Knowledge Check 9A & B - Manage Hybrid Environment


You are the network administrator for your company. You are using Azure Arc to help manage your servers. To be able to view compliance, you have decided to assign a guest configuration policy to your server. In this lab, your task is to assign an Azure policy using the following information:
· Azure Arc server:
  o NYC-SRV1
· Policy definition:
  o Configure Log Analytics extension on Azure Arc enabled Windows servers
· Log Analytics workspace:
  o ws-corp-cloud-log-analytics

1. Access the NYC-SRV1 Azure server.
   a. Maximize the Google Chrome window for better viewing.
   b. Under Azure Services, select Azure Arc.
   c. From the left pane, under Infrastructure, select the Servers blade. A list of previously added servers is displayed.
   d. Select the server named NYC-SRV1.
2. Assign an Azure policy.
   a. From the left, under Operations, select the Policies blade.
   b. Select Assign policy.
   c. Under Basics, to the right of Policy definition, select the box containing "...".
   d. Type windows servers in the Search field.
   e. Select Configure Log Analytics extension on Azure Arc enabled Windows servers.
   f. From the bottom, click Select. The Policy definition and Assignment name fields are populated.
   g. From the bottom, select Next.
   h. Use the Log Analytics workspace drop-down menu to select ws-corp-cloud-log-analytics.
   i. Select Review + create.
   j. Select Create.

Your company has a Windows server located in the southern UK (United Kingdom). To help you manage this server from multiple locations, you want to add this server to Azure Arc. In this lab, your task is to use Azure Arc to generate a script that will add a single server to Azure Arc using the following information:
· Project details:
  o Subscription: CorpNet Production
  o Resource group: CorpUK
· Server details:
  o Region: (Europe) UK South
  o Operating system: Windows
· Connectivity method:
  o Public endpoint
Download the script that was just created to onboard your Windows server. Verify that the OnboardingScript has been downloaded to the Downloads folder.

1. Add the server with the Azure Arc wizard.
   a. Maximize the Azure Services window.
   b. Under Azure Services, select Azure Arc.
   c. From the left pane, under Infrastructure, select Servers.
   d. From the menu bar, select Add.
   e. For Add a single server, select Generate script.
2. Configure the resource group details and tags.
   a. Review the prerequisites and then select Next.
   b. Configure the resource details as follows:
      § Subscription: CorpNet Production
      § Resource group: CorpUK (This is the resource group that will hold your metadata.)
      § Region: (Europe) UK South
      § Operating system: Windows
      § Connectivity method: Public endpoint
   c. Select Next.
   d. Select Next to skip the process of adding tags.
3. Download the script to onboard your Windows server.
   a. Review the script that has been generated.
   b. Select Download to download the default Azure Arc script.
   c. Select Close.
   d. From the Add servers with Azure Arc window, select the X in the upper right to close the view.
4. Verify that the script was downloaded.
   a. Minimize or close Google Chrome.
   b. From the Windows taskbar, select File Explorer.
   c. From the left pane of File Explorer, select Downloads.
   d. Verify that the OnboardingScript is shown.

You are the network administrator for your company. You have decided to begin the configuration of Azure to help manage your network. As part of this setup, you need to create a virtual server in Azure. In this lab, your task is to create an Azure virtual machine using the following information:
· Virtual machine type: Azure virtual machine
· Project details:
  o Subscription name: CorpNet Production
  o Resource group name: CorpNetCloud
· Instance details:
  o Virtual machine name: CorpCloud1
  o Region: (US) West US2
  o Image: Windows Server 2022 Datacenter: Azure Edition - Gen2
  o Size: Standard_D4s_v3 - 4 vcpu, 16 GiB memory ($327.04/month)
· Administrator account:
  o Username: CorpAdmin
  o Password: corpP@ssw0rd
· Disk options:
  o Set Standard HDD as the OS disk type.
  o Make sure that the Delete with VM box is selected.
· Use the default network parameters.

1. Configure the virtual machine's basic settings.
   a. Maximize the Google Chrome window for better viewing.
   b. Under Azure Services, select Virtual machines.
   c. From the menu bar, select Create > Azure virtual machine.
   d. Under Project details, configure the following:
      § Subscription: CorpNet Production
      § Resource group: CorpNetCloud
   e. Under Instance details, configure the following:
      § Virtual machine name: CorpCloud1
      § Region: (US) West US2
      § Image: Windows Server 2022 Datacenter: Azure Edition - Gen2
      § Size: Standard_D4s_v3 - 4 vcpu, 16 GiB memory ($327.04/month)
   f. Under Administrator account, configure the following:
      § Username: CorpAdmin
      § Password: corpP@ssw0rd
      § Confirm password: corpP@ssw0rd
2. Configure the disks for the new virtual machine.
   a. From the bottom menu bar, select Next: Disks.
   b. Under Disk options, configure the following:
      § OS disk type: Standard HDD
      § Delete with VM: Make sure that this box is selected.
3. Configure the network connectivity for your virtual machine.
   a. From the bottom menu bar, select Next: Networking.
   b. Under Network Interface, verify the following settings:
      § Virtual network: (new) CorpNetCloud-vnet
      § Subnet: (new) default (10.0.0.0/24)
      § Public IP: (new) CorpCloud1-ip
4. Review and validate the new virtual machine.
   a. From the bottom menu bar, select Review + create.
   b. Review the virtual machine details.
5. Create the virtual machine.
   a. From the bottom menu bar, select Create.
   b. Monitor the creation process until the deployment is complete.
   c. After the deployment is complete, select Go to resource and verify that the machine has been created.

You are a network technician for a large corporate network. Your office is in building A. An employee in Building B, named Jacob, is having trouble connecting to a required website. Before you spend too much time troubleshooting this issue, you want to see if Jacob's computer can connect to the internet service provider (ISP) being used for building B. Since Jacob works in another building across campus, you don't have time to walk to his office. In this lab, your task is to test Jacob's connection to the ISP using remote PowerShell commands.
· From Sales1, acting as if you were Jacob:
  o Use PowerShell to view the IP addresses assigned to Sales1.
  o Answer Questions 1 and 2.
  o Configure the Sales1 computer to receive PowerShell remote commands. In a live environment, you would call Jacob and tell him how to enable PowerShell remoting.
· From ITAdmin, as the network technician:
  o Use PowerShell to view the IP addresses assigned to the ITAdmin computer.
  o Answer Question 3.
  o Start a PowerShell interactive session with 192.168.10.31 (Sales1).
  o Use remote PowerShell to run the tracert 198.28.2.254 command on Jacob's computer. This is the IP address for the ISP for building B.
  o Answer Question 4.

1. On Sales1, find the default router and enable PowerShell remoting.
   a. Right-click Start and then select Windows PowerShell (Admin).
   b. Type ipconfig /all and then press Enter.
   c. From the top right, select Answer Questions.
   d. Answer questions 1 and 2. Minimize the questions window.
   e. From PowerShell, configure the Sales1 computer to receive PowerShell remote commands by typing Enable-PSRemoting and then pressing Enter.
2. On ITAdmin, start a PowerShell interactive session with Sales1 and test Sales1's connection to the ISP.
   a. From the top left, select Building B.
   b. Under Building A, select Floor 1.
   c. Under IT Administration, select ITAdmin.
   d. Right-click Start and then select Windows PowerShell (Admin).
   e. From PowerShell, type ipconfig /all and then press Enter.
   f. Answer Question 3.
   g. To start a PowerShell interactive session with Sales1, type Enter-PSSession 192.168.10.31 and then press Enter.
   h. From the PowerShell prompt, type tracert 198.28.2.254 (the IP address of the ISP for building B) and then press Enter.
   i. Answer Question 4.
   j. Run Exit-PSSession from the PowerShell prompt.
   k. Select Score Lab.

You are using Azure Update Management, and the update will affect the hosted virtual machines. How many days do you have to determine the best time to manually apply the updates?

35

The system and user worker type is limited to how many machines?

4000

An Azure Connected Machine agent sends a heartbeat message to the Azure Arc service. Which port would need to be allowed through the firewall for the message to be received?

443

Which of the following BEST describes a Kubernetes cluster?

A group of containerized applications.

When Defender for Cloud detects potential threats, the threat is classified into different levels. Match the threat level on the left with the description on the right. (Each item may be used once, more than once, or not at all.)

· A hybrid network resource has most likely been compromised. Correct answer: High
· Suspicious activity has been detected. Correct answer: Medium
· A potential minor threat has been detected. Correct answer: Low
· Additional information provided about a potential threat. Correct answer: Informational
· This threat needs to be addressed immediately. Correct answer: Medium

When assigning a policy in the Azure portal, you are asked to specify the scope and any exclusions. Which of the following describes the scope?

Allows the policy to be limited to a particular resource group.

Which of the following Azure Monitor Insights resources lets you detect which features are being used in an application?

