AZ-800: Administering Windows Server Hybrid Core Infrastructure
Page 5 out of 13 pages Questions 41-50 out of 123 questions
Question#41

You have an Azure virtual machine named VM1 that runs Windows Server.
You need to configure the management of VM1 to meet the following requirements:
✑ Require administrators to request access to VM1 before establishing a Remote Desktop connection.
✑ Limit access to VM1 from specific source IP addresses.
✑ Limit access to VM1 to a specific management port.
What should you configure?

  • A. a network security group (NSG)
  • B. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
  • C. Microsoft Defender for Cloud
  • D. Azure Front Door

Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc

Question#42

Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains a DNS server named Server1. Server1 hosts a DNS zone named fabrikam.com that was signed by DNSSEC.
You need to ensure that all the member servers in the domain perform DNSSEC validation for the fabrikam.com namespace.
What should you do?

  • A. On Server1, run the Add-DnsServerTrustAnchor cmdlet.
  • B. On each member server, run the Add-DnsServerTrustAnchor cmdlet.
  • C. From a Group Policy Object (GPO), add a rule to the Name Resolution Policy Table (NRPT).
  • D. From a Group Policy Object (GPO), modify the Network List Manager policies.

Answer: C

Question#43

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are planning the deployment of DNS to a new network.
You have three internal DNS servers as shown in the following table.

The contoso.local zone contains zone delegations for east.contoso.local and west.contoso.local. All the DNS servers use root hints.
You need to ensure that all the DNS servers can resolve the names of all the internal namespaces and internet hosts.
Solution: On Server2, you create a conditional forwarder for contoso.local and west.contoso.local. On Server3, you create a conditional forwarder for contoso.local and east.contoso.local.
Does this meet the goal?

  • A. Yes
  • B. No

Answer: B

Question#44

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains 10 servers that run Windows Server. The servers have static IP addresses.
You plan to use DHCP to assign IP addresses to the servers.
You need to ensure that each server always receives the same IP address.
Which type of identifier should you use to create a DHCP reservation for each server?

  • A. NetBIOS name
  • B. MAC address
  • C. fully qualified domain name (FQDN)
  • D. universally unique identifier (UUID)

Answer: B
Reference:
https://docs.microsoft.com/en-us/powershell/module/dhcpserver/add-dhcpserverv4reservation?view=windowsserver2022-ps

Question#45

DRAG DROP -
You create a new Azure subscription.
You plan to deploy Azure Active Directory Domain Services (Azure AD DS) and Azure virtual machines.
You need to ensure that the virtual machines can join to Azure AD DS.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:


Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance

Question#46

HOTSPOT -
You have an Azure Active Directory Domain Services (Azure AD DS) domain.
You create a new user named Admin1.
You need Admin1 to deploy custom Group Policy settings to all the computers in the domain. The solution must use the principle of least privilege.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Answer:
Reference:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/create-ou

Question#47

DRAG DROP -
Your network contains a single domain Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains a single Active Directory site.
You plan to deploy a read-only domain controller (RODC) to a new datacenter on a server named Server1. A user named User1 is a member of the local Administrators group on Server1.
You need to recommend a deployment plan that meets the following requirements:
✑ Ensures that a user named User1 can perform the RODC installation on Server1
✑ Ensures that you can control the AD DS replication schedule to Server1
✑ Ensures that Server1 is in a new site named RemoteSite1
✑ Uses the principle of least privilege

Which three actions should you recommend performing in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:


Answer:
Box 1.
We need to create a site and subnet for the remote site. The new site will be added to the Default IP Site Link so we don't need to create a new site link. You configure the replication schedule on the site link.
Box 2.
When we pre-create an RODC account, we can specify who is allowed to attach the server to the prestaged account. This means that User1 does not need to be added to the Domain Admins group.
Box 3.
User1 can connect the RODC to the prestaged account by running the AD DS installation wizard.
Reference:
https://mehic.se/2018/01/02/how-to-install-and-configure-read-only-domain-controller-rodc-2016/

Question#48

Your network contains an Active Directory Domain Services (AD DS) domain. The network also contains 20 domain controllers, 100 member servers, and 100 client computers.
You have a Group Policy Object (GPO) named GPO1 that contains Group Policy preferences.
You plan to link GPO1 to the domain.
You need to ensure that the preferences in GPO1 apply only to domain member servers and NOT to domain controllers or client computers. All the other Group Policy settings in GPO1 must apply to all the computers. The solution must minimize administrative effort.
Which type of item-level targeting should you use?

  • A. Domain
  • B. Operating System
  • C. Security Group
  • D. Environment Variable

Answer: B
Reference:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789189(v=ws.11)#operating-system-targeting

Question#49

HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains the VPN servers shown in the following table.

You have a server named NPS1 that has Network Policy Server (NPS) installed. NPS1 has the following RADIUS clients:

VPN1, VPN2, and VPN3 use NPS1 for RADIUS authentication. All the users in contoso.com are allowed to establish VPN connections.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:


Answer:
It is important to remember that the client computers that connect to the VPNs are not RADIUS clients. The VPN servers are the RADIUS clients. You configure the RADIUS clients on the RADIUS server (NPS1) to allow the VPN servers to use NPS1 to authenticate the connections.

Box 1: No -
NPSClient1 is not enabled.

Box 2: Yes -
NPSClient2 is configured correctly. It is enabled and has the correct IP address of VPN2.

Box 3: No -
NPSClient3 has an incorrect IP address configured for VPN3.

Question#50

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. The on-premises network is connected to Azure by using a Site-to-Site VPN.
You have the DNS zones shown in the following table.

You need to ensure that names from fabrikam.com can be resolved from the on-premises network.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Create a stub zone for fabrikam.com on DC1.
  • B. Create a conditional forwarder for fabrikam.com on DC1.
  • C. Create a secondary zone for fabrikam.com on DC1.
  • D. Deploy an Azure virtual machine that runs Windows Server. Modify the DNS Servers settings for the virtual network.
  • E. Deploy an Azure virtual machine that runs Windows Server. Configure the virtual machine as a DNS forwarder.

Answer: BE
Reference:
https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder
