Exam4Training

Microsoft AZ-800 Administering Windows Server Hybrid Core Infrastructure Online Training

Question #1

Topic 1, Contoso Ltd

Overview

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements, if the case study has an All Information tab. Note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

AD DS Environment

The network contains an on-premises Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains two domains named contoso.com and canada.contoso.com.

The forest contains the domain controllers shown in the following table.

All the domain controllers are global catalog servers.

Server Infrastructure

The network contains the servers shown in the following table.

A server named Server4 runs Windows Server and is in a workgroup. Windows Firewall on Server4 uses the private profile.

Server2 hosts three virtual machines named VM1, VM2, and VM3.

VM3 is a file server that stores data in the volumes shown in the following table.

Group Policies

The contoso.com domain has the Group Policy Objects (GPOs) shown in the following table.

Existing Identities

The forest contains the users shown in the following table.

The forest contains the groups shown in the following table.

Current Problems

When an administrator signs in to the console of VM2 by using Virtual Machine Connection, and then disconnects from the session without signing out, another administrator can connect to the console session as the currently signed-in user.

Requirements

Contoso identifies the following technical requirements:

• Change the replication schedule for all site links to 30 minutes.

• Promote Server1 to a domain controller in canada.contoso.com.

• Install and authorize Server3 as a DHCP server.

• Ensure that User1 can manage the membership of all the groups in ContosoOU3.

• Ensure that you can manage Server4 from Server1 by using PowerShell remoting.

• Ensure that you can run virtual machines on VM1.

• Force users to provide credentials when they connect to VM2.

• On VM3, ensure that Data Deduplication on all volumes is possible.

You need to meet the technical requirements for Server1.

Which users can currently perform the required tasks?

  • A . Admin1 only
  • B . Admin3 only
  • C . Admin1 and Admin3 only
  • D . Admin1, Admin2, and Admin3

Correct Answer: C

Question #2

You need to meet the technical requirements for the site links.

Which users can perform the required tasks?

  • A . Admin1 only
  • B . Admin1 and Admin3 only
  • C . Admin1 and Admin2 only
  • D . Admin3 only
  • E . Admin1, Admin2, and Admin3

Correct Answer: C

Explanation:

Membership in the Enterprise Admins group or the Domain Admins group in the forest root domain is required.

Question #3

HOTSPOT

You need to meet the technical requirements for VM1.

Which cmdlet should you run first? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #4

You need to meet the technical requirements for VM3.

On which volumes can you enable Data Deduplication?

  • A . D and E only
  • B . C, D, E, and F
  • C . D only
  • D . C and D only
  • E . D, E, and F only

Correct Answer: A

Explanation:

Reference: https://docs.microsoft.com/en-us/windows-server/storage/data-deduplication/interop

Question #5

HOTSPOT

Which groups can you add to Group3 and Group5? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #6

You need to meet the technical requirements for User1. The solution must use the principle of least privilege.

What should you do?

  • A . Add User1 to the Server Operators group in contoso.com.
  • B . Create a delegation on contoso.com.
  • C . Add User1 to the Account Operators group in contoso.com.
  • D . Create a delegation on OU3.

Correct Answer: D

Explanation:

Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-of-account-ous-and-resource-ous

Question #7

HOTSPOT

Which groups can you add to Group3 and Group5? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups


Question #8

HOTSPOT

You need to meet the technical requirements for Server4.

Which cmdlets should you run on Server1 and Server4? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://4sysops.com/wiki/enable-powershell-remoting/


Question #9

You need to meet the technical requirements for VM2.

What should you do?

  • A . Implement shielded virtual machines.
  • B . Enable the Guest services integration service.
  • C . Implement Credential Guard.
  • D . Enable enhanced session mode.

Correct Answer: D

Question #10

HOTSPOT

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #11

Topic 2, Fabrikam Inc.

Overview

Fabrikam, Inc. is a manufacturing company that has a main office in New York and a branch office in Seattle.

On-premises Servers

The on-premises network contains servers that run Windows Server as shown in the following table.

DC1 hosts all the operation master roles.

WEB1 and WEB2 run an Internet Information Services (IIS) web app named Webapp1.

