Microsoft Microsoft Certified: Windows Server Hybrid Administrator Associate AZ-800 Questions & Answers

• Question 31:

  Your network contains a single-domain Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains the servers shown in the following exhibit table.

  

  You plan to install a line-of-business (LOB) application on Server1. The application will install a custom Windows service.

  A new corporate security policy states that all custom Windows services must run under the context of a group managed service account (gMSA). You deploy a root key.

  You need to create, configure, and install the gMSA that will be used by the new application.

  Which two actions should you perform? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point

  A. On Server1, run the setspncommand.

  B. On DC1, run the New-ADServiceAccountcmdlet.

  C. On Server1, run the Install-ADServiceAccountcmdlet.

  D. On Server1, run the Get-ADServiceAccountcmdlet.

  E. On DC1, run the Set-ADComputercmdlet.

  F. On DC1, run the Install-ADServiceAccountcmdlet.

  Correct Answer: BE

  Step 1: Provisioning group Managed Service Accounts

  (B) Create a gMSA using the New-ADServiceAccount cmdlet.

  Step 2: Configuring service identity application service If using security groups for managing member hosts, add the computer account for the new member host to the security group (that the gMSA's member hosts are a member of). To add member hosts using the Set-ADServiceAccount cmdlet

  1.

  On the Windows Server 2012 domain controller (DC1, not Server1), run Windows PowerShell from the Taskbar.

  2.

  At the command prompt for the Windows PowerShell Active Directory module, type the following commands, and then press ENTER:

  3.

  Get-ADServiceAccount [-Identity] -Properties PrincipalsAllowedToRetrieveManagedPassword

  4.

  (E) At the command prompt for the Windows PowerShell Active Directory module, type the following commands, and then press ENTER:

  5.

  Set-ADServiceAccount [-Identity] -PrincipalsAllowedToRetrieveManagedPassword

  6.

  Etc.

  Reference: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/getting-started-with-group-managed-service-accounts

• Question 32:

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.

  You need to identify which server is the PDC emulator for the domain.

  Solution: from Active Directory Users and Computers, you right-click contoso.com in the console tree, and then select Operations Master

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: A

  As xrisimix said; Operation Masters and then PDC tab

• Question 33:

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three Active Directory sites named Site1, Site2, and Site3. Each site contains two domain controllers. The sites are connected by using

  DEFAULTIPSITELINK.

  You open a new branch office that contains only client computers.

  You need to ensure that the client computers in the new office are primarily authenticated by the domain controllers in Site1.

  Solution: You create a new subnet object that is associated to Site1.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: A

  Yes, creating a new subnet object that is associated with Site1 would meet the goal of ensuring that client computers in the new office are primarily authenticated by the domain controllers in Site1. When a client computer requests authentication, Active Directory will use the subnet-to-site association to determine which site the client computer is in, and will then direct the authentication request to a domain controller in that site. By associating the new subnet with Site1, client computers in the new office will be directed to authenticate with domain controllers in Site1.

• Question 34:

  Your company has a main office and a branch office. The two offices are connected by using a WAN link. Each office contains a firewall that filters WAN traffic.

  The network in the branch office contains 10 servers that run Windows Server. All servers are administered from the main office only.

  You plan to manage the servers in the branch office by using a Windows Admin Center gateway.

  On a server in the branch office, you install the Windows Admin Center gateway by using the defaults settings.

  You need to configure the firewall in the branch office to allow the required inbound connection to the Windows Admin Center gateway.

  Which inbound TCP port should you allow?

  A. 443

  B. 3389

  C. 5985

  D. 6516

  Correct Answer: A

• Question 35:

  You have an Azure virtual machine named VM1 that has a private IP address only.

  You configure the Windows Admin Center extension on VM1.

  You have an on-premises computer that runs Windows 11. You use the computer for server management.

  You need to ensure that you can use Windows Admin Center from the Azure portal to manage VM1.

  What should you configure?

  A. an Azure Bastion host on the virtual network that contains VM1.

  B. a VPN connection to the virtual network that contains VM1.

  C. a private endpoint on the virtual network that contains VM1.

  D. a network security group (NSG) rule that allows inbound traffic on port 443.

  Correct Answer: B

  Reference: https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/manage-vm

• Question 36:

  You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant.

  You plan deploy 100 new Azure virtual machines that will run Windows Server.

  You need to ensure that each new virtual machine is joined to the AD DS domain.

  What should you use?

  A. an Azure Resource Manager (ARM) template

  B. a Group Policy Object (GPO)

  C. Azure AD Connect

  D. an Azure management group

  Correct Answer: A

  Reference: https://www.ludovicmedard.com/create-an-arm-template-of-a-virtual-machine-automatically-joined-to-a-domain/

• Question 37:

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You are planning the deployment of DNS to a new network.

  You have three internal DNS servers as shown in the following table.

  

  The contoso.local zone contains zone delegations for east.contoso.local and west.contoso.local. All the DNS servers use root hints.

  You need to ensure that all the DNS servers can resolve the names of all the internal namespaces and internet hosts.

  Solution: On Server2, you create a conditional forwarder for west.contoso.local. On Server3, you create a conditional forwarder for east.contoso.local.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

• Question 38:

  You have an on-premises server named Server1 that runs Windows Server.

  You have an Azure virtual network that contains an Azure virtual network gateway.

  You need to connect only Server1 to the Azure virtual network.

  What should you use?

  A. a Site-to-Site VPN

  B. Azure Network Adapter

  C. an ExpressRoute circuit

  D. Azure Extended Network

  Correct Answer: A

  Reference: https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/use-azure-network-adapter

• Question 39:

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three Active Directory sites named Site1, Site2, and Site3. Each site contains two domain controllers. The sites are connected by using

  DEFAULTIPSITELINK.

  You open a new branch office that contains only client computers.

  You need to ensure that the client computers in the new office are primarily authenticated by the domain controllers in Site1.

  Solution: You create an organization unit (OU) that contains the client computers in the branch office. You configure the Try Next Closest Site Group Policy Object (GPO) setting in a GPO that is linked to the new OU.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

• Question 40:

  You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant.

  You have several Windows 10 devices that are Azure AD hybrid-joined.

  You need to ensure that when users sign in to the devices, they can use Windows Hello for Business.

  Which optional feature should you select in Azure AD Connect?

  A. Device writeback

  B. Group writebeack

  C. Azure AD app and attribute filtering

  D. Password writeback

  E. Directory extension attribute sync

  Correct Answer: D

  Reference: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs