AZ-800: Administering Windows Server Hybrid Core Infrastructure


If an administrator configures a DHCP scope with a lease length of four days, when will computers attempt to renew the lease for the first time? -1 day -2 days -3 days

2 days - DHCP clients attempt renewal at 1/2 TTL of the lease duration.

What can an administrator use to help automate container image creation and management? -docker pull -A dockerfile -Docker Hub

A dockerfile - A dockerfile is a text-based file used to automate tasks. It contains instructions on how to create a new container.

What is the default storage location for VM configuration files when a VM is being created in the New Virtual Machine Wizard in Hyper-V? -C:\ProgramData\Microsoft\windows\Hyper-V -C:\Program Files\Hyper-V -C:\Users\Public\Documents\Hyper-V\Virtual Hard Disks

C:\ProgramData\Microsoft\windows\Hyper-V - C:\ProgramData\Microsoft\windows\Hyper-V\ is the default storage location for VM configuration files when a VM is being created in the New Virtual Machine Wizard in Hyper-V.

Which DHCP high availability option supports hot standby to provide the DHCP service? -DHCP clustering -DHCP split scopes -DHCP Failover

DHCP Failover - The DHCP Failover feature allows two DHCP servers to work together to provide IP address information to clients. They can operate in two modes: Hot standby and Load balance.

Which of the following tools can be used to monitor and troubleshoot AD DS replication? -Nltest.exe -Dcdiag.exe -Netdom.exe

Dcdiag.exe - Dcdiag.exe supports several tests that allow you to monitor and troubleshoot replication.

Which IPAM security group can manage IP address blocks and IP address inventory? -IPAM ASM Administrator -IPAM DHCP Administrator -IPAM MSM Administrator

IPAM ASM Administrator - The IPAM ASM Administrator group can also perform this task.

When securing IPAM, which of the following can be used to determine which objects an IPAM administrator has access to? -IPAM roles -IPAM access scopes -IPAM access policies

IPAM access scopes - An access scope determines the objects to which an administrator has access.

A Kubernetes cluster contains at least one master node and which of the following? -kubectl -One or more worker nodes -kubeadm

One or more worker nodes - A Kubernetes cluster contains at least one master node and one or more Linux or Windows-based worker nodes.

Which of the following protocols enable an administrator to manage their IaaS VMs and are secured by Azure Bastion? -RDP. -TLS. -SSL.

RDP. - RDP is secured by Azure Bastion as a means for communicating with your IaaS VMs.

Which of the following procedures should an administrator employ to generalize a Windows VM in preparation for creating a managed image in Azure? -Run Sysprep.exe and accept the default values. -Run Sysprep.exe and select the Generalize check box. -Run Sysprep.exe, select the Generalize check box, and then in the Shutdown Options list, select Shutdown.

Run Sysprep.exe, select the Generalize check box, and then in the Shutdown Options list, select Shutdown. - Generalize isn't selected by default. Also, the default shutdown option is Reboot.

Nested virtualization is supported in which VM configuration versions? -Version 6.0 and later -Version 7.0 and later -Version 8.0 and later

Version 8.0 and later - Nested virtualization is supported in Hyper-V configuration versions 8.0 and later.

Which tool can be used to create, list, and delete a custom application partition? -ntdsutil -netdom -diskpart

ntdsutil - You can use ntdsutil to create, list, and delete a custom application partition.

Which PowerShell command could you use to add a user? -Get-ADUser -New-ADUser -Set-ADUser

New-ADUser - Use this cmdlet to create a new user account.

Which storage option provides an alternative to storing VMs on iSCSI or Fibre Channel SAN devices? -SMB 3.0 file shares -SMB 2.0 file shares -NFS file shares

SMB 3.0 file shares - SMB 3.0 file shares provide an alternative to storing VM files on iSCSI or Fibre Channel SAN devices.

Which of the following statements about DNS secondary zones is true? -The zone can be updated by client computers. -Zone transfers are automatically enabled between the primary and secondary servers. -Secondary zones are read-only.

Secondary zones are read-only. - Secondary zones are read-only and receive their zone records from another DNS server.

Contoso IT staff want to ensure that internal and external clients resolve names to internal and external IP addresses respectively. What do they need to do? -Set up split-horizon DNS by creating two DNS zones in Azure—one private and one public. The zones must have different names. -Set up split-horizon DNS by creating two DNS zones in Azure—one private and one public, both with the same name. -Set up split-horizon DNS by creating a single, private DNS zone in Azure.

Set up split-horizon DNS by creating two DNS zones in Azure—one private and one public, both with the same name. - They must create two zones—one public and one private. The zones must also have the same name, for example, Contoso.com.

Which of the following statements about installing DHCP is true? Select one. -To install the DHCP server role, the installer must be a member of Enterprise Admins. -The DHCP server must have a static IP address. -To authorize a newly deployed server, you must use Windows PowerShell.

The DHCP server must have a static IP address. - A DHCP server must have a manually assigned static IP address.

Which of the following is a built-in container in an AD DS domain that can hold computer accounts? -The Domain Controllers OU -The IT OU -System

The Domain Controllers OU - Although the Domain Controllers OU is an OU, it is created by default and is therefore built in.

Which of the following options contains the GPO settings? -The Group Policy container -The Group Policy template

The Group Policy template - The Group Policy template contains the Group Policy settings.

Which container base image is used primarily to support .NET Core APIs, and is good to use if the starting point is a very small base image? -The Nano Server container base image -The Windows Server Core container image -The IoT Core container image

The Nano Server container base image - The Nano Server container base image is the smallest Windows Server image, which supports the .NET Core APIs and some server roles.

Which of the following is used to prepare and encrypt a shielded VM template disk? -The Shielded Template Disk Creation Wizard -The Key Protection service -A shielding data file

The Shielded Template Disk Creation Wizard - The Shielded Template Disk Creation Wizard is a tool for preparing and encrypting a shielded VM template disk.

An administrator at Contoso is implementing a jump server configuration to improve security. They decide to virtualize the jump server and install the required administrative tools on that VM. What else should this administrator do? -The administrator should also configure a PAW. They should then move the jump server VM to this PAW. -The administrator should also configure a PAW. They should then configure MFA to connect to their jump server VM from their PAW. -The administrator doesn't need to complete any additional tasks.

The administrator should also configure a PAW. They should then configure MFA to connect to their jump server VM from their PAW. - This solution provides a robust security framework for administrative tasks.

What scope of group can be assigned permissions anywhere in an AD DS forest and can have members from anywhere in the forest? -Global -Universal -Domain local

Universal - Universal groups can be granted permissions anywhere in the forest, and can contain members from anywhere in the forest.

When creating shared drives for use in a guest cluster, the virtual hard disk drive can have one of two disk formats. Which of the following are the two possible disk formats? -.vhd and .vhdx -.vhdx and .vhds -Differencing and Dynamically expanding

.vhdx and .vhds - Shared virtual hard disks can be either .vhdx or a VHD Set, which is .vhds format.

Which of the following options is rarely, if ever, assigned as a Server level option? -003: Router -015: DNS domain name -006: DNS servers

003: Router - A router, or default gateway, is a subnet specific value. You would not configure this value at the Server level.

What does the global catalog contain? -A copy of all objects and their attributes from all domains in an AD DS forest -A copy of all objects and some of their attributes from all domains in an AD DS forest -A copy of all objects and all their attributes from all domains in an AD DS forest

A copy of all objects and some of their attributes from all domains in an AD DS forest - The global catalog contains the subset of attributes that are most likely to be useful in cross-domain searches.

Which of the following statements correctly describes the VMs in a guarded fabric? -A guarded fabric only supports shielded VMs. -A guarded fabric supports a mixture of regular VMs, shielded VMs, and encryption-supported VMs. -A guarded fabric doesn't support regular VMs.

A guarded fabric supports a mixture of regular VMs, shielded VMs, and encryption-supported VMs. - A guarded fabric supports a mixture of regular VMs, shielded VMs, and encryption-supported VMs.

Which of the following Azure CLI commands should an administrator run to start an image build using Azure Image Builder? -az resource create. -az resource invoke-action. -az vm create.

az resource invoke-action. - This command starts the image build process.

What type of trust relationship is automatically created between the domains Contoso.com and Seattle.Contoso.com? -A parent and child two-way transitive trust -A tree-root trust -A Shortcut trust

A parent and child two-way transitive trust - When you create a child domain in a forest, a two-way transitive trust is established between the parent and child domain automatically.

Which of the following statements best describes Azure Automation State Configuration? -A declarative management platform to configure, deploy, and control systems. -A service used to write, manage, and compile PowerShell DSC configurations, import DSC resources, and assign configurations to target nodes. -A service that manages the state configuration on each destination, or node.

A service used to write, manage, and compile PowerShell DSC configurations, import DSC resources, and assign configurations to target nodes. - Azure Automation State Configuration enables you to ensure that all the VMs in a collection are in the same consistent state.

Which of the following contains the encrypted secrets that are needed to deploy a shielded VM? -A shielding data file -A Trusted Computing Group Information log file -The code integrity policy

A shielding data file - A shielding data file contains the encrypted secrets that are needed to deploy a shielded VM, in addition to information about signed template disks.

Which role from the following groups in an Azure AD DS domain can administer DNS on the managed domain, create and administer custom OUs on the managed domain, and administer computers joined to the managed domain? -AAD DC Administrators. -Enterprise Admins. -Administrators.

