MCSE Practice Test Video Answer
1. A
A single forest with multiple domains allows regional offices to maintain independent IT management through separate domains, while the forest structure enables centralized security policies through forest-wide schema and configuration partitions. This design provides the best balance of autonomy and central control.
2. B
The default and recommended maximum lifetime for Kerberos TGTs is 10 hours. This balances security (preventing replay attacks) with user experience (reducing frequent re-authentication). Shorter periods increase security but impact usability, while longer periods expose greater security risks.
3. C
"Published to users" deploys applications on demand, installing only when a user opens an associated file type or selects the application from Add/Remove Programs. Assigned deployments install automatically, while "published to computers" is not a valid option.
4. B
The Archive attribute (or Archive bit) is set automatically by the system whenever a file is created or modified. Backup software uses this attribute to determine which files need to be backed up during incremental or differential backups, and it can be cleared after the backup completes.
5. B
Site links in Active Directory Sites and Services control how replication traffic flows between sites. By assigning costs to site links, administrators can optimize replication paths, with lower-cost links being preferred. This ensures efficient use of network bandwidth and controls when and how domain controllers replicate across WAN links.
6. B
Current industry best practices recommend a maximum validity period of 1 year (398 days) for publicly trusted SSL/TLS certificates. Major certificate authorities and browser vendors have moved toward shorter certificate lifespans to improve security by ensuring more frequent key rotation and reducing the window of exposure if a certificate is compromised. While internal PKI deployments may use longer periods, 1-2 years is considered best practice.
7. B
Routing and Remote Access Service (RRAS) with VPN capabilities provides encrypted site-to-site connections between branch offices and headquarters. While DirectAccess provides remote access, RRAS with VPN is the standard solution for site-to-site encryption.
8. C
Keeping the root CA offline significantly enhances security by limiting its exposure to network-based attacks. The root CA is only brought online when needed to issue certificates to subordinate CAs, reducing the attack surface.
9. C
Group Policy Results (gpresult) specifically identifies which GPOs are applying to a user or computer and shows processing times, making it ideal for troubleshooting slow logon issues caused by Group Policy processing delays.
10. C
Virtual Machine Checkpoints (formerly called snapshots) allow administrators to capture the state of a running VM without downtime. The checkpoint saves the VM’s memory, disk, and configuration state at a specific point in time.
11. B
Synchronizing once daily during off-peak hours balances the need for timely updates with server load management. This ensures updates are available without overwhelming the WSUS server or network bandwidth during business hours.
12. B
Volume Shadow Copy Service (VSS) creates point-in-time snapshots of volumes, enabling users to restore previous versions of files through the “Previous Versions” tab in file properties. This provides self-service file recovery capabilities.
13. C
Windows Server 2019 Hyper-V supports up to 240 virtual processors per Generation 2 virtual machine, allowing for highly scalable virtualized workloads. This is a significant increase from earlier versions.
14. B
The recommended best practice is to place all five FSMO roles on a single high-performance domain controller with proper backup procedures and a standby domain controller ready to assume the roles if needed. While this creates a single point of responsibility, it simplifies management and troubleshooting. The standby server can quickly assume roles through role seizure if the primary fails. Distributing roles unnecessarily can complicate administration without providing significant benefits in most environments.
15. B
Always On Availability Groups support multiple secondary replicas (up to 8 in SQL Server 2016 and later), allowing for multiple readable secondaries and geographic distribution. Database mirroring only supports one mirror server.
16. A
New-ADOrganizationalUnit is the correct PowerShell cmdlet for creating a new OU in Active Directory. The cmdlet follows PowerShell’s standard verb-noun naming convention where “New” is used for creating objects.
17. B
Hosted Cache Mode should be used when a Windows Server is available at the branch office. The server hosts the cached content centrally for all branch office clients, providing better cache utilization and management than Distributed Cache Mode.
18. B
Active Directory delegation of control allows granular permission assignment, enabling specific users or groups to perform tasks like password resets for specific OUs without granting excessive administrative privileges. This follows the principle of least privilege.
19. B
Active Directory Federation Services (AD FS) enables single sign-on (SSO) across organizational boundaries by establishing trust relationships between organizations. It allows users to authenticate once and access resources across multiple applications and organizations.
20. C
8 days is the recommended DHCP lease duration for networks with stable desktop computers. This balances IP address availability with reduced DHCP server traffic. Shorter leases increase server load, while longer leases may waste addresses.
21. B
Trusted Platform Module (TPM) is a hardware component that securely stores BitLocker encryption keys at the hardware level. TPM provides a hardware root of trust and protects keys from software-based attacks.
22. A
Active Directory Federation Services provides claims-based authentication that enables single sign-on across organizational boundaries without requiring forest trusts. Users authenticate to their home forest, and AD FS translates those credentials into claims that are trusted by other organizations. This provides the most seamless user experience while maintaining security boundaries between forests and avoiding the complexity of managing multiple forest trusts.
23. B
When Integration Services are not installed or are outdated, the virtual machines cannot properly communicate performance metrics to the host through the VMBus. This causes the host to show high processor utilization for handling I/O and system calls that would normally be optimized through Integration Services, while the guest operating system cannot accurately report its actual processor usage. Installing or updating Integration Services resolves this discrepancy.
24. B
Workplace Join (now called Azure AD Join for personal devices or Azure AD Register) allows users to connect personal devices to corporate resources without domain joining. This enables access to resources while maintaining separation between personal and corporate data.
25. B
Windows Server 2008 domain functional level introduced fine-grained password policies through Password Settings Objects (PSOs), allowing different password policies for different groups of users within the same domain.
26. C
Differential backup captures all data changed since the last full backup without marking files as backed up. This means each differential backup grows larger until the next full backup but requires only the last full and last differential for restoration.
27. C
Storage Spaces Direct requires a minimum of 4 servers to create a fault-tolerant storage pool using three-way mirroring or dual parity. While 2-node configurations are possible, they require special configuration and don’t provide the same fault tolerance.
28. B
Distributed File System (DFS) Namespace creates a virtual namespace that aggregates multiple file shares from different servers, presenting them as a single logical structure to users. This simplifies file share access and management.
29. B
RD Connection Broker is responsible for session load balancing, distributing user sessions across multiple RD Session Host servers, and reconnecting users to their existing sessions in an RDS deployment.