You have 10 domain controllers in a domain.

You need to prevent several members of domain admin groups from logging on the domain controller.

Which two objects should

you create and configure?

A. GPO to the domain

B. authentication policy

C. authentication policy silo

D. a central access policy

E. a user certificate

References:

New features in Active Directory Domain Services in Windows Server 2012 R2, Part 3: Authentication Policies and Authentication Policy Silos