AAD DC Administrators. - Members of the AAD DC Administrators group are granted administrator privileges on the Azure AD DS-managed domain.

Which of the following sign-in methods is NOT available for Contoso IT staff to combine with Seamless SSO? -Password Hash Synchronization. -AD FS. -Pass-through authentication.

AD FS. - You can combine Seamless SSO with both Password Hash Synchronization and Pass-Through Authentication, but not AD FS.

Which tool can you use to trigger an AD DS schema update? -ADSI.MSC -Active Directory Schema console -Active Directory Users and Computers console

ADSI.MSC - In the ADSI.MSC console, you can right-click or access the context menu on the Schema container, and then select Update Schema now. This will trigger an update.

What tool allows the transfer of the Infrastructure Master operations master role? -Active Directory Users and Computers -Active Directory Domains and Trusts -Active Directory Schema

Active Directory Users and Computers - You can use Active Directory Users and Computers to transfer all the domain-level master roles.

What functionality does the transitivity of a two-way forest trust provide? -If you create a forest trust between Forest 1 and Forest 2 and you create a forest trust between Forest 2 and Forest 3, Forest 1 implicitly trusts Forest 3. -All domains in both trusted forests trust each other. -All users in the trusted forest can authenticate for services and access on all computers in the trusting forest.

All domains in both trusted forests trust each other. - When creating a trust, you specify the root domain of each forest. However, because forest trusts are transitive for all domains in each forest, you effectively establish a trust between each pair of domains across both forests.

Which of the following statements about implementing Azure Bastion is true? -An administrator must install the bastion host in its own VNet. VMs must be in a separate VNet -An administrator must configure an NSG for the bastion host. -An administrator must connect Azure Bastion to a subnet with the name AzureBastionSubnet.

An administrator must connect Azure Bastion to a subnet with the name AzureBastionSubnet. - The subnet that contains the bastion host must be called AzureBastionSubnet.

When you onboard servers with Azure Automation State Configuration, you set the configuration mode to one of the following. Which should you choose to enable remediation for servers so that they remain compliant automatically? -ApplyOnly. -ApplyAndMonitor. -ApplyAndAutoCorrect.

ApplyAndAutoCorrect. - With this option, servers that drift from a compliant state are auto-remediated.

In the video, at time index 2:05, what does the script do in the Azure onboarding process? -At that point, the script is onboarding the VM. -At that point, the script is downloading the required agent on the VM. -At that point, the script is installing the required agent on the VM.

At that point, the script is downloading the required agent on the VM. - The script first downloads the agent, then installs it, and then onboards the device into Azure Arc.

What do container-based environments use an orchestrator to do? -Limit the types of applications the environment can support. -Automate and manage large numbers of containers and control how the containers interact with one another. -Create and manage Azure resources including Kubernetes clusters.

Automate and manage large numbers of containers and control how the containers interact with one another. - Container-based environments can use an orchestrator to automate and manage large numbers of containers and control how the containers interact with one another.

Which of the following statements about Azure AD is true? -Azure AD implements the same authentication protocols as on-premises AD DS. -Azure AD is essentially on-premises AD DS in the cloud. -Azure AD users and groups are created in a flat structure.

Azure AD users and groups are created in a flat structure. - Azure AD users and groups are created in a flat structure, and there are no OUs or GPOs.

Which of the following statements is correct? -Azure Arc is only suitable for clusters in edge environments. -The Azure Monitor service isn't available to clusters in Azure Arc. -Azure Arc connects your Kubernetes clusters with Azure so you can manage your clusters.

Azure Arc connects your Kubernetes clusters with Azure so you can manage your clusters. - Azure Arc connects your Kubernetes clusters with Azure so you can manage your clusters.

What is the first step an administrator needs to perform when creating a managed image from a generalized VM that is in the Stopped (deallocated) status? -Create the image. -Capture the image. -Start the VM.

Capture the image. - The administrator must capture the image after it's been generalized and is stopped and deallocated.

Channa in IT support at Contoso has been tasked with running a script on an Azure Arc-managed VM hosted in an on-premises datacenter in the London office. Which of the following represents the best solution for this requirement? -Channa should onboard the machine to Azure Arc and then use a policy to configure the script. -Channa should onboard the machine to Azure Arc and then use a CustomScriptExtension VM extension to download and execute the script. -Channa should onboard the machine to Azure Arc and then Update management and execute the script.

Channa should onboard the machine to Azure Arc and then use a CustomScriptExtension VM extension to download and execute the script. - Using a VM extension, in this case the CustomScriptExtension, enables her to run the script.

Which of the following is the first step for a Windows 10 computer attempting to resolve a hostname into an IP address? -Broadcast a NetBIOS name query. -Check the DNS resolver cache. -Petition the configured DNS server.

