AZ-800 Question #312: Real Exam Question with Answer & Explanation

Question

Your network contains an Active Directory Domains Services (AD DS) forest named adatum.com. Adatum.com contains the users shown in the following table. You deploy a workgroup server named RODC1 that runs Windows Server. RODC1 contains a user named User4 that is a member of the local Administrators group. You pre-create a read-only domain controller (RODC) account named RODC1 in east.adatum.com and delegate RODC installation and administration permissions to User3. You sign-in to RODC1 as User4. Which credentials can be used to promote RODC1 to a RODC in east.adatum.com?

Options

• AUser3 only
• BUser3 and User1 only
• CUser3 and User2 only
• DUser1, User2, and User3

Explanation

{"question_number": 1, "correct_answer": "C", "explanation": "When an RODC computer account is pre-created in a domain (east.adatum.com) and installation/administration is delegated to a specific user (User3), only two sets of credentials can complete the RODC promotion: (1) the explicitly delegated user - User3, and (2) a Domain Admin of that specific child domain - User2. User4 is only a local workgroup administrator on RODC1 and holds no domain privileges whatsoever, so User4's credentials cannot promote the server. User1 is a Domain Admin in the parent domain (adatum.com) but not in the child domain (east.adatum.com), so User1 lacks the required administrative authority in that specific domain partition. The pre-staged delegation model is intentionally restrictive: it allows a non-admin user (User3) to attach the server without granting broad enterprise credentials, while also allowing the domain's own admins (User2) to do so.", "generated_by": "claude-sonnet", "llm_judge_score": 4}

No community discussion yet for this question.