Microsoft Microsoft Certifications MS-203 Questions & Answers

• Question 21:

  You have a hybrid deployment between a Microsoft Exchange Online tenant and an on-premises Exchange Server 2019 server.

  Users report that the email they send to external recipients is marked as spam.

  You need to validate the Reverse DNS and Sender ID data for the on-premises server.

  What should you use in the Microsoft Remote Connectivity Analyzer?

  A. Exchange Online Custom Domains DNS Connectivity Test

  B. Message Analyzer

  C. Inbound SMTP Email

  D. Outbound SMTP Email

  Correct Answer: D

  Outbound SMTP E-Mail: This test checks your outbound IP address for certain requirements. This includes Reverse DNS, Sender ID, and RBL checks. Reference: https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/remote-connectivity-analyzer-tests

• Question 22:

  You have a hybrid deployment between a Microsoft Exchange Online tenant and an on-premises Exchange Server 2019 organization. The deployment contains an Exchange Server 2019 server named Server1.

  Server1 has a public certificate named Cert1 that is bound to the SMTP protocol. Cert1 will expire soon.

  You replace Cert1 with a new certificate named Cert2 from a different public certification authority (CA).

  After you replace the certificate, you discover that email delivery between Server1 and the Exchange Online tenant fails.

  You need to ensure that messages can be delivered successfully.

  What should you do on Server1?

  A. Recreate the certificate and include an exportable private key.

  B. Restart the MSExchangeTransport service.

  C. Rerun the Hybrid Configuration wizard.

  D. Bind a self-signed certificate to the SMTP protocol

  Correct Answer: A

  To renew a certificate that was issued by a CA, you create a certificate renewal request, and then you send the request to the CA. The CA then sends you the actual certificate file that you need to install on the Exchange server.

  Use the Exchange Management Shell to renew an Exchange self-signed certificate To renew a self-signed certificate, use the following syntax: PowerShell

  Get-ExchangeCertificate -Thumbprint | New-ExchangeCertificate [-Force] [-PrivateKeyExportable <$true | $false>]

  To find the thumbprint value of the certificate that you want to renew, run the following command:

  PowerShell

  Get-ExchangeCertificate | where {$_.IsSelfSigned -eq $true} | Format-List FriendlyName,Subject,CertificateDomains,Thumbprint,NotBefore,NotAfter

  This example renews a self-signed certificate on the local Exchange server, and uses the following settings:

  The thumbprint value of the existing self-signed certificate to renew is BC37CBE2E59566BFF7D01FEAC9B6517841475F2D

  The Force switch replaces the original self-signed certificate without a confirmation prompt.

  The private key is exportable. This allows you to export the certificate and import it on other servers.

  PowerShell

  Get-ExchangeCertificate -Thumbprint BC37CBE2E59566BFF7D01FEAC9B6517841475F2D | New-ExchangeCertificate -Force

  Reference: https://learn.microsoft.com/en-us/exchange/architecture/client-access/renew-certificates

• Question 23:

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have a hybrid deployment between a Microsoft Exchange Online tenant and an on-premises Exchange Server 2019 organization. The deployment uses Azure AD Connect. All incoming email is delivered to Exchange Online.

  You have 10 mail-enabled public folders hosted on an on-premises Mailbox server.

  Customers receive an error when an email message is sent to a public folder.

  You need to ensure that all the mail-enabled public folders can receive email messages from the internet. The solution must ensure that messages can be delivered only to valid recipients.

  Solution: Run the Sync-MailPublicFolder.ps1 script.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: A

  Configure Exchange Server public folders for a hybrid deployment

  In a hybrid deployment, your users can be in Exchange Online, on-premises, or both, and your public folders are either in Exchange Online or on-premises. Sometimes your online users may need to access public folders in your Exchange

  Server on-premises environment.

  An Exchange Online, Microsoft 365, or Office 365 user must be represented by a MailUser object in the Exchange on-premises environment in order to access Exchange Server public folders. This MailUser object must also be local to the

  target Exchange Server public folder hierarchy.

