2026 New 70-744 Exam Dumps with PDF and VCE Free: https://www.2passeasy.com/dumps/70-744/
NEW QUESTION 1
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021 and a Nano Server named Nano1. Nano1 has two volumes named C and D.
You are signed in to Server1.
You need to configure Data Deduplication on Nano1. Which tool should you use?
- A. File Explorer
- B. Shared Folders
- C. Server Manager
- D. Disk Management
- E. Storage Explorer
- F. Computer Management
- G. System Configuration
- H. File Server Resource Manager (FSRM)
Answer: C
Explanation: Either use PowerShell Remoting to Nano1 and run the “Enable-DedupVolume” cmdlet (there is no such choice for this question), or, from Server1, connect its Server Manager to remotely manage Nano1 and enable Data Deduplication for volumes on Nano1.
https://channel9.msdn.com/Series/Nano-Server-Team/Server-Manager-managing-Nano-Server
NEW QUESTION 2
Your network contains an Active Directory domain named contoso.com. The domain contains five servers. All servers run Windows Server 2021.
A new security policy states that you must modify the infrastructure to meet the following requirements:
* Limit the rights of administrators.
* Minimize the attack surface of the forest.
* Support Multi-Factor authentication for administrators.
You need to recommend a solution that meets the new security policy requirements. What should you recommend deploying?
- A. an administrative forest
- B. domain isolation
- C. an administrative domain in contoso.com
- D. the Local Administrator Password Solution (LAPS)
Answer: A
Explanation: You have to “Minimize the attack surface of the forest”, so you must create another forest for administrators.
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM
This section contains an approach for an administrative forest based on the Enhanced Security Administrative Environment (ESAE) reference architecture deployed by Microsoft’s cybersecurity professional services teams to protect customers against cybersecurity attacks.
Dedicated administrative forests allow organizations to host administrative accounts, workstations, and groups in an environment that has stronger security controls than the production environment.
NEW QUESTION 3
You have the Windows Server 2021 operating system images shown in the following table.
Your company’s security policy states that you must minimize the attack surface when provisioning new servers.
You need to deploy a Host Guardian Service cluster. Which image should you use for the deployment?
- A. image1
- B. image2
- C. image3
- D. image4
Answer: C
Explanation: https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-prepare-for-hgs
Prerequisites
Hardware: HGS can be run on physical or virtual machines, but physical machines are recommended. If you want to run HGS as a three-node physical cluster (for availability), you must have three physical servers. (As a best practice for clustering, the three servers should have very similar hardware.)
Operating system: Windows Server 2021, Standard or Datacenter edition. (So you cannot use Server Core or Nano Server for running Host Guardian Service.)
Server Roles: Host Guardian Service and supporting server roles.
Configuration permissions/privileges for the fabric (host) domain: You will need to configure DNS forwarding between the fabric (host) domain and the HGS domain.
If you are using Admin-trusted attestation (AD mode), you will need to configure an Active Directory trust between the fabric domain and the HGS domain.
NEW QUESTION 4
You have a server named Server1 that runs Windows Server 2021.
You need to identify the default action for the inbound traffic when Server1 connects to the domain. Which cmdlet should you use?
- A. Get-NetIPSecRule
- B. Get-NetFirewallRule
- C. Get-NetFirewallProfile
- D. Get-NetFirewallSetting
- E. Get-NetFirewallPortFilter
- F. Get-NetFirewallAddressFilter
- G. Get-NetFirewallApplicationFilter
Answer: C
NEW QUESTION 5
Your network contains two single-domain Active Directory forests named contoso.com and contosoadmin.com. Contosoadmin.com contains all of the user accounts used to manage the servers in contoso.com.
You need to recommend a workstation solution that provides the highest level of protection from vulnerabilities and attacks.
What should you include in the recommendation?
- A. Provide a Privileged Access Workstation (PAW) for each user account in both forests. Join each PAW to the contoso.com domain.
- B. Provide a Privileged Access Workstation (PAW) for each user in the contoso.com forest. Join each PAW to the contoso.com domain.
- C. Provide a Privileged Access Workstation (PAW) for each administrator. Join each PAW to the contoso.com domain.
- D. Provide a Privileged Access Workstation (PAW) for each administrator. Join each PAW to the contosoadmin.com domain.
Answer: D
Explanation: https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material
NEW QUESTION 6
DRAG DROP
You have two servers named Server1 and Server2 that run Windows Server 2021. The servers are in a workgroup.
You need to create a security template that contains the security settings of Server1 and to apply the template to Server2. The solution must minimize administrative effort.