On-premises Network

The New York and Seattle offices are connected by using redundant WAN links.

The client computers in each office get IP addresses from their local DHCP server.

DHCP1 contains a scope named Scope1 that has addresses for the New York office.

DHCP2 contains a scope named Scope2 that has addresses for the Seattle office.

Group Policy Objects (GPOs)

The corp.fabrikam.com domain contains the organizational units (OUs) and custom Group Policy Objects (GPOs) shown in the following table.

Requirements:

Fabrikam identifies the following planned changes:

• Create a single Azure subscription named Sub1 that will contain a single Azure virtual network named Vnet1.

• Replace the WAN links between the Seattle and New York offices by using Azure Virtual WAN and ExpressRoute. Both on-premises offices will be connected to Vnet1 by using ExpressRoute.

• Create three Azure file shares named newyorkfiles, seattlefiles, and companyfiles.

• Create a domain controller named dc3.corp.fabrikam.com in Vnet1.

• Deploy an Azure Virtual Desktop host pool to Vnet1. The Azure Virtual Desktop session hosts will be hybrid Azure AD joined.

• License all servers for Microsoft Defender for servers.

• Use Azure Policy to enforce configuration management policies on the servers in Azure and on-premises.

Networking Requirements

Fabrikam identifies the following security requirements:

• Apply GPO4 to the Azure Virtual Desktop session hosts. Ensure that Azure Virtual Desktop user sessions lock after being idle for 10 minutes. Users must be able to control the lockout time manually from their client computer.

• Ensure that server administrators request approval before they can establish a Remote Desktop connection to an Azure virtual machine. If the request is approved, the connection must be established within two hours.

• Prevent user passwords from containing all or part of words that are based on the company name, such as Fab. fabrikam or fsbr! |.

• Ensure that all instances of Webapp1 use the same service account. The password of the service account must change automatically every 30 days.

• Prevent domain controllers from directly contacting hosts on the internet.

File Sharing Requirements

You need to configure the synchronization of Azure files to meet the following requirements:

• Ensure that seattlefiles syncs to FS2.

• Ensure that newyorkfiles syncs to FS1.

• Ensure that companyfiles syncs to both FS1 and FS2.

DRAG DROP

You need to meet the security requirements for passwords.

Where should you configure the components for Azure AD Password Protection? To answer, drag the appropriate components to the correct locations. Each component may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises


Question #12

You need to implement a name resolution solution that meets the networking requirements.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . Create an Azure private DNS zone named corp.fabrikam.com.
  • B . Create a virtual network link in the corp.fabrikam.com Azure private DNS zone.
  • C . Create an Azure DNS zone named corp.fabrikam.com.
  • D . Configure the DNS Servers settings for Vnet1.
  • E . Enable autoregistration in the corp.fabrikam.com Azure private DNS zone.
  • F . On DC3, install the DNS Server role.
  • G . Configure a conditional forwarder on DC3.

Correct Answer: DF

Explanation:

Virtual machines in an Azure virtual network receive their DNS configuration from the DNS settings configured on the virtual network. You need to configure the Azure virtual network to use DC3 as the DNS server. Then all virtual machines in the virtual network will use DC3 as their DNS server.

Question #13

What should you implement for the deployment of DC3?

  • A . Azure Active Directory Domain Services (Azure AD DS)
  • B . Azure AD Application Proxy
  • C . an Azure virtual machine
  • D . an Azure AD administrative unit

Correct Answer: C

Explanation:

Create a domain controller named dc3.corp.fabrikam.com in Vnet1.

In a hybrid network, you can configure Azure virtual machines as domain controllers. The domain controllers in Azure communicate with the on-premises domain controllers in the same way that on-premises domain controllers communicate with each other.

Question #14

HOTSPOT

You need to configure Azure File Sync to meet the file sharing requirements.

What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-planning


Question #15

You need to configure remote administration to meet the security requirements.

What should you use?

  • A . just in time (JIT) VM access
  • B . Azure AD Privileged Identity Management (PIM)
  • C . the Remote Desktop extension for Azure Cloud Services
  • D . an Azure Bastion host

Correct Answer: A

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage?tabs=jit-config-asc%2Cjit-request-asc

Question #16

You need to configure the Group Policy settings to ensure that the Azure Virtual Desktop session hosts meet the security requirements.

What should you configure?

  • A . security filtering for the link of GPO4
  • B . security filtering for the link of GPO1
  • C . loopback processing in GPO4
  • D . the Enforced property for the link of GPO1
  • E . loopback processing in GPO1
  • F . the Enforced property for the link of GPO4

Correct Answer: C

Question #17

You are planning the implementation of Azure Arc to support the planned changes. You need to configure the environment to support configuration management policies.

What should you do?

  • A . Hybrid Azure AD join all the servers.
  • B . Create a hybrid runbook worker in Azure Automation.
  • C . Deploy the Azure Connected Machine agent to all the servers.
  • D . Deploy the Azure Monitor agent to all the servers.

Correct Answer: C

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/azure-arc/servers/plan-at-scale-deployment

Question #18

DRAG DROP

Which three actions should you perform in sequence to meet the security requirements for Webapp1? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview


Question #19

HOTSPOT

You need to configure network communication between the Seattle and New York offices. The solution must meet the networking requirements.

What should you configure? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-expressroute-portal


Question #20

You need to implement an availability solution for DHCP that meets the networking requirements.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . On DHCP1, create a scope that contains 25 percent of the IP addresses from Scope2.
  • B . On the router in each office, configure a DHCP relay.
  • C . On DHCP2, configure a scope that contains 25 percent of the IP addresses from Scope1.
  • D . On each DHCP server, install the Failover Clustering feature and add the DHCP cluster role.
  • E . On each DHCP scope, configure DHCP failover.

Correct Answer: BE

Explanation:

Reference: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831385(v=ws.11)

Question #22

HOTSPOT

You need to ensure that data availability on SSPace1 meets the technical requirements.

What is the maximum number of physical disks that can fail on each disk? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #23

DRAG DROP

You need to implement the planned change for Data1.

Which actions should you perform in sequence? To answer, drag the appropriate actions to the correct order. Each action may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #24

You need to implement the planned changes for Microsoft Entra users to sign in to Server1.

Which PowerShell cmdlet should you run?

  • A . Add-ADComputerServiceAccount
  • B . Set-AzVM
  • C . Set-AzVMExtension
  • D . New-ADComputer

Correct Answer: C

Question #25

You need to ensure that access to storage1 for the Marketing OU users meets the technical requirements.

What should you implement?

  • A . Microsoft Entra Connect cloud sync
  • B . Active Directory Federation Services (AD FS)
  • C . Microsoft Entra Connect in staging mode
  • D . Microsoft Entra Connect in active mode

Correct Answer: A

Question #26

HOTSPOT

You need to meet technical requirements for HyperV1.

Which command should you run? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #27

You need to ensure that Automanage meets the technical requirements.

On which Azure virtual machines should you enable Automanage?

  • A . Server1 only
  • B . Server2 only
  • C . Server1 and Server2 only
  • D . Server2 and Server3 only
  • E . Server1 and Server4 only

Correct Answer: D

Question #28

Which two languages can you use for Task1? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

  • A . Java
  • B . Bicep
  • C . JavaScript
  • D . Python
  • E . PowerShell

Correct Answer: D, E

Question #29

You need to ensure that VM3 meets the technical requirements.

What should you install first?

  • A . Enhanced Storage
  • B . File Server Resource Manager (FSRM)
  • C . Windows Standards-Based Storage Management
  • D . the iSNS Server service

Correct Answer: B

Question #30

DRAG DROP

DC1 fails.

You need to meet the technical requirements for the schema master.

You run ntdsutil.exe.

Which five commands should you run in sequence? To answer, move the appropriate commands from the list of commands to the answer area and arrange them in the correct order.

Correct Answer:


Question #31

Topic 4, Misc Questions

You have an Azure virtual machine named VM1 that runs Windows Server.

You perform the following actions on VM1:

• Create a folder named Folder1 on volume C.

• Create a folder named Folder2 on volume D.

• Add a new data disk to VM1 and create a new volume that is assigned drive letter E.

• Install an app named App1 on volume E.

You plan to resize VM1.

Which objects will be present after you resize VM1?