  Solution:

  Step 1: Download the scripts

  Step 2: Synchronize mail-enabled public folder objects to Exchange Online

  Step 3: Configure Exchange Online users to access Exchange Server on-premises public folders

  Step 1: Download the scripts

  Download the following files from Exchange 2013/2016 Public Folders Migration Scripts:

  Sync-ModernMailPublicFolders.ps1

  SyncModernMailPublicFolders.strings.psd1

  Step 2: Synchronize mail-enabled public folder objects to Exchange Online

  Azure AD Connect sync doesn't synchronize mail-enabled public folders to Exchange Online. Running the following script will synchronize the mail-enabled public folders across your on-premises environment and Exchange Online.

  On the Exchange server, run the following command in the Exchange Management Shell to synchronize mail-enabled public folders from your local on-premises Active Directory to Office 365:

  PowerShell

  .\Sync-ModernMailPublicFolders.ps1 -CsvSummaryFile:sync_summary.csv

  Reference: https://learn.microsoft.com/en-us/exchange/hybrid-deployment/set-up-modern-hybrid-public-folders

• Question 24:

  You have a Microsoft 365 E5 subscription and an on premises Microsoft Exchange Server 2019 organization that contains the servers shown in the following table.

  

  You run the Hybrid Configuration wizard on EXCH1.

  After running the wizard, you discover that Outlook on the web redirection.

  You need to disable Outlook on the web redirection.

  What should you do?

  A. Run the Update-HybridConfiguration cmdlet.

  B. Reconfigure Azure AD Connect.

  C. Rerun the Hybrid Configuration wizard.

  D. Run the Set-HybridConfiguration cmdlet.

  Correct Answer: D

  Use the Set-HybridConfiguration cmdlet to modify the hybrid deployment between your on-premises Exchange organization and Exchange Online in a Microsoft 365 for enterprises organization.

  The -Features parameter

  The Features parameter specifies the features enabled for the hybrid configuration. One or more of the following values separated by commas can be entered. When using the Hybrid Configuration wizard, all features are enabled by default.

  *

  OWARedirection: Enables automatic Microsoft Outlook on the web redirection to either the on-premises Exchange or Exchange Online organizations depending on where the user mailbox is located.

  *

  etc.

  Example

  PowerShell

  Set-HybridConfiguration -Features OnlineArchive,MailTips,OWARedirection,FreeBusy,MessageTracking

  This example disables the secure mail and centralized transport hybrid deployment features, but keeps the Exchange Online Archive, MailTips, Outlook on the web redirection, free/busy and message tracking features enabled between the

  on-premises Exchange and Exchange Online organizations.

  Incorrect:

  Not A: Use the Update-HybridConfiguration cmdlet to define the credentials that are used to update the hybrid configuration object.

  Reference: https://learn.microsoft.com/en-us/powershell/module/exchange/set-hybridconfiguration

• Question 25:

  You have a hybrid deployment that contains a Microsoft Exchange Online tenant and an on-premises Exchange Server 2019 server named Server1.

  Server1 uses a certificate from a third-party certification authority (CA). The certificate is enabled for the SMTP service.

  You replace the certificate with a new certificate.

  You discover that delivery fails for all email messages sent from Server1 to your Microsoft 365 tenant.

  You receive the following error message for all the queued email messages: “450 4.4.101 Proxy session setup failed on Frontend with 451 4.4.0 Primary target IP address responded with 451 5.7.3 STARTTLS is required to send mail.”

  You need to ensure that the messages are delivered successfully from Server1 to the Microsoft 365 tenant.

  What should you do?

  A. From Server1, enable a self-signed certificate for the SMTP service.

  B. From Server1, enable the new certificate for the IMAP4 service.

  C. From Server1, run the iisreset command.

  D. Run the Exchange Hybrid Configuration wizard.

  Correct Answer: A

  Resolution

  Make sure that the new certificate is enabled for SMTP. If it's not, run the following command to enable the SMTP service on the newly installed certificate.