Which snap-in should you use for each server? To answer, drag the appropriate snap-ins to the correct servers. Each snap-in may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Answer:
Explanation: References:
https://www.windows-server-2012-r2.com/security-templates.html
NEW QUESTION 7
Note: This question is part of a series of questions that use the same or similar answer choices. An answer choice may be correct for more than one question in the series. Each question is independent of the other questions in this series. Information and details provided in a question apply only to that question.
Your network contains an Active Directory domain named contoso.com. The domain contains a file server named Server1 that runs Windows Server 2021.
You need to create Work Folders on Server1. Which tool should you use?
- A. File Explorer
- B. Shared Folders
- C. Server Manager
- D. Disk Management
- E. Storage Explorer
- F. Computer Management
- G. System Configuration
- H. File Server Resource Manager (FSRM)
Answer: C
NEW QUESTION 8
HOTSPOT
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain. You install the ATA Gateway on a server named Server1.
To assist in detecting Pass-the-Hash attacks, you plan to configure ATA Gateway to collect events. You need to configure the query filter for event subscriptions on Server1.
How should you configure the query filter? To answer, select the appropriate options in the answer area.
Answer:
Explanation: https://docs.microsoft.com/en-us/advanced-threat-analytics/configure-event-collection
To enhance detection capabilities, ATA needs the following Windows events: 4776, 4732, 4733, 4728, 4729, 4756, 4757. These can either be read automatically by the ATA Lightweight Gateway or, in case the ATA Lightweight Gateway is not deployed, they can be forwarded to the ATA Gateway in one of two ways: by configuring the ATA Gateway to listen for SIEM events or by configuring Windows Event Forwarding.
Event ID: 4776 NTLM authentication is being used against domain controller
Event ID: 4732 A User is Added to Security-Enabled DOMAIN LOCAL Group
Event ID: 4733 A User is removed from Security-Enabled DOMAIN LOCAL Group
Event ID: 4728 A User is Added or Removed from Security-Enabled Global Group
Event ID: 4729 A User is Removed from Security-Enabled GLOBAL Group
Event ID: 4756 A User is Added or Removed From Security-Enabled Universal Group
Event ID: 4757 A User is Removed From Security-Enabled Universal Group
NEW QUESTION 9
Your network has an internal network and a perimeter network. Only the servers on the perimeter network can access the Internet. You create a Microsoft Operations Management Suite (OMS) instance in Microsoft Azure.
You deploy Microsoft Monitoring Agent to all the servers on both the networks. You discover that only the servers on the perimeter network report to OMS. You need to ensure that all the servers report to OMS.
What should you do?
- A. Install a Web Application Proxy on the perimeter network and install an OMS Gateway on the internal network. Publish the OMS Gateway from the Web Application Proxy.
- B. Install a Web Application Proxy and an OMS Gateway on the perimeter network. Publish the OMS Gateway from the Web Application Proxy.
- C. Configure the network firewalls to allow the internal servers to access the IP addresses of the Azure OMS instance by using TCP port 443.
- D. On the internal servers, run the Add-AzureRmUsageConnect cmdlet and specify the -AdminUri parameter.
Answer: A
Explanation: References:
https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway
NEW QUESTION 10
HOTSPOT
You are implementing Privileged Access Management (PAM) for an Active Directory forest named contoso.com.
You install a bastion forest named adatum.com, and you establish a trust between the forests.
You need to create a group in contoso.com that will be used by Microsoft Identity Manager to create groups in adatum.com.
How should you configure the group? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:
Explanation: References:
https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment
The production forest is contoso.com. The bastion forest is adatum.com.
A security group on the local domain (contoso.com):
There must be a group in the existing domain, whose name is the NetBIOS domain name followed by three dollar signs, e.g., CONTOSO$$$.
The group scope must be domain local and the group type must be Security.
This is needed for groups to be created in the dedicated administrative forest (adatum.com) with the same security identifier as groups in this domain (contoso.com).
Create this group with the following command:
New-ADGroup -Name 'CONTOSO$$$' -GroupCategory Security -GroupScope DomainLocal -SamAccountName 'CONTOSO$$$'
After this, MIM can create the “Shadow Group” in the bastion adatum.com forest.
NEW QUESTION 11
HOTSPOT
Note: This question is part of a series of questions that use the same scenario. For your convenience, the scenario is repeated in each question. Each question presents a different goal and answer choices, but the text of the scenario is exactly the same in each question in this series.
Start of repeated scenario.
Your network contains an Active Directory domain named contoso.com. The functional level of the forest and the domain is Windows Server 2008 R2.
The domain contains the servers configured as shown in the following table.
All servers run Windows Server 2021. All client computers run Windows 10.
You have an organizational unit (OU) named Marketing that contains the computers in the marketing department. You have an OU named Finance that contains the computers in the finance department. You have an OU named AppServers that contains application servers. A Group Policy object (GPO) named GP1 is linked to the Marketing OU. A GPO named GP2 is linked to the AppServers OU. You install Windows Defender on Nano1.
