
AZ-800 Question #26: Real Exam Question with Answer & Explanation

The correct deployment plan for an RODC in a new site with delegated installation and replication control involves setting up the AD site topology, configuring replication, and pre-staging the RODC account to ensure least privilege.

Deploy and manage Active Directory Domain Services (AD DS) in on-premises and cloud environments

Question

Drag and Drop Question

Your network contains a single-domain Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains a single Active Directory site. You plan to deploy a read-only domain controller (RODC) to a new datacenter on a server named Server1. A user named User1 is a member of the local Administrators group on Server1.

You need to recommend a deployment plan that meets the following requirements:

  • Ensures that a user named User1 can perform the RODC installation on Server1
  • Ensures that you can control the AD DS replication schedule to the Server1
  • Ensures that Server1 is in a new site named RemoteSite1
  • Uses the principle of least privilege

Which three actions should you recommend performing in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

  1. Create a site and a subnet
  2. Create a site link
  3. Pre-create an RODC account

Explanation

Approach. The correct approach requires selecting three actions from the combined list that fulfill all requirements in a logical sequence while adhering to the principle of least privilege.

  1. Create a site and a subnet: This is the essential first step. To ensure 'Server1 is in a new site named RemoteSite1', a new Active Directory site must be created, and a subnet representing the new datacenter's network segment must be associated with it. This establishes the logical structure for the new physical location.

  2. Create a site link: After creating the new site, a site link is necessary to connect 'RemoteSite1' to the existing Active Directory site(s). This directly addresses the requirement to 'control the AD DS replication schedule to the Server1', as replication schedules and costs between sites are defined on site links.

  3. Pre-create an RODC account: This action is crucial for meeting the requirement that 'a user named User1 can perform the RODC installation on Server1' while using the 'principle of least privilege'. By pre-creating the RODC computer account in Active Directory, a Domain Administrator stages the RODC object, delegating the final installation process to a user with fewer privileges (User1, who is a local administrator on Server1). This avoids granting User1 unnecessary Domain Admin rights.
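The three preparatory actions above, carried out with the Windows PowerShell cmdlets that correspond to them. This is an added example, not part of the original question or explanation; it assumes the ActiveDirectory and ADDSDeployment modules are installed, that it runs as a Domain Admin on a writable domain controller or an RSAT workstation, that the forest's existing site still carries the default name Default-First-Site-Name, and that the datacenter subnet 10.20.0.0/16 is a constructed value.

```powershell
# Added example (not from the question page). Assumptions: ActiveDirectory and
# ADDSDeployment modules present; run as a Domain Admin against contoso.com;
# the existing site is Default-First-Site-Name; the subnet below is constructed.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$existingSite = 'Default-First-Site-Name'   # assumption: the forest's original site
$newSite      = 'RemoteSite1'
$newSubnet    = '10.20.0.0/16'              # constructed: the new datacenter's range

# Step 1: create the site and associate the datacenter subnet with it, so that
# Server1 (and clients on that subnet) are placed in RemoteSite1.
New-ADReplicationSite   -Name $newSite
New-ADReplicationSubnet -Name $newSubnet -Site $newSite

# Step 2: connect the two sites with a site link. The replication schedule and
# interval live on the link; here replication is allowed daily from 20:00 to 23:45.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Twenty,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)

New-ADReplicationSiteLink -Name "$existingSite-$newSite" `
    -SitesIncluded $existingSite, $newSite `
    -InterSiteTransportProtocol IP `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 180 `
    -ReplicationSchedule $schedule

# Step 3: pre-stage the RODC computer account in RemoteSite1 and delegate the
# promotion to User1. User1 needs no domain-level group membership for this;
# the delegation is recorded in the account's managedBy attribute.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'Server1' `
    -DomainName 'contoso.com' `
    -SiteName $newSite `
    -DelegatedAdministratorAccountName 'CONTOSO\User1'

# Check the staged object: primaryGroupID 521 is the "Read-only Domain
# Controllers" group, and managedBy should point at User1.
Get-ADComputer -Identity 'Server1' -Properties managedBy, primaryGroupID |
    Select-Object Name, managedBy, primaryGroupID

# Final execution step (the action the question leaves outside the three-step
# plan): User1 runs this on Server1 with their own credentials, attaching to the
# pre-created account rather than creating a new one.
# Install-ADDSDomainController -DomainName 'contoso.com' -UseExistingAccount `
#     -Credential (Get-Credential 'CONTOSO\User1')
```

The order matters for the same reason the explanation gives: the site must exist before the RODC account can be stamped with `-SiteName RemoteSite1`, and the site link must exist before the KCC can build the inter-site connection that the staged RODC will use once promoted.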

The action 'Instruct User1 to run the Active Directory Domain Services installation Wizard on Server1' is the final execution step, not a preparatory recommendation, and is typically not included in such 'three-action' preparatory sequences. The action 'Add User1 to the Contoso\Administrators group' is incorrect because it violates the principle of least privilege.

Common mistakes.

  • Including 'Add User1 to the Contoso\Administrators group'. This directly violates the 'principle of least privilege' requirement: adding User1 to the domain's Administrators group grants administrative rights across the domain, far beyond what a delegated RODC installation needs.

  • Omitting 'Create a site link'. This fails the explicit requirement to 'control the AD DS replication schedule to the Server1', because site links are where inter-site replication schedule, interval and cost are defined.

  • Ordering the actions incorrectly, for example pre-creating the RODC account before establishing the site topology. The RODC account is placed in a site when it is staged, so the site must exist first.

  • Including 'Instruct User1 to run the Active Directory Domain Services installation Wizard on Server1' as one of the three steps. In this type of question the focus is on the preparatory configuration steps, not the final execution step.

Concept tested. Active Directory Domain Services (AD DS) site and replication topology management, Read-Only Domain Controller (RODC) deployment methods, delegation of administration, and the principle of least privilege in identity management.

Topics

#Active Directory Domain Services (AD DS) · #Read-Only Domain Controller (RODC) · #Active Directory Sites and Services · #Principle of Least Privilege
