Microsoft AZ-800 Online Practice Questions and Exam Preparation
AZ-800 Exam Details
Exam Code: AZ-800
Exam Name: Administering Windows Server Hybrid Core Infrastructure
Certification: Microsoft Certifications
Vendor: Microsoft
Total Questions: 289 Q&As
Last Updated: May 28, 2026
Microsoft AZ-800 Online Questions & Answers
Question 151:
HOTSPOT
Your network contains a two-domain on-premises Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains the domain controllers shown in the following table.
All domain controllers are backed up by using Azure Backup.
You create an Active Directory site named Site3. Site1, Site2, and Site3 each has a dedicated site link to the Hub site.
In Site3, you install a new server named Server1.
You need to promote Server1 to an RODC in child.contoso.com by using the Install from Media (IFM) option. The solution must minimize network traffic.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Question 152:
DRAG DROP
You have a server named Server1 that has Windows Admin Center installed. The certificate used by Windows Admin Center was obtained from a certification authority (CA).
The certificate expires.
You need to replace the certificate.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Question 153:
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains three servers that run Windows Server and have the Hyper-V server role installed. Each server has a Switch Embedded Teaming (SET) team.
You need to verify that Remote Direct Memory Access (RDMA) and all the required Windows Server settings are configured properly on each server to support an Azure Stack HCI cluster.
What should you use?
A. Server Manager.
B. The Validate-DCB cmdlet.
C. The Get-NetAdapter cmdlet.
D. Failover Cluster Manager.
B. The Validate-DCB cmdlet.
Explanation
References:
https://github.com/Microsoft/Validate-DCB
Question 154:
HOTSPOT
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. Contoso.com contains an organizational unit (OU) named OU1.
You have an Azure subscription that is linked to a Microsoft Entra tenant named fabrikam.com.
You need to sync contoso.com with fabrikam.com.
The solution must meet the following requirements:
1. Support Windows Hello for Business by using a hybrid certificate deployment.
2. Ensure that the passwords in contoso.com do NOT sync to fabrikam.com.
Which Microsoft Entra Connect feature should you use for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Box 1: Device writeback
Support Windows Hello for Business by using a hybrid certificate deployment.
Device registration and device write-back: Windows devices must be registered in Microsoft Entra ID. Devices can be registered in Microsoft Entra ID using either Microsoft Entra join or Microsoft Entra hybrid join.
Hybrid certificate trust deployments require the device write-back feature. Authentication to AD FS needs both the user and the device to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the device and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device write-back.
Note: Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Microsoft Entra ID and Active Directory. Device write-back is used to update the msDS-KeyCredentialLink attribute on the computer object.
Box 2: Pass-through authentication
Ensure that the passwords in contoso.com do NOT sync to fabrikam.com.
Microsoft Entra pass-through authentication allows your users to sign in to both on-premises and cloud-based applications using the same passwords. This feature provides your users a better experience - one less password to remember, and reduces IT helpdesk costs because your users are less likely to forget how to sign in. When users sign in using Microsoft Entra ID, this feature validates users' passwords directly against your on-premises Active Directory.
Key benefits of using Microsoft Entra pass-through authentication include:
* Secure
--> On-premises passwords are never stored in the cloud in any form.
Incorrect:
* Password hash synchronization
Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Microsoft Entra Connect synchronizes a hash of a user's password from an on-premises Active Directory instance to a cloud-based Microsoft Entra instance.
Password hash synchronization is an extension to the directory synchronization feature implemented by Microsoft Entra Connect Sync. You can use this feature to sign in to Microsoft Entra services like Microsoft 365. You sign in to the service by using the same password you use to sign in to your on-premises Active Directory instance.
Question 155:
Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest root domain contains a server named server1.contoso.com.
A two-way forest trust exists between the contoso.com forest and an AD DS forest named fabrikam.com. The fabrikam.com forest contains 10 child domains.
You need to ensure that only the members of a group named fabrikam\Group1 can authenticate to server1.contoso.com.
What should you do first?
A. Add fabrikam\Group1 to the local Users group on server1.contoso.com.
B. Enable SID filtering for the trust.
C. Enable Selective authentication for the trust.
D. Change the trust to a one-way external trust.
C. Enable Selective authentication for the trust.
Explanation
Selective authentication restricts access over an external or forest trust to only those users in a trusted domain or forest who have been explicitly given authentication permissions to computer objects (resource computers) residing in the trusting domain or forest. This authentication setting must be manually enabled.
Note: When a two-way forest trust is created between Forest A and Forest B, all domains in Forest A will trust all domains in Forest B and vice versa.
Incorrect:
Not B: When SID filtering is enabled, all foreign SIDs are removed (quarantined) from the user's access token when the user accesses any resource through the forest trust. The most common impact is that a migrated user account that still accesses a resource by using its old SID can no longer access that resource, because SID filtering blocks (filters) SID history across a forest trust.
When we create a forest trust, SID filtering is enabled by default. In some cases, we need to disable SID filtering.
Not D: When a two-way forest trust is created between Forest A and Forest B, all domains in Forest A will trust all domains in Forest B and vice versa.
If a one-way forest trust is created, where Forest A is the trusting domain and Forest B is the trusted domain, then Forest B can access resources within Forest A; however, Forest A cannot access resources within Forest B.
Question 156:
You have 50 on-premises servers that run Windows Server.
You have an Azure subscription.
You plan to monitor the on-premises servers by using Azure Monitor.
You need to collect event logs from the on-premises servers.
What should you do first?
A. From the Azure portal, create a storage account.
B. From the Azure portal, create a Log Analytics workspace.
C. From the on-premises servers, run azuremonitoragentclientsetup.msi.
D. From the Azure portal, create a data collection rule (DCR) in Azure Monitor.
B. From the Azure portal, create a Log Analytics workspace.
Explanation
To collect event logs from on-premises servers using Azure Monitor, the first step is to create a Log Analytics workspace. The Log Analytics workspace serves as the central repository for all logs and metrics gathered from the monitored systems. After creating the workspace, you can then install the Azure Monitor agent on the on-premises servers and configure data collection rules (DCR) to gather specific logs, such as event logs.