An Azure Resource Manager (ARM) template is an Infrastructure as Code (IaC) file used to declaratively define and deploy Azure resources. To automate the deployment of 100 virtual machines and ensure they are joined to an on-premises Active Directory Domain Services (AD DS) domain, an ARM template is the most suitable tool. The template can include the JsonADDomainExtension virtual machine extension. This extension runs a script during the VM provisioning process that automatically joins the machine to the specified AD DS domain, providing a scalable and consistent deployment method.

A. Azure AD Connect: This tool synchronizes identity objects between an on-premises AD DS and Azure AD. It does not deploy or configure Azure virtual machines.

B. a Group Policy Object (GPO): GPOs apply configuration settings to computers that are already members of an AD DS domain. They cannot be used to perform the initial domain join action.

D. an Azure management group: Management groups are a governance tool for organizing Azure subscriptions and applying policies or access controls at scale. They do not directly deploy or configure resources.

1. Microsoft Docs

"JsonADDomainExtension for Windows": This document describes the VM extension used to join an Azure VM to an Active Directory domain. The "Template deployment" section explicitly states

"Azure VM extensions can be deployed with Azure Resource Manager templates."

Reference: Microsoft Corporation. (n.d.). JsonADDomainExtension for Windows. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/json-ad-domain-extension

2. Microsoft Docs

"Tutorial: Create an Azure VM that is joined to a domain": This official tutorial provides a step-by-step guide that uses an ARM template and the JsonADDomainExtension to automate the creation of a Windows Server VM and join it to a domain.

Reference: Microsoft Corporation. (n.d.). Tutorial: Create an Azure VM that is joined to a domain. Microsoft Learn. See the "Deploy the template" section. Retrieved from https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain#deploy-the-template

3. Microsoft Docs

"What is Azure AD Connect?": This document defines the purpose of Azure AD Connect

clarifying that it is for synchronizing on-premises directories with Azure AD and is not involved in resource deployment.

Reference: Microsoft Corporation. (n.d.). What is Azure AD Connect?. Microsoft Learn. See the "What is Azure AD Connect?" section. Retrieved from https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/whatis-azure-ad-connect

In an Azure Active Directory Domain Services (Azure AD DS) managed domain, the AAD DC Administrators group is specifically designed to delegate administrative tasks. Members of this group are granted permissions to perform domain administration, which includes creating, editing, and linking Group Policy Objects (GPOs) for custom Organizational Units (OUs). Assigning the administrator to this group provides the necessary permissions to manage GPOs without granting excessive privileges, thereby adhering to the principle of least privilege. Privileges for groups like Domain Admins and Enterprise Admins are reserved by the service and cannot be assigned to users.

B. Domain Admins: In Azure AD DS, users cannot be added to the Domain Admins group, as these permissions are reserved for the managed service to operate the domain.

C. Schema Admins: This group has permissions to modify the Active Directory schema, which is far beyond what is needed for GPO management and is a restricted group in Azure AD DS.

D. Enterprise Admins: Similar to Domain Admins, users cannot be added to the Enterprise Admins group in Azure AD DS; these elevated permissions are reserved for the service.

E. Group Policy Creator Owners: This group can create GPOs but can only manage the GPOs they create. It lacks the broader permissions to manage all GPOs or link them, which is required for full administration.

1. Microsoft Learn. (2023). Administer Group Policy on an Azure Active Directory Domain Services managed domain. In "Tutorials > Identity > Azure AD Domain Services". Retrieved from https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy.

Reference Point: In the "Before you begin" section

it explicitly states: "To create and configure GPOs

you need to be signed in to a user account that's a member of the AAD DC Administrators group in your Azure AD tenant."

2. Microsoft Learn. (2023). Administration concepts for an Azure Active Directory Domain Services managed domain. In "Concepts > Security". Retrieved from https://learn.microsoft.com/en-us/azure/active-directory-domain-services/concepts-delegation.

Reference Point: Under the "AAD DC Administrators group" section

it lists the privileges for members

including: "Create and administer Group Policy Objects (GPOs) in the custom GPO container."

3. Microsoft Learn. (2023). Frequently asked questions (FAQs) about Azure Active Directory Domain Services. In "Troubleshoot". Retrieved from https://learn.microsoft.com/en-us/azure/active-directory-domain-services/faqs.

Reference Point: Under the "Administration and operations" section

the FAQ "Can I get domain administrator or enterprise administrator privileges for the managed domain that Azure AD DS creates?" is answered with: "No. You aren't granted domain administrator or enterprise administrator permissions on the managed domain." This confirms options B and D are incorrect.

No: DC1 and DC3 are in non-adjacent sites (Site1 and Site3) separated by Site2. While replication is transitive (changes eventually reach DC3), they do not form a direct replication partnership (connection object) because they do not share a site or a direct site link.

