Microsoft AZ-801 Online Practice Questions and Exam Preparation

Microsoft AZ-801 Online Questions & Answers

• Question 91:

  DRAG DROP

  You have a server named Server1 that runs Windows Server and contains two volumes named C and

  D. You connect a disk to Server1 that is encrypted by using BitLocker and contains a volume named

  E.

  You need to ensure that after a restart, the data on volume E can be accessed without providing a password or a recovery key.

  Which three actions should you perform on Server1 in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  

  ---

  To allow a BitLocker-encrypted data volume (E:) to be accessed automatically after a restart without requiring a password or recovery key, BitLocker auto-unlock must be configured. This requires specific prerequisites.

  Step 1: Install the BitLocker Drive Encryption feature BitLocker must be installed on the server to manage encrypted volumes. Without this feature, you cannot configure BitLocker or auto-unlock.

  Step 2: Encrypt volume C

  Auto-unlock for data volumes (like E:) requires that the operating system volume (C:) is already protected by BitLocker. This is because the OS volume stores the keys needed to automatically unlock other data volumes during startup.

  Step 3: Turn on auto-unlock Once BitLocker is enabled on the OS volume, you can enable auto-unlock for the data volume (E:). This ensures that after a reboot, volume E will be unlocked automatically without user intervention.

  Why not other options:

  - Encrypt volume D: Not required, only the OS volume (C:) must be encrypted.

  -

  Install BitLocker Drive Encryption Administration Utilities: These are management tools, not required for functionality.

  -

  Install BitLocker Network Unlock: Used for domain-joined computers with TPM in enterprise scenarios, not needed here.

  This configuration ensures seamless access to the encrypted data volume after restart.

• Question 92:

  You have an Azure subscription. The subscription contains a virtual machine named VM1 that runs Windows Server.

  You enable Microsoft Defender for Servers Plan 2.

  You need to implement File Integrity Monitoring (FIM).

  What should you create first?

  A. a Log Analytics workspace
  B. a private endpoint
  C. a storage account
  D. a data collection rule (DCR)
  A. a Log Analytics workspace

  ---

  Explanation

  To implement File Integrity Monitoring (FIM) for a Windows Server Azure VM with Microsoft Defender for Servers Plan 2, enable Defender for Servers Plan 2, then navigate to Defender for Cloud > Environment settings > relevant subscription, toggle File Integrity Monitoring to "On" and select Edit configuration to choose a Log Analytics workspace or create a new Workspace. Next, configure recommended and custom rules under the FIM settings by enabling them and selecting the desired change types for files and registries.

  Step-by-Step Implementation:

  1. Ensure Defender for Servers Plan 2 is Enabled:

  2. Enable File Integrity Monitoring:

  3. Configure FIM Settings:

  Select Edit configuration.

  Choose a Log Analytics workspace: to store the FIM change data. You can use an existing one or create a new one.

  Edit the Recommended to monitor rule

  4. Apply Changes:

  Select Apply to save your configuration changes and enable FIM for your selected resources.

  References:

  https://learn.microsoft.com/en-us/azure/defender-for-cloud/file-integrity-monitoring-enable-defender-endpoint

• Question 93:

  HOTSPOT

  You have an Active Directory Domain Services (AD DS) domain that contains 1,000 users.

  The domain has the following password requirements:

  The minimum password length must be 12 characters.

  Passwords must expire in 90 days.

  Passwords must be complex.

  You need to ensure that the members of a security team have passwords that meet the following requirements:

  The minimum password length must be 16 characters.

  Passwords must expire in 60 days.

  Passwords must be complex.

  The solution must minimize the impact on users who are NOT members of the security team.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  

  

  ---

  Box 1: Fine Grained Password Policies Implement

  Configure fine grained password policies for Active Directory Domain Services Fine Grained Password Policies provide you with a way to define different password and account lockout policies for different sets of users in a domain. You can use fine grained password policies to specify multiple password policies within a single domain. You can also apply different restrictions for password and account lockout policies to different sets of users in a domain. For example, you can apply stricter settings to privileged accounts and less strict settings to the accounts of other users. Fine-grained password policies apply only to global security groups and user objects. By default, only members of the Domain Admins group can set fine grained password policies. However, you can also delegate the ability to set these policies to other users.

  Box 2: Active Directory Administrative Center By using

  Create a fine grained password policy

  Here's how to create a fine grained password policy using ADAC:

  1. Open Active Directory Administrative Center, either from the Tools menu of the Server Manager console or by running an elevated PowerShell session and typing dsac.exe.

  2. If the appropriate target domain isn't selected, choose Manage, choose Add Navigation Nodes, and select the appropriate target domain in the Add Navigation Nodes dialog box and then choose OK.

  3. In the ADAC navigation pane, open the System container, and then choose Password Settings Container.

  4. In the Tasks pane, choose New, and then choose Password Settings.

  5. Fill in or edit fields inside the property page to create a new Password Settings object. The Name and Precedence fields are required.

  6. Under Directly Applies To, choose Add, type the name of the group to which the fine grained password policy, and then choose OK.

  7. Choose OK to submit the creation.

  References:

  https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/fine-grained-password-policies

• Question 94:

  You have an Azure subscription. The subscription contains a virtual machine named VM1 that runs Windows Server. A network interface named NI1 is assigned to VM1.

  The Ethernet adapter on VM1 is disabled.

  You need to use the Azure portal to enable the adapter.

  What should you use from the portal?

  A. the Configuration settings for VM1
  B. the Reset password settings for VM1
  C. the IP configurations settings for NI1
  D. the Diagnostic settings for NI1
  E. the Diagnostic settings for VM1
  E. the Diagnostic settings for VM1

  ---

  Explanation

  Using Azure Portal to Enable a Disabled Network Adapter (Indirectly)

  1. Enable Boot Diagnostics:

  Go to the Azure portal and select your virtual machine.

  In the Help section, select Boot diagnostics.

  Go to the Settings tab.

  Ensure boot diagnostics is enabled with a managed or custom storage account.

  2. Access Command Prompt using

  Boot Diagnostics:

  Select the "Screenshot" option in the Boot Diagnostics view to see the current screen of the VM. If the network adapter is disabled, you will see a command prompt. If the VM is at the login screen, you may need to use a solution with the Azure portal to generate a new password to log in to the VM.

  3. Enable the Adapter:

  In the Command Prompt, type the following command: netsh interface set interface "Ethernet" admin=enable.

  The Ethernet is the default name for the adapter in Windows; if your adapter has a different name, you will need to use that name.

  4. Check and Verify:

  After executing the command, you can use netsh interface show interface to verify that the adapter is enabled.

  You should then be able to access the VM and verify the network adapter is active.

  References:

  https://www.youtube.com/watch?v=q3IJ1k7FnyU

• Question 95:

  Your network contains an on-premises Active Directory Domain Services (AD DS) domain. The domain contains two virtual machines named VM1 and VM2 that run Windows Server.

  You plan to implement a failover cluster named Cluster1 that will use VM1 and VM2 as nodes.

  You need to ensure that Cluster1 can use floating IP addresses.

  Which two components should you deploy? Each correct answer presents part-of the solution.

  NOTE: Each correct selection is worth one point.

  A. Network Load Balancing (NLB)
  B. the Multipoint Services role
  C. the Network Controller role
  D. the Host Guardian Service role
  E. Software Load Balancer (SLB)
  A. Network Load Balancing (NLB)
  E. Software Load Balancer (SLB)

• Question 96:

  HOTSPOT

  You have an on-premises Active Directory Domain Services (AD DS) domain that contains the resources shown in the following table.

  

  The domain contains the domain controllers shown in the following table.

  

  You configure a site link between Site1 and Site2 and set the replication interval to 20 minutes.

  At 10:00 AM, connectivity between Site1 and Site2 fails.

  Administrators perform the actions shown in the following table.

  

  At 10:30 AM, connectivity between Site1 and Site2 is restored.

  For each of the following statements, select Yes if the statement is true. Otherwise, select No.

  NOTE: Each correct selection is worth dim point

  

  

• Question 97:

  You have an Azure subscription. The subscription contains a virtual machine named Server1 that runs Windows Server.

  You create a new Log Analytics workspace named Workspace1.

  You need to collect performance metrics for Server1 by using Azure Monitor.

  What should you do next?

  A. Regenerate the secondary key.
  B. Install the Azure Connected Machine agent.
  C. Create a data collection rule (DCR).
  D. Deploy and configure Windows Event Forwarding.
  B. Install the Azure Connected Machine agent.