  • A . Folder1 and Folder2 only
  • B . Folder1, volume E, and App1 only
  • C . Folder1 only
  • D . Folder1, Folder2, App1, and volume E

Correct Answer: D

Question #32

HOTSPOT

You have a Windows Server container host named Server1 and an Azure subscription.

You deploy an Azure container registry named Registry1 to the subscription.

On Server1, you create a container image named image1.

You need to store image1 in Registry1.

Which command should you run on Server1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-docker-cli?tabs=azure-cli#push-the-image-to-your-registry


Question #33

You have a Windows Server container host named Server1 and a container image named Image1. You need to start a container from image1. The solution must run the container on a Hyper-V virtual machine.

Which parameter should you specify when you run the docker run command?

  • A . --expose
  • B . --privileged
  • C . --runtime
  • D . --entrypoint
  • E . --isolation

Correct Answer: D

Explanation:

Reference: https://docs.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container

Question #34

You have a server named Server1 that hosts Windows containers. You plan to deploy an application that will have multiple containers. Each container will be You need to create a Docker network that supports the deployment of the application.

Which type of network should you create?

  • A . transparent
  • B . l2bridge
  • C . NAT
  • D . l2tunnel

Correct Answer: A

Explanation:

Reference: https://docs.microsoft.com/en-us/virtualization/windowscontainers/container-networking/network-drivers-topologies

Question #35

You plan to deploy a containerized application that requires .NET Core.

You need to create a container image for the application. The image must be as small as possible.

Which base image should you use?

  • A . Nano Server
  • B . Server Core
  • C . Windows Server
  • D . Windows

Correct Answer: A

Explanation:

Reference: https://techcommunity.microsoft.com/t5/containers/nano-server-x-server-core-x-server-which-base-image-is-the-right/ba-p/2835785

Question #36

You have an Azure virtual machine named VM1 that runs Windows Server.

You need to configure the management of VM1 to meet the following requirements:

• Require administrators to request access to VM1 before establishing a Remote Desktop connection.

• Limit access to VM1 from specific source IP addresses.

• Limit access to VM1 to a specific management port.

What should you configure?

  • A . a network security group (NSG)
  • B . Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
  • C . Azure Front Door
  • D . Microsoft Defender for Cloud

Correct Answer: D

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/defender-fo

Question #37

You have a server named Host1 that has the Hyper-V server role installed. Host1 hosts a virtual machine named VM1.

You have a management server named Server1 that runs Windows Server. You remotely manage Host1 from Server1 by using Hyper-V Manager.

You need to ensure that you can access a USB hard drive connected to Server1 when you connect to VM1 by using Virtual Machine Connection.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . From the Hyper-V Settings of Host1, select Allow enhanced session mode.
  • B . From Disk Management on Host1, attach a virtual hard disk.
  • C . From Virtual Machine Connection, switch to a basic session.
  • D . From Virtual Machine Connection, select Show Options and then select the USB hard drive.
  • E . From Disk Management on Host1, select Rescan Disks.

Correct Answer: A, D

Explanation:

Reference: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/learn-more/use-local-resources-on-hyper-v-virtual-machine-with-vmconnect

Question #38

HOTSPOT

You plan to deploy an Azure virtual machine that will run Windows Server.

You need to ensure that an Azure Active Directory (Azure AD) user named user1@contoso.com can connect to the virtual machine by using the Azure Serial Console.

What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview


Question #39

Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains three servers that run Windows Server and have the Hyper-V server role installed. Each server has a Switch Embedded Teaming (SET) team.

You need to verify that Remote Direct Memory Access (RDMA) and all the required Windows Server settings are configured properly on each server.

What should you use?

  • A . Server Manager
  • B . the Validate-DCB cmdlet
  • C . the Get-NetAdapter cmdlet
  • D . Failover Cluster Manager

Correct Answer: B

Explanation:

Reference: https://github.com/Microsoft/Validate-DCB

Question #40

HOTSPOT

Your network contains an Active Directory Domain Services (AD DS) domain named adatum.com.

The domain contains a file server named Server1 and three users named User1, User2, and User3. Server1 contains a shared folder named Share1 that has the following configurations:

The share permissions for Share1 are configured as shown in the Share Permissions exhibit. (Click the Share Permissions tab.)

Share1 contains a file named File1.txt. The advanced security settings for File1.txt are configured as shown in the File Permissions exhibit. (Click the File Permissions tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #41

You have five file servers that run Windows Server.

You need to block users from uploading video files that have the .mov extension to shared folders on the file servers. All other types of files must be allowed. The solution must minimize administrative effort.

What should you create?

  • A . a Dynamic Access Control central access policy
  • B . a file screen
  • C . a Dynamic Access Control central access rule
  • D . a data loss prevention (DLP) policy

Correct Answer: B

Explanation:

Reference: https://docs.microsoft.com/en-us/windows-server/storage/fsrm/file-screening-management

Question #42

HOTSPOT

Your network contains an Active Directory Domain Services (AD DS) domain named adatum.com. The domain contains a server named Server1 and the users shown in the following table.

Server1 contains a folder named D:\Folder1. The advanced security settings for Folder1 are configured as shown in the Permissions exhibit. (Click the Permissions tab.)

Folder1 is shared by using the following configurations:

Correct Answer:


Question #43

HOTSPOT

You need to sync files from an on-premises server named Server1 to Azure by using Azure File Sync. You have a cloud tiering policy that is configured for 30 percent free space and 70 days. Volume E on Server1 is 500 GB.

A year ago, you configured E:\Data on Server1 to sync by using Azure File Sync.

The files that are visible in E:\Data are shown in the following table.

Volume E does NOT contain any other files.

Where are File1 and File3 located? To answer, select the appropriate options in the answer area.

Correct Answer:


Question #44

HOTSPOT

You have a file server named Server1 that runs Windows Server and contains the volumes shown in the following table.

On which volumes can you use BitLocker Drive Encryption (BitLocker) and disk quotas? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/windows-server/storage/refs/refs-overview


Question #45

HOTSPOT

Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.

The domain contains a server named Server1 that has the DFS Namespaces role service installed.

Server1 hosts a domain-based Distributed File System (DFS) Namespace named Files.

The domain contains a file server named Server2. Server2 contains a shared folder named Share1.

Share1 contains a subfolder named Folder1.

In the Files namespace, you create a folder named Folder1 that has a target of \\Server2.contoso.com\Share1\Folder1.

You need to configure a logon script that will map drive letter M to Folder1. The solution must use the path of the DFS Namespace.

How should you complete the command to map the drive letter? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #46

You have a server named Server1 that runs Windows Server.

Server1 has the storage pools shown in the following table.

You plan to create a virtual disk named VDisk1 that will use storage tiers.

Which pools can you use to create VDisk1?

  • A . Pool2 and Pool3 only
  • B . Pool2 only
  • C . Pool1 only
  • D . Pool1, Pool2, and Pool3
  • E . Pool1 and Pool2 only
  • F . Pool1 and Pool3 only
  • G . Pool3 only

Correct Answer: A

Explanation:

Storage tiering requires both standard HDDs and SSDs. We cannot use Pool1 because it does not have any SSDs.

Question #47

DRAG DROP

You have two on-premises servers named Server1 and Server2 that run Windows Server.

You have an Azure Storage account named storage1 that contains a file share named share1. Server1 syncs with share1 by using Azure File Sync.

You need to configure Server2 to sync with share1.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct Answer:


Question #48

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. You plan to deploy 100 new Azure virtual machines that will run Windows Server. You need to ensure that each new virtual machine is joined to the AD DS domain.

What should you use?

  • A . Azure AD Connect
  • B . a Group Policy Object (GPO)
  • C . an Azure Resource Manager (ARM) template
  • D . an Azure management group

Correct Answer: C

Explanation:

Reference: https://www.ludovicmedard.com/create-an-arm-template-of-a-virtual-machine-automatically-joined-to-a-domain/

Question #49

DRAG DROP

You deploy a single-domain Active Directory Domain Services (AD DS) forest named contoso.com.

You deploy five servers to the domain. You add the servers to a group named iTFarmHosts.

You plan to configure a Network Load Balancing (NLB) cluster named NLBCluster.contoso.com that will contain the five servers.

You need to ensure that the NLB service on the nodes of the cluster can use a group managed service account (gMSA) to authenticate.