No: Active Directory Inter-Site replication only load balances traffic if multiple paths have identical costs. In this scenario, the KCC will exclusively select SiteLink4 (Cost: 20) because it is cheaper than SiteLink3 (Cost: 60).

No: By default, the "Bridge all site links" option is enabled in the IP intersite transport container. This allows the KCC to treat the network as fully routed and automatically calculate a transitive replication path from Site4 to Site2 via Site1. As DC1 is the only bridgehead in Site1, traffic is naturally routed through it without requiring any configuration changes.

Microsoft Learn: Creating a Site Link Bridge Design. "By default, all site links are transitive... Bridge all site links (enabled by default)."

Microsoft Learn: Determining the Cost. "The KCC uses the cost to determine the cheapest route for replication... If multiple routes have the same cost, the KCC load balances..."

No: An Azure File Sync sync group must contain exactly one cloud endpoint (Azure file share). Since Group1 already uses share1, you cannot add share2 to it. You would need to create a new sync group for share2.

No: While a registered server can participate in multiple sync groups, a sync group can contain only one server endpoint per registered server. Since Server1 already has an endpoint (D:\Folder1) in Group1, you cannot add a second endpoint from the same server (E:\Folder2) to the same group.

Yes: The primary purpose of Azure File Sync is to sync files across multiple locations. You can add server endpoints from different registered servers (like Server2) to the same sync group to keep them in sync with the cloud endpoint.

Microsoft Learn - Planning for an Azure File Sync deployment: "A sync group defines the sync topology for a set of files... A sync group must contain one cloud endpoint, which represents an Azure file share and one or more server endpoints."

Source: https://learn.microsoft.com/en-us/azure/storage/file-sync/file-sync-planning

Microsoft Learn - Create a sync group and a cloud endpoint: confirms the one-to-one relationship between a sync group and a cloud endpoint.

Source: https://learn.microsoft.com/en-us/azure/storage/file-sync/file-sync-deployment-guide?tabs=azure-portal#create-a-sync-group-and-a-cloud-endpoint

In an Active Directory Domain Services (AD DS) environment, the PDC Emulator (Primary Domain Controller Emulator) operations master role is responsible for acting as the authoritative time source for the domain. All other domain controllers synchronize their clocks with the PDC Emulator. Therefore, to configure DC3 as the authoritative time server, you must transfer the PDC Emulator role to it.

The PDC Emulator role is a domain-level Flexible Single Master Operation (FSMO) role. It is managed and transferred using the Active Directory Users and Computers console. You would right-click the domain object within this console, select "Operations Masters," and initiate the transfer under the PDC tab.

Microsoft Learn. (2024). FSMO placement and optimization on Active Directory domain controllers. Retrieved from https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/fsmo-placement-and-optimization-on-ad-dcs (Section: "PDC emulator")

Microsoft Learn. (2023). How to configure an authoritative time server in Windows Server. Retrieved from https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/configure-authoritative-time-server

Microsoft Learn. (2024). View and transfer FSMO roles. Retrieved from https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/view-transfer-fsmo-roles (Table: "FSMO roles and the snap-ins to manage them")

Yes: User1 is located in OU1, which is selected for synchronization in the "Domain and OU filtering" settings. Consequently, the user identity exists in Azure AD. The "Ready to configure" screen shows that Password writeback is enabled. Password writeback is a prerequisite for Self-Service Password Reset (SSPR) to function for synchronized users.

Yes: The configuration shows that Pass-through authentication (PTA) is being enabled. In the PTA method, when a user signs in, the password is validated directly against the on-premises Active Directory Domain Controller by an authentication agent. This contrasts with Password Hash Sync, where authentication occurs in the cloud.

No: User2 is located in OU2. In the "Domain and OU filtering" settings, OU2 is unchecked, meaning User2 is filtered out and not synchronized to the Azure AD tenant. You cannot add a user to an Azure AD group (Group1) if that user object does not exist in the Azure AD directory.

Microsoft Learn - Microsoft Entra Connect sync: Configure filtering:

Section: Domain and OU-based filtering

"The domain and OU-based filtering option allows you to select specific domains and OUs to synchronize... If an OU is not selected, the users and groups in that OU are not synchronized."

URL: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-configure-filtering#domain-and-ou-based-filtering

Microsoft Learn - User sign-in with Microsoft Entra Pass-through Authentication:

Section: Feature highlights

"Pass-through Authentication validates users' passwords directly against your on-premises Active Directory."

URL: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-pta

Microsoft Learn - Tutorial: Enable Microsoft Entra self-service password reset writeback:

Section: Enable password writeback in Microsoft Entra Connect

Confirming that enabling the "Password writeback" option in the synchronization settings is the required step to allow password changes in the cloud to be written back to the on-premises directory.

