You have an Active Directory Rights Management Services (AD RMS) server named RMS1.
Multiple documents are protected by using RMS1.
RMS1 fails and cannot be recovered.
You install the AD RMS server role on a new server named RMS2.
You restore the AD RMS database from RMS1 to RMS2.
Users report that they fail to open the protected documents and to protect new documents.
You need to ensure that the users can access the protected content.
What should you do?

Note: This question is part of a series of questions that use the same scenario. For you convenience,
the scenario is repeated in each question. Each question presents a different goal and answer choices,
but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
You work for a company named Contoso, Ltd.
The network contains an Active Directory forest named contoso.com. A forest trust exists between
contoso.com and an Active Directory forest named adatum.com.
The contoso.com forest contains the objects configured as shown in the following table.

Group1 and Group2 contain only user accounts.
Contoso hires a new remote user named User3. User3 will work from home and will use a computer named
Computer3 that runs Windows 10. Computer3 is currently in a workgroup.
An administrator named Admin1 is a member of the Domain Admins group in the contoso.com domain.
From Active Directory Users and Computers, you create an organizational unit (OU) named OU1 in the
contoso.com domain, and then you create a contact named Contact1 in OU1.
An administrator of the adatum.com domain runs the Set-ADUser cmdlet to configure a user named User1 to
have a user logon name of User1@litwareinc.com.
End of repeated scenario.
You need to ensure that Admin1 can convert Group1 to a global group.
What should you do?

Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You deploy a new Active Directory forest.
You need to ensure that you can create a group Managed Service Account (gMSA) for multiple member
servers.Solution: From Windows PowerShell on a domain controller, you run the Set-KdsConfiguration cmdlet.
Does this meet the goal?

Your network contains an Active Directory domain named contoso.com.
Domain users use smart cards to sign in to their client computer.
Some users report that it takes a long time to sign in to their computer and that the logon attempt times out, so
they must restart the sign in process.
You discover that the issues to checking the certificate revocation list (CRL) of the smart card certificates.
You need to resolve the issue without diminishing the security of the smart card logons.
What should you do?

You network contains one Active Directory domain named adatum.com.
The domain contains a DNS server named Server1 that runs Windows Server 2016.
All domain computers use Server1 for DNS.
You sign adatum.com by using DNSSEC.
You need to configure the domain computers to validate DNS responses for adatum.com records.
What should you configure in Group Policy?

Your network contains an Active Directory forest named contoso.com. Users frequently access the website of
an external partner company.
The URL of the website is http://partners.adatum.com.
The partner company informs you that it will perform maintenance on its Web server and that the IP addresses
of the Web server will change.
After the change is complete, the users on your internal network report that they fail to access the website.
However, some users who work from home report that they can access the website.
You need to ensure that your DNS servers can resolve partners.adatum.com to the correct IP address
immediately.
What should you do?

You need to ensure that clients will check at least every 30 minutes as to whether a certificate has been
revoked.
Which of the following should you configure to accomplish this goal?

Which of the following CA types would you deploy if you wanted to deploy a CA at the top of a hierarchy that
could issue signing certificates to other CAs and which would be taken offline if not issuing, renewing, or
revoking signing certificates?

You are configuring AD FS. Which server should you deploy on your organization’s perimeter network?

You have an enterprise certification authority (CA) named CA1.
You have a certificate template named UserAutoEnroll that is based on the User certificate template. Domain
users are configured to autoenroll for UserAutoEnroll.
A user named User1 has an email address defined in Active Directory. A user named User2 does not have an
email address defined in Active Directory.
You discover that User1 was issued a certificate based on UserAutoEnroll template automatically.
A request by user2 for a certificate based on the UserAutoEnroll template fails.
You need to ensure that all users can autoenroll for certificated based on the UserAutoEnroll template.
Which setting should you configure from the properties on the UserAutoEnroll certificate template?