Microsoft Microsoft Certifications AZ-800 Questions & Answers

• Question 141:

  You have an Azure virtual machine named Server1 that runs a network management application. Server1 has the following network configurations:

  1.

  Network interface: Nic1

  2.

  IP address: 10.1.1.1/24

  3.

  Connected to: Vnet1/Subnet1

  You need to connect Server1 to an additional subnet named Vnet1/Subnet2.

  What should you do?

  A. Modify the IP configurations of Nic1.

  B. Add an IP configuration to Nic1.

  C. Add a network interface to Server1.

  D. Create a private endpoint on Subnet2.

  Correct Answer: C

  First add another network interface to Server1, then connect it to Subnet2.

  Virtual network and subnets.

  A subnet is a range of IP addresses in the virtual network. You can divide a virtual network into multiple subnets for organization and security. Each NIC in a VM is connected to one subnet in one virtual network. NICs connected to subnets

  (same or different) within a virtual network can communicate with each other without any extra configuration.

  Reference:

  https://docs.microsoft.com/en-us/azure/virtual-network/network-overview

• Question 142:

  Your network contains an Active Directory domain named contoso.com. The domain contains the computers shown in the following table.

  

  On Server3, you create a Group Policy Object (GPO) named GPO1 and link GPO1 to contoso.com. GPO1 includes a shortcut preference named Shortcut1 that has item-level targeting configured as shown in the following exhibit.

  

  To which computer will Shortcut1 be applied?

  A. Server3 only

  B. Computer1 and Server3 only

  C. Server2 and Server3 only

  D. Server1, Server2, and Server3 only

  Correct Answer: A

  You can use item-level targeting to change the scope of individual preference items, so they apply only to selected users or computers. Within a single Group Policy object (GPO), you can include multiple preference items, each customized for selected users or computers and each targeted to apply settings only to the relevant users or computers.

  From the exhibit we see operating system targeting with Product being Windows Server 2022 Family. Only Server3 has the Windows Server 2022 Operating System.

  Operating System targeting An Operating System targeting item allows a preference item to be applied to computers or users only if the processing computer's operating system's product name, release, edition, or computer role matches those specified in the targeting item.

  Reference: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789189(v=ws.11)

• Question 143:

  You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. Group writeback is enabled in Azure AD Connect.

  The AD DS domain contains a server named Server1. Server1 contains a shared folder named share1.

  You have an Azure Storage account named storage2 that uses Azure AD-based access control. The storage2 account contains a share named share2.

  You need to create a security group that meets the following requirements:

  1.

  Can contain users from the AD DS domain

  2.

  Can be used to authorize user access to share1 and share2 What should you do?

  A. In the Azure AD tenant, create a security group that has assigned membership.

  B. In the AD DS domain, create a universal security group.

  C. In the Azure AD tenant, create a security group that has dynamic membership.

  D. In the Azure AD tenant, create a Microsoft 365 group.

  Correct Answer: B

• Question 144:

  Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three domains. Each domain contains 10 domain controllers.

  You plan to store a DNS zone in a custom Active Directory partition.

  You need to create the Active Directory partition for the zone. The partition must replicate to only four of the domain controllers.

  What should you use?

  A. Windows Admin Center

  B. DNS Manager

  C. Active Directory Sites and Services

  D. ntdsutil.exe

  Correct Answer: B

  You can create a custom Active Directory partition by using the DnsCmd command.

  Note: Dnsmgmt.msc can be used to open the DNS Manager from PowerShell.

  Note: Configure the replication scope of your DNS zones to that of the new application directory partition

  Use the DNS management tool, Dnsmgmt.msc, to configure the replication scope of your Active Directory integrated DNS zones to that of the new application directory partition CustomDNSPartition. To do this, follow these steps:

  1.

  On one of the domain controllers that hosts the new application directory partition that you created, start the DNS management tool. For example, on DC-1, click Start, click Run, type dnsmgmt.msc, and then click OK.

  2.

  Under DNS, expand DC-1, expand Forward Lookup Zones, and then click your Active Directory integrated DNS zone.

  3.

  On the Action menu, click Properties.

  4.

  Click the Change button that corresponds to Replication.

  5.

  Click To all domain controllers specified in the scope of the following application directory partition, click CustomDNSPartition.contoso.com in the Application directory partition name list, and then click OK.

  Note:

  This new application directory partition is also available when you create a new Active Directory integrated DNS zone.

  6.

  Click Apply, and then click OK.

  After you configure the DNS zone replication scope to use this new custom application directory partition, other domain controllers that host this custom application directory partition automatically receive the new replication scope that you configured in step 5. To manually force this change, you can reload the DNS zone. To do this, right-click the DNS zone that you want to reload, and then click Reload.

  Reference: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/create-apply-custom-application-directory-partition

• Question 145:

  Your network contains an Active Directory forest. The forest contains two domains named contoso.com and east.contoso.com and the servers shown in the following table.

  

  Contoso.com contains a user named User1.

  You add User1 to the built-in Backup Operators group in contoso.com.

  Which servers can User1 back up?

  A. DC1 only

  B. Server1 only

  C. DC1 and DC2 only

  D. DC1 and Server1 only

  E. DC1, DC2, Server1, and Server2

  Correct Answer: A

  A member of the Backup Operators group can perform backup operations for all domain controllers in the domain.

