X

AZ-800 / Q2 / T7

  • 21 views
Exam
Microsoft AZ-800
Case Study
Answer confirmed
Exam Topics Questions
Question

Overview
Contoso, Ltd. is a company that has a main office in Seattle and two branch offices in Los Angeles and Montreal.
Existing Environment
AD DS Environment
The network contains an on premises Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains two domains named contoso.com and canada.contoso.com.
The forest contains the domain controllers shown in the following table.

All the domain controllers are global catalog servers.
Server infrastructure
The network contains the servers shown in the following table.

A server named Server4 runs Windows Server and is in a workgroup. Windows Firewall on Server4 uses the private profile.
Server2 hosts three virtual machines named VM1, VM2, and VM3.
VM3 is a file server that stores data in the volumes shown in the following table.

Group Policies
The contoso.com domain has the Group Policies Objects (GPOs) shown in the following table.

Existing Identities
The forest contains the users shown in the following table.

The forest contains the groups shown in the following table.

Current Problems
When an administrator signs in to the console of VM2 by using Virtual Machine Connection, and then disconnects from the session without signing out, another administrator can connect to the console session as the currently signed in user.
Requirements
Technical Requirements
Contoso identifies the following technical requirements:
Change the replication schedule for all site links to 30 minutes.
Promote Server1 to a domain controller in canada.contoso.com.
Install and authorize Server3 as a DHCP server.
Ensure that User1 can manage the membership of all the groups in Contoso\OU3.
Ensure that you can manage Server4 from Server1 by using PowerShell remoting.
Ensure that you can run virtual machines on VM1.
Force users to provide credentials when they connect to VM2.
On VM3, ensure that Data Deduplication on all volumes is possible.
 

You need to meet the technical requirements for the site links.
Which users can perform the required tasks?

Proposed answer
  • A. Admin1, Admin2, and Admin3
  • B. Admin1 and Admin3 only
  • C. Admin1 only
  • D. Admin1 and Admin2 only
  • E. Admin3 only
Suggested answer
  • C. Admin1 only

 

Correct answer

The suggested answer is correct

For managing AD sites you should have Enterprise Admins rights

Comments
kijken

Highly Voted 2 years ago 

I experienced this is the real world. My account in the toplevel domain was unable to do any changes in this. Because I was domain admin in the toplevel domain, i was able to grant myself enterprise admin access. Then I was able to do the change in sites and services. So I go for enterprise admin only

upvoted 11 times 

Leocan

2 years ago 

If you want to have an equivalent of Domain Admin privileges in the child domain, use the Enterprise Admin group. https://social.technet.microsoft.com/Forums/Lync/en-US/a72dc036-3375-4124-9ef7-d30af104451a/enterprise-administrator-and-child-domain?forum=winserverDS

upvoted 2 times 

8de7bd1

Most Recent 2 months, 2 weeks ago 

Selected Answer: D

Taken from Copiolot : Yes, a domain admin in the forest root domain can change the replication schedule for site links in a child domain. To perform this procedure, the admin must be a member of the Domain Admins group in the forest root domain or the Enterprise Admins group in the forest

upvoted 2 times 

PrettyFlyWifi

5 months, 1 week ago 

Selected Answer: C

The key here is ALL site links, so the Domain Admin in canada cannot manage links in the parent as well, so it's Admin1 only, the Enterprise Admin.

upvoted 2 times 

SIAMIANJI

6 months, 4 weeks ago 

Selected Answer: C

C is correct

upvoted 2 times 

okkies

9 months, 3 weeks ago 

the answer is C. the question clearly states CURRENTLY, so not after an aditional step

upvoted 2 times 

Jools_SP

10 months, 1 week ago 

THIS ANSWER IS CORRECT. To create sites, you must log on as a member of the Enterprise Admins group or the Domain Admins group in the forest root domain https://www.toutwindows.com/adfaq_us.shtml

upvoted 2 times 

MR_Eliot

1 year, 2 months ago 

D is correct. tested this in lab

upvoted 2 times 

Gore

1 year, 7 months ago 

With the configuration described in the question only Admin1. However, Admin2 can assign Enterprise Admin group membership for them self, so the real question is what is the scenario looking for.

upvoted 1 times 

syu31svc

1 year, 8 months ago 

Selected Answer: C

Enterprise admin for sure so answer is C

upvoted 3 times 

syu31svc

1 year, 7 months ago 

Disregard this; I am changing my answer to D Membership in the Enterprise Admins group in the forest, or the Domain Admins group in the forest root domain, is the minimum required group membership to create and manage Active Directory sites which would include site links Answer is D (Admin 1 and 2)

upvoted 4 times 

raulgar

1 year, 8 months ago 

The links can be done by the enterprise administrator and the domain root administrator

upvoted 3 times 

empee1977

1 year, 9 months ago 

Selected Answer: C

In a child domain, the Domain Admins group will not have the necessary permissions to change the replication schedule for all site links by default. To do so, a member of the Domain Admins group would need to be delegated the necessary permissions by a member of the Enterprise Admins group.

upvoted 3 times 

Lu5ck

1 year, 11 months ago 

Selected Answer: C

It is important to understand site link span across at *least* two domains therefore the authority of a single domain is not enough to modify a link. Only enterprise admin has the authority that span across all domains therefore modify the link.

upvoted 3 times 

raffykian

2 years ago 

Admin 1 and admin 3

upvoted 2 times 

Burnie

2 years ago 

Selected Answer: C

Enterprise only, as the domain admins in child domain can't change anything on the parent domain.

upvoted 4 times 

johosofat

2 years ago 

Selected Answer: E

The power always resides in the root of the forest. that said- the child domain is isolated from the root so the root domain admin has not rights to canada like geert is saying- so the enterprise admin would be the correct choice - i think this also get to this point - https://serverfault.com/questions/305015/parent-domain-admins-for-child-domain-clients

upvoted 1 times 

JohnO1971

2 years, 1 month ago 

I believe you only need Domain Admin access to be able to change site links. So answer given is correct in my opinion.

upvoted 1 times 

[Removed]

2 years, 1 month ago 

I thing that a domain admin shouldn´t be able change configurations that affect to the all domains in the forest. Correct answer for me is C. Just de Enterprise admin can change site links configuration (tested in ma lab)

upvoted 2 times 

edykss

2 years, 1 month ago 

Answer D is correct

upvoted 1 times 

GeertVanAssen

2 years, 1 month ago 

I feel like this question could benefit from elaboration on the answer. I personally suspect that - given the answer on the previous question - because domain admins from the contoso domain tree cannot promote servers to DC's in the child domain, they would also not be able to administer the replication schedule for DC's in that child domain. Unless ofcourse it is implicitly true in this case that the PDC FSMO role would be installed in the contoso root domain. Or am I completely mistaking? Anybody with more knowledge or experience care to draw up a source?

upvoted 1 times