Securing Windows Server 2016 — Question 40
Your network contains an Active Directory domain named contoso.com.
You are deploying Microsoft Advanced Threat Analytics (ATA) to the domain.
You install the ATA Center on a server named Server1 and the ATA Gateway on a server named Server2.
You need to ensure that Server2 can collect NTLM authentication events.
What should you configure?
Answer options
- A. the domain controllers to forward Event ID 4776 to Server2
- B. the domain controllers to forward Event ID 1000 to Server1
- C. Server2 to forward Event ID 1026 to Server1
- D. Server1 to forward Event ID 1000 to Server2
Correct answer: A
Explanation
The correct answer is A because Event ID 4776 corresponds to NTLM authentication events, which Server2 needs to collect. The other options reference different events that do not relate to NTLM authentication, so they do not meet the requirement for Server2.