Which user mapping method could be used to discover user IDs in an environment with multiple Windows domain controllers?
In an environment with multiple Windows domain controllers, the most appropriate method to discover user IDs is domain controller monitoring. By monitoring all domain controllers, you can efficiently capture authentication events from all user logins within the network. This provides the most comprehensive and accurate user mapping, as domain controllers are responsible for processing and logging user authentication activities.
"A" sounds so correct until you sit back and think, "Active Directory" isn't a thing on a LAN or WAN. It's an LDAP running on multiple domain controllers. "Monitor AD" isn't really a thing. Monitor Domain Controllers is.
D. To ensure the most comprehensive mapping of users, you must monitor all domain controllers that process authentication for users you want to map. You might need to install multiple User-ID agents to efficiently monitor all of your resources.
Path: Device/User Identification/Server Monitoring and then as type: Microsoft Active Directory. So answer A seems correct to me.
IDK, take a look at this link: https://www.routeprotocol.com/palo-altro-edu-110-user-id/ ... My question is, why don't we find Active Directory Monitoring at all in the study guide? I do find this: "In terms of Domain Controllers User-ID, When a user logs into their laptop, which is an Active Directory member, the AD domain controller logs a logon event with the username and IP address of the station." Again, not sure, but you won't find "AD monitoring" as a term/phrase anywhere (at least that I've found). For that reason I'd go with D.
A is correct. In an AD environment, you can configure the User-ID agent to monitor the security logs for Kerberos ticket grants or renewals, Exchange server access (if configured), and file and print service connections. For these events to be recorded in the security log, the AD domain must be configured to log successful account login events. In addition, because users can log in to any of the servers in the domain, you must set up server monitoring for all servers to capture all user login events. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/user-id-concepts/user-mapping/server-monitoring.html#id89aad143-05b8-4805-8e7c-b123994edd30
D: "...To ensure the most comprehensive mapping of users, you must monitor all domain controllers that process authentication for users you want to map. You might need to install multiple User-ID agents to efficiently monitor all of your resources."
It's just a badly formulated question with questionable answers.
None of these answers are correct. The answer you're looking for is "Server Monitoring".
D is correct
A. Active Directory monitoring. Active Directory monitoring allows the User-ID agent to monitor the security logs of Active Directory domain controllers for login events. This information is used to map IP addresses to usernames. The User-ID agent can monitor up to 100 servers, of which up to 50 can be syslog senders. To collect all of the required mappings, the User-ID agent must connect to all servers that your users log in to in order to monitor the security log files on all servers that contain login events.
I will go with D based on Palo's documentation: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent/configure-the-windows-based-user-id-agent-for-user-mapping
I'm thinking D for two reasons: 1. You don't find the phrase "Active Directory Monitoring" anywhere in the documentation (I stand to be corrected); and 2. domain controller monitoring fits with EDU 110 (https://www.routeprotocol.com/palo-altro-edu-110-user-id/). But honestly...this is a stupid question that should have had "Server Monitoring" as the straight answer. I guess the implicit thought is that a domain controller is a server so in a weird way domain controller monitoring = server monitoring.
I think D is the most accurate, according to this: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/user-id-concepts/user-mapping/server-monitoring#id89aad143-05b8-4805-8e7c-b123994edd30
I think the correct answer should be "Server Monitoring"
D is correct; you monitor domain controllers.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/user-id-concepts/user-mapping/server-monitoring.html#id89aad143-05b8-4805-8e7c-b123994edd30
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent/install-the-windows-based-user-id-agent