final
Which utility is used to make changes to the Local Group Policy Object (GPO)?
Microsoft Management Console (MMC) using the Group Policy Object Editor snap-in
To speed up the boot process for hosts in your domain, you want to reconfigure Group Policy processing so that computers download the latest version of your policies and store them locally. This way, domain hosts can read and process the local copy of the policy settings instead of downloading them from the network when they boot. Click the policy in Group Policy Management that you must enable to configure this functionality.
Click on "Enable Group Policy Caching for Servers"
You need to configure a Group Policy preference that configures notebook systems in the domain to use the Power Saver power plan when undocked. You have specified the appropriate power plan in the Advanced Settings tab of the Power Options Group Policy preference and have set it as the active power plan. Click on the option you must enable to apply the preference only to undocked notebook systems.
Click on Item-level targeting
You are the administrator of a single-domain network. The domain has an OU named Sales. All users in the Sales OU use an application named ContactTrack. You want this application to be available in the Add/Remove Programs applet of all computers in the Sales OU. You do not want a shortcut to the program to appear on users' Start menu. You create a GPO named Deploy Software, configure it to assign the ContactTrack application to users, and link the GPO to the Sales OU. However, after doing so, the shortcut appears in the Start menu for all Sales users. What should you do to prevent the shortcut from appearing?
Configure the Deploy Software GPO to publish rather than assign the ContactTrack software.
You are an administrator for a large corporation. Your department uses a single domain within the company's multi-tree forest. Your department uses the entire building and is the only domain on the local subnet. You have a high-speed connection to corporate headquarters. There is a global catalog server onsite. Because your department handles extremely sensitive information, a decision was made to require the use of smart cards within the domain. Your job is to modify the existing Windows infrastructure to require the use of smart cards for logon. You will need to provide certificate services for smart card logon as well as for EFS, but you will not need certificates for any other purposes. Which course of action should you take?
Implement an enterprise root CA.
You are the administrator of a small network with a single Active Directory domain. The information produced by your company is very valuable and could devastate your company's business if leaked to competitors. You want to tighten network security by requiring all network users and computers to use digital certificates. You decide to create a certification authority (CA) hierarchy that will issue certificates only for your organization. To provide maximum security for the company's new CA, you choose to host the CA on a computer that is not connected to the corporate domain. What should you do to set up the new CA?
Install a standalone root CA.
You manage a network with a single domain named eastsim.com. You have a single server running Windows Server 2016. The server is not a member of the domain. You want to use this server to issue certificates using the autoenrollment feature. What should you do first to configure the CA?
Join the computer to the domain.
Which type of Group Policy Object (GPO) controls computer configuration settings on a computer that is not contained in an Active Directory?
Local GPO
Your company has developed an in-house application that will not run unless several Windows environment settings are changed. None of these settings are user-specific. Fortunately, the application developers have provided you with a PowerShell script that will make the needed changes. It can be run during computer bootup. Click on the policy within the Custom App GPO that would be the best choice for accomplishing this task.
Under Computer Configuration, click on Scripts (Startup/Shutdown)
You manage certificate services for the northsim.com domain. You have a single CA named CA1 that is a standalone root CA. You would like to publish the Certificate Revocation List (CRL) to a file named ca1crl.crl. In the certificates issued by CA1, you want to include an HTTP URL to the CRL file. How should you configure this location?
Add http://ca1.northsim.com/CertEnroll/ca1crl.crl to the CDP extensions list.
You need to add administrative templates for Microsoft Office products to a Windows Server 2016 server. Where should the .admx and .adml files be copied to do this?
C:\Windows\PolicyDefinitions
You have enabled Group Policy caching in your domain. Using this feature, Group Policy settings are saved locally on each domain-joined host. In which folder are these settings stored?
C:\Windows\System32\GroupPolicy\datastore
You have decided to redirect the contents of the local Documents folder for all domain users on all workstations to a shared folder on your Windows Server 2012 system. The server is a member of the eastsim.com domain. You want users who are members of the Domain Users group to have their Documents folder redirected to C:\RegUsersShare and users who are members of the Domain Admins group to have their Documents folder redirected to C:\AdminUsersShare. Click on the setting in the folder redirection policy for Documents that you must configure to accomplish this task.
Click on "Basic - Redirect everyone's folder to the same location"
You are in charge of managing several servers. Your company requires many custom firewall rules in Windows Firewall with Advanced Security. What should you do?
Configure firewall settings in Group Policy. Apply the GPO so that it applies to all applicable servers.
You are the network administrator for the westsim.com domain. All client computers are running Windows 10, and all servers are running Windows Server 2016. Organizational Units (OUs) have been created for each department, and user and computer accounts have been moved into the department OUs. You have recently configured a Windows Server Update Services (WSUS) infrastructure on the network. All client computers are configured to download updates from your internal WSUS server. You have just received notification that the accounting software has a new update. The update is critical and must be deployed as quickly as possible to all computers in the accounting department. What should you do?
Create a GPO linked to the Accounting OU. Assign the .msi file included with the update to computers.
You are the network administrator for westsim.com. The network contains a single Active Directory domain. All the servers run Windows Server 2016. All the clients run Windows 10. Management has requested that you implement the Online Responder Service to provide certificate revocation information to clients. This information must remain available even in the event of a server failure. You create an Online Responder Array using three servers named OCSP1, OCSP2, OCSP3. You would like OCSP1 to help resolve synchronization conflicts and to apply updated revocation configuration information to the other Array members. What should you do?
Designate OCSP1 as the Array controller.
You are the administrator of a single domain Active Directory forest. Your domain controllers are running Windows 2016 and your clients are running a mix of Windows 7 and 8 Professional and Windows Vista Business. You deploy a standalone root CA on a Windows Server 2016 server. You want all of the 200 users in the Sales OU to be issued the Basic EFS certificate with the minimum amount of effort. What should you do?
Email the users with instructions on how to use the Web Enrollment page to request the certificate.
You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. From your workstation, you create a GPO that configures settings from a custom .admx file. You link the GPO to the Sales OU. You need to make some modifications to the GPO settings from the server console. However, when you open the GPO, the custom Administrative Template settings are not shown. What should you do?
Enable the Administrative Templates central store in Active Directory. Copy the .admx file to the central store location.