Application Insights

Which of the following methods are used to deploy DSC using Azure Policy? (Select two.)

Arc-enabled servers using PowerShell to deploy the DSC. Virtual machines using a VM extension.

Once policies have been defined and configured, Azure Policy is used to audit network resources for compliance using the Guest Configuration policy. Which of the following ways can the policy be deployed? (Select two.)

Azure Arc servers have the client installed. Virtual machines use the Guest configuration VM extension.

Which of the following allows the administrator to write, manage, and compile PowerShell Desired State Configuration (DSC) scripts?

Azure Automation State Configuration

You are using Azure Arc to monitor the health and performance of your network resources and gather and analyze log files. Which of the following Azure Arc tools are you using to perform these tasks?

Azure Monitor

Which of the following BEST describes shared capabilities?

Azure resources that can be integrated into Azure Automation runbooks to make them more useful and powerful.

Which of the following are container runtimes supported by Azure Monitor Container Insights?

· CRI compatible
· Moby

Which of the following monitors Azure resources, including Azure virtual machines, on-premises machines, and cloud environments?

Change Tracking and Inventory

What are the main components of Azure's configuration management? (Select two.)

· Change Tracking and Inventory
· Automation State Configuration

Azure Policy can be used to apply the Desired State Configuration (DSC) for all Azure VMs, and Azure Arc-enabled servers. The Desired State Configuration defines what software should be installed and what customizations should be applied to these resources. Using Azure Policy to define and apply the DSC ensures that these resources will remain in compliance and avoids which of the following?

Configuration drift

Which of the following BEST describes a runbook?

Consists of multiple scripts that make up a workflow to complete a task.

You have a PowerShell script that starts a remote session on a server, and then attempts to connect to a second computer to pull some necessary files for the script to complete successfully. However, this prevents Kerberos from passing along your credentials to the second machine and the script fails. This is known as a Kerberos second hop issue. You want to resolve the issue by caching your credentials on the first server so they can be encrypted and sent to the second server. Which of the following second hop solutions meets your requirements?

Credential Security Support Provider (CredSSP)

When assigning a policy, a required field specifies the policy definition. What are the two ways to assign a policy definition? (Select two.)

· Custom policy definitions
· Built-in policy definitions

A network administrator is configuring PowerShell remoting to access a Windows 2008 server. What cmdlet must be executed on the remote server before PowerShell remoting can be used?

Enable-PSRemoting

Defender for Cloud Recommendations is based on Azure security policies. What are the two main policy types that are utilized? (Select two.)

· Enforce
· Audit

The network administrator for CorpNet.xyz needs to start a PowerShell remoting session with an on-premises web server named CorpWeb. What cmdlet do you need to execute? (Include the option and parameters necessary to access the specified server.)

Enter-PSSession -ComputerName CorpWeb

Azure Policy evaluates a network resource when it is created or a policy assignment is updated, created, or assigned to a resource. How often is a resource evaluated after the initial evaluation?

Every 24 hours

As a network administrator, you have just registered two new on-premises servers in Azure Arc. How often will the Azure Connected Machine agent send a heartbeat message from the newly added servers to the Azure Arc service?

Every 5 minutes.

Which Windows Admin Center installation type is similar to a gateway server installation?

Failover cluster installation

You want to install Windows Admin Center (WAC) on your server cluster to make sure you always have access to the management system. Which of the following WAC installation types would work BEST for you?

Failover cluster installation

Which of the following are benefits of enrolling SQL databases into Azure Arc? (Select two.)

· Flexible scaling options
· A platform as a service experience

What are the two methods to install the Hybrid Runbook Worker agent?

· For this method, before the Hybrid Runbook Worker agent is installed, an Azure Monitor Log Analytics Workspace must be configured, and then the Log Analytics Agent must be installed. Correct answer: Physical server
· This method is the recommended option, as neither the Azure Monitor Log Analytics Workspace nor the Log Analytics Agent needs to be installed and configured. Correct answer: Virtual Server

Windows Admin Center Gateway server was recently installed, and you want to access the web portal. Which web browsers are supported? (Select two.)

· Google Chrome
· Microsoft Edge

Runbooks can be used with any Azure resource by default. To use a runbook with a non-Azure resource, what must be installed?

Hybrid Runbook Worker agent

Match each insight on the left with its associated description on the right. (Each item may be used once, more than once, or not at all.)

· Identifies potential security issues that are currently being researched. Correct answer: Preview Recommendations
· Can be automatically applied to fix the related security issue. Correct answer: Fix Insights
· Can be configured to automatically deploy a policy that will fix a security issue as soon as a non-compliant resource is created. Correct answer: Enforce Insights
· Can be configured to prevent non-compliant resources from being created. Correct answer: Deny Insights

As a network administrator, you can click on the Defender for Cloud secure score and see a detailed report with recommendations to fix each security issue and improve the score. What are these fixes known as?

Insights

Which of the following is a method you can use to enable an application to be monitored by Azure Monitor Application Insights?

Install an SDK package into the application itself.

Defender for Cloud can actively monitor all hybrid network resources for potential security issues. Which of the following is an active monitoring technique?

Integrated threat intelligence

As the network administrator, you have implemented Kubernetes Clusters. You want to use Azure Arc to simplify the management of these clusters. Which of the following management capabilities does Azure Arc provide to control the cluster configuration and workloads? (Drag Kubernetes Clusters on the left to each applicable capability on the right. There may be some listed capabilities that do not apply.)

· Inventory. Correct answer: Kubernetes Clusters
· Monitoring. Correct answer: Kubernetes Clusters
· Policy compliance. Correct answer: Kubernetes Clusters
· Security. Correct answer: Kubernetes Clusters
· User access. Correct answer: Kubernetes Clusters

Which of the following formats is used to create the Azure Policy definitions?

JavaScript Object Notation (JSON)

You have a PowerShell script that starts a remote session on a server, and then attempts to connect to a second computer to pull some necessary files for the script to complete successfully. However, this prevents Kerberos from passing along your credentials to the second machine and the script fails. This is known as a Kerberos second hop issue. You want to resolve the issue by specifying what cmdlets and permissions you (and other network admins) can have access to in PowerShell. Which of the following second hop solutions meets your requirements?

Just Enough Administration (JEA)

You want to find specific information in the Azure resources logs. What can you use to run queries on the log information?

Kusto Query Language

Which Windows Admin Center (WAC) installation type works BEST for testing and small-scale deployments?

Local client installation

You want to install Windows Admin Center (WAC) directly onto one of the managed servers to remotely manage the server as well as the cluster it belongs to. Which WAC installation type would work BEST to meet your requirements?

Managed server installation

Azure policy definitions are defined and applied to Azure resources. Which items on the right can a policy definition be assigned to, and which cannot have a policy definition assigned? (Each item on the left may be used more than once.)

· Management groups. Correct answer: Policy definitions can be assigned.
· Subscriptions. Correct answer: Policy definitions can be assigned.
· Resource groups. Correct answer: Policy definitions can be assigned.
· Azure VMs and Arc-enabled servers. Correct answer: Policy definitions can be assigned.
· Workspaces. Correct answer: Policy definitions cannot be assigned.
· App Services. Correct answer: Policy definitions cannot be assigned.

You are viewing different data types in line graphs and pinning these graphs to the Azure Dashboard. Which type of Azure Monitor data is being used to create the line graphs?

Metrics

In order to collect log data for Azure Monitor, you have installed the Azure Log Analytics Agent. Having this agent installed also makes it possible for the log data to be used by other services besides Azure Monitor. Which of the following are services that can use the log data when the Azure Log Analytics Agent is installed?

· Microsoft Defender for Cloud
· Azure Automation

You are using Azure Arc to collect data from all network resources, detect and investigate threats using AI, and respond to incidents rapidly. Which of the following Azure Arc tools are you using to perform these tasks?

Microsoft Sentinel

Which of the following BEST describes Azure Monitor?

Monitors and collects data from hybrid network resources such as applications, containers, and virtual machines.

A network administrator wants to create a session configuration that will protect the computer and prevent unauthorized access while using PowerShell remoting. Which cmdlet is used to create a new session configuration file?

New-PSSessionConfigurationFile

When assigning a policy to a newly created resource, does a remediation task need to be specified?

No. The policy will take effect on newly created resources.

Azure Monitor VM Insights supports VMs that are hosted in which of the following? (Select two.)

· On-premises
· Azure Arc

As part of the Windows Admin Center (WAC) configuration process, target computers need to be added. Which of the following target servers can be managed using WAC? (Each item may be used once, more than once, or not at all.)

· Physical servers. Correct answer: Managed by Windows Admin Center
· Azure based servers. Correct answer: Managed by Windows Admin Center
· Hyper-V virtual servers. Correct answer: Managed by Windows Admin Center
· Server clusters. Correct answer: Managed by Windows Admin Center
· Hyper-Converged Infrastructure. Correct answer: Managed by Windows Admin Center

When installing Windows Admin Center, which inbound and outbound ports should be opened on the firewall? (Select two.)

Port 445 Inbound TCP Port 443 Outbound

Windows Admin Center (WAC) can be integrated with Azure Hybrid Services, allowing WAC to be accessed through the Azure portal. Many Azure tools can be consolidated into one central location, which allows Azure virtual machines to be created directly from WAC. Which tool can you use to perform these tasks through WAC?

PowerShell

A network administrator needs to run a command or set of commands on a remote machine and get the results back quickly without establishing a Remote Desktop session. Which of the following is the BEST choice to accomplish this task? (Select two.)

· PowerShell cmdlets
· PowerShell scripts

Which of the following occurs when you execute the Enable-PSRemoting cmdlet? (Select two.)

PowerShell session endpoints are defined. An HTTP listener is defined on the remote machine.

Your network is utilizing Windows Active Directory and Kerberos. You have a PowerShell script that performs several tasks using PowerShell remoting. You want to resolve any second hop issues by configuring delegation on a server object instead of on an account. Which of the following Kerberos delegation types would you need to use?

Resource-based delegation

You are using Azure Automation to run scripts with your onboarded Azure Arc network resources. What are you using to define the scripts and steps needed to complete a specific Azure Automation task?

Runbook

Microsoft Defender for Cloud is accessed through the Azure portal. Which of the following are Cloud Security features that can be accessed through the portal? (Select two.)

· Security posture
· Regulatory compliance

Defender for Cloud includes pre-built workbooks. Which of the following is an included workbook?

Security score over time

As part of Defender for Cloud, Microsoft has security and data teams that constantly monitor the threat landscape. Which of the following techniques is used by these teams?

Sharing insights between multiple teams and security specialists.

You are using Azure Arc to manage virtual machine extensions. Which of the following BEST describes virtual machine extensions?

Small applications that provide post-deployment configurations such as installing a specific program or service.

You have just registered two Linux virtual servers that you want to manage using Azure Arc. Which of the following happened during the registration process to make these servers manageable by Azure Arc? (Select two.)

The servers were assigned Resource IDs. The servers were placed into a resource group inside an Azure subscription.

Each Hybrid Runbook Worker server is assigned to a Hybrid Runbook Worker Group. Each of these groups can consist of a single worker or multiple if high availability is needed. What are the two types of workers?

· This worker type supports a set of hidden runbooks that uses the Update Management feature and does not work with anything else. Correct answer: System
· This worker type supports user-defined runbooks that are designed to run on Windows or Linux machines that are members of Runbook Worker Groups. Correct answer: User

As the network administrator, you have implemented Defender for Cloud. Which of the following are the two main goals for Defender for Cloud? (Select two.)

Understand the current security posture. Improve the current security posture.

Policies can be assigned using Azure Arc. What ways can a policy be applied to Arc servers? (Select two.)

· Universally
· Specific servers

You are the administrator of a hybrid server environment. You have a Windows Server 2012 machine you are planning to use to install Windows Admin Center. Which of the following do you need to update before installation?

Windows Management Framework (WMF)

Which of the following services must be enabled and set to auto-start for PowerShell remoting to work?

Windows Remote Management (Win-RM) service

Azure Monitor Containers Insights works with clusters that are running on which versions of Windows Server?

Windows Server 2019 and newer

When a PowerShell remoting session involves a second hop to pull files from a second computer, Kerberos is unable to pass the administrator's credentials to the second machine. This is known as the Kerberos second hop problem. There are several solutions available for this type of issue. Match the solution on the left with the definition on the right.

· Works with Active Directory and is more secure than CredSSP but is more complicated. Correct answer: Kerberos delegation
· Used on the remote server to provide the necessary credentials and effectively ignores the second hop issue. Correct answer: RunAsCredential parameter
· Passes the credentials to the remote server but requires some awkward syntax and is not ideal for running multiple commands. Correct answer: Invoke-Command script block
· Limits which cmdlets and permissions a user will have access to in PowerShell. Is configured on every server along the path. Correct answer: Just Enough Administration (JEA)
· Caches the credentials on the remote server and passes encrypted credentials to the second server. Correct answer: Credential Security Support Provider (CredSSP)

As the network administrator, you want to add a non-Azure server to Defender for Cloud. Which of the following is required as part of the server onboarding process?

Workspace

Which of the following is a benefit of using Azure Monitor Insights?

You can view how a resource is performing and identify potential problems.

