Nest 0 Cart
Nest Account
Popular Exams
All Categories...
Nest
Nest 0
Contact
Log In / Sign Up
Copyright 2024 © store. All rights reserved.
Home Microsoft AZ-800

Microsoft AZ-800 Exam Practice Questions (P. 3)

  • Full Access (305 questions)
  • One Year of Premium Access
  • Access to one million comments
  • Seamless ChatGPT Integration
  • Ability to download PDF files
  • Anki Flashcard files for revision
  • No Captcha & No AdSense
  • Advanced Exam Configuration
Get Contributor Access
Question #21
HOTSPOT -
Your network contains three Active Directory Domain Services (AD DS) forests as shown in the following exhibit.

The network contains the users shown in the following table.

The network contains the security groups shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise. select No.
NOTE: Each correct selection is worth one point.
Hot Area:


Correct Answer:

 Box 1: Yes -
User1 is in east.contoso.com. Group1 is Domain Local group in west.adutm.com.
Accounts from any domain or any trusted domain Global groups from any domain or any trusted domain can be members of Domain Local groups.
Accounts, Global groups, and Universal groups from other forests and from external domains can also be members of Domain Local groups.

Box 2: No -
User2 is in the fabrikam.com domain.
Group3 is a Universal group in east.contso.com.
Only accounts from any domain in the same forest can be added as members.

Box 3: Yes -
Group2 is a Universal group in contoso.com.
Group2 can grant permissions On any domain in the same forest or trusting forests.
Active Directory Domain Services add to Domain Local group.
Reference:
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups

Question #22
Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest root domain contains a server named server1.contoso.com.
A two-way forest trust exists between the contoso.com forest and an AD DS forest named fabrikam.com. The fabrikam.com forest contains 10 child domains.
You need to ensure that only the members of a group named fabrikam\Group1 can authenticate to server1.contoso.com.
What should you do first?
  1. A
    Add fabrikam\Group1 to the local Users group on server1.contoso.com.
  2. B
    Enable SID filtering for the trust.
  3. C
    Enable Selective authentication for the trust.
  4. D
    Change the trust to a one-way external trust.

Correct Answer:
C
Selective authentication restricts access over an external or forest trust to only those users in a trusted domain or forest who have been explicitly given authentication permissions to computer objects (resource computers) residing in the trusting domain or forest. This authentication setting must be manually enabled.
Note: When a two way Forest Trust is created between Forest A and Forest B, all domains in Forest A will trust all domains in Forest B and vice versa.
Incorrect:
Not B: When SID Filtering is enabled, all the foreign SIDs will be removed (quarantined) from user's access token while accessing any resource through Forest
Trust. The most common impact of this is, a migrated user account which is still using any resource using old SID will not be able to access that resource anymore. This is because when SID Filtering is enabled, it will block (filter) SID History through a Forest Trust.
When we create a forest Trust, SID Filtering is enabled by default. In some cases, we need to disable SID Filtering.
Not D: When a two way Forest Trust is created between Forest A and Forest B, all domains in Forest A will trust all domains in Forest B and vice versa.
If a one way Forest Trust is created, where Forest A is Trusting Domain and Forest B is Trusted Domain, then Forest B can access resources within Forest A, however Forest A cannot access resources within Forest B.
Reference:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755321(v=ws.10)

Question #23
HOTSPOT -
You have 10 on-premises servers that run Windows Server.
You plan to use Azure Network Adapter to connect the servers to the resources in Azure.
Which prerequisites do you require on-premises and in Azure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Correct Answer:

 Reference:
https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/use-azure-network-adapter

Question #24
DRAG DROP -
You have a server named Server1 that has Windows Admin Center installed. The certificate used by Windows Admin Center was obtained from a certification authority (CA).
The certificate expires.
You need to replace the certificate.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:


Correct Answer:

 Step 1: Run Windows Admin Center Setup and select Change.
Updating the certificate used by Windows Admin Center
When you have Windows Admin Center deployed as a service, you must provide a certificate for HTTPS. To update this certificate at a later time, re-run the installer and choose change.

Step 2: Obtain and install a new certificate.
Step 3: Copy the certificate thumbprint.
The final step is to copy the certificate's thumbprint into the setup soon after installing it into the local store.
Reference:
https://4sysops.com/archives/install-an-ssl-certificate-in-windows-admin-center/

Question #25
HOTSPOT -
You have an on-premises server named Server1 that runs Windows Server and has internet connectivity.
You have an Azure subscription.
You need to monitor Server1 by using Azure Monitor.
Which resources should you create in the subscription, and what should you install on Server1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Correct Answer:

 Reference:
https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/azure-monitor

Question #26
You have an on premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. The domain contains two servers named Server1 and Server2.
A user named Admin1 is a member of the local Administrators group on Server1 and Server2.
You plan to manage Server1 and Server2 by using Azure Arc. Azure Arc objects will be added to a resource group named RG1.
You need to ensure that Admin1 can configure Server1 and Server2 to be managed by using Azure Arc.
What should you do first?
  1. A
    From the Azure portal, generate a new onboarding script.
  2. B
    Assign Admin1 the Azure Connected Machine Onboarding role for RG1.
  3. C
    Hybrid Azure AD join Server1 and Server2.
  4. D
    Create an Azure cloud-only account for Admin1.

Correct Answer:
B
Reference:
https://docs.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal

Question #27
HOTSPOT -
Your network contains two Active Directory Domain Services (AD DS) forests named contoso.com and fabrikam.com. A two-way forest trust exists between the forests. Each forest contains a single domain.
The domains contain the servers shown in the following table.

You need to configure resource based constrained delegation so that the users in contoso.com can use Windows Admin Center on Server1 to connect to Server2.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Correct Answer:

 Reference:
https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview https://docs.microsoft.com/en-us/powershell/module/activedirectory/set-adcomputer?view=windowsserver2022-ps

Question #28
HOTSPOT -
You have a server named Server1 that runs Windows Server and has the Hyper-V server role installed.
You need to limit which Hyper-V module cmdlets helpdesk users can use when administering Server1 remotely.
You configure Just Enough Administration (JEA) and successfully build the role capabilities and session configuration files.
How should you complete the PowerShell command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Correct Answer:

 Reference:
https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/register-jea?view=powershell-7.2

Question #29
You have an Azure virtual machine named VM1 that runs Windows Server.
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You need to ensure that you can use the Azure Policy guest configuration feature to manage VM1.
What should you do?
  1. A
    Add the PowerShell Desired State Configuration (DSC) extension to VM1.
  2. B
    Configure VM1 to use a user-assigned managed identity.
  3. C
    Configure VM1 to use a system-assigned managed identity.
  4. D
    Add the Custom Script Extension to VM1.

Correct Answer:
C
Reference:
https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/guest-configuration

Question #30
HOTSPOT -
You have an Azure subscription named sub1 and 500 on-premises virtual machines that run Windows Server.
You plan to onboard the on-premises virtual machines to Azure Arc by running the Azure Arc deployment script.
You need to create an identity that will be used by the script to authenticate access to sub1. The solution must use the principle of least privilege.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Correct Answer:

 Reference:
https://docs.microsoft.com/en-us/azure/azure-arc/servers/onboard-service-principal

Previous Questions Next Questions

All Pages