You manage Certificate Services for the westsim.com domain. You have a single CA installed as an enterprise root CA that runs Windows Server 2016. You duplicate the Basic EFS certificate template and configure the CA to issue the certificate. You want to allow one of your assistants to manage certificates used for EFS. Your assistant needs to be able to edit the certificate template and modify all settings except for the permissions. You want to grant sufficient permissions to allow her to do this without granting too many permissions. What should you do?
Grant the Read and Write permissions to the certificate template.
Which tool produces a report of the GPOs and settings that apply to a single computer from the perspective of the domain controller?
Group Policy Results wizard
You manage a network with a single domain. Organizational units (OUs) have been created for each department. User and computer accounts for each department have been placed in their corresponding OUs. The network has three locations, Portland, Denver, and Phoenix. The Denver location is connected to Portland with a 1 Mbps WAN link. The Phoenix location is connected to Portland with a 256 Kbps WAN link. You want to implement a software installation policy to install an application on all computers in the Sales department. The application should be installed automatically and should be on the computer regardless of which user is logged on. The application should be installed, even across slow WAN links. User profiles should not be applied across slow links. What should you do? (Select two. Each choice is a part of the complete solution.)
In a GPO linked to the Sales OU, assign the software to computers, enable the Software Installation policy processing policy and select Allow processing across a slow network connection
What is the purpose of a Group Policy object (GPO)?
It allows administrators to apply a collection of configuration settings to objects within an Active Directory domain.
You are deploying two new applications to users in the company as follows: All computers should have Microsoft Word installed. All users in the Accounting department should have Microsoft Access installed. For other users in the company, you want to allow them to install Microsoft Access if desired by using the Add/Remove Programs applet in the Control Panel. Each department has its own organizational unit. How should you deploy these applications? (Select all that apply.)
Publish Microsoft Access in a GPO linked to the domain, assign Microsoft Word in a GPO linked to the domain, assign Microsoft Word in a GPO linked to the Accounting OU
You are the desktop administrator for your company. You manage a group of Windows 10 Professional computers used by a part-time sales staff. All computers are members of a single Active Directory domain. Each part-time sales employee might use a different computer every day. You configure roaming user profiles for each part time sales employee. After you implement roaming user profiles, some users complain that it takes an excessive amount of time to log on to a computer for the first time. You investigate the problem and discover that these users store large amounts of files in their Documents folders. You suspect that the increased log on times are due to the large amount of data being downloaded from the network. You want to decrease log on times for part-time sales employees. You also want to maintain access to each user's Documents folder when the user logs on to any computer. What should you do?
Redirect each part-time sales employee's Documents folder to a folder on a network share.
How can you create and link a Group Policy Object (GPO) at the same time in the Group Policy Management tool?
Right-click the Active Directory object and select Create a GPO in this domain and Link it here.
You are the network administrator for corpnet.com. corpnet.com is merging with another company named partner.com. As part of the consolidation, you need to decommission the partner.com enterprise CA. The partner.com enterprise CA has a number of custom templates that must remain available. You need to transfer the partner.com custom templates to the corpnet.com CA. What should you do?
Run the PKISync.ps1 command.
You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. You would like to configure all computers in the Sales OU to prevent the installation of unsigned drivers. Which GPO category would you edit to make the necessary changes?
Security Options
You are the network administrator for your network. Your network consists of a single Active Directory domain. All servers run Windows Server 2016. Your company recently mandated the following user account criteria: User accounts must be deactivated after three unsuccessful logon attempts. User account passwords must be at least 12 characters long. User accounts must be manually reset by an administrator once they are locked out. You must make the changes so they affect everyone in the domain. You are editing the Default Domain Group Policy object. What should you do? (Select three. Each correct choice represents part of the solution.)
Set Account lockout duration to 0, set Minimum password length to 12, set Account lockout threshold to 3.
Which Active Directory objects can you link a Group Policy Object (GPO) to? (Select three).
Sites, Organizational Units, Domains
You manage Group Policy for the westsim.com. You have set up a lab with a separate forest named westsim.test. In the lab domain, you create a GPO named UserSettings. You test this GPO in the lab and then decide that you want to use it in your production domain. You need to move the GPO to the westsim.com domain. What should you do?
Take a backup of the UserSettings GPO. In westsim.com, create a new GPO. Import the settings from the backup.
You manage Group Policy for westsim.com. You have set up a lab with a separate forest named westsim.test. In the lab domain, you create a GPO named UserSettings. You test this GPO in the lab and then decide that you want to use it in your production domain. You need to move the GPO to the westsim.com domain. What should you do?
Take a backup of the UserSettings GPO. In westsim.com, create a new GPO. Import the settings from the backup.
You are the administrator for the widgets.com domain. Organizational Units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. You have two OUs that contain temporary users, TempSales and TempMarketing. For all users within these OUs, you want to restrict what the users are able to do. For example, you want to prevent them from shutting down the system or access computers through a network connection. Which GPO category would you edit to make the necessary changes?
User Rights
On a client computer, what command shows information about the GPOs that have been received from the domain.
gpresults /r
You manage the certificate services for the eastsim.com domain. You have a single CA named CA1 installed as a root enterprise CA. You configure the CA to issue certificates for user authentication. On the CA, you add the Web enrollment pages feature. You want to use the Web pages to request a user certificate. Which URL should you use?
http://ca1/certsrv
You have a Certification Authority installed on the CA1 server. You want to migrate the server to a new server with newer hardware. You have performed the necessary backup operations on CA1. You now need to perform the necessary steps to move the CA to the new server. What should you do? To answer, move the required steps from the left to the location on the right. Use only the necessary steps in the recommended order.
http://prnt.sc/12vsd2m
Drag the command on the left to the option on the right that best describes what it does. (certutil.exe)
https://prnt.sc/12vsbtk
You want to register a mobile device with an AD FS server. Which of the following are true regarding this device? (Select two.)
A device object has been created in Active Directory, a certificate has been installed on the device.
An AD RMS environment has several components. Your network consist of Windows 2016 Servers, and all workstations are Windows 10. Which are some of the components found in a typical AD RMS environment?
AD RMS Database, active Directory Domain Controller, AD RMS Server
You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All of the servers run Windows Server 2012 R2. The network contains an Active Directory Rights Management Service (AD RMS) server and AD RMS has been configured for all of the client computers. westsim.com has gone into partnership with eastsim.com. eastsim.com also uses AD RMS to protect proprietary content. You add the eastsim.com domain to the list of trusted user domains to allow eastsim.com users to be authenticated by the AD RMS server. After several weeks, you notice that some users in the eastsim.com domain are being authenticated as westsim.com users. You need to prevent eastsim.com users from impersonating westsim.com users. What should you do?
Configure a trusted email domain.
You manage certificate services for the northsim.com domain. You have a CA hierarchy using an enterprise root CA named CA1. You have multiple subordinate CAs. You want to install Active Directory Certificate Services on Srv1 adding only the Online Responder role. Srv1 will respond to certificate revocation requests for all CAs. You need to configure the OCSP Response Signing certificate to allow Srv1 to obtain a certificate. You want to minimize administration for the certificate request. What should you do? (Select two. Each choice is a part of the complete solution.)
Configure each CA to issue the response signing template, grant Srv1 the Read and Enroll permissions to the template.
You use a Windows Server 2016 Server Core installation to host your organization's Certification Authority (CA). Your organization's security policy dictates that the entire CA be backed up on a regular basis. The following components must be included in the backup: CA database Keys Certificates The backup should be saved on a flash drive (N:\) in the CAback folder. What should you do?
Use the certutil.exe -backup N:\CAback command.
You use a Windows Server 2016 Server Core installation to host your organization's Certification Authority (CA). Your organization's security policy dictates that the the keys and certificates stored by the CA be backed up on a regular basis. The CA database should not be included in the backup. The backup should be saved on a flash drive (N:\) in the CAback folder. What should you do?
Use the certutil.exe -backupkey N:\CAback command.
This exclusion policy prevents user accounts, identified by their email address, from obtaining use licenses for protected content.
User Exclusion
You need to add Spanish language support for your administrative templates to a Windows Server 2016 system. Which administrative template component consists of language-dependent files that provide localized information when viewing template settings in the GPO?
.adml files
You manage certificate services for the northsim.com domain. You have a single CA named CA1 that is a standalone root CA. You have two servers, OR1 and OR2, that you would like to configure as online responders. Both servers should have the same Revocation Configuration information. You want information configured on OR2 to be copied to OR1. Any changes made to OR2 should be automatically copied to OR1. What should you do?
Create an online responder array. Designate OR2 as the master and OR1 as a member.
You manage Certificate Services for the widgets.com domain. You have just installed an enterprise root CA. You would like to archive the CA's private key. You plan on putting the private key on a USB drive and then store the USB drive in a safe deposit box. How should you perform the operation?
In the Certification Authority console, back up the CA.
You manage Certificate Services for the westsim.com domain. Your CA hierarchy contains a single CA named CA1. You want to save the private keys for all certificates issued by the CA so that they can be restored if the private keys are destroyed. What should you do?
In the Certification Authority console, enable key archival on the CA.
As a result of a recent security audit, you have made several critical changes to your domain's security configuration in Group Policy. You need these changes to be applied immediately. You've right-clicked the Workstations OU in the Group Policy Management console. Click the option you should use to refresh the Group Policy settings on all of the workstations in this OU.
Click on Group Policy Update...
You are the network administrator for westsim.com. The network consists of a single domain. All the servers run Windows Server 2016. All the clients run Windows 10. There is a main office located in New York and a branch office located in Los Angeles. You have been directed to set up wireless access for clients in the New York office. You create a new Group Policy object (GPO) that specifies the wireless network settings for the New York office and link it to the New York site. Users from the Los Angeles office complain that when they travel to New York, they are unable to connect to the wireless network in New York. You need to enable the traveling users to connect to the wireless network. What should you do?
Direct the visiting users to first connect to the New York network using a wired connection to receive the wireless network settings.
You manage a network with a single domain named eastsim.com. You have installed an enterprise root CA on the DC1 server. DC1 is also a domain controller. You want to configure Srv12 as an online responder for DC1. How should you configure certificates? (Select two. Each choice is a required part of the solution.)
On Srv12, import the certificate for DC1 into the trusted root CA store, on Srv12, request the OCSP Response Signing certificate.
Your company has developed an in-house application that will not run unless several Windows environment settings are changed. Some of these settings are user specific. Fortunately, the application developers have provided you with a PowerShell script that will make the needed changes. Each user will need to run the script, and the script may change from time to time. You want to run this script automatically instead of relying each user to run it manually. Click on the policy within the Custom App GPO that would be the best choice for accomplishing this task.
Under User Configuration, click on Scripts (Logon/Logoff)
You are the network administrator for corpnet.com. The previous network administrator published a template to the Enterprise CA that allows users to enroll for EFS certificates. The template was configured so that certificates based on the template are not published to Active Directory. Management has requested that all EFS certificates be published to Active Directory. You create a new EFS template and enable the Publish certificate in Active Directory option on the template. You need to ensure that users who attempt to renew their EFS certificates obtain new certificates based on the new template. Users must be able to continue to use their existing EFS certificates until all clients have obtained certificates based on the new template. What should you do?
Add the original EFS template to the Superseded Templates tab on the new EFS template and then publish the new template.
Your company has just purchased 120 licenses for a new application that will be used by all users. It is up to you to test and deploy the application as simply as possible. You decide to use a Group Policy object (GPO) to roll out the new application using the Windows Installer functionality. You create a software distribution point named Apps on the Server1 server and grant Read and Execute permissions to all users who will install the software. You then create a Group Policy object and edit the software installation properties under the User Configuration node. You configure the following properties: Default package location: C:\apps When adding new packages to user settings: Display the Deploy Software dialog box Installation user interface options: Maximum Uninstall the applications when they fall out of the scope of management: Enabled You create a software distribution package based on the above settings that assigns the appropriate Windows Installer package. However, when you test the package, Windows Installer doesn't execute and install the software. You need to find out why and make the appropriate changes. What should you do?
Change the Default package location setting to \\Server1\Apps\. Delete and recreate the software distribution package.
You have decided to redirect the contents of the local Documents folder for all domain users on all workstations to the C:\Shares shared folder on a Windows Server 2012 system named FS1. The server is a member of the eastsim.com domain. You configured a Basic redirection policy to redirect all users' local Documents folder to \\FS1\Shares on the server. You want to ensure that any existing files in users' Documents folders are automatically copied up to the share when the policy is applied. If the policy is removed at some point in the future, you want the users' files on the share redirected back to their local Documents directory. Click on the settings in the folder redirection policy for Documents that you need to configure to accomplish this task.