End of repeated scenario.
You need to configure Nano1 as a Hyper-V host.
Which command should you run? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
References:
https://docs.microsoft.com/en-us/windows-server/get-started/deploy-nano-server
NEW QUESTION 12
Your network contains an Active Directory domain named contoso.com. You create a Microsoft Operations Management Suite (OMS) workspace. You need to connect several computers directly to the workspace.
Which two pieces of information do you require? Each correct answer presents part of the solution.
- A. the ID of the workspace
- B. the name of the workspace
- C. the URL of the workspace
- D. the key of the workspace
Answer: A
NEW QUESTION 13
Your network contains an Active Directory domain named contoso.com.
The domain contains a member server named Servers that runs Windows Server 2021. You need to configure Servers as a Just Enough Administration (JEA) endpoint.
Which two actions should you perform? Each correct answer presents part of the solution.
- A. Create and export a Windows PowerShell session.
- B. Deploy Microsoft Identity Manager (MIM) 2021
- C. Create a maintenance Role Capability file
- D. Generate a random Globally Unique Identifier (GUID)
- E. Create and register a session configuration file.
Answer: CE
Explanation: https://docs.microsoft.com/en-us/powershell/jea/role-capabilities
https://docs.microsoft.com/en-us/powershell/jea/register-jea
NEW QUESTION 14
Your company has an accounting department.
The network contains an Active Directory domain named contoso.com. The domain contains 10 servers.
You deploy a new server named Server11 that runs Windows Server 2021.
Server11 will host several network applications and network shares used by the accounting department.
You need to recommend a solution for Server11 that meets the following requirements:
- Protects Server11 from address spoofing and session hijacking
- Allows only the computers in the accounting department to connect to Server11
What should you recommend implementing?
- A. AppLocker rules
- B. Just Enough Administration (JEA)
- C. connection security rules
- D. Privileged Access Management (PAM)
Answer: C
Explanation: In an IPsec connection security rule, the IPsec protocol verifies the sending host's IP address by using integrity functions such as digitally signing all packets.
If unsigned packets arrive at Server11, they are possibly packets with a spoofed source address. When you use a connection security rule in conjunction with inbound firewall rules, you can drop those unsigned packets with the action “Allow connection if it is secure” to prevent spoofing and session hijacking attacks.
NEW QUESTION 15
Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2021.
You have an organizational unit (OU) named Administration that contains the computer account of Server1.
You import the Active Directory module to Server1.
You create a Group Policy object (GPO) named GPO1. You link GPO1 to the Administration OU. You need to log an event each time an Active Directory cmdlet is executed successfully from Server1. What should you do?
- A. From Advanced Audit Policy in GPO1, configure auditing for other privilege use events.
- B. Run the Add-NetEventProvider -Name “Microsoft-Active-Directory” -MatchAnyKeyword PowerShell command.
- C. From Advanced Audit Policy in GPO1, configure auditing for directory service changes.
- D. From Administrative Templates in GPO1, configure a Windows PowerShell policy.
Answer: D
Explanation: In the following GPO location, you can enable the setting “Turn on Module Logging” to record an event each time PowerShell executes a cmdlet of a specific PowerShell module, for example “ActiveDirectory”:
“Computer Configuration\Administrative Templates\Windows Components\Windows PowerShell”
NEW QUESTION 16
Your network contains an Active Directory domain named contoso.com. The domain contains 1,000 client computers that run Windows 8.1 and 1,000 client computers that run Windows 10.
You deploy a Windows Server Update Services (WSUS) server. You create a computer group for each organizational unit (OU) that contains client computers. You configure all of the client computers to receive updates from WSUS.
You discover that all of the client computers appear in the Unassigned Computers computer group in the Update Services console.
You need to ensure that the client computers are added automatically to the computer group that corresponds to the location of the computer account in Active Directory.
Which two actions should you perform? Each correct answer presents part of the solution.
- A. From Group Policy objects (GPOs), configure the Enable client-side targeting setting.
- B. From the Update Services console, configure the Computers option.
- C. From Active Directory Users and Computers, create a domain local distribution group for each WSUS computer group.
- D. From Active Directory Users and Computers, modify the flags attribute of each OU.
- E. From the Update Services console, run the WSUS Server Configuration Wizard.
Answer: AB
NEW QUESTION 17
DRAG DROP
Your network contains an Active Directory domain named contoso.com. The domain contains several Hyper-V hosts.
You deploy a server named Server22 to a workgroup. Server22 runs Windows Server 2021. You need to configure Server22 as the primary Host Guardian Service server.
Which three cmdlets should you run in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.
Answer:
Explanation: References:
https://docs.microsoft.com/en-us/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-setting-up-the-host-guardian-service-hgs