PrepAway - Latest Free Exam Questions & Answers

Category: 70-742 (v.1)

Briefing 70-742: Identity with Windows Server 2016 (update September 30th, 2017)

Which two inbound TCP ports should you open on the firewall?

Your network contains an Active Directory forest named contoso.com. The forest contains a
member server named Server1 that runs Windows Server 2016. Server1 is located in the perimeter
network. You install the Active Directory Federation Services server role on Server1. You create
an Active Directory Federation Services (AD FS) farm by using a certificate that has a subject name
of sts.contoso.com. You need to enable certificate authentication from the Internet on Server1.
Which two inbound TCP ports should you open on the firewall? Each correct answer presents part
of the solution.

You need to prevent the new users from accessing any of…

Your network contains an Active Directory forest named contoso.com. Your company plans to hire
500 temporary employees for a project that will last 90 days. You create a new user account for
each employee. An organizational unit (OU) named Temp contains the user accounts for the
employees. You need to prevent the new users from accessing any of the resources in the domain
after 90 days. What should you do?

You need to provide access for a group named Research i…

Your network contains an Active Directory forest named contoso.com. A partner company has a
forest named fabrikam.com. Each forest contains one domain. You need to provide access for a
group named Research in fabrikam.com to resources in contoso.com. The solution must use the
principle of least privilege. What should you do?

What should you modify?

Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario.
You work for a company named Contoso, Ltd. The network contains an Active Directory forest
named contoso.com. A forest trust exists between contoso.com and an Active Directory forest
named adatum.com. The contoso.com forest contains the objects configured as shown in the
following table:

Group1 and Group2 contain only user accounts. Contoso hires a new remote user named User3.
User3 will work from home and will use a computer named Computer3 that runs Windows 10.
Computer3 is currently in a workgroup. An administrator named Admin1 is a member of the Domain
Admins group in the contoso.com domain. From Active Directory Users and Computers, you create
an organizational unit (OU) named OU1 in the contoso.com domain, and then you create a contact
named Contact1 in OU1. An administrator of the adatum.com domain runs the Set-ADUser cmdlet
to configure a user named User1 to have a user logon name of User1@litwareinc.com.
End of repeated scenario.
You need to ensure that Admin1 can add Group2 as a member of Group3. What should you modify?

You need to use the application control policy settings…

Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains 5,000
user accounts. You have a Group Policy object (GPO) named DomainPolicy that is linked to the
domain and a GPO named DCPolicy that is linked to the Domain Controllers organizational unit
(OU). You need to use the application control policy settings to prevent several applications from
running on the network. What should you do?

Which administrator or administrators can link GPO1 to …

Your network contains an Active Directory forest named contoso.com. The forest contains three
domains named contoso.com, corp.contoso.com, and ext.contoso.com. The forest contains three
Active Directory sites named Site1, Site2, and Site3. You have the three administrators as
described in the following table:

You create a Group Policy object (GPO) named GPO1. Which administrator or administrators can
link GPO1 to Site2?

You need to ensure that new certificates based on Secur…

Your network contains an enterprise root certification authority (CA) named CA1. Multiple
computers on the network successfully enroll for certificates that will expire in one year. The
certificates are based on a template named Secure_Computer. The template uses schema version
2. You need to ensure that new certificates based on Secure_Computer are valid for three years.
What should you do?

What should you modify?

Note: This question is part of a series of questions that use the same scenario. For your
convenience, the scenario is repeated in each question. Each question presents a different
goal and answer choices, but the text of the scenario is exactly the same in each question
in this series.
Start of repeated scenario.
You work for a company named Contoso, Ltd. The network contains an Active Directory forest
named contoso.com. A forest trust exists between contoso.com and an Active Directory forest
named adatum.com. The contoso.com forest contains the objects configured as shown in the
following table:

Group1 and Group2 contain only user accounts. Contoso hires a new remote user named User3.
User3 will work from home and will use a computer named Computer3 that runs Windows 10.
Computer3 is currently in a workgroup. An administrator named Admin1 is a member of the Domain
Admins group in the contoso.com domain. From Active Directory Users and Computers, you create
an organizational unit (OU) named OU1 in the contoso.com domain, and then you create a contact
named Contact1 in OU1. An administrator of the adatum.com domain runs the Set-ADUser cmdlet
to configure a user named User1 to have a user logon name of User1@litwareinc.com.
End of repeated scenario.
You need to ensure that User2 can add Group4 as a member of Group5. What should you modify?

Does this meet the goal?

Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution. After you answer a question in this section, you will NOT be able to return
to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory forest named contoso.com. The forest contains an Active
Directory Rights Management Services (AD RMS) deployment. Your company establishes a
partnership with another company named Fabrikam, Inc. The network of Fabrikam contains an
Active Directory forest named fabrikam.com and an AD RMS deployment. You need to ensure that
the users in contoso.com can access rights-protected documents sent by the users in fabrikam.com.
Solution: From AD RMS in fabrikam.com, you configure contoso.com as a trusted publisher domain.
Does this meet the goal?

You need to force users to change their account passwor…

Note: This question is part of a series of questions that use the same or similar answer
choices. An answer choice may be correct for more than one question in the series. Each
question is independent of the other questions in this series. Information and details
provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains 5,000
user accounts. You have a Group Policy object (GPO) named DomainPolicy that is linked to the
domain and a GPO named DCPolicy that is linked to the Domain Controllers organizational unit
(OU). You need to force users to change their account password at least every 30 days. What
should you do?