Click on "Move the contents of Documents to the new location" and/or "Redirect the folder back to the local userprofile location when policy is removed"
You are a domain administrator for a child domain in a multi-domain Active Directory forest. Your company does not presently have a certification authority (CA) hierarchy implemented. You want to install a CA that will issue certificates for smart card authentication to users in your domain. What should you do?
Have a member of the Enterprise Admins group install an enterprise root CA in your child domain and configure it to issue smart card certificates.
You manage certificate services for the eastsim.com domain. You have a single CA named CA1 that is an enterprise root CA. You have installed the online responder service on Srv1 and configured it to respond to certificate revocation requests for CA1. You would like to implement a solution to allow multiple servers to respond to online responder requests. Your solution should distribute certificate status requests evenly between all servers and allow for automatic fault tolerance in case one server fails. What should you do? (Select two. Each choice is a possible complete solution.)
Install multiple online responders. Configure an ISA reverse proxy listing all online responders as members, configure Srv1 as part of a Network Load Balancing (NLB) cluster. Add additional servers to the cluster.
Your network consists of a single Active Directory domain. The OU structure of the domain consists of a parent OU named HQ_West and child OUs named Research, HR, Finance, Sales, and Operations. You also want to ensure that all client computers have strong password policies applied and that an administrator is required to unlock locked user accounts for the Research and Human Resources departments. You create a Group Policy Object named DefaultSec, which applies security setting that are required for all users and computers. You create a second GPO named HiSec, which has the security settings that are required by the HR and the Research departments. Both GPOs use custom security templates. How should you link the GPOs to the OUs? (Select three.)
Link DefaultSec to the HQ_West OU, link HiSec to the HR and Research OUs, configure password policies on a GPO linked to the domain.
Susan is the administrator for a Windows 2016 domain named internal.widgets.com. This domain spans a single site (the Default-First-Site-Name site). She wants to configure password and account lockout policies that Active Directory domain controllers will enforce. She has created a Group Policy object with the settings she wants to apply. Most of the domain controllers are located in the Domain Controllers OU, although she has moved some domain controllers to a sub OU called Secure Domain Controllers. Where should Susan link the Group Policy object that she has created?
The internal.widgets.com domain.
Two companies are partnering on a large project. Both must have access to web-based applications on each others' networks. This communication must be secure and strictly controlled. Which of the following should you install and/or configure?
Active Directory Federation Services and Active Directory Rights Management Services
User exclusions prevent specified user accounts from receiving use licenses from the AD RMS server by not trusting the user's rights account certificates (RAC). How do you configure this process?
Add the user's email address to the user exclusion list.
Which of the following statements best describes the main purpose of Active Directory Federation Services (AD FS)?
Allow single sign-on access to web-based applications and resources, even when resources are in a different forest or a different network that belongs to another organization.
Active Directory Federation Services (AD FS) has a feature built in to upgrade your existing deployment to Windows Server 2016. Which features does upgrading to 2016 give you? (Select two.)
Allow users to gain access to AD FS resources that are protected depending on the device that they are using, allow Windows 10 Hello for Business to be enabled to use biometric credentials in place of passwords.
This exclusion policy uses the application's file name and its minimum and maximum version level.
Application Exclusion
Which templates are maintained to allow continued access to older documents already protected with them?
Archived rights policy templates
In addition to Primary Authentication methods, which additional method is required for Multi-Factor Authentication?
Azure MFA
You are configuring certificates for a federation trust. You've already issued SSL certificates to the root CAs in both the accounts and partner forests. Now you need to export both root root CAs' certificates so they can later be imported in the opposite forests. Click on the option you would use in the Certificates MMC console to accomplish this task.
Click on Personal
You are configuring certificates for a federation trust. You've already issued SSL certificates to the root CAs in both the accounts and partner forests and exported both root root CAs' certificates. Now you need to import these certificates in the opposite forests. The accounts partner's certificate needs to be imported into the resource partner's CA and vice-versa. Click on the option you would use in the Certificates MMC console to do this.
Click on Trusted Root Certification Authorities
In order to restore AD RMS from backup, you need to know which password?
Cluster Key Password
You are the network administrator for corpnet.com. The company has implemented Active Directory Rights Management Services (AD RMS). The company has a vendor named partner.com. partner.com does not have an AD RMS cluster. You need to enable users in the partner.com forest to access content protected by the AD RMS cluster in the corpnet.com forest. What should you do?
Create a federated trust.
You are the network administrator for corpnet.com. You have installed the Active Directory Federation Services (AD FS) Role on a server named ADFS1. The company hosts a web application named App1. You have created a Relying Party Trust that points to App1. You plan to allow users from a vendor named partner.com access to App1. partner.com has implemented AD FS and created a Relying Party Trust that will send the user's email addresses and group membership to your AD FS server. You need to configure AD FS to accept the claims coming from the partner.com AD FS server and send them to App1. What should you do?
Create a Claims Provider trust and then create an Acceptance Transform rule.
You need to configure WAP to forward requests to AD FS servers that are not accessible from the internet. Arrange the WAP configuration tasks that you need to complete on the left in the appropriate order on the right.
https://prnt.sc/12vt9js
An AD RMS configuration can be a very complicated procedure, so it is best practice to do what immediately after installation?
Create a backup of your configuration.
Match the following AD RMS database and licenses with their usage.
https://prnt.sc/12vtee2
You are the network administrator for corpnet.com. You have implemented Active Directory Federation Services (AD FS) to enable single sign-on to a web application named WApp1. You need to enable internet users to access WApp1 using AD FS. You install WAP in the perimeter network. You need to enable internet users to contact the federation proxy server. What should you do first?
Create an A record in the corpnet.com zone hosted on the internet.
You are the network administrator for corpnet.com. The company has two Active Directory forests. Each forest has an Active Directory Rights Management Services (AD RMS) root cluster. Users in both forests must be able to access AD RMS protected content from either forest. You intend to implement AD RMS trusts to enable to share content. You need to create the necessary AD RMS trusts. What should you do? (Select two.)
Create two AD RMS Trusted User domains, create two AD RMS Trusted Publishing domains.
Which of the following is a feature that allows non-domain-joined devices to access claims-based resources?
Device Registration
Which template(s) can users employ to protect documents and messages?
Distribute rights policy template
You are the network administrator for corpnet.com. You have implemented Active Directory Federation Services (AD FS). A vendor named partner.com has a web application named App1 that your users will access using AD FS. You need to export the AD FS metadata so that the administrator at partner.com can create a Claims Provider Trust. Which node in the AD FS management console should you use?
Endpoints
You are configuring a server that will be used by an external organization. What is required when you install the AD FS role on a Windows 2016 Server?
IIS to be installed, a server certificate from a third-party CA
You manage the northsim.com domain. Your company produces components that are used in military and government products. For an upcoming project, your company will be working with the Widgets Incorporated company. They have a single Active Directory domain named widgets.com. You would like documents for the project to be available and managed through Active Directory Rights Management Services (AD RMS). What should you do? (Select two. Each choice is a required part of the solution.)
Implement AD RMS together with Active Directory Federation Services (AD FS), configure the AD RMS cluster address to use SSL.
You are the manager for the westsim.com domain. Your company has just started a collaborative effort with a partner company. Their network has a single domain named eastsim.com. Users in your domain must be able to run an application located in the eastsim.com domain. The application must authenticate users and then control access within the application. You want to implement a single sign-on solution so that users do not need to have different user credentials or supply those credentials multiple times. You need to configure this solution without allowing too many permissions. What should you do?
Implement Active Directory Federation Services (AD FS).
You are the network administrator for corpnet.com. The company has implemented Active Directory Rights Management Services (AD RMS). A vendor named partner.com has also implemented AD RMS. Company policy prohibits creating a federated trust with external companies. You need to allow users who have obtained rights account certificates from the partner.com AD RMS cluster to consume content protected by the corpnet.com AD RMS cluster. What should you do?
Implement a Trusted User Domain.
AD FS can be integrated with other authentication services and online applications. Which of the following features authenticated users to access and manage directory information?
LDAP
You are the manager for the westsim.com domain. Your company has just started a collaborative effort with a partner company. Their network has a single domain named eastsim.com. You decide to implement Active Directory Federation Services (AD FS) to allow users in the partner organization to access a Web application running on your network. You have three servers available, Srv1, Srv2, and Srv3. Srv3 is a web server that runs the claims-aware application. You want to use the Federation Service Web Application Proxy service in your design. You want to use the least number of servers possible. What should you do?
Install the Federation Service on Srv1. Install WAP and the claims-aware web agent on Srv3.
This exclusion policy specify what minimum AD RMS client version can obtain a use licenses from AD RMS.
Lockbox Version Exclusion
Which of the following should you configure if you want users to have access to AD FS-protected resources based on the credentials of the device they are using?
Microsoft Passport support
Match the AD FS configuration utility on the right with the Windows Azure integration configuration task it is used to complete on the left.
https://prnt.sc/12vt874
Which of the following is true about an AD RMS deployment?
The AD RMS service account must be a regular domain user so that it can communicate with other accounts.
You are in the process of integrating AD FS with Windows Azure cloud services. All prerequisite software has been installed on the Windows server along with the Windows Azure Pack. You now need to configure the AD FS server to support Windows Azure Pack. Which entities need to be added as relying parties on the AD FS server to do this? (Select two.)
The management portal for administrators, the management portal for tenants
You are configuring AD FS. Which server should you deploy on your organization's perimeternetwork to allow users to access web applications?
Web Appplication Proxy
Your need to restore a Certification Authority (CA) running on a Windows Server 2016 system from backup. You've located the backup directory and the password that was used protect the private key and certificate file. Arrange the tasks required to restore the CA on the left in the order they should be completed on the right.
http://prnt.sc/12vsex9
Match the appropriate Active Directory Federation Services (AD FS) partner type on the left with the task that partner is responsible for in a federation trust. Each partner type can be used more than once.
http://prnt.sc/12vsj0j
Match the Active Directory Federation Services (AD FS) component on the right with the appropriate description on the left.
http://prnt.sc/12vsl03
You have a Certification Authority installed on the CA1 server. You want to migrate the server to a new server with newer hardware. You have performed the necessary backup operations on CA1. You now need to perform the necessary steps to move the CA to the new server. What should you do? To answer, move the required steps from the left to the location on the right. Use only the necessary steps in the recommended order.
https://prnt.sc/12vsgaz
You are implementing a federated trust using Active Directory Federation Services (AD FS). Your organization is the accounts partner while the other organization is the resource partner. You've established a working relationship with a peer administrator in the resource partner organization. The AD FS servers in both organizations require a certificate for issuing tokens. Certificate services in both organizations are provided by an Active Directory Certification Authority (AD CA) running on Windows Server 2012 R2. You and your peer administrator need to configure both CAs to support the federated trust. Arrange the configuration tasks on the left that you need to complete in the correct order on the right.
https://prnt.sc/12vsm80
Match each AD FS authentication factor on the left with the appropriate description on the right. Each authentication factor may be used once, more than once, or not at all.
https://prnt.sc/12vt4pq
You need to integrate AD FS in your organization Windows Azure cloud services. Arrange the configuration tasks on the left in the appropriate order in which they should be completed on the right.
https://prnt.sc/12vt709
You are working as an administrator for a single Active Directory domain running in the Windows Server 2016 functional level. The network consists of multiple domain controllers and member servers running Windows Server 2016. On one of the member servers, you install an enterprise root CA. One of your tasks is to enroll smartcards for user accounts. To accomplish this task, you dedicate a workstation as a smartcard enrollment station. You create a separate group, GG-EnrollmentAgent, and add your user account as a member of this group. After you duplicate the smartcard enrollment agent certificate template, you add the certificate template to the list of issued certificate templates on the CA. You are trying to enroll a smartcard enrollment agent certificate through your web browser, but the certificate template is not listed. What should you do?
Add the group GG-EnrollmentAgent to the ACL of the certificate template and select the Read and Enroll permissions.
You have decided to redirect the contents of the local Documents folder for all domain users on all workstations to a Windows Server 2012 system named FS3. The server is a member of the eastsim.com domain. You want each user's Documents folder redirected to their home directory. Click on the settings in the folder redirection policy for Documents that you must configure to accomplish this task.
Click on the empty file location box underneath Target File location and/or the empty box at the top of the window
To meet the requirements of your organization's security policy, you have been instructed to implement GPOs that tightly control the software used on each domain user's workstation. The policies in the GPO must: Allow users to run only the applications you specify. Be applied to specific users or groups. Apply to all existing, future, or previous versions of an application. All workstations involved are running Windows 10. You have decided to configure and test local security policies to meet these requirements and then import them into the appropriate domain GPOs. Click on the GPO security setting category where these policies are located.