URL: https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-sspr-writeback

In Azure Active Directory Domain Services (Azure AD DS), the service manages the underlying domain controllers, so traditional "Domain Admin" or "Enterprise Admin" privileges are not available to users. Instead, administrative tasks—such as creating and linking Group Policy Objects (GPOs)—are delegated specifically to members of the AAD DC Administrators group. You must sign in with an account in this group to perform these actions.

The objective is to set a password policy for local user accounts on the virtual machines. Local account settings are controlled via the "Computer Configuration" section of a GPO. By default, when a virtual machine joins an Azure AD DS managed domain, its computer object is placed in the AADDC Computers organizational unit (OU). Therefore, to apply the GPO to these VMs, it must be linked to the AADDC Computers OU.

Microsoft Learn. "Administer Group Policy in an Azure Active Directory Domain Services managed domain." Microsoft Entra. Accessed February 10, 2026.

Relevance: Section "Before you begin" states: "You need a user account that's a member of the AAD DC Administrators group in your tenant to administer Group Policy."

Microsoft Learn. "Create and manage organizational units (OUs) in an Azure Active Directory Domain Services managed domain." Microsoft Entra. Accessed February 10, 2026.

Relevance: Section "Default OUs in a managed domain" confirms: "The AADDC Computers OU contains computer objects for all computers that are joined to the managed domain."

To create a Group Managed Service Account (gMSA), the New-ADServiceAccount cmdlet is required. The scenario states that "Group1 can use Account1." In the context of gMSAs, "using" the account implies the ability of a host (or group of hosts) to retrieve the managed password from Active Directory to start a service running as that account.

The parameter -PrincipalsAllowedToRetrieveManagedPassword specifies the security descriptor that defines which principals (users, groups, or computers) are authorized to retrieve the password for the managed service account. The parameter -PrincipalsAllowedToDelegateToAccount is incorrect as it relates to resource-based constrained delegation, not password retrieval rights.

Microsoft Learn (Official Documentation): "New-ADServiceAccount"

Source: learn.microsoft.com

Relevant Section: Description of -PrincipalsAllowedToRetrieveManagedPassword: "Specifies the set of principals allowed to retrieve the password of the group managed service account."

Microsoft Learn (Official Documentation): "Getting Started with Group Managed Service Accounts"

Source: learn.microsoft.com

Relevant Section: "To create the group managed service account... run the following command: New-ADServiceAccount -Name -DNSHostName -PrincipalsAllowedToRetrieveManagedPassword "

Statement 1 (No): When accessing a file via a network share, the most restrictive permission between Share and NTFS applies (Effective Permissions). While User1 has NTFS Full Control, the Share permissions for Domain Users are limited to Change and Read. The Change permission allows modification and deletion but does not grant the right to Take Ownership or change permissions; Full Control at the share level is required for that.

Statement 2 (Yes): The setting FolderEnumerationMode : AccessBased indicates Access-Based Enumeration (ABE) is enabled. ABE hides files unless a user has Read (or List) permissions. User2 has explicit NTFS Read permission, so the file is visible.

Statement 3 (No): User3 has explicit NTFS Write permission but lacks Read permission. The "Enable inheritance" button in the exhibit confirms inheritance is disabled, and the Domain Users group is not listed in the NTFS ACL, so User3 cannot inherit read rights. Since User3 implies "Write-only" (Drop-box scenario) and cannot read the file, ABE hides it from their view.

Microsoft Learn (Windows Server): Share and NTFS Permissions on a File Server. Explains that the most restrictive permission applies when accessing shared resources and that Change share permission does not include Full Control rights (like taking ownership).

Microsoft Learn (Windows Server): Enable Access-based Enumeration on a Namespace. Confirms that ABE displays only the files and folders that a user has permission to access (specifically requiring Read/List permissions).

Microsoft Official Courseware (AZ-800): Administering Windows Server Hybrid Core Infrastructure. Section on File and Storage Services, covering effective permissions and Access-Based Enumeration logic.

Box 1: An External virtual switch binds to a physical network adapter. The scenario states Server1 has a single network interface, which is already consumed by the existing external switch (VSwitch3, indicated by the network adapter name in the tree). Consequently, you cannot create another external switch. Private and Internal switches are purely software-based and do not require a dedicated physical interface, so multiple instances of these can still be created.

Box 2: Network connectivity for the management operating system (Server1) is determined by the switch type:

• Private (VSwitch1): Isolates VMs from the host. Server1 cannot access these VMs.
• Internal (VSwitch2): permits communication between VMs and the host. Server1 can access these VMs.
• External (VSwitch3): Connects to the physical network. On a single-NIC server, the "Allow management operating system to share this network adapter" setting is standard to maintain host connectivity, placing the host on the switch. Thus, Server1 can access these VMs.

Microsoft Learn. (2023). Create a virtual switch in Hyper-V. Windows Server. Retrieved from https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/connect-to-network

Microsoft Learn. (2022). Hyper-V Virtual Switch. Windows Server. Retrieved from https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-virtual-switch/hyper-v-virtual-switch