each laptop in Active Directory users and computers. You instruct Tech1 to sign in to each laptop, and then to run djoin.exe.
Does this meet the goal?

• A. Yes
• B. No

Answer: B