Click on Application Control Policies
Your organization's security policy dictates that the security level of the Local Intranet and Trusted Sites zones in Internet Explorer be set to Medium-High on all user workstations. Rather than configure each workstation individually, you decide to use a Group Policy preference setting in a GPO to make the change. Click on the Control Panel Setting you would use to implement this configuration.
Click on Internet Settings
You have decided to redirect the contents of the local Documents folder for all domain users on all workstations to the C:\Shares shared folder on a Windows Server 2012 system named FS2. The server is a member of the eastsim.com domain. You configured Basic redirection to redirect all users' local Documents folder to C:\Shares on the server. However, after applying the policy, you find that shared folder on the server remains empty. Click on the setting in the folder redirection policy for Documents that is configured incorrectly.
Click on the file location box underneath Root Path
You manage the certificate services for the eastsim.com domain. You have a single CA named CA1 installed as a root enterprise CA. You have a Windows Server 2016 server that is a domain member and configured as a router. You want to obtain a certificate for this server in order to use IPsec. If this test is successful, you will use a similar method to obtain certificates for other network devices. For this reason, you would like the process to be as simple as possible. What should you do?
Configure a certificate template for autoenrollment. Issue the certificate on CA1. Restart the router to automatically request the certificate.
Your network consists of a single Active Directory domain. The OU structure of the domain consists of a parent OU named HQ_West and child OUs of Research, HR, Finance, Sales, and Operations. You also want to ensure that all client computers have strong password policies applied and that an administrator is required to unlock locked user accounts for the research and human resources departments. You create a Group Policy Object named DefaultSec, which applies security setting that are required for all users and computers. You create a second GPO named HiSec, which has the security settings that are required by the HR and the research departments. Both GPOs use custom security templates. How should you link the GPOs to the OUs? (Select three.)
Configure password policies on a GPO linked to the domain, Link HiSec to the HR and Research OUs, Link DefaultSec to the HQ_West OU
You are the administrator of a network with a single Active Directory domain. The domain includes two domain controllers. Your company's security policy requires that locked out accounts are unlocked by administrators only. Upon reviewing the account lockout policy, you notice an account lockout duration of 99999. You need to configure your domain's account lockout policy to comply with your company's security policy. What should you do next?
Configure the Account lockout duration to 0.
You manage certificate services for the northsim.com domain. You have a single CA named CA1 that is an enterprise root CA. To increase the security of your certificate solution, you would like information about revoked certificates to be made available within five hours of the certificate being revoked. What should you do? (Select two. Each choice is a complete solution.)
Configure the CA to publish CRLs more frequently, configure the CA to publish base CRLs less frequently and publish delta CRLs more frequently.
You are the network administrator for a network with a single Active Directory domain. The domain's functional level is Windows Server 2003. Users are divided into OUs named Sales, Accounting, and Management. You are using Group Policy software distribution for all corporate applications. A sales application is deployed as user-assigned in a GPO named Sales Applications that is linked to the Sales OU. Mary Hurd has been transferred to the sales department to the accounting department. You move the corresponding user account from the Sales OU to the Accounting OU. After logging on to a new computer in the accounting department, Mary reports that the sales application is still being applied. You do not want the sales application to be applied to the user. What should you do?
Configure the Uninstall this application when it falls out of the scope of management option for the sales application software package.
You manage Certificate Services for the westsim.com domain. You have a single CA installed as an enterprise root CA that runs Windows Server 2016. You duplicate the IPsec certificate template and configure the CA to issue the certificate. You would like certificate requests for the IPsec template to be submitted and approved automatically. How should you complete the configuration of the certificate template? (Select two. Each choice is a required part of the complete solution.)
Configure the subject name to be built from Active Directory information, grant computers the Read, Enroll, and Autoenroll permissions.
You want to create a central store for the administrative templates on a Windows Server 2016 domain controller. What should you do?
Copy the local .admx and .adml files to C:\Windows\SYSVOL\domain_name\Policies\PolicyDefinitions.
You are the network administrator of a very large network. There are approximately 50 servers in the organization that all require the latest Microsoft service pack. You have acquired an MSI package that installs the latest service pack. All servers are located in an Active Directory OU called Servers. How should you deploy the service pack to all of the servers using the least administrative effort? (Select two. Each choice is a part of the complete solution.)
Create a Group Policy Object and link it to the Servers OU, assign the MSI package using Computer Configuration.
You are employed as a network administrator for northsim.com, which provides outsourced technical support for other companies. northsim.com has a single Active Directory domain named northsim.com. All of the servers run Windows Server 2016, and all of the clients run Windows 10. northsim.com has implemented Active Directory Certificate Services (AD CS) and has an enterprise root Certification Authority (CA) and several issuing CAs. You have been assigned to work on a project for widgets.com. The company has a single Active Directory domain named widgets.com. All of the servers run Windows Server 2016. widgets.com requires that all employees log on using a smart card. They do not wish to implement their own Public Key Infrastructure (PKI). They have requested that the smart card certificates be issued by the northsim.com certificate authorities. You must enable users from widgets.com to obtain certificates from the northsim.com certificate authorities. What should you do first?
Create a two-way forest trust between widgets.com and northsim.com.
You are the administrator for WestSim Corporation. The network has a single domain, westsim.com. Five domain controllers, all running Windows Server 2012 R2, are located on the network. Users in the shipping department have a special software program that helps them keep track of incoming products and match the SKU number with items in the order database. You have created an OU called shipping and have placed all computers and users for that department into the OU. You create a software GPO called SKUWare that publishes the software to all users in the department. All manager user objects have been placed in an OU called Managers. The shipping manager logs on to one of the computers in the shipping department. He calls you because the software package is not available to install on the workstation. You need to make the software package available so he can install it. You want to make sure that anyone else who logs on to any workstation in the shipping department can install the software. What should you do?
Enable loopback processing in the SKUWare GPO.
You are the network administrator of a small network consisting of three Windows Server 2016 computers and 100 Windows 10 workstations. Your network has a password policy in place with the following settings: Enforce password history: 10 passwords remembered Maximum password age: 30 days Minimum password age: 0 days Minimum password length: 8 characters Password must meet complexity requirements: Disabled Store password using reversible encryption: Disabled One day, while sitting in the cafeteria, you overhear a group of coworkers talk about how restrictive the password policy is and how they have found ways to beat it. When required to change the password, they simply change the password 10 times at the same sitting. Then they go back to the previous password. Your company has started a new security crackdown and passwords are at the top of the list. You thought you had the network locked down, but now you see that you need to put an end to this practice. Users need to have passwords that are a combination of letters and numbers and do not contain a complete dictionary word. Users should not be able to reuse a password immediately. What should you do? (Select. Each answer is part of the complete solution.)