  PowerShell

  Enable-ExchangeCertificate -services SMTP

  Note: Symptoms

  After you install a new Exchange certificate in an Exchange Server hybrid environment, you experience the following symptoms:

  You cannot receive mail from the Internet or from Microsoft 365 when you use Transport Layer Security (TLS).

  If you use Telnet (for example, telnet localhost 25) to examine Simple Mail Transfer Protocol (SMTP) communications, you notice that the STARTTLS command is missing.

  If you examine the Application log in Event Viewer, you see an event entry that resembles the following:

  Log Name: Application

  Source: MSExchangeFrontEndTransport

  Date: MM/DD/YYYY 0:00:00 AM

  Event ID: 12014

  Task Category: TransportService

  Level: Error

  Keywords: Classic

  User: N/A

  Computer: .contoso.com

  Description:

  Microsoft Exchange could not find a certificate that contains the domain name CN=Certificate Name, OU=, O=Certificate Provider, C=USCN=mail.contoso.com, OU=IT, O=contoso, L=location, S=location, C=US in

  the personal store on the local computer.

  The check connectivity test to the on-premises server fails, and you receive the following error message:

  450 4.4.101 Proxy session setup failed on Frontend with '451 4.4.0 Primary target IP address responded with "451 5.7.3 STARTTLS is required to send mail." Attempted failover to alternate host, but that did not succeed. Either there are no

  alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was '.

  Cause

  This issue occurs if the TlsCertificateName property of the hybrid server's receive connector contains incorrect certificate information after a new Exchange certificate is installed and old certificate that is used for hybrid mail flow is removed.

  Reference: https://learn.microsoft.com/en-us/exchange/troubleshoot/email-delivery/cannot-receive-mail-with-new-certificate

• Question 26:

  You have two servers named EXCH1 and EXCH2 that run Windows Server 2012 R2 and have Microsoft Exchange Server 2016 installed.

  You purchase a Microsoft 365 subscription. You plan to configure a hybrid deployment between an Exchange Online tenant and the on-premises Exchange Server organization.

  You need to identify the prerequisites to installing the Microsoft Hybrid Agent on EXCH1 and EXCH2.

  Which two prerequisites should you identify? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. Enable TLS 1.2.

  B. Upgrade the operating system of EXCH1 and EXCH2 to Windows Server 2019.

  C. Enable Hybrid Modem Authentication (HMA).

  D. Allow outbound HTTPS connections to Microsoft Online Services.

  Correct Answer: AD

  Microsoft Hybrid Agent System requirements

  The Hybrid Agent has multiple methods of installation with different requirements. In all cases, the core computer requirements are the same as described in the following list:

  Windows Server 2012 R2, Windows Server 2016, or Windows Server 2019

  .NET Framework 4.6.2 or later, as supported by the version of Exchange version.

  TLS 1.2 enabled.

  Azure Application Proxy

  Capable of establishing outbound HTTPS connections to the internet.

  Capable of establishing HTTPS connections to the Exchange Server chosen for hybrid configuration.

  Reference: https://learn.microsoft.com/en-us/exchange/hybrid-deployment/hybrid-agent

• Question 27:

  You have a hybrid deployment between a Microsoft Exchange Online tenant and an on-premises Exchange Server 2019 organization.

  In Exchange Online, you create a shared mailbox named Mailbox1.

  Users report that they cannot open Mailbox1 in Microsoft Outlook.

  You discover that there is no entry in the address list for Mailbox 1 in the Exchange Server organization.

  You need to create Mailbox1 on-premises and enable the mailbox for hybrid management

  Which PowerShell cmdlet should you run?

  A. Set-OnPremisesOrganization with the -OrganizationRelationship parameter

  B. Enable-Remotemailbox with the -Shared parameter

  C. New-Remotemailbox with the -Shared parameter

  D. Upgrade-HybridConfiguration with the -ForceUpgrade parameter

  Correct Answer: C

  Cause These issues can occur if the shared mailbox is created by using the Exchange Online management tools. In this situation, the on-premises Exchange environment has no object to reference for the shared mailbox. Therefore, all queries for that SMTP address fail.

