ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam 70-742 All Questions

View all questions & answers for the 70-742 exam
Go to Exam

Exam 70-742 topic 1 question 65 discussion

Actual exam question from Microsoft's 70-742
Question #: 65
Topic #: 1
[All 70-742 Questions]

HOTSPOT -
Your network contains an Active Directory forest named contoso.com. The forest contains the root domain and two child domains named child1.contoso.com and child2.contoso.com.
Child1 contains three domain controllers named DC1, DC2, and DC3. Child2 contains one domain controller named DC4.
You have two accounts named Child1\Admin1 and Child2\Admin2 that you use to perform administrative tasks. Currently, the accounts can manage only the member servers in their respective domain.
You plan to demote DC3 and to remove the Child2 domain.
You need to ensure that Admin1 can demote DC3 and that Admin2 can demote DC4. The solution must use the principle of least privilege.
To which groups should you add Admin1 and Admin2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Show Suggested Answer Hide Answer
Suggested Answer:
References:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/demoting-domain-controllers-and-domains--level-200-
by minajahan at Nov. 2, 2019, 7:18 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
ITGEEK
Highly Voted 5 years, 4 months ago
I believe answer is correct. 1.Admin1: child1\domain admins --Demoting a domain controller requires Domain Admin credentials 2.Admin2: Contoso\EnterpriseAdmins -- Since in Child2 there is only one domain controller, Demoting the last domain controller in a domain requires Enterprise Admins group membership, as this removes the domain itself. https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/identity/ad-ds/deploy/AD-DS-Installation-and-Removal-Wizard-Page-Descriptions.md
upvoted 18 times
...
VeiN
Most Recent 4 years, 9 months ago
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/demoting-domain-controllers-and-domains--level-200- In Demotion and role removal with PowerShell part is written: The -credential argument is only required if you are not already logged on as a member of the Enterprise Admins group (demoting last DC in a domain) or the Domain Admins group (demoting a replica DC) Those requirements are the same for every method of demoting so the answer is correct.
upvoted 2 times
...
AZ764
5 years, 2 months ago
Updated info link: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/demoting-domain-controllers-and-domains--level-200- Answer is correct. Removing DC4 removes the entire domain. You would need enterprise admin privileges since you are now modifying the forest, and not just the domain
upvoted 4 times
lbs
5 years ago
I agree. Answer is correct
upvoted 2 times
...
...
adasko
5 years, 3 months ago
the key is last privilege. So the answer is correct. As to only remove a dc3 requires child domain membership
upvoted 2 times
...
Ozguraydin
5 years, 5 months ago
My opinion is the answer should be Child1\Domain Admin, Contoso\Domain Admin.
upvoted 3 times
...
coleman
5 years, 6 months ago
given answer is wrong .. Admin1: Contoso \Enterprise Admins Admin2: Child2 \Domain Admins
upvoted 1 times
coleman
5 years, 6 months ago
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/demoting-domain-controllers-and-domains--level-200- "Admin2 can demote DC4." Demoting a replica domain controller DC4 requires only Domain Admins membership at the "child2.contoso.com" child domain. "Admin1 can demote DC3 to remove the Child2 domain". Demoting the last domain controller DC3 in a domain requires Enterprise Admins group membership at the forest root domain "contoso.com"
upvoted 1 times
simcauley
5 years, 5 months ago
I think you have confused yourself. Admin1 is demoting DC3 in Child1 and there are still 2 other DCs so Domain Admins is fine. Admin2 is demoting DC4 which will remove the last DC in the Child2 domain therefore we require Enterprise Admins.
upvoted 18 times
...
...
...
minajahan
5 years, 7 months ago
Both admins have same things to do; why they have to be in different groups?
upvoted 2 times
minajahan
5 years, 7 months ago
So it "remove the Child2 domain" that Admin2 has to do.... So should be Enterprise Admin.
upvoted 3 times
GenjamBhai
4 years, 10 months ago
Ans is lk Admin1 is demoting DC3 in Child1 and there are still 2 other DCs = Domain Admins Admin2 is demoting DC4 which will remove the last DC in the Child2 domain = Enterprise Admins.
upvoted 5 times
...
...
Honken
5 years, 6 months ago
Since DC4 is the only DC in Child2, this will remove the domain as well.
upvoted 4 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel