FREE AZ 800: Administering Windows Server Hybrid MCQ Questions and Answers
The domain contoso.com belongs to your Azure Active Directory Domain Services (Azure AD DS) account.
An administrator must be given access to manage Group Policy Objects (GPOs). The least privilege principle must be applied to the solution.
Which group should the administrator be added to?
GPOs can only be completely managed by the Enterprise Admins group and the Domain Admins group. Members of the Group Policy Creator Owners group have the ability to create new GPOs, but they are not able to manage or link existing GPOs to sites, domains, or OUs.
You have an Azure Active Directory (Azure AD) tenant that syncs with an on-premises Active Directory Domain Services (AD DS) domain.
You have a number of Windows 10 devices that are hybrid-joined to Azure AD.
You must make sure that users can use Windows Hello for Business to sign in to the devices.
Which Azure AD Connect optional feature should you choose?
To ensure that users can use Windows Hello for Business when signing in to Azure AD hybrid-joined Windows 10 devices, you should select the "Password writeback" optional feature in Azure AD Connect.
Windows Hello for Business provides a more secure and convenient way for users to authenticate to their devices using biometric or PIN-based authentication. By enabling the "Password writeback" feature, the new passwords set by users in Azure AD will be synchronized back to the on-premises AD DS domain.
In Azure AD, you intend to deploy a self-service password reset (SSPR).
You must make sure that users who reset their passwords using SSPR can use their new passwords to access resources in the AD DS domain.
What should you do?
To ensure that users who reset their passwords using Self-Service Password Reset (SSPR) in Azure AD can use the new passwords in the Active Directory Domain Services (AD DS) domain, you should run the Microsoft Azure Active Directory Connect wizard and select the "Password writeback" option.
A multi-site Active Directory Domain Services (AD DS) forest exists on your network. Each Active Directory site is connected by both manually configured site links and automatically generated connections.
You need to minimize the convergence time for changes to Active Directory.
What should you do?
Modifying the replication schedule for each site link can help minimize the convergence time for changes to Active Directory in a multi-site environment. By customizing the schedule for each site link, you control when replication occurs, which lets you optimize network bandwidth and reduce convergence time.
An Active Directory Domain Services (AD DS) domain with the name contoso.com is present on your network.
You must determine which server is the domain's PDC emulator.
Solution: You run "netdom.exe query fsmo" from a command prompt.
Does this meet the objective?
By running the command "netdom.exe query fsmo" from a command prompt, you will obtain a list of Flexible Single Master Operations (FSMO) role holders in the domain, including the PDC emulator. The output will display the server name that is currently holding the PDC emulator role.
An Active Directory Domain Services (AD DS) domain exists on your network. The network also contains 20 domain controllers, 100 member servers, and 100 client computers.
You have a Group Policy Object (GPO) named GPO1 that contains Group Policy preferences.
You plan to link GPO1 to the domain.
The preference in GPO1 must apply ONLY to domain member servers and NOT to domain controllers or client computers. All other Group Policy settings in GPO1 must apply to every computer. The solution must minimize administrative effort.
Which type of item-level targeting should you use?
To ensure that the preference in GPO1 applies only to domain member servers and not to domain controllers or client computers, while still allowing all other Group Policy settings in GPO1 to apply to all computers, you can use Item Level Targeting with the "Operating System" setting.
Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest root domain contains a server named server1.contoso.com.
There is a two-way forest trust between the contoso.com forest and the fabrikam.com AD DS forest. There are 10 child domains in the fabrikam.com forest.
You must make sure that only members of the fabrikam\Group1 group are able to log in to server1.contoso.com.
What should you do first?
To ensure that only the members of the fabrikam\Group1 group can authenticate to server1.contoso.com, you should enable Selective authentication for the forest trust between the contoso.com and fabrikam.com forests.
Selective authentication allows you to control which users or groups from a trusted forest can access resources in the local forest. By default, a forest trust grants authentication permissions to all users and groups in the trusted forest. Enabling Selective authentication allows you to restrict authentication to specific groups.