Your network contains an Active Directory domain named contoso.com. The domain contains five servers. All
servers run Windows Server 2016.
A new security policy states that you must modify the infrastructure to meet the following requirements:
-Limit the rights of administrators.
-Minimize the attack surface of the forest
-Support Multi-Factor authentication for administrators.
You need to recommend a solution that meets the new security policy requirements. What should you
recommend deploying?

A.
the Local Administrator Password Solution (LAPS)

B.
an administrative domain in contoso.com

C.
domain isolation

D.
an administrative forest

Explanation:
You have to “-Minimize the attack surface of the forest”, then you must create another forest for administrators.
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privilegedaccess-reference-material#ESAE_BM
This section contains an approach for an administrative forest based on the Enhanced Security Administrative
Environment (ESAE) reference architecture deployed
by Microsoft’s cybersecurity professional services teams to protect customers against cybersecurity attacks.
Dedicated administrative forests allow organizations to host administrative accounts, workstations, and groups
in an environment that has stronger security controls
than the production environment.