Check the DNS resolver cache. - Windows 10 computers check their DNS resolver cache before performing any other type of name resolution.

When considering DHCP options, which of the following has the highest precedence? -Server level options -Class level options -Scope level options

Class level options - Class options override both scope and server options.

Which of the following tasks can Azure AD DS domain administrators perform? -Add domain controllers to the managed domain. -Configure the built-in GPO for the AADDC Computers and AADDC Users containers in the managed domain. -Connect to domain controllers for the managed domain using Remote Desktop.

Configure the built-in GPO for the AADDC Computers and AADDC Users containers in the managed domain. - Administrators, that is, members of the AAD DC Administrators group, can also create and administer custom OUs on the managed domain and administer computers joined to the managed domain.

In the Contoso.com domain, in the Marketing OU, an administrator creates a GPO called Folder Redirection. The administrator wants the policy to apply to all users in the Marketing OU, except for the Marketing managers. What should the administrator do to prevent the Folder Redirection GPO from applying to the managers, but allow all other GPOs linked to the Marketing OU to apply to the managers? -Create a WMI filter that identifies the managers' computers and use that filter to Deny the application of the GPO to the managers. -Move the marketing manager user accounts to their own child OU in Marketing, and then implement Block Inheritance on the child OU. -Create a global security group called Marketing Managers and add the marketing manager user accounts to the group. Then configure GPO security filtering to Deny the Apply Policy permission to this group.

Create a global security group called Marketing Managers and add the marketing manager user accounts to the group. Then configure GPO security filtering to Deny the Apply Policy permission to this group. - You can use security filtering to allow or deny the application of a GPO to specific users or groups.

One of the administrators in Contoso IT wants to delegate computer management to a small team in IT support. The computers are all in the Sales department, and their accounts reside in the Sales OU. Adhering to best practice, how should the administrator proceed? -Create a group for the sales computer management team, and then create a custom task delegation for that team on the Sales OU. The custom task will be for Computer objects. -Create a group for the sales computer management team, and then create a common task delegation for that team on the Sales OU. -Create a custom task delegation for the users in the sales computer management team on the Sales OU. The custom task will be for Computer objects.

Create a group for the sales computer management team, and then create a custom task delegation for that team on the Sales OU. The custom task will be for Computer objects. - This approach adheres to best practices.

From an internet-connected on-premises host, Pavel is unable to resolve an IP address from an FQDN for one of the internet-facing VMs in Azure. He created a private DNS zone. What does he need to do? -Troubleshoot DNS on the client by using a standard name resolution troubleshooting procedure. For example, empty the name cache, and then use nslookup to verify the resolution process. -Make sure that the appropriate IP address is added as a record set in the DNS zone. -Create a public DNS zone for the domain name that contains the record, and add the record set for the VM's FQDN.

Create a public DNS zone for the domain name that contains the record, and add the record set for the VM's FQDN. - A public DNS zone is required for this scenario.

An administrator chooses to use GPO provisioning in IPAM. Three GPOs are created and linked to the AD DS domain object. What must the administrator do to prevent the GPOs from applying to all computer objects in the domain? -Enable WMI filtering on the GPOs. -Link the GPOs to an OU that contains managed servers. -Enable security filtering on the GPOs.

Enable security filtering on the GPOs. - Security filtering prevents the GPOs from applying to all servers. When you select a server for IPAM to manage, that server is added to the security filtering for the GPO.

What's meant by declarative automation in the context of deploying VMs by using templates? -Defining the required resources in addition to the steps needed to create those resources. -Defining the required resources but not how to create those resources. -Defining the required resources with the system ensuring that those resources are always available.

Defining the required resources but not how to create those resources. - In the case of Resource Manager templates, Resource Manager takes care of these details for you.

Contoso wants to deploy an LDAP-aware LOB application in Azure. Which of the following deployment models best suits this scenario? -Deploy a separate AD forest that's trusted by domains in their on-premises AD forest. -Deploy AD DS only on an Azure VM. -Deploy AD DS in an on-premises infrastructure and on an Azure VM.

Deploy AD DS in an on-premises infrastructure and on an Azure VM. - This scenario is common for apps that are LDAP-aware and that support Windows-integrated authentication.

Which of the following operations masters is a forest-level operations master? -Infrastructure -Domain naming -RID

Domain naming - Domain naming master is a forest-level operations master.

The IT department in Adatum is deploying a new version of Microsoft Office in their on-premises environment. The administrator wants to configure settings with GPOs for Office. What should they do? -Download and install new .adml files and then configure the desired settings in the Administrative Templates node in the appropriate GPO. -Copy the content of the Windows\PolicyDefinitions folder to the Central Store. -Download and install new administrative template files and then configure the desired settings in the Administrative Templates node in the appropriate GPO.

Download and install new administrative template files and then configure the desired settings in the Administrative Templates node in the appropriate GPO. - You must update the .admx and .adml files together.

What cmdlet can be run on a remote Windows Server computer to enable PowerShell remoting? -Enable-PSRemoting. -New-PSSession. -Enter-PSSession.

Enable-PSRemoting. - You use the Enable-PSRemoting cmdlet to enable Windows Remote Management firewall exceptions and enable the WinRM listener service.

In addition to the name of the remote computer being connected to, which of the following must be specified when connecting to a JEA endpoint using remote PowerShell? -Endpoint configuration name -Session configuration file name -Role capability file name

Endpoint configuration name - You must specify both the computername and the endpoint configuration name when making a remote PowerShell connection using JEA.

What Generation version should be used to utilize the Secure Boot functionality in Hyper-V VMs? -Generation 1 -Generation 2 -Configuration Version 9.0

Generation 2 - Generation 2 VMs support Secure Boot.

Which of the following PowerShell cmdlets can be used to determine which built-in JEA endpoints are available on a Windows Server computer? -Register-PSSessionConfiguration -Get-PSSessionConfiguration -Set-PSSessionConfiguration

Get-PSSessionConfiguration - You can use the Get-PSSessionConfiguration cmdlet to view existing JEA endpoints.

When deploying the first domain controller in a forest by running the Active Directory Domain Services Configuration Wizard, which of the following options is configured by default? -RODC -Global catalog -DNS name

Global catalog - This option is selected by default for the first domain controller in a forest.

In a guarded fabric, which component checks the validity of guarded hosts and releases the keys to start protected VMs? -AD DS security group -Microsoft Desktop Image Service Manager -HGS

HGS - In a guarded fabric, the HGS checks the validity of guarded hosts and releases the keys that are used to start protected VMs.

What is the correct term for the virtualization layer that's inserted into the boot process of the host machine that controls access to the physical hardware? -Hardware virtualization layer -Hypervisor -Unified Extensible Firmware Interface (UEFI) secure boot

Hypervisor - A software layer known as a hypervisor is inserted into the boot process. The hypervisor is responsible for controlling access to the physical hardware.

Which VPN tunneling protocol provides the best features for Contoso's mobile users? -PPTP -SSTP -IKEv2

IKEv2 - IKEv2 supports mobility, making it a good protocol choice for a mobile workforce.

Using Windows Admin Center, an administrator connects to the domain controller, SEA-DC1. The administrator wants to add a new user account to the Contoso.com AD DS domain. Which of the following procedures would not work? -In Windows Admin Center, connect to SEA-DC1 and then, in the navigation pane, select Active Directory. Select Create, then select User. Enter the required details and then select Create. -In Windows Admin Center, connect to SEA-DC1 and then, in the navigation pane, select Local users & groups. Select Create, then select User. Enter the required details and then select Create. -In Windows Admin Center, connect to SEA-DC1 and then, in the navigation pane, select PowerShell. After signing in, use the New-ADUser cmdlet to create a new user.

In Windows Admin Center, connect to SEA-DC1 and then, in the navigation pane, select Local users & groups. Select Create, then select User. Enter the required details and then select Create. -This is the right answer because you cannot use the Local users & groups node when connected to a domain controller. In addition, local users are not domain users.

What cmdlet is used to install Hyper-V via Windows PowerShell? -Install-WindowsFeature -Get-WindowsFeature -Enable-WindowsOptionalFeature

Install-WindowsFeature - You can use Install-WindowsFeature to install Hyper-V with Windows PowerShell.

When planning to implement Azure AD DS, which of the following statements are true? -It's possible to extend the schema for the Azure AD DS domain. -Nested OUs are supported. -It's not possible to target OUs with built-in GPOs.

It's not possible to target OUs with built-in GPOs. - Additionally, you cannot use WMI filters or security-group filtering.

What versions of Kubernetes and Windows Server are the minimum required to support running Windows containers as worker nodes in a Kubernetes cluster? -Kubernetes version 1.12 and Windows Server 2012 R2. -Kubernetes version 1.13 and Windows Server 1607. -Kubernetes version 1.14 and Windows Server version 1809.

Kubernetes version 1.14 and Windows Server version 1809. - Kubernetes version 1.14 and Windows Server version 1809 or later are required to support the running of Windows containers as worker nodes in a Kubernetes cluster.

Which component in DSC is responsible for applying the desired configuration to the target computer? -Configurations -LCM -Resources

LCM - The LCM is the engine that DSC uses to apply the configurations.