Enable the Minimum password age setting, enable the Password must meet complexity requirements setting.
You manage Certificate Services for the widgets.com domain. You have installed a single CA named CA1 as an offline standalone root CA. You install a second CA in your hierarchy. You want to configure certificate templates so that the CA can automatically back up the private keys for every certificate it issues. How should you configure the certificate template?
For each user and computer certificate template, edit the security settings to add a recovery agent and grant Read and Enroll permissions.
You manage Certificate Services for the westsim.com domain. You have a single CA installed as an enterprise root CA that runs Windows Server 2016. You duplicate the Basic EFS certificate template and configure the CA to issue the certificate. You want to save the private keys issued for all certificates issued by the CA so that they can be restored if the private keys are destroyed. You want to allow members of the EFSAdmins group to recover the private keys if necessary. How do you configure EFSAdmins as recovery agents? (Select two. Each choice is a part of the complete solution.)
For the CA, enable key archival and add the certificates for the recovery agents, duplicate the Recovery Agent certificate template and grant the Read and Enroll permissions to the EFSAdmins group. Have each user request a certificate using the new template
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. What should you do?
Implement a fine-grained password policy for the users in the Directors OU. OR Create a granular password policy. Apply the policy to all users in the Directors OU.
You manage the network for the eastsim.com domain. You have three domain controllers that run Windows Server 2016. You have created several Group Policy objects (GPOs) for your domain and various OUs. You have also enabled the Administrative Templates central store. You want to take a backup of all GPOs and starter GPOs. You want to perform as few backups as possible, and the backup should contain these items and as little else as possible. What should you do?
In Group Policy Management, back up all GPOs. Back up all starter GPOs separately.
You manage Certificate Services for the westsim.com domain. Your CA hierarchy contains a single CA named CA1. You have configured key archival for all issued certificates and for the CA. Susan Wells calls to say that her hard disk crashed today, losing all files on the drive. The desktop administrator has configured a new computer and restored her files from backup. However, she is unable to open any of her encrypted files. You need to enable Susan to open her encrypted files. What should you do?
On CA1, log on as a recovery agent. Restore her private key. Copy the private key to her new computer.
You manage Certificate Services for the widgets.com domain. You have installed a single CA named CA1 as an offline standalone root CA. You are getting ready to install a second CA in your hierarchy. You want to use this CA to issue certificates to users and computers. You want to configure key archival for all user and computer certificates issued by the CA. What should you do? (Select two. Each choice is a part of the complete solution.)
On the CA properties, configure one or more recovery agents, install the CA as an enterprise subordinate CA.
You manage Certificate Services for the westsim.com domain. You have a single CA installed as an enterprise root CA that runs Windows Server 2016. You want to allow users of the Research department to request certificates for EFS. You duplicate the Basic EFS certificate template, then grant the Research group the Read and Enroll permissions to the certificate template. You configure the certificate to require CA certificate manager approval. A user who is a member of the Research groups logs on and tries to request a certificate for EFS using the Web enrollment pages. The EFS certificate template you created does not appear in the list of certificates that can be requested. What should you do?
On the CA, issue the certificate template.
You are the administrator for a network with a single Active Directory domain named widgets.local. The widgets.local domain has an organizational unit object for each major department in the company, including the Information Systems department. User objects are located in their respective departmental OUs. Users who are members of the Domain Admins group belong to the Information Systems department. However, not all employees in the Information Systems department are members of the Domain Admins group. To simplify employees' computing environment and prevent problems, you link a Group Policy object (GPO) to the widgets.local domain that disables the Control Panel for users. You do not want this Group Policy object to apply to members of the Domain Admins group. What should you do?
On the Group Policy object's access control list, deny the Apply Group Policy permission for members of the Domain Admins group.
You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. All of the servers run Windows Server 2016. All of the clients run Windows 10. eastsim.com has one main office. There is an enterprise Certification Authority (CA) located in the main office that handles all certificate requests for the domain. The company also maintains an Internet Information Services (IIS) server that is a member of the domain. The IIS server is located in a perimeter network. eastsim.com has a high volume of independent contractors that need to connect to the company network using a VPN connection to an ISA 2006 Server running L2TP/IPSec. The contractors are traveling trainers who must be able to obtain machine certificates to be used for this purpose. Most of the computers do not belong to the Active Directory domain, and the contractors do not often visit the corporate office. Some contractors are retained for projects without ever visiting an eastsim.com site. You must configure the enterprise CA to grant machine certificates to the contractors. What should you do?
On the IIS server, install the Certificate Enrollment Web Service.
You are the network administrator for westsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2016. All the clients run Windows 10. You have modified the Default Domain Controllers group policy object. A new security policy in the company states that all Group Policy settings must be delivered using new group policy objects. You must reset the Default Domain Controllers policy to the default settings using the minimum administrative effort. What should you do?
Run the dcgpofix /target:dc command on a domain controller.
The desktop workstations you recently purchased for the employees in your organization's Denver office came with two network boards installed: A RealTek PCIe Fast Ethernet interface integrated into the motherboard. A Broadcom NetXtreme 57xx Gigabit Ethernet interface installed in a motherboard slot. You used the gigabit controller to connect these systems to the network. Because the integrated interface is not used, you set up a Devices Group Policy preference that disables the RealTek adapter. However, because this affects only the employees in the Denver office, you set up an item-level target that specifies that the preference only be applied to hosts in the Denver site in Active Directory. Which of the following is true concerning this Group Policy preference when it is applied?
The preference will be applied, but not enforced.
Your organization's security policy dictates that the security level for the Local Intranet and Trusted Sites zones in Internet Explorer be set to Medium-High on all user workstations. Rather than configure each workstation individually, you decide to use a Group Policy preference setting in a GPO to make the change. Which of the following is true concerning this Group Policy preference? (Select two.)
This preference is not available in Local Group Policy, the preference can be applied to specific systems based on the criteria you specify.
You need to add German language support for your administrative templates to a Windows Server 2016 system. Which administrative template component consists of language-independent files that store policy settings in XML format?
.admx files
You are the manager for the westsim.com domain. You have previously installed Active Directory Certificate Services on a Windows Server 2016 server named CA1. CA1 is configured as an enterprise root CA. You install a new CA named CA2 as a subordinate standalone CA to CA1. Following the installation, you are unable to start the Certificate Services service. The error message indicates that you can't establish a trust chain to CA1. What should you do?
Add the certificate from CA1 to the trusted root store on CA2.
Outside sales employees in your organization use a VPN connection to access your internal network while traveling to customer sites. Currently, each user must manually create and manage the VPN connection settings on their notebook systems and frequently require Help Desk assistance. Rather than configure each workstation individually, you decide to use a Group Policy preference setting in a GPO to push down the correct VPN configuration settings for your organization's VPN server to the notebook systems. Click on the Control Panel Setting you would use to implement this process.
Click on Network Options
As a part of your organization's security policy, you have been instructed to lock down all workstations by restricting remote access via Remote Desktop Services to specific users and groups. You have decided to configure and test local security policies to meet this requirement and then import them into the appropriate domain GPOs. Click on the GPO security setting category where the required policies are located.
Click on User Rights Assignment
You are the network administrator for eastsim.com. The network consists of a single Active Directory domain. All the servers run Windows Server 2016. All the clients run Windows 10. The company has a main office in New York and several international locations, including facilities in Germany and France. You have been asked to build a domain controller that will be deployed to the eastsim.com office in Germany. The network administrators in Germany plan to use Group Policy Administrative Templates to manage Group Policy in their location. You need to install the German version of the Group Policy Administrative Templates so they will be available when the new domain controller is deployed to Germany. What should you do?
Copy the German .ADML files to the appropriate directory in the SYSVOL on a local domain controller.
You are the network administrator for corpnet.com. The company plans to require all files with personal identifiable information to be encrypted using the Encrypting File System (EFS). You duplicate the EFS certificate template and grant the domain users group the Read, Enroll, and Autoenroll rights to the new template. You then publish the new template on the Enterprise Certification Authority. You need to ensure that all users can automatically obtain EFS certificates based on the new template. What should you do?
Configure the Certificate Services Client - Auto-Enrollment setting in Group Policy.
You are the administrator of a single-domain network. The domain has an OU named Sales. All users in the Sales OU use an application named ContactTrack. You want to install this application to all computers in the Sales OU. You create a GPO named Deploy Software, configure it to assign the ContactTrack application to users, and link the GPO to the Sales OU. Although the shortcut appears in the Start menu for Sales users, the application is not installed until users click the shortcut. You want the GPO to install the application completely. What should you do?
Configure the Computer Configuration node rather than the User Configuration node of the Deploy Software GPO.
You manage the certificate services for the eastsim.com domain. You have a single CA named CA1 installed as a root enterprise CA. You want to enable autoenrollment for computer certificates. You duplicate the Computer certificate template, and grant the Authenticated Computers group the Read, Enroll, and Autoenroll permissions. You configure the CA to issue the new certificate. As a test, you reboot the computer, and then check the Certification Services console to see if the certificate has been issued. You do not see a request or an issued certificate, even after you wait for several minutes. What should you do?
Configure the Default Domain Policy GPO. In the Computer Configuration section, configure the Certificate Services Client - Auto-Enrollment policy.
You are the administrator of a single-domain network. All servers in the domain run Windows Server 2016. All client computers run Windows 10. The domain has an OU named Sales. All users in the Sales OU use an application named ContactTrack. You want all Sales users to have a shortcut to the ContactTrack application in their Start menu. The first time they click the shortcut, you want the ContactTrack application to be installed. You create a GPO named Deploy Software, configure it to publish the ContactTrack application to users, and link the GPO to the Sales OU. You soon discover that the shortcut does not appear in any user's Start menu. What should you do?
Configure the Deploy Software GPO to assign rather than publish the ContactTrack software.
You are a domain administrator for a single-domain network. The domain has several organizational units (OUs) that represent each department in the organization. You have delegated complete administration for each OU to appropriate users in each department. You have made these users members of the Group Policy Creator Owners group. You create a Group Policy object (GPO) named Corporate Desktop that configures the desktop environment for users in the company. You link the GPO to the domain. Later, you discover that some of the settings are not being applied to users in the Development department. How can you make sure that all settings in the Corporate Desktop GPO get applied to all users in the company?
Configure the Enforced option for the Corporate Desktop GPO.
You manage Certificate Services for the westsim.com domain. You have a single CA installed as an enterprise root CA that runs Windows Server 2016. You duplicate the Basic EFS certificate template and configure the CA to issue the certificate. You want users to request an EFS certificate using the Web enrollment pages. When a request is submitted, you want the certificate to be approved automatically. How should you complete the configuration of the certificate template? (Select two. Each choice is a required part of the solution.)
Configure the template not to require CA certificate manager approval, grant users the Read and Enroll permissions.
You are the administrator for the widgets.com domain. Organizational units (OUs) have been created for each company department. User and computer accounts for each department have been moved into their respective departmental OUs. As you manage Group Policy objects (GPOs), you find that you often make similar user rights, security options, and Administrative Template settings in different GPOs. Rather than make these same settings each time, you would like to create some templates that contain your most common settings. What should you do? (Select two. Each choice is a possible complete solution.)
Create GPOs with the common settings. Take a backup of each GPO. After creating new GPOs, import the settings from one of the backed up GPOs, create GPOs with the common settings. When creating new GPOs, copy one of the existing GPOs.
You are an administrator for a large corporation. Your department uses a single domain within the company's multi-tree forest. Your department uses the entire building and is the only domain on the local subnet. You have a high-speed connection to corporate headquarters. There is a Global Catalog server onsite. Because your department handles extremely sensitive information, a decision has been made to require the use of smart cards within the domain. Your job is to modify the existing Windows infrastructure to require the use of smart cards for logon. You will need to provide certificate services for smart card logon as well as for EFS, but you will not need certificates for any other purposes. What kind of certificate authority should you use?
Implement an enterprise root CA.
You are the administrator of the westsim.com Active Directory domain. You delegate administration of the Sales OU and Research OU to other administrators. You want to prevent the administrators of those OUs from creating any other Group Policy objects with settings that conflict with those you have configured for the domain. What should you do?
In Group Policy objects linked to the westsim.com domain, set the Enforced option.
You are the security administrator for your organization's Active Directory Forest. You have implemented a CA hierarchy using Windows Server 2016 servers. You need to make sure that you can restore your CAs and their databases in the case of a server failure. What should you do?
Perform a system state backup on the CA servers and secure the media.