Microsoft AZ-800 Actual Free Exam Questions & Community Discussion
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the domain controllers shown in the following table.

You need to ensure that if an attacker compromises the computer account of RODC1, the attacker cannot view the Employee-Number AD DS attribute. Which partition should you modify?

Correct Answer: C
You have a server named Server1 that runs Windows Server. Server1 has a just-a-bunch-of-disks (JBOD) enclosure attached.
You plan to create a storage pool on Server1 and a virtual disk that will use a mirror layout.
You are considering whether to use a two-way or a three-way mirror layout.
What is the minimum number of disks required for each type of mirror layout? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Correct Answer:

Explanation:
Two-way mirror: 2
Three-way mirror: 5
In the Administering Windows Server Hybrid Core Infrastructure materials, the Storage Spaces guidance explains that mirror layouts keep multiple copies of each slab of data across different physical drives in a pool. A two-way mirror maintains two copies, so the pool must contain at least two physical disks to place each copy on a separate disk. This provides protection from a single disk failure with continuous availability.
For higher resiliency, a three-way mirror maintains three copies of every write. The Windows Server implementation requires a minimum of five physical disks in the pool to create a three-way mirror virtual disk. The extra drives beyond the three copies are needed to satisfy the layout/columning rules used by Storage Spaces for performance striping and to ensure there is sufficient distribution to sustain a failure and still have capacity and parallelism for repair operations. The curriculum emphasizes that mirror spaces are recommended for workloads needing fast writes and quick recovery, while parity spaces trade performance for capacity efficiency. Therefore, when planning a JBOD-backed storage pool on a single Windows Server, you must allocate at least 2 disks for a two-way mirror and at least 5 disks for a three-way mirror to meet the platform's resiliency and layout requirements.
Task 1
You need to ensure that DC2 is the schema master for contoso.com.
Correct Answer:
See the solution of this Task below.
Explanation:
Step-by-Step Guide: Seizing/Transferring the Schema Master Role to DC2
# Step 1: Log in to DC2
Use an account that is a member of the Schema Admins, Enterprise Admins, and Domain Admins groups.
# Step 2: Register the Schema Snap-in
The Schema snap-in is not loaded by default.
Open Command Prompt as Administrator.
Type the following command to register the schema management DLL:
regsvr32 schmmgmt.dll
# Step 3: Open MMC (Microsoft Management Console)
Press Windows + R, type mmc, and hit Enter.
In MMC, go to File > Add/Remove Snap-in.
Select Active Directory Schema, then click Add > OK.
# Step 4: Connect to DC2
In the Active Directory Schema console, right-click Active Directory Schema and select Change Active Directory Domain Controller.
In the dialog box, select DC2 and click OK.
This will connect the console to DC2.
# Step 5: Transfer the Schema Master Role
Right-click Active Directory Schema again and select Operations Master.
In the Change Schema Master dialog box, confirm that DC2 is shown as the target.
Click the Change button to transfer the Schema Master role to DC2.
Click Yes when prompted to confirm the transfer.
# Step 6: Verify the Transfer
In the same dialog box, ensure that DC2 is now listed as the Schema Master.
Optionally, run the following command in PowerShell to verify:
netdom query fsmo
The Schema Master should now be DC2.
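The same transfer can be scripted and verified with the ActiveDirectory module. This is an added example, not part of the original answer; the function name Set-SchemaMaster and its -Seize switch are hypothetical, and it assumes an account in Schema Admins and a reachable target DC.

```powershell
# Added example: transfer (or, as a last resort, seize) the schema master role.
# Assumes the RSAT ActiveDirectory module and Schema Admins membership.
Import-Module ActiveDirectory

function Set-SchemaMaster {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TargetDC,   # e.g. 'DC2' from the task
        [switch] $Seize                              # hypothetical switch: maps to -Force
    )

    # Resolve the target to its FQDN so it can be compared with the forest record.
    $target = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop
    $before = (Get-ADForest -Server $target.HostName).SchemaMaster

    if ($before -eq $target.HostName) {
        Write-Verbose "$($target.HostName) already holds the schema master role"
    }
    else {
        $move = @{
            Identity            = $target.HostName
            OperationMasterRole = 'SchemaMaster'
            Confirm             = $false
        }
        # -Force seizes the role without contacting the current holder. Use it
        # only when that holder is permanently offline and will not return.
        if ($Seize) { $move.Force = $true }
        Move-ADDirectoryServerOperationMasterRole @move -ErrorAction Stop
    }

    # Read the result from the target DC itself to avoid a stale replica.
    $after = (Get-ADForest -Server $target.HostName).SchemaMaster
    if ($after -ne $target.HostName) {
        throw "Schema master is still $after, expected $($target.HostName)"
    }

    [pscustomobject]@{ Previous = $before; Current = $after }
}

Set-SchemaMaster -TargetDC 'DC2' -Verbose
```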
You have a Docker host.
You need to create a Windows Server container image that will include an installation of Python. How should you complete the Dockerfile? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.


Correct Answer:

Explanation:

You have four testing devices that are configured with static IP addresses as shown in the following table.

The test devices are turned on once a month.
You need to prevent Server1 from assigning the IP addresses allocated to the test devices to other devices when the test devices are offline. The solution must minimize administrative effort.
What should you do?

Correct Answer: B
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains two servers named Server1 and Server2 and the users shown in the following table.

Which users can establish a PowerShell remoting session from Server1 to Server2?

Correct Answer: B
Your network contains two Active Directory Domain Services (AD DS) forests named contoso.com and adatum.com. A two-way external trust exists between contoso.com and adatum.com. The forests contain the servers shown in the following table.

You need to ensure that users from contoso.com can access only shared resources hosted on SRV1. The solution must meet the following requirements:
* Ensure that users from adatum.com can access the resources hosted in contoso.com.
* Prevent the contoso.com users from accessing any other resources in adatum.com.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.



Correct Answer:

Explanation:
Modify the trust on: DC2
* Modify the permissions for the: Computer object of SRV1
In an Active Directory Domain Services (AD DS) environment involving multiple forests and external trusts, managing granular access across domain boundaries is achieved through Selective Authentication.
According to official documents for Administering Windows Server Hybrid Core Infrastructure, there are two primary authentication settings for a trust: Domain-wide authentication and Selective authentication.
When you need to restrict users from a trusted forest (contoso.com) so they can only access specific resources in the trusting forest (adatum.com), you must configure the trust to use Selective Authentication. This configuration must be performed in the resource domain (the trusting domain). Based on the provided table, DC2 is the domain controller for adatum.com, which is where the shared resources (SRV1) reside.
Therefore, you must modify the trust properties on DC2 to enable Selective Authentication for the incoming trust from contoso.com.
Once Selective Authentication is enabled, Windows does not automatically grant the "Authenticated Users" SID to the user's access token for resources in the local domain. Instead, administrators must explicitly grant the Allowed to Authenticate permission on the specific resource's computer object. In this scenario, since the requirement is to restrict access specifically to resources on SRV1, you must modify the security permissions on the Computer object of SRV1 in Active Directory Users and Computers. By granting the contoso.com users (or a group containing them) this permission, they can successfully authenticate against SRV1 while being blocked from all other servers in the adatum.com forest. This satisfies the requirement to prevent access to any other resources while maintaining the ability of adatum.com users to access contoso.com (as the 2-way trust remains intact).
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are planning the deployment of DNS to a new network.
You have three internal DNS servers as shown in the following table.

The contoso.local zone contains zone delegations for east.contoso.local and west.contoso.local. All the DNS servers use root hints.
You need to ensure that all the DNS servers can resolve the names of all the internal namespaces and internet hosts.
Solution: On Server2, you create a conditional forwarder for contoso.local and west.contoso.local. On Server3, you create a conditional forwarder for contoso.local and east.contoso.local.
Does this meet the goal?
Correct Answer: A
You have a server named Server1 that has the Hyper-V server role installed. Server1 hosts the virtual machines shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.



Correct Answer:

Explanation:
[Answer choice] can have production checkpoints. = VM1, VM2, and VM3
[Answer choice] can be hibernated. = Only VM1 and VM2
You have a server named Server1 that runs Windows Server and contains three volumes named C, D, and E.
Files are stored on Server1 as shown in the following table.

For volume D, Data Deduplication is enabled and set to General purpose file server.
You perform the following actions:
* Move File1 to volume D.
* Copy File2 to volume D and name the copy File4.
* Move File3 to volume E.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.


Correct Answer:

Explanation:
File1 is deduplicated after the deduplication job runs. - YES
File3 is deduplicated after the deduplication job runs. - NO
File4 is deduplicated after the deduplication job runs. - NO
The Administering Windows Server Hybrid Core Infrastructure materials explain that Data Deduplication operates per-volume and only processes files on volumes where the role is enabled. The guide states that deduplication "is applied only to NTFS/ReFS volumes on which the Data Deduplication role is enabled," and that the General-purpose file server usage type applies default policies for typical data shares. It further specifies the file size limits: "Files smaller than 32 KB are not deduplicated; supported files are 32 KB up to multiple terabytes," and clarifies that optimization jobs process eligible files during scheduled runs.
Applying those rules:
* Volume D has Data Deduplication enabled (General-purpose). After moving File1 (500 KB) from C: to D:, it resides on a deduplicated volume and exceeds the minimum size threshold, so it will be deduplicated by the next optimization job.
* File3 (1 MB) is moved off the deduplicated volume (to E:), and dedup only affects enabled volumes; therefore it will not be deduplicated.
* File4 is a copy of File2 (10 KB) on D:. Because the file is smaller than the 32-KB minimum, it is not deduplicated even though it is on a deduplicated volume.
Thus the correct outcomes are YES for File1, NO for File3, and NO for File4.
You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. You have several Windows 10 devices that are Azure AD hybrid-joined.
You need to ensure that when users sign in to the devices, they can use Windows Hello for Business.
Which optional feature should you select in Azure AD Connect?
Correct Answer: A
Task 8
You need to deploy a new primary DNS zone named fabrikam.com to DC1. The zone must be signed.
Correct Answer:
See the solution of this Task below.
Explanation:
To deploy a new primary DNS zone named fabrikam.com to DC1 and sign the zone, you can follow these steps:
Step 1: Create the Primary DNS Zone
Use the Add-DnsServerPrimaryZone PowerShell command to create the primary zone:
Add-DnsServerPrimaryZone -Name "fabrikam.com" -ZoneFile "fabrikam.com.dns" -DynamicUpdate Secure
This command creates a primary zone for fabrikam.com with a DNS file named fabrikam.com.dns and allows secure dynamic updates.
Step 2: Sign the Zone
To sign the zone, you can use the DNS Manager or Windows PowerShell. Here's how to sign the zone using PowerShell:
Add-DnsServerSigningKey -ZoneName "fabrikam.com" -Type KeySigningKey -CryptoAlgorithm RsaSha256
Set-DnsServerDnsSecZoneSetting -ZoneName "fabrikam.com" -DenialOfExistence NSec3 -NSec3HashAlgorithm RsaSha1 -NSec3OptOut $false -NSec3Iterations 10 -NSec3RandomSaltLength 0
These commands add a signing key to the zone and set DNSSEC settings with NSEC3 parameters (hash algorithm 1, opt-out flag 0, 10 iterations, empty salt).
Step 3: Publish the Signed Zone
After signing the zone, ensure that it is published and available for DNS queries. You can verify the zone signing status using the following command:
Get-DnsServerZone -Name "fabrikam.com"
Note: Ensure that you have the appropriate permissions to perform these actions on DC1 and that the DNS Server role is installed and properly configured. Also, replace "fabrikam.com.dns" with the actual path to your DNS file if it's different.
By following these steps, you should be able to deploy and sign the new primary DNS zone fabrikam.com on DC1.
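An added example (not part of the original answer) that carries the signing step through to a verifiable result: it makes sure both a key signing key and a zone signing key exist, signs the zone with Invoke-DnsServerZoneSign, and checks the outcome on the server and over DNS. The function name Enable-ZoneSigning is hypothetical, and the zone is assumed to already exist on DC1.

```powershell
# Added example: sign an existing primary zone and confirm it is really signed.
# Assumes an elevated session with the DnsServer module and an existing zone.
Import-Module DnsServer

function Enable-ZoneSigning {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string] $ComputerName = 'DC1'      # assumption: the DNS server from the task
    )
    $common = @{ ZoneName = $ZoneName; ComputerName = $ComputerName }

    # Fail early if the zone is missing; skip the signing work if already signed.
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName -ErrorAction Stop
    if (-not $zone.IsSigned) {
        # Signing needs both key types: the KSK signs the DNSKEY record set,
        # the ZSK signs every other record set in the zone.
        $keys = @(Get-DnsServerSigningKey @common -ErrorAction SilentlyContinue)
        foreach ($type in 'KeySigningKey', 'ZoneSigningKey') {
            if (-not ($keys | Where-Object KeyType -eq $type)) {
                Add-DnsServerSigningKey @common -Type $type `
                    -CryptoAlgorithm RsaSha256 -KeyLength 2048
            }
        }
        # Adding keys does not sign anything. This call generates the RRSIG
        # and denial-of-existence records for the zone.
        Invoke-DnsServerZoneSign @common -Force
    }

    # Verify twice: the server's own flag, and what a DNSSEC-aware client sees.
    $signed = (Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName).IsSigned
    $answer = Resolve-DnsName -Name $ZoneName -Type DNSKEY `
        -Server $ComputerName -DnssecOk -ErrorAction Stop

    [pscustomobject]@{
        Zone        = $ZoneName
        IsSigned    = $signed
        DnsKeyCount = @($answer | Where-Object Type -eq 'DNSKEY').Count
        HasRrsig    = [bool]($answer | Where-Object Type -eq 'RRSIG')
        KeyTypes    = (Get-DnsServerSigningKey @common).KeyType -join ', '
    }
}

Enable-ZoneSigning -ZoneName 'fabrikam.com' -Verbose
```

A zone that reports IsSigned as False, or a DNSKEY answer without an accompanying RRSIG, means the keys were added but the zone was never signed.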