  Note: Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group can't be renamed, deleted, or removed. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Reference: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups

• Question 146:

  You have a server named Server1 that runs Windows Server.

  You plan to host applications in Windows containers.

  You need to configure Server1 to run containers.

  What should you install?

  A. Windows Admin Center

  B. Docker

  C. the Windows Subsystem for Linux

  D. Hyper-V

  Correct Answer: B

• Question 147:

  Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest root domain contains a server named server1.contoso.com.

  A two-way forest trust exists between the contoso.com forest and an AD DS forest named fabrikam.com. The fabrikam.com forest contains 10 child domains.

  You need to ensure that only the members of a group named fabrikam\Group1 can authenticate to server1.contoso.com.

  What should you do first?

  A. Add fabrikam\Group1 to the local Users group on server1.contoso.com.

  B. Enable SID filtering for the trust.

  C. Enable Selective authentication for the trust.

  D. Change the trust to a one-way external trust.

  Correct Answer: C

  Selective authentication restricts access over an external or forest trust to only those users in a trusted domain or forest who have been explicitly given authentication permissions to computer objects (resource computers) residing in the

  trusting domain or forest. This authentication setting must be manually enabled.

  Note: When a two way Forest Trust is created between Forest A and Forest B, all domains in Forest A will trust all domains in Forest B and vice versa.

  Incorrect:

  Not B: When SID Filtering is enabled, all the foreign SIDs will be removed (quarantined) from user's access token while accessing any resource through Forest Trust. The most common impact of this is, a migrated user account which is still

  using any resource using old SID will not be able to access that resource anymore. This is because when SID Filtering is enabled, it will block (filter) SID History through a Forest Trust.

  When we create a forest Trust, SID Filtering is enabled by default. In some cases, we need to disable SID Filtering.

  Not D: When a two way Forest Trust is created between Forest A and Forest B, all domains in Forest A will trust all domains in Forest B and vice versa.

  If a one way Forest Trust is created, where Forest A is Trusting Domain and Forest B is Trusted Domain, then Forest B can access resources within Forest A, however Forest A cannot access resources within Forest B.

  Reference:

  https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755321(v=ws.10)

• Question 148:

  You have a server named Server1 that runs Windows Server and contains two drives named C and D. Server1 hosts multiple file shares.

  You enable Data Deduplication on drive D and select the General purpose file server workload.

  You need to minimize the space consumed by files that were recently modified or deleted.

  What should you do?

  A. Run the set-dedupvolume cmdlet and configure the scrubbing job.

  B. Run the Set-DedupSchedule Cmdlet and configure a GarbageCollection job.

  C. Run the set-Dedupvoiume cmdlet and configure the InputOutputScale settings.

  D. Run the Set-DedupSchedule cmdlet and configure the optimization job.

  Correct Answer: B

  Reclaim disk space after deleting files from Windows Server Deduplication.

  Clean up a drive and empty it but still it shows space used.

  There is a command that need to execute to recover the disk space using PowerShell.

  Start-DedupJob -Type GarbageCollection -Volume R:

  Reference:

  https://infrontconsulting.asia/reclaim-disk-space-after-deleting-files-from-windows-server-deduplication

• Question 149:

  Your network contains an Active Directory Domain Services (AD DS) domain.

  The domain contains a user named User1 and the servers shown in the following table.

  

  You need to ensure that User1 can manage only Scope1 and Scope3. What should you do?

  A. Add User1 to the DHCP Administrators group on Server1 and Server2.

  B. Implement IP Address Management (IPAM).

  C. Add User1 to the DHCP Administrators domain local group.

  D. Implement Windows Admin Center and add connections to Server1 and Server2.

  Correct Answer: B

  IPAM provides highly customizable administrative and monitoring capabilities for the IP address and DNS infrastructure on an Enterprise or Cloud Service Provider (CSP) network. You can monitor, audit, and manage servers running Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) by using IPAM.

  Windows PowerShell support for Role Based Access Control You can now use Windows PowerShell to configure Role Based Access Control. You can use Windows PowerShell commands to retrieve DNS and DHCP objects in IPAM and change their access scopes. Because of this, you can write Windows PowerShell scripts to assign access scopes to the following objects.

  Reference: https://learn.microsoft.com/en-us/windows-server/networking/technologies/ipam/what-s-new-in-ipam

• Question 150:

  You have an Azure subscription that contains a virtual machine named VM1 as shown in the following exhibit.

  

  The subscription has the disks shown in the following table.

  

  Which disks can you attach as data disks to VM1?

  A. Disk2 only

  B. Disk4 only

  C. Disk1 and Disk2 only

  D. Disk2 and Disk4 only

  E. Disk1, Disk3, and Disk4 only

  F. Disk1, Disk2, Disk3. and Disk4

  Correct Answer: C

  Can I attach a disk to a VM in another region?

  No. All managed disks, even shared disks, must be in the same region as the VM they are attaching to.

  VM1 is in East US, Zone 1, resource group RG1.

  Disk1 is in East US. OK.

  Disk2 is in East US. OK.

  Disk3 is in West US. Not OK.

  Disk2 is in West US. Not OK.

  Reference:

  https://learn.microsoft.com/en-us/azure/virtual-machines/faq-for-disks