  Solution

  For on-premises environments that use Exchange Server 2013 (CU21 or later versions) or Exchange Server 2016 (CU10 or later versions), do the following:

  Create an on-premises object for the cloud mailbox by using the New-RemoteMailbox cmdlet with the -Shared switch in Exchange Management Shell.

  This object must have the same name, alias, and user principal name (UPN) as the cloud mailbox. For more information, see New-RemoteMailbox.

  For example, run the following command:

  PowerShell

  New-Remotemailbox -Name "" -Alias -UserPrincipalName -Remoteroutingaddress -Shared

  Reference: https://learn.microsoft.com/en-us/exchange/troubleshoot/user-and-shared-mailboxes/cannot-access-mailbox

• Question 28:

  You have 1,000 user accounts that are each licensed for Microsoft 365. Each user account has a Microsoft Exchange Online mailbox.

  Ten of the user accounts are configured as service accounts for applications. The applications send event notifications to the mailboxes of the service accounts by using SMTP. The developers of each application have delegated access to the mailbox of their respective application. You need to ensure that all the event notifications sent by the applications are retained in the service account mailboxes so that new developers can review older notifications. The developers must be able to view only the notifications for their

  respective application. The solution must minimize licensing costs. What should you do?

  A. Convert the service account mailboxes into shared mailboxes.

  B. Replace the service account mailboxes with a mail-enabled group.

  C. Convert the service account mailboxes into mail-enabled contacts.

  D. Convert the service account mailboxes into mail-enabled users.

  Correct Answer: A

  When you convert a user's mailbox to a shared mailbox, all of the existing email and calendar is retained. Only now it's in a shared mailbox where several people will be able to access it instead of one person. Reference: https://docs.microsoft.com/en-us/microsoft-365/admin/email/convert-user-mailbox-to-shared-mailbox?view=o365-worldwide

• Question 29:

  You have a Microsoft 365 subscription that contains a user named User1.

  You need to ensure that User1 can only manage eDiscovery cases that she creates and export the search results. The solution must use the principle of least privilege.

  To which role should you add User1?

  A. Communications Compliance

  B. Compliance Administrator

  C. eDiscovery Manager

  D. eDiscovery Administrator

  Correct Answer: C

  An eDiscovery Manager can use eDiscovery search tools to search content locations in the organization, and perform various search-related actions such as preview and export search results. Members can also create and manage cases in

  Microsoft Purview eDiscovery (Standard) and Microsoft Purview eDiscovery (Premium), add and remove members to a case, create case holds, run searches associated with a case, and access case data. eDiscovery Managers can only

  access and manage the cases they create. They can't access or manage cases created by other eDiscovery Managers.

  Incorrect:

  Not B: eDiscovery Administrator - An eDiscovery Administrator is a member of the eDiscovery Manager role group, and can perform the same content search and case management-related tasks that an eDiscovery Manager can perform.

  Additionally, an eDiscovery Administrator can:

  Access all cases that are listed on the eDiscovery (Standard) and eDiscovery (Premium) pages in the compliance portal.

  Etc.

  Reference: https://docs.microsoft.com/en-us/microsoft-365/compliance/assign-ediscovery-permissions

• Question 30:

  You have a Microsoft Exchange Online tenant.

  You create a connector to a partner company named Contoso as shown in the following exhibit.

  

  You need to ensure that email messages containing the word Confidential and sent to contoso.com recipients are sent by using the TLS to Contoso connector. What should you do?

  A. Create a data loss prevention (DLP) policy.

  B. Configure a new rule.

  C. Configure Organization Sharing.

  D. Add contoso.com as a remote domain.

  Correct Answer: B

  When to use the connector.

  Use only when I have transport rule set up that redirections messages to this connector.