AZ-801 Question #63: Real Exam Question with Answer & Explanation
Question
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains the organizational units (OUs) shown in the following table.

Name: Contents
Domain Controllers: All the domain controllers in the domain
Domain Servers: All the servers that run Windows Server in the domain
Domain Client Computers: All the client computers that run Windows 10 in the domain
Domain Users: All the users in the domain

In the domain, you create the Group Policy Objects (GPOs) shown in the following table.

Name: IPsec setting
GPO1: Require authentication by using Kerberos V5 for inbound connections
GPO2: Request authentication by using Kerberos V5 for inbound connections
GPO3: Require authentication by using X.509 certificates for inbound connections
GPO4: Request authentication by using X.509 certificates for inbound connections

You need to implement IPsec authentication to ensure that only authenticated computer accounts can connect to the members in the domain. The solution must minimize administrative effort.

Which GPOs should you apply to the Domain Controllers OU and the Domain Servers OU? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.
Explanation
This question tests knowledge of IPsec connection security rule modes ('Require' vs 'Request') and authentication methods (Kerberos V5 vs X.509 certificates) in a Windows Server AD DS environment. The correct answer is to apply GPO1 (Require Kerberos V5) to both the Domain Controllers OU and the Domain Servers OU.
Approach. GPO1 ('Require authentication using Kerberos V5') is correct for both OUs for two reasons. First, 'Require' enforces strict authentication - it blocks any inbound connection that cannot authenticate, which is the only way to guarantee that ONLY authenticated computer accounts can connect; 'Request' (GPO2/GPO4) is a soft mode that falls back to unauthenticated traffic if the peer doesn't support IPsec, failing the stated security goal. Second, Kerberos V5 is the native authentication protocol for AD DS domain-joined machines - every domain controller and domain server already participates in Kerberos with no additional infrastructure required, minimizing administrative effort. X.509 certificates (GPO3/GPO4) would require deploying and maintaining a PKI (Certificate Authority), which adds significant administrative overhead.
Concept tested. IPsec Connection Security Rules in Group Policy - specifically the behavioral difference between 'Require Authentication' (blocks unauthenticated peers) and 'Request Authentication' (allows fallback to clear text), combined with the trade-off between Kerberos V5 (zero additional infrastructure for domain-joined machines) and X.509/certificate-based authentication (requires PKI deployment).
Reference. Microsoft Learn: 'Connection Security Rules' and 'IPsec Policy Design' under Windows Server Group Policy / Windows Defender Firewall with Advanced Security documentation.
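The following PowerShell is an added example, not part of the question or of any Microsoft documentation: it builds the "Require Kerberos V5 for inbound connections" rule that GPO1 describes, places the weaker "Request" form in GPO2 beside it so the InboundSecurity difference is visible, and links GPO1 to both OUs. The domain name and GPO names come from the question; the rule and auth-set display names and the "Domain Servers" OU distinguished name are assumptions.

```powershell
# Added example. Assumes a domain-joined admin host with the NetSecurity and
# GroupPolicy modules, and that GPO1 and GPO2 already exist in contoso.com.
# Display names and the 'Domain Servers' OU DN are assumptions for illustration.

# Kerberos V5 computer-account authentication: every domain-joined machine already
# has a Kerberos identity, so no PKI is needed (contrast GPO3/GPO4).
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos

# GPO1: REQUIRE authentication inbound. A peer that cannot authenticate is blocked,
# which is what "only authenticated computer accounts can connect" demands.
$authSet1 = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos V5' `
    -Proposal $kerbProposal -PolicyStore 'contoso.com\GPO1'
New-NetIPsecRule -DisplayName 'Require inbound Kerberos V5' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet1.Name -Profile Domain `
    -PolicyStore 'contoso.com\GPO1'

# GPO2 (for contrast): REQUEST authentication inbound. Peers without IPsec support
# still connect in the clear, so this mode does not meet the stated requirement.
$authSet2 = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos V5' `
    -Proposal $kerbProposal -PolicyStore 'contoso.com\GPO2'
New-NetIPsecRule -DisplayName 'Request inbound Kerberos V5' `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $authSet2.Name -Profile Domain `
    -PolicyStore 'contoso.com\GPO2'

# Check: confirm the mode actually stored in each GPO before linking anything.
foreach ($gpo in 'GPO1', 'GPO2') {
    Get-NetIPsecRule -PolicyStore "contoso.com\$gpo" |
        Select-Object @{n = 'GPO'; e = { $gpo }}, DisplayName,
                      InboundSecurity, OutboundSecurity
}

# The answer: GPO1 (Require Kerberos V5) linked to both OUs.
# 'Domain Controllers' is the built-in OU; the 'Domain Servers' DN is assumed.
New-GPLink -Name 'GPO1' -Target 'OU=Domain Controllers,DC=contoso,DC=com'
New-GPLink -Name 'GPO1' -Target 'OU=Domain Servers,DC=contoso,DC=com'

# On a member after gpupdate, established main-mode SAs confirm IPsec is in use.
Get-NetIPsecMainModeSA
```

Apply the Require rule to a pilot set of servers first: any host that cannot complete Kerberos authentication (for example, a non-domain device that must reach a server) loses connectivity the moment the policy refreshes.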