Which three PowerShell cmdlets should you run in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.

Correct Answer:

Explanation:

Reference:

https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/create-the-key-distribution-services-kds-root-key

https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts


Question #50

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant.

You have several Windows 10 devices that are Azure AD hybrid-joined.

You need to ensure that when users sign in to the devices, they can use Windows Hello for Business.

Which optional feature should you select in Azure AD Connect?

  • A . Device writeback
  • B . Group writeback
  • C . Password writeback
  • D . Directory extension attribute sync
  • E . Azure AD app and attribute filtering

Correct Answer: C

Explanation:

Reference: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs

Question #51

Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com.

The domain contains the objects shown in the following table.

You plan to sync contoso.com with an Azure Active Directory (Azure AD) tenant by using Azure AD Connect. You need to ensure that all the objects can be used in Conditional Access policies.

What should you do?

  • A . Change the scope of Group2 to Universal
  • B . Clear the Configure device writeback option.
  • C . Change the scope of Group1 and Group2 to Global
  • D . Select the Configure Hybrid Azure AD join option.

Correct Answer: D

Explanation:

Hybrid Azure AD join needs to be configured to enable Computer1 to be used in Conditional Access Policies. Synchronized users, universal groups and domain local groups can be used in Conditional Access Policies.

Question #52

Your network contains a multi-site Active Directory Domain Services (AD DS) forest. Each Active Directory site is connected by using manually configured site links and automatically generated connections.

You need to minimize the convergence time for changes to Active Directory.

What should you do?

  • A . For each site link, modify the options attribute.
  • B . For each site link, modify the site link costs.
  • C . For each site link, modify the replication schedule.
  • D . Create a site link bridge that contains all the site links.

Correct Answer: C

Explanation:

Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/determining-the-interval

Question #53

HOTSPOT

Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains a child domain named east.contoso.com.

In the contoso.com domain, you create two users named Admin1 and Admin2.

You need to ensure that the users can perform the following tasks:

• Admin1 can create and manage Active Directory sites.

• Admin2 can deploy domain controllers to the east.contoso.com domain.

The solution must use the principle of least privilege.

To which group should you add each user? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference:

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/ras/multisite/configure/step-2-configure-the-multisite-infrastructure


Question #54

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains 10 servers that run Windows Server. The servers have static IP addresses. You plan to use DHCP to assign IP addresses to the servers.

You need to ensure that each server always receives the same IP address.

Which type of identifier should you use to create a DHCP reservation for each server?

  • A . universally unique identifier (UUID)
  • B . fully qualified domain name (FQDN)
  • C . NetBIOS name
  • D . MAC address

Correct Answer: D

Explanation:

Reference: https://docs.microsoft.com/en-us/powershell/module/dhcpserver/add-dhcpserverv4reservation?view=windowsserver2022-ps

Question #55

You have an on-premises server named Server1 that runs Windows Server. You have an Azure virtual network that contains an Azure virtual network gateway. You need to connect only Server1 to the Azure virtual network.

What should you use?

  • A . Azure Network Adapter
  • B . a Site-to-Site VPN
  • C . an ExpressRoute circuit
  • D . Azure Extended Network

Correct Answer: B

Explanation:

Reference: https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/use-azure-network-adapter

Question #56

HOTSPOT

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant.

You have an on-premises web app named WebApp1 that only supports Kerberos authentication.

You need to ensure that users can access WebApp1 by using their Azure AD account. The solution must minimize administrative effort.

What should you configure? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/application-proxy-add-on-premises-application


Question #57

HOTSPOT

Your network contains two VLANs for client computers and one VLAN for a datacenter. Each VLAN is assigned an IPv4 subnet. Currently, all the client computers use static IP addresses. You plan to deploy a DHCP server to the VLAN in the datacenter.

You need to use the DHCP server to provide IP configurations to all the client computers.

What is the minimum number of scopes and DHCP relays you should create? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Box 1: 3

You need a DHCP scope for each of the three subnets.

Box 2: 2

The two client VLANs need a DHCP Relay Agent to forward DHCP requests to the DHCP server. The datacenter VLAN that contains the DHCP server does not require a DHCP Relay Agent.