  ---

  Explanation

  To monitor a Windows Server VM with Azure Monitor, you need the Azure Monitor agent installed on the VM, a Data Collection Rule (DCR) to specify what data to collect, and a Log Analytics workspace to store the data. You can often enable the necessary agents and a basic DCR automatically by activating VM insights for the virtual machine.

  Note: Azure Connected Machine agent (ACMA) The Azure Connected Machine agent (ACMA) connects a non-Azure machine to Azure Arc for management, while the Azure Monitor agent (AMA) collects monitoring data from a machine's guest OS to send to Azure Monitor. The ACMA acts as a gateway to enable management and governance, whereas the AMA is a data collector for logs and metrics, and the two agents can be used together. The ACMA is a prerequisite for managing the machine, while the AMA is the data collection component for services like Azure Monitor, Microsoft Sentinel, and Microsoft Defender for Cloud.

  Azure Connected Machine agent (ACMA) 1. Primary Function Connects and provides a secure identity for non-Azure servers in Azure for management and governance.

  2. Purpose Enables management tasks like patch management, software updates, and other Azure Arc-based operations.

  3. Relationship to Other Agents Does not replace the Azure Monitor agent; it is a distinct and necessary component for managing hybrid machines.

  4. Key Benefit Establishes a secure link to Azure to manage hybrid machines as if they were native Azure resources.

  https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overviewReference:

• Question 98:

  DRAG DROP

  Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains two domain controllers named Server1 and Server2 and an organizational unit (OU) named OU. The domain is backed up once daily.

  You need to perform an authoritative restore of OU1.

  Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  

  ---

  Step 1: Restart Server1 in Directory Service Restore Mode (DSRM) Task 1: Perform a System State Restore Restart the domain controller you will be restoring from. Press F8 during startup to enter the Advanced Boot Options menu. Select Directory Services Restore Mode (DSRM) and log in with the DSRM password. [Step 1] Using your backup solution (like Windows Server Backup), restore the System State to the backup point where the OU was present. [Step 2]

  Step 2: Restore the system state.

  Step 3: From Server1, run ntdsutil.exe and mark OU1 as authoritative.

  Task 2: Perform the Authoritative Restore Once the System State is restored, run NTDSUTIL from an elevated command prompt. Enter activate instance ntds to activate the directory services instance. Type authoritative restore and press Enter to enter authoritative restore mode.

  Execute the command restore subtree "Distinguished Name of Deleted OU" (e.g., restore subtree "OU=DeletedOU,DC=YourDomain,DC=com") to mark the deleted OU and its contents for authoritative restoration.

  When prompted, confirm the restore operation.

  Step 4: Restart Server1

  Task 3. Complete the Process Exit the NTDSUTIL utility by typing quit.

  Restart the domain controller in normal mode. The restored OU will be replicated with an increased USN, ensuring it is considered the most up-to-date version by other domain controllers.

  References:

  https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732211(v=ws.11)

• Question 99:

  You have three servers named Server 1. Servers and Server3 that run Windows Server. The servers have the Hyper-V server rote installed and are configured in a Storage Spaces Deed cluster named Cluster1.

  Cluster1 hosts a virtual machine named VM1 that has Windows Admin Center Installed.

  You manage all servers and clusters by using Windows Admin Center.

  You purchase an Azure subscription.

  You need to configure email alerts in Azure Monitor for the following:

  1. Disk Capacity Utilization Over 80% for 10 Minutes

  2. Any critical alert in the cluster system event log

  3. Memory Utilization over 95% for 10 minutes

  4. Heartbeat fewer than 5 beats for 5 Minutes.

  5. CPU Utilization over 85 % for 10 Minutes.

  6. Any hearth service faults for the cluster

  The solution must use the minimum amount of administrative effort.

  What should you do?

  A. From Windows Admin Center, configure Azure Monitor and onboard Cluster1
  B. From Azure portal, configure Azure Monitor and onboard Cluster1 by using Azure Arc.
  C. Configure Azure Monitor and manually install the Microsoft Monitoring Agent on Server1, Server2 and Server3
  A. From Windows Admin Center, configure Azure Monitor and onboard Cluster1

• Question 100:

  You plan to migrate file shares from an on-premises server to another Windows Server. You must preserve share permissions and continuously synchronize changes after the initial copy.

  Administrative effort must be minimized.

  What should you use?

  A. robocopy
  B. xcopy
  C. Storage Migration Service
  D. Azure File Sync
  C. Storage Migration Service