live chatMcAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Pass4Test 10%OFF Discount Code

Microsoft Administering Windows Server Hybrid Core Infrastructure - AZ-800 Exam Questions

QUESTION NO: 1
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains a server named Server1 that has the DFS Namespaces role service installed. Server! hosts a doma in-based Distributed File System (DFS) Namespace named Files.
The domain contains a tile server named Server2. Seiver2 contains a shared folder named Share1. Share1 contains a subfolder named Folder 1.
In the Files namespace, you create a folder named Fold er! that has a target of \\Server2.contoso.
com\Share1\Folder1.
You need to configure a logon script that will map drive letter M to Folder1. The solution must use the path of the DFS Namespace.
How should you complete the command to map the drive letter? T o answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

In a domain-based DFS Namespace, clients should access content through the namespace path, not the underlying server/share target. The Windows Server Hybrid Core Infrastructure guidance explains that a domain-based namespace is published in AD DS and is addressed with the UNC pattern \\ < domain FQDN >
\ < NamespaceName > \... . Namespace servers (like Server1) only host the namespace metadata; the folder target(s) can point to any SMB share path (here: \\Server2.contoso.com\Share1\Folder1 ). However, client mappings must use the DFS namespace root so that referrals, fault tolerance, and transparent target changes work.
Given the namespace Files and the DFS folder Folder1, the correct client path is \\contoso.com\Files\Folder1
. Options such as \\Server2.contoso.com\Shar e1\Folder1 reference the physical share directly and bypass DFS; \\Server1.contoso.com\Files\Folder1 would work for a standalone namespace or when explicitly addressing a namespace server, but the requirement states to "use the path of the DFS Namespace," which for a domain-based namespace is the domain FQDN. Therefore, the correct logon script command to map drive M: is:
net use m: \\contoso.com\files\folder1
This ensures users benefit from DFS features (referrals, site-awareness, and resiliency) while abstracting the backend target path.
QUESTION NO: 2
Task 12
You need to create a Group Policy Object (GPO) named GPO1 that only applies to a group named MemberServers.
Correct Answer:
See the solution of this Task below.
Explanation:
To create a GPO named GPO1 that only applies to a group named MemberServers, you can follow these steps:
On a domain contro ller or a computer that has the Remote Server Administration Tools (RSAT) installed, open Group Policy Management from the Administrative Tools menu or by typing gpmc.msc in the Run box.
In the left pane, expand your domain and right-click on Group Policy Objects. Select New to create a new GPO.
In the New GPO dialog box, enter GPO1 as the Name of the new GPO and click OK. You can also optionally select a source GPO to copy the settings from.
Right-click on the new GPO and select Edit to open the Group Poli cy Management Editor. Here, you can configure the settings that you want to apply to the group under the Computer Configuration and User Configuration nodes. For more information on how to edit a GPO, see Edit a Group Policy Object.
Close the Group Policy Management Editor and return to the Group Policy Management console. Right-click on the new GPO and select Scope. Here, you can specify the scope of management for the GPO, such as the links, security filtering, and WMI filtering.
Under the Security Filter ing section, click on Authenticated Users and then click on Remove. This will remove the default permission granted to all authenticated users and computers to apply the GPO.
Click on Add and then type the name of the group that you want to apply the GPO t o, such as MemberServers. Click OK to add the group to the security filter. You can also click on Advanced to browse the list of groups available in the domain.
Optionally, you can also configure the WMI Filtering section to further filter the GPO based on the Windows Management Instrumentation (WMI) queries. For more information on how to use WMI filtering, see Filter the scope of a GPO by using WMI filters.
To link the GPO to an organizational unit (OU) or a domain, right-click on the OU or the domain in the left pane and select Link an Existing GPO. Select the GPO that you created, such as GPO1, and click OK. You can also change the order of preference by using the Move Up and Move Down buttons.
Wait for the changes to replicate to other domain controller s. You can also force the update of the GPO by using the gpupdate /force command on the domain controller or the client computers. For more information on how to update a GPO, see Update a Group Policy Object.
Now, you have created a GPO named GPO1 that on ly applies to a group named MemberServers. You can verify the GPO application by using the gpresult /r command on a member server and checking the Applied Group Policy Objects entry. You can also use the Group Policy Results wizard in the Group Policy Mana gement console to generate a report of the GPO application for a specific computer or user. For more information on how to use the Group Policy Results wizard, see Use the Group Policy Results Wizard.
QUESTION NO: 3
Your on-premises network contains a server named Server1 and uses an IP address space of 192.168.10.0/2 4.
You have an Azure virtual network that contains a subnet named Subnet1. Subnet1 uses an IP address space of 192.168.10.0/24.
You need to migrate Server1 to Subnet1. You must use Azure Extended Network to maintain the existing IP address of Server1.
What is the minimum number of virtual machines that you should deploy? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point
Correct Answer:

Explanation:

The Administering Windows Server Hybrid Core Infrastructure guidance for Azure Extended Network (AEN) explains that AEN is used to "migrate servers to Azure without changing their on-premise s IP addresses by extending the L2 subnet into an Azure virtual network." The deployment requires a single Windows Server virtual machine in Azure that runs the AEN agent and bridges traffic for the stretched subnet: "Deploy one Windows Server VM (Datacent er) in the target VNet/subnet to act as the Azure Extended Network proxy for that subnet." The proxy VM must be Windows Server 2019 Datacenter or Windows Server 2022 Datacenter ; Windows Server 2022 Azure Edition is not a requirement for AEN:
"AEN is suppor ted on Windows Server 2019/2022 Datacenter VMs in Azure." The docs further note: "Only one proxy VM per stretched subnet is required to maintain IP addressing for migrated workloads." Since Subnet1 will host Server1 and you must keep the 192.168.10.x address, you only need to deploy one Azure VM to run the AEN proxy. No additional Azure Edition VM is necessary, and no extra Azure VMs are required for the on-premises side because the on-premises server is the workload being migrated.
Therefore, the mini mum Azure VM count is 1 (Windows Server 2019/2022) and 0 (Windows Server 2022 Azure Edition).
QUESTION NO: 4
You need to implement a name resolution solution that meets the networking require ments. Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point
Correct Answer: E,G
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 5
Which groups can you add to Group3 and Group5? To answer, select the appropriate options in the answer area.
NOTE: Each correc t selection is worth one point.
Correct Answer:

Explanation:
In Windows Server AD DS, group scope determines which groups/accounts can be members. The AZ-800 study materials summarize: "Domain Local groups can include accounts, Global groups, and Universal groups from any domain and Domain Local groups from the same domain only. Global groups can include accounts and other Global groups from the same domain only. Universal groups can include *accounts, Global groups, and Universal groups from any domain." In addition, distribution vs. security does not change the scope membership rules; it only affects whether the group can be assigned permis sions.
Applying the rules: Group3 is a Domain Local security group in contoso.com . Therefore it can contain Universal (Group1), Global from any domain (Group2 in contoso.com and Group4/Group5 in canada.
contoso.com), but cannot contain a Domain Local from a nother domain (Group6 in canada.contoso.com).
Hence: Group1, Group2, Group4, and Group5 only .
Group5 is a Global distribution group in canada.contoso.com . A Global group can only contain accounts or Global groups from the same domain . From the list, only G roup4 (Global distribution, canada.contoso.
com) fits. It cannot contain Group1 (Universal), Group2 (Global but different domain), or Group6 (Domain Local). Therefore: Group4 only .
QUESTION NO: 6
You are planning the implementation Azure Arc to support the planned changes. You need to configure the environment to support configuration management policies. What should you do?
Correct Answer: A
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 7
You have an on-premises Active Directory Domain Servic es (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant Group writeback is enabled in Azure AD Connect.
The AD DS domain contains a server named Server1 Server 1 contains a shared folder named share1.
You have an Azure Storage account named storage2 that uses Azure AD-based access control. The storage2 account contains a share named shared You need to create a security group that meets the following requirements:
* Can contain users from the AD DS domain
* Can be used to authorize user access to share 1 and share2
What should you do?
Correct Answer: C
Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).
QUESTION NO: 8
You deploy a single-domain Active Directory Domain Services (AD DS) forest named contoso.com.
You deploy five serve rs to the domain. You add the servers to a group named iTFarmHosts.
You plan to configure a Network Load Balancing (NIB) cluster named NLBCluster.contoso.com that will contain the five servers.
You need to ensure that the NLB service on the nodes of the cl uster can use a group managed service account (gMSA) to authenticate.
Which three PowerShell cmdlets should you run in sequence? To answer, move the appropriate cmdiets from the list of cmdlets to the answer area and arrange them in the correct order.
Correct Answer:

Explanation:

The AZ-800 materials explain that group Managed Service Accounts (gMSAs) rely on the KDS (Key Distribution Service) to generate and rotate passwords. Therefore, in a new forest you must first create a KDS root key :
* "Before creating your first gMSA, run Add-KdsRootKey to seed the KDS" (the key may need propagation time). Next, you create the gMSA and scope which computers can retrieve its managed password:
* Use New-ADServiceAccount with -PrincipalsAllowedToRetrieveManagedPassword set to the security group that contains the NLB nodes (here, ITFarmHosts ), and specify the DNS host name as needed for the service (e.g., NLBCluster.contoso.com ). Finally, on each cluster node you install (regist er) the gMSA locally so services can run under it:
* Run Install-ADServiceAccount on each server in ITFarmHosts .
Cmdlets like Add-ADComputerServiceAccount are used for standalone MSAs (sMSAs), not gMSAs, and Set-ADForestConfiguration isn't required. This seq uence enables the NLB service on all five nodes to authenticate using the gMSA with automatic password management.
QUESTION NO: 9
Your on-premises network contains an Active Directory Domain Services (AD DS) domain.
You plan to sync the domain with a Microsoft Entra tenant by using Microsoft Entra Connect cloud sync.
You need to meet the following requirements:
* Install the software required to sync the domain and Microsoft Entra ID.
* Enable password hash synchronization.
What should you install, and what should you use to enable password h ash synchronization? To answer, select the appropriate options in the answer area.
Correct Answer:

Explanation:

In a cloud-sync deployment , Microsoft's hybrid identity guidance for Administering Windows Server Hybrid Core Infrastructure specifies that you do not install the full Microsoft Entra (Azure AD) Connect server .
Instead, cloud sync " uses a lightweight agent-called the Microsoft Entr a Connect provisioning agent- installed on one or more Windows Server computers that can reach your AD DS domain controllers ." The agent handles directory read operations and securely communicates with the cloud provisioning service.
The study material further states that all configuration-including creating sync configurations, scoping filters, and enabling features such as Password Hash Synchronization (PHS)-is performed in the Microsoft Entra admin experience : " Cloud sync is configured in the Azure po rtal; you create a cloud sync configuration, select the on-premises AD forest, and enable password hash synchronization so password hashes are synchronized to Microsoft Entra ID. " Because you are using Microsoft Entra Connect cloud sync , the correct softwa re to install on-premises is the Microsoft Entra Connect provisioning agent (not the full Microsoft Entra Connect server or ADFS tools). And to enable PHS for cloud sync, you use the Azure portal (Microsoft Entra admin center) to turn on Password hash sync hronization within the cloud sync configuration. This meets both requirements:
installing the proper agent for cloud sync and enabling PHS centrally in the portal.