Question #58

You have a server that runs Windows Server and has the DHCP Server role installed.

The server has a scope named Scope1 that has the following configurations:

• Address range: 192.168.0.2 to 192.168.1.254. Mask: 255.255.254.0

• Router: 192.168.0.1

• Lease duration: 3 days

• DNS server: 172.16.0.254

You have 50 Microsoft Teams Phone devices from the same vendor. All the devices have MAC addresses within the same range.

You need to ensure that all the Teams Phone devices that receive a lease from Scope1 have IP addresses in the range of 192.168.1.100 to 192.168.1.200. The solution must NOT affect other DHCP clients that receive IP configurations from Scope1.

What should you create?

  • A . a policy
  • B . a scope
  • C . a filter
  • D . scope options

Correct Answer: A

Explanation:

Reference: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn425040(v=ws.11)

Question #59

HOTSPOT

Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.

The domain contains the VPN servers shown in the following table.

You have a server named NPS1 that has Network Policy Server (NPS) installed. NPS1 has the following RADIUS clients:

VPN1, VPN2, and VPN3 use NPS1 for RADIUS authentication. All the users in contoso.com are allowed to establish VPN connections. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Correct Answer:


Question #60

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. The on-premises network is connected to Azure by using a Site-to-Site VPN.

You have the DNS zones shown in the following table.

You need to ensure that names from fabrikam.com can be resolved from the on-premises network.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . Create a conditional forwarder for fabrikam.com on DC1.
  • B . Create a stub zone for fabrikam.com on DC1.
  • C . Create a secondary zone for fabrikam.com on DC1.
  • D . Deploy an Azure virtual machine that runs Windows Server. Modify the DNS Servers settings for the virtual network.
  • E . Deploy an Azure virtual machine that runs Windows Server. Configure the virtual machine as a DNS forwarder.

Correct Answer: AE

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns#on-premises-workloads-using-a-dns-forwarder

Question #61

HOTSPOT

You have a server named Server1 that runs Windows Server and has the Hyper-V server role installed.

You need to limit which Hyper-V module cmdlets helpdesk users can use when administering Server1 remotely.

You configure Just Enough Administration (JEA) and successfully build the role capabilities and session configuration files.

How should you complete the PowerShell command? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/register-jea?view=powershell-7.2


Question #62

HOTSPOT

Your network contains two Active Directory Domain Services (AD DS) forests named contoso.com and fabrikam.com. A two-way forest trust exists between the forests. Each forest contains a single domain.

The domains contain the servers shown in the following table.

You need to configure resource-based constrained delegation so that the users in contoso.com can use Windows Admin Center on Server1 to connect to Server2.

How should you complete the command? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference:

https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview

https://docs.microsoft.com/en-us/powershell/module/activedirectory/set-adcomputer?view=windowsserver2022-ps


Question #63

Your company has a main office and a branch office. The two offices are connected by using a WAN link. Each office contains a firewall that filters WAN traffic.

The network in the branch office contains 10 servers that run Windows Server. All servers are administered from the main office only.

You plan to manage the servers in the branch office by using a Windows Admin Center gateway.

On a server in the branch office, you install the Windows Admin Center gateway by using the default settings.

You need to configure the firewall in the branch office to allow the required inbound connection to the Windows Admin Center gateway.

Which inbound TCP port should you allow?

  • A . 443
  • B . 3389
  • C . 5985
  • D . 6516

Correct Answer: A

Question #64

You have an Azure subscription that contains the following resources:

• An Azure Log Analytics workspace

• An Azure Automation account

• Azure Arc.

You have an on-premises server named Server1 that is onboarded to Azure Arc. You need to manage Microsoft updates on Server1 by using Azure Arc.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

  • A . Add Microsoft Sentinel to the Log Analytics workspace
  • B . On Server1, install the Azure Monitor agent
  • C . From the Automation account, enable Update Management for Server1.
  • D . From the Virtual machines data source of the Log Analytics workspace, connect Server1.

Correct Answer: BC

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-update-management

Question #65

HOTSPOT

You have an Azure subscription named sub1 and 500 on-premises virtual machines that run Windows Server.

You plan to onboard the on-premises virtual machines to Azure Arc by running the Azure Arc deployment script.

You need to create an identity that will be used by the script to authenticate access to sub1. The solution must use the principle of least privilege.

How should you complete the command? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal


Question #66

You have an Azure virtual machine named VM1 that has a private IP address only.

You configure the Windows Admin Center extension on VM1.

You have an on-premises computer that runs Windows 11. You use the computer for server management.

You need to ensure that you can use Windows Admin Center from the Azure portal to manage VM1.

What should you configure?

  • A . an Azure Bastion host on the virtual network that contains VM1.
  • B . a VPN connection to the virtual network that contains VM1.
  • C . a network security group (NSG) rule that allows inbound traffic on port 443.
  • D . a private endpoint on the virtual network that contains VM1.

Correct Answer: B

Explanation:

Reference: https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-vm

Question #67

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three Active Directory sites named Site1, Site2, and Site3. Each site contains two domain controllers. The sites are connected by using DEFAULTIPSITELINK.

You open a new branch office that contains only client computers.

You need to ensure that the client computers in the new office are primarily authenticated by the domain controllers in Site1.

Solution: You create an organizational unit (OU) that contains the client computers in the branch office. You configure the Try Next Closest Site Group Policy Object (GPO) setting in a GPO that is linked to the new OU.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Question #68

Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three Active Directory sites named Site1, Site2, and Site3. Each site contains two domain controllers. The sites are connected by using DEFAULTIPSITELINK.

You open a new branch office that contains only client computers.

You need to ensure that the client computers in the new office are primarily authenticated by the domain controllers in Site1.

Solution: You configure the Try Next Closest Site Group Policy Object (GPO) setting in a GPO that is linked to Site1.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Question #69

Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three Active Directory sites named Site1, Site2, and Site3. Each site contains two domain controllers. The sites are connected by using DEFAULTIPSITELINK.

You open a new branch office that contains only client computers.

You need to ensure that the client computers in the new office are primarily authenticated by the domain controllers in Site1.

Solution: You create a new subnet object that is associated to Site1.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Question #70

Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.

You need to identify which server is the PDC emulator for the domain.

Solution: From a command prompt, you run netdom.exe query fsmo.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: A

Explanation:

Reference: https://activedirectorypro.com/how-to-check-fsmo-roles/

Question #71

Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.

You need to identify which server is the PDC emulator for the domain.

Solution: From Active Directory Users and Computers, you right-click contoso.com in the console tree, and then select Operations Master.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: A

Question #72

Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.

You need to identify which server is the PDC emulator for the domain.

Solution: From Active Directory Sites and Services, you right-click Default-First-Site-Name in the console tree, and then select Properties.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Question #73

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.

You need to identify which server is the PDC emulator for the domain.

Solution: From Active Directory Domains and Trusts, you right-click Active Directory Domains and Trusts in the console tree, and then select Operations Master.

Does this meet the goal?

  • A . Yes
  • B . No

Correct Answer: B

Question #74

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant.

You plan to implement self-service password reset (SSPR) in Azure AD.

You need to ensure that users that reset their passwords by using SSPR can use the new password resources in the AD DS domain.

What should you do?

  • A . Deploy the Azure AD Password Protection proxy service to the on-premises network.
  • B . Run the Microsoft Azure Active Directory Connect wizard and select Password writeback.
  • C . Grant the Change password permission for the domain to the Azure AD Connect service account.
  • D . Grant the Impersonate a client after authentication user right to the Azure AD Connect service account.

Correct Answer: B

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr-writeback

Question #75

You have an Azure Active Directory Domain Services (Azure AD DS) domain named contoso.com.

You need to provide an administrator with the ability to manage Group Policy Objects (GPOs). The solution must use the principle of least privilege.

To which group should you add the administrator?

  • A . AAD DC Administrators
  • B . Domain Admins
  • C . Schema Admins
  • D . Enterprise Admins
  • E . Group Policy Creator Owners

Correct Answer: B

Explanation:

Only the Domain Admins group and the Enterprise Admins group can fully manage GPOs. Members of the Group Policy Creator Owners group can create new GPOs but they can’t link the GPOs to sites, the domain or OUs and they cannot manage existing GPOs.