After creating a private zone in Azure DNS, what must an administrator do before their resources can use the zone? -Link their VNets to the zone. -Link their VMs to the zone. -Enable autoregistration on the VNet link to the zone.

Link their VNets to the zone. - When they link the zone to VNets, then resources attached to those VNets can access the zone.

Contoso IT staff have set up Azure AD Connect and are beginning to synchronize accounts. Maria in IT finds a new user account in Azure AD that has been created by the Azure AD Connect process. Which of the following accounts would Maria have found? -Maria found an account called MSOL_c778af008d92. -Maria found an account called Sync_CONTOSO- [email protected]. -Maria found an account called AAD_c778af008d92.

Maria found an account called [email protected]. - An account with the prefix Sync is created in Azure AD as part of the Azure AD Connect setup.

What are the minimum permissions required to authorize a DHCP server in a multiple domain AD DS forest? -Member of Enterprise Admins group -Member of Domain Admins group -Member of local Administrators group on the DHCP server

Member of Enterprise Admins group - In an AD DS forest with multiple domains, you need permissions in all domains to authorize DHCP servers in all the domains.

When installing IPAM, which of the following is an invalid option for storing IPAM data? -Microsoft Access database -Windows Internal Database -Microsoft SQL Server database

Microsoft Access database - You can't use Access to store IPAM data.

Which of the following choices describes one of the differences between a container and a VM? -Container startup times are slower than VM startup times. -More containers can be run on the same host than VMs on the same host. -A container consumes more server resources than a VM.

More containers can be run on the same host than VMs on the same host. - A container enables you to run more containers on the same host than if you were to run VMs.

An administrator at Contoso wants to connect to SEA-DC1 using Remote Desktop. The administrator can successfully connect to SEA-DC1 using Server Manager and also Windows Admin Center. However, when they open Remote Desktop Connection and enter the computer name and user credentials, the connection fails. What does the administrator need to do? -The administrator must use the computer SEA-DC1's IP address to connect. -On SEA-DC1, the administrator should use Sconfig and select option 7, and enable Remote Desktop. -On SEA-DC1, the administrator should use Sconfig and select option 8, and reconfigure Network Settings.

On SEA-DC1, the administrator should use Sconfig and select option 7, and enable Remote Desktop.

How should a trust between an ESAE forest and a production forest be configured? -One-way with forest-wide authentication and the ESAE forest trusting the production forest -One-way with selective authentication and the production forest trusting the ESAE forest -One-way with the forest-wide authentication and the production forest trusting the ESAE forest

One-way with selective authentication and the production forest trusting the ESAE forest - The ESAE forest model uses one-way trust with selective authentication and the production forest trusting the ESAE forest.

An administrator at Contoso is using answer files to configure server settings during deployment. In which section of the answer file should the administrator define the Windows Server roles and features that should be deployed? -Components -Packages

Packages - This section defines the packages that are used to distribute updates, service packs, and language packs, and also Windows roles and features.

Which of the following tasks should an administrator perform first when deploying DNS? -Create the required DNS zones. -Install the required DNS servers. -Plan the DNS infrastructure.

Plan the DNS infrastructure. -An administrator must plan the DNS infrastructure, including determining which DNS zones and what type of zones are needed, before starting deployment.

What type of virtual switches will facilitate communication between the VMs running on the same Hyper-V host, but not between the VMs and the Hyper-V host? -External -Internal -Private

Private - A Private virtual switch facilitates communication between the VMs on the same Hyper-V host but not between the VMs and the Hyper-V host. It can be used only by the virtual machines that run on the physical host.

An administrator wants to create a reusable template that uses the custom script extension to configure web content on a VM. What's the best way to enable deployments to specify the script that configures web content? -Provide a variable that specifies the script location. -Provide a default script location in your template, and then use a nested template to override that location. -Provide a parameter that specifies the script location.

Provide a parameter that specifies the script location. -Parameters promote reuse. Their values are filled in when the template runs.

Why should Contoso use pull mode instead of push mode for DSC? -Pull mode is best for complex environments that need redundancy and scale. -Pull mode is easy to set up and doesn't need its own dedicated infrastructure. -Pull mode uses the LCM to make sure that the state on each node matches the state specified by the configuration.

Pull mode is best for complex environments that need redundancy and scale. -The LCM on each node automatically polls the pull server at regular intervals to get the latest configuration details. In push mode, an administrator manually sends the configurations toward the nodes.

Which of the following options reduces the amount of egress traffic when deploying AD domain controllers in Azure? -Active Directory sites. -Add trust relationships. -Read-only domain controllers.

Read-only domain controllers. -RODCs reduce the amount of egress traffic and the resulting Azure service charges. Because changes to directory objects are not allowed on RODCs, replication of directory objects from RODCs to other domain controllers doesn't occur.

Which of the following settings should be configured in a session configuration file to ensure that a special account with local administrative credentials is used during a JEA session instead of the connecting user's account? -SessionType -RunAsVirtualAccount -RunAsVirtualAccountGroup

RunAsVirtualAccount - The RunAsVirtualAccount setting allows you to have the JEA session use a special virtual account with local administrative privileges.

An administrator wants to reconfigure the properties of some users in the Marketing OU of the Contoso.com domain. The administrator decides to use Windows PowerShell. Which of the following cmdlets would the administrator use to make changes? -Get-ADuser -Set-ADuser -New-ADuser

Set-ADuser - This cmdlet is used to commit changes to the selected objects.

Which Windows PowerShell cmdlet can be used to enable nested virtualization? -Get-VM -Enter-PSSession -Set-VMProcessor

Set-VMProcessor -To enable nested virtualization, this cmdlet can be run in a format such as: Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true. This command should be run from the physical Hyper-V host machine while the VM is in the off state.

Which port is used by the Windows Admin Center site by default? -TCP 6516 -TCP 80 -TCP 443

TCP 6516 -This is the default port for the Windows Admin Center website. However, you can change it during installation or subsequently.

In Adatum.com, there are two sites: London and Windsor. A single GPO (called London settings) is linked to London and another (Windsor settings) is linked to Windsor. In addition, there are two GPOs linked to the Adatum.com domain: The Default Domain GPO (which is Enforced) and a further policy: Adatum Folder Redirection (which has a link order value of 2). The Sales OU has a linked GPO called Sales Desktop settings. A user in the Sales department based in Windsor, whose user account and computer account reside in the Sales OU, is experiencing problems with settings on their computer. An administrator decides to investigate. The administrator suspects that there are conflicting settings in the various GPOs that apply to the user and their computer. Which GPO's settings take precedence? -The Default Domain GPO -The Windsor settings GPO -The Sales Desktop settings GPO

The Default Domain GPO -This policy takes precedence because it is Enforced.

In the demonstration video, at time index 3:25, the administrator selects an account to sign in with. What are the minimum permissions this account needs? -The account must be a member of the Azure Connected Machine Resource Administrator role. -The account must be a member of the Azure Connected Machine Onboarding role. -The account must be a member of the Global Administrator role.

The account must be a member of the Azure Connected Machine Onboarding role. -These are the required permissions.

An administrator has set up a standalone Windows 10 Enterprise computer in a workgroup as an administrative workstation. The administrator intends to use Windows PowerShell remoting to manage remote Windows Servers in the Contoso.com domain. The administrator is unable to establish a remote Windows PowerShell connection to the domain controller SEA-DC1. Assuming that all default settings have been applied, which of the following is the reason for this failure to connect? -The administrator must enable remoting on the Windows 10 computer by running Enable-PSremoting -force. -The administrator must enable remoting on the Windows Server domain controller computer SEA-DC1 by running Enable-PSremoting -force. -The administrator must add the SEA-DC1 computer as a trusted host by using the Set-Item WSMan:localhost\Client\TrustedHosts -Value 'SEA-DC1.Contoso.com' command.

The administrator must add the SEA-DC1 computer as a trusted host by using the Set-Item WSMan:localhost\Client\TrustedHosts -Value 'SEA-DC1.Contoso.com' command. -Because the Windows 10 computer is not part of the domain, Kerberos authentication cannot be used. Therefore the administrator must configure the target server as a trusted host.

An administrator wants to increase security by adjusting the default behavior of the UAC elevation prompt for standard users. Which of the following values in Group Policy would be appropriate to adjust to achieve this objective? -The administrator must change the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode setting. They must choose the option: Prompt for credentials. -The administrator must change the User Account Control: Behavior of the elevation prompt for standard users setting. They must choose the option: Automatically deny elevation requests. -The administrator must change the User Account Control: Behavior of the elevation prompt for standard users setting. They must choose the option: Prompt for credentials.

The administrator must change the User Account Control: Behavior of the elevation prompt for standard users setting. They must choose the option: Automatically deny elevation requests. - This is the most secure setting for standard user accounts.

An administrator creates a custom delegation using the Delegation of Control Wizard. The administrator delegates the Sales group administrative rights on computer objects in the Sales OU. Specifically, the group is granted Create selected objects in folder and Delete selected objects in folder, plus Full Control of computer objects. Later, the administrator wants to modify these delegated permissions. What must they do? -The administrator must run the Delegation of Control Wizard again, and this time, assign Deny permissions. Deny overrides Allow permissions. -The administrator must run the Delegation of Control Wizard again, and this time, choose the newly delegated permissions. -The administrator must review the security settings on the Sales OU by enabling Advanced Features in Active Directory Users and Computers. Then, they must review the advanced security settings for the OU.

The administrator must review the security settings on the Sales OU by enabling Advanced Features in Active Directory Users and Computers. Then, they must review the advanced security settings for the OU. - The administrator must edit or remove the permissions created by the delegation, and then, if necessary, rerun the Delegation of Control Wizard.

An administrator at Contoso must create a user account in the Contoso.com domain. Which of the following group memberships enable the administrator to perform the task without exceeding the required privilege? -The administrator should sign in using an account that belongs to Enterprise Admins. -The administrator should sign in using an account that belongs to the local Administrators group. -The administrator should sign in using an account that belongs to the domain local Account Operators group.

The administrator should sign in using an account that belongs to the domain local Account Operators group. - Members of the domain local Account Operators group can add user accounts in the local domain.

Towards the end of the demonstration, the instructor tests DNS by using which procedure? -The instructor runs nslookup from a command line to verify DNS. -The instructor runs nslookup from Azure CLI to verify DNS. -The instructor runs nslookup from Windows PowerShell to verify DNS.

The instructor runs nslookup from Azure CLI to verify DNS.

Which of the following statements about Azure VM disks is true? -There will be only one operating system disk in each Azure VM, and its maximum size is 32 TB. -The maximum number of data disks you can attach to the Azure VM is dependent on the Azure VM size. -The number and disk size of temporary disks is dependent on the size of the Azure VM.

The maximum number of data disks you can attach to the Azure VM is dependent on the Azure VM size. - Different sizes offer different storage opportunities.

When planning deployment for AD domain controllers in Azure, how can an administrator at Contoso control Active Directory replication? -They must establish the appropriate trust relationships. -They must configure sites in AD DS. -Configure a static IP address for each VM.

They must configure sites in AD DS. -They must configure sites in AD DS so that they can control replication traffic between the on-premises and Azure-based domain controllers.

Which of the following settings should be configured in a role capability file to specify the exact PowerShell cmdlets that are available in a JEA session? -VisibleProviders -VisibleCmdlets -VisibleFunctions

VisibleCmdlets - Use this section of a role capability file to specify which PowerShell cmdlets can be used in a JEA session.

Which browser-based Hyper-V management method can be used to manage local or remote VMs, while providing summary and status information on events such as CPU and memory utilization? -Hyper-V Manager -PowerShell Direct -WAC

WAC - WAC can be used to manage local or remote VMs. It also provides summary and status information on events such as CPU and memory utilization.

In which of the following situations should an administrator at Contoso create a stub zone? -When integrating with autonomous systems such as partner organizations. -When providing for reverse lookups in the DNS infrastructure. -To provide for internet-based client computers that need to resolve internal DNS resource records.

When integrating with autonomous systems such as partner organizations. - The purpose of a stub zone is to provide a list of name servers that can be used to resolve information for a domain without synchronizing all the records locally.

When using Windows Admin Center, when might an administrator choose to configure trusted hosts? -When the Windows Admin Center workstation is not in the same AD DS forest as the resources it manages. -When the Windows Admin Center workstation is in the same AD DS forest as the resources it manages. -In all circumstances, the administrator must configure trusted hosts.

When the Windows Admin Center workstation is not in the same AD DS forest as the resources it manages. -When you connect to a remote computer, you must authenticate to that computer. Where Windows Admin Center isn't in the same AD DS forest as target hosts, you must configure the target computers as trusted hosts.

Which Windows 10 Enterprise feature helps to protect user credentials during the sign in process, and what is needed to enable this feature? -Windows Defender Credential Guard provides this protection. To implement Windows Defender Credential Guard, you require the Hyper-V feature, and ideally a TPM and Unified Extensible Firmware Interface (UEFI) lock. -Windows Defender Device Guard provides this protection. To implement Windows Defender Device Guard, you require the Hyper-V feature, Secure boot, and ideally a TPM and UEFI lock. -Windows Defender Credential Guard provides this protection. To implement Windows Defender Credential Guard, you require the Hyper-V feature, Secure boot, and ideally a TPM and UEFI lock.

Windows Defender Credential Guard provides this protection. To implement Windows Defender Credential Guard, you require the Hyper-V feature, Secure boot, and ideally a TPM and UEFI lock. - A TPM and UEFI lock are optional, but recommended.

Which of the following statements about JIT access in Azure is correct? -JIT is enabled on VMs by default providing those VMs are protected by Azure Bastion. -It's necessary to manually add commonly used management ports to the JIT VM access configuration in order to properly configure JIT. -You can enable JIT access for a VM when you attempt to connect to the VM from the VM's Connect blade.

You can enable JIT access for a VM when you attempt to connect to the VM from the VM's Connect blade. -In addition to using Security Center to enable JIT, you can select the link, To improve security, enable just-in-time access on this VM.

