Microsoft Administering Windows Server Hybrid Core Infrastructure - AZ-800 FREE EXAM DUMPS QUESTIONS & ANSWERS

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are planning the deployment of DNS to a new network.
You have three internal DNS servers as shown in the following table.

The contoso.local zone contains zone delegations for east.contoso.local and west.contoso.local. All the DNS servers use root hints.
You need to ensure that all the DNS servers can resolve the names of all the internal namespaces and internet hosts.
Solution: On Server2, you create a conditional forwarder for west.contoso.local. On Server3, you create a conditional forwarder for east.contoso.local.
Does this meet the goal?
Correct Answer: A
Your network contains an Active Directory forest. The forest contains two domains named contoso.com and east.contoso.com and the servers shown in the following table.

Contoso.com contains a user named User1.
You add User1 to the built-in Backup Operators group in contoso.com.
Which servers can User1 back up?
Correct Answer: C
You have a server named Server1 that runs Windows Server.
You plan to host applications in Windows containers.
You need to configure Server1 to run containers. What should you install?
Correct Answer: B
Task 6
You need to enable nested virtualization for a virtual machine named VM1 on SRV1.
Correct Answer:
See the solution of this Task below.
Explanation:
TASK 6
# Objective:
Enable nested virtualization for a VM (VM1) on SRV1.
Step-by-Step Guide: Enable Nested Virtualization
# Step 1: Verify Requirements
Nested virtualization requires:
SRV1 to have a processor that supports Intel VT-x or AMD-V.
Hyper-V role installed on SRV1.
VM1 must be turned off.
# Step 2: Open PowerShell on SRV1
Log in to SRV1 with an account that has administrative privileges.
Open PowerShell as Administrator.
# Step 3: Enable Nested Virtualization
Run the following command:
Set-VMProcessor -VMName "VM1" -ExposeVirtualizationExtensions $true
# Step 4: Verify Nested Virtualization
To confirm the change, run:
Get-VMProcessor -VMName "VM1" | Format-List ExposeVirtualizationExtensions
# The output should show:
ExposeVirtualizationExtensions : True
# Step 5: Configure Network Adapter (Optional for Nested VMs)
Nested virtualization requires MAC address spoofing for the VM network adapter.
Run:
Set-VMNetworkAdapter -VMName "VM1" -MacAddressSpoofing On
# Step 6: Start the VM
Use PowerShell:
Start-VM -Name "VM1"
Or start the VM in Hyper-V Manager.
Additional Notes
Nested virtualization allows you to run Hyper-V within a VM.
Useful for lab/test environments (e.g., running nested Hyper-V hosts in a VM).
Your network contains two Active Directory Domain Services (AD DS) forests named contoso.com and fabrikam.com. Contoso.com contains three child domains named amer.contoso.com, apac.contoso.com, and emea.contoso.com. Fabrikam.com contains a child domain named apac.fabrikam.com. A bidirectional forest trust exists between contoso.com and fabrikam.com.
You need to provide users in the contoso.com forest with access to the resources in the fabrikam.com forest.
The solution must meet the following requirements:
* Users in contoso.com must only be added directly to groups in the contoso.com forest.
* Permissions to access the resources in fabrikam.com must only be granted directly to groups in the fabrikam.com forest.
* The number of groups must be minimized.
Which type of groups should you use to organize the users and to assign permissions? To answer, drag the appropriate group types to the correct requirements. Each group type may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:

The Windows Server hybrid core administration guidance describes the classic cross-forest/group nesting model as AGUDLP: "Accounts → Global (or Universal) → Domain Local → Permissions." For resource access that spans forests, the documentation stresses two points: (1) Put user accounts into groups that exist only in their own forest, and (2) Grant ACL permissions only to groups that exist in the resource forest. It further explains that Universal groups are forest-wide and "can contain users and global groups from any domain in the same forest and can be used across forest trusts," which minimizes the number of groups when users come from multiple child domains. By contrast, Domain Global groups are limited to membership from a single domain, which would require separate globals per child domain and thus more groups. For assigning permissions at the resource side, the guidance states that Domain Local groups are intended to "receive permissions on resources within their own domain and can contain members from trusted forests," which satisfies the requirement that permissions in fabrikam.com be granted only to groups in that forest. Therefore, to meet all constraints and minimize group count: place contoso.com users in a Universal group (in contoso.com) and add that group to a Domain Local group (in fabrikam.com) that is granted the required permissions.
Task 12
You need to create a Group Policy Object (GPO) named GPO1 that only applies to a group named MemberServers.
Correct Answer:
See the solution of this Task below.
Explanation:
To create a GPO named GPO1 that only applies to a group named MemberServers, you can follow these steps:
On a domain controller or a computer that has the Remote Server Administration Tools (RSAT) installed, open Group Policy Management from the Administrative Tools menu or by typing gpmc.msc in the Run box.
In the left pane, expand your domain and right-click on Group Policy Objects. Select New to create a new GPO.
In the New GPO dialog box, enter GPO1 as the Name of the new GPO and click OK. You can also optionally select a source GPO to copy the settings from.
Right-click on the new GPO and select Edit to open the Group Policy Management Editor. Here, you can configure the settings that you want to apply to the group under the Computer Configuration and User Configuration nodes. For more information on how to edit a GPO, see Edit a Group Policy Object.
Close the Group Policy Management Editor and return to the Group Policy Management console. Right-click on the new GPO and select Scope. Here, you can specify the scope of management for the GPO, such as the links, security filtering, and WMI filtering.
Under the Security Filtering section, click on Authenticated Users and then click on Remove. This will remove the default permission granted to all authenticated users and computers to apply the GPO.
Click on Add and then type the name of the group that you want to apply the GPO to, such as MemberServers. Click OK to add the group to the security filter. You can also click on Advanced to browse the list of groups available in the domain.
Optionally, you can also configure the WMI Filtering section to further filter the GPO based on the Windows Management Instrumentation (WMI) queries. For more information on how to use WMI filtering, see Filter the scope of a GPO by using WMI filters.
To link the GPO to an organizational unit (OU) or a domain, right-click on the OU or the domain in the left pane and select Link an Existing GPO. Select the GPO that you created, such as GPO1, and click OK. You can also change the order of preference by using the Move Up and Move Down buttons.
Wait for the changes to replicate to other domain controllers. You can also force the update of the GPO by using the gpupdate /force command on the domain controller or the client computers. For more information on how to update a GPO, see Update a Group Policy Object.
Now, you have created a GPO named GPO1 that only applies to a group named MemberServers. You can verify the GPO application by using the gpresult /r command on a member server and checking the Applied Group Policy Objects entry. You can also use the Group Policy Results wizard in the Group Policy Management console to generate a report of the GPO application for a specific computer or user. For more information on how to use the Group Policy Results wizard, see Use the Group Policy Results Wizard.
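The same scoping can be done with the GroupPolicy PowerShell module; this is an added example, not part of the original answer. Instead of removing Authenticated Users outright, it downgrades that group to Read without Apply, so the GPO stays readable while only MemberServers applies it. The OU path is an assumed placeholder.

```powershell
# Added example (not from the original answer). Requires the GroupPolicy
# module (RSAT) and rights to create and link GPOs in the domain.
Import-Module GroupPolicy

$gpoName  = 'GPO1'
$group    = 'MemberServers'
$targetOu = 'OU=Servers,DC=contoso,DC=com'   # assumed placeholder: your OU or domain DN

# Create the GPO only if it does not already exist.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment "Security-filtered to $group" | Out-Null
}

# Security filtering: GpoApply grants Read + Apply Group Policy to the group.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# New GPOs grant Apply to Authenticated Users by default. -Replace lowers that
# entry to Read only, so the group no longer applies the GPO but can still read it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Link the GPO; security filtering only matters where the GPO is linked.
try {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -ErrorAction Stop | Out-Null
} catch {
    Write-Warning "Link not created (it may already exist): $($_.Exception.Message)"
}

# Verify: list every trustee that can APPLY the GPO. Anything other than
# the intended group means the filter is wider than planned.
$appliesTo = Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }

$unexpected = $appliesTo | Where-Object { $_ -ne $group }
if ($unexpected) {
    Write-Warning "Unexpected Apply permission for: $($unexpected -join ', ')"
} else {
    Write-Output "$gpoName applies only to: $($appliesTo -join ', ')"
}
```

Computers added to MemberServers pick up the new group membership only after a restart, so run gpresult /r on a member server after it has rebooted.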
Task 1
You need to create a group-managed service account (gMSA) named gMSA1 and make gMSA1 available on SRV1.
Correct Answer:
See the solution of this Task below.
Explanation:
To create a group-managed service account (gMSA) named gMSA1 and make it available on SRV1, you can follow these steps:
Step 1: Create the Key Distribution Services Root Key
First, you need to create the KDS Root Key, which is required for the gMSA to function. You can do this with the following PowerShell command:
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
Note: The -EffectiveTime parameter is set to 10 hours in the past to ensure immediate effect.
Step 2: Create the gMSA
Next, use the New-ADServiceAccount cmdlet to create the gMSA:
New-ADServiceAccount -Name gMSA1 -DNSHostName gmsa1.domain.com -PrincipalsAllowedToRetrieveManagedPassword SRV1$
Replace domain.com with your actual domain name.
Step 3: Install the gMSA on SRV1
Now, you need to install the gMSA on the server SRV1. Run the following command on SRV1:
Install-ADServiceAccount -Identity gMSA1
Step 4: Test the gMSA
To ensure that the gMSA is installed correctly and ready for use, perform a test using:
Test-ADServiceAccount -Identity gMSA1
If the test returns True, the gMSA is correctly installed and ready for use on SRV1.
Step 5: Configure the Service to Use the gMSA
Finally, configure the service that requires the gMSA to use gMSA1 by setting the service's logon account to domain\gMSA1$ and leave the password field blank.
This will create and make the gMSA gMSA1 available on SRV1. Ensure that you have the necessary permissions and that SRV1 is properly joined to the domain before proceeding with these steps.
Your network contains a Microsoft Entra Domain Services domain named sk230128outlook.onmicrosoft.com. The domain contains a server named Server1 that runs Windows Server.
You have the users shown in the following table.

The domain contains the Group Policy Objects (GPOs) shown in the following exhibit.

The minimum password length for each GPO is configured as shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Correct Answer:

Explanation:
If User1 changes their password, the new password must have at least 10 characters. No
If User2 changes their password, the new password must have at least seven characters. Yes
If User3 changes their password, the new password must have at least 13 characters. No
Explanation:
The Windows Server Hybrid Core Infrastructure materials explain that Account policies (Password Policy, Account Lockout Policy, and Kerberos Policy) are domain-wide and are processed only from the GPO linked at the domain root (typically the Default Domain Policy). The guide states that "password policy settings for domain user accounts are obtained from the domain account policy; GPOs linked to OUs do not change the domain password policy for user objects." It further clarifies that OU-linked GPOs containing Account Policy settings affect only the local Security Accounts Manager (SAM) of computers whose computer objects are in that OU, not the passwords of domain user accounts. In Microsoft Entra Domain Services (managed domains), you also see the built-in AADDC Users GPO and AADDC Computers GPO; however, the same scope rules apply: domain users' password length is determined by the domain account policy, while local accounts on member servers/workstations inherit Account Policy from the GPO that applies to the computer object's OU.
Applying these rules to the scenario:
* User1 is a domain user under AADDC Users OU. Even if that OU GPO set 10 characters, it does not override the domain account policy → No.
* User2 is a local user on Server1. The computer object (typically under AADDC Computers) receives its Account Policy from the AADDC Computers GPO, which sets minimum length = 7 → Yes.
* User3 is a domain user under OU1 with GPO1. OU-level Account Policy (e.g., 13 characters) does not affect domain user passwords → No.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three Active Directory sites named Site1, Site2, and Site3. Each site contains two domain controllers. The sites are connected by using DEFAULTIPSITELINK.
You open a new branch office that contains only client computers.
You need to ensure that the client computers in the new office are primarily authenticated by the domain controllers in Site1.
Solution: You create a new site named Site4 and associate Site4 to DEFAULTSITELINK.
Does this meet the goal?
Correct Answer: A
You have a server named Server1 that runs Windows Server 2019 and hosts a container named Contained.
Contained uses a Windows Server 2019 base image that was built by using a Docker file.
You upgrade Server1 to Windows Server 2022.
You need to ensure that Contained will run on Server1. The solution must minimize administrative effort.
What should you do?
Correct Answer: C
Task 4
You need to register SRV1 to sync Azure file shares. The registration must use the 34646045 Storage Sync Service.
The required source files are located in a folder named \\dc1.contoso.com\install.
You do NOT need to configure file share synchronization at this time and you do NOT need to update the agent.
Correct Answer:
See the solution of this Task below.
Explanation:
One possible solution to register SRV1 to sync Azure file shares using the 34646045 Storage Sync Service is to use the Register-AzStorageSyncServer cmdlet from the Az.StorageSync module. This cmdlet establishes a trust relationship between the server and the Storage Sync Service, which is required for creating server endpoints and syncing files. Here are the steps to register SRV1 using the cmdlet:
On SRV1, open PowerShell as an administrator and run the following command to install the Az.StorageSync module if it is not already installed:
Install-Module -Name Az.StorageSync
Run the following command to import the Az.StorageSync module:
Import-Module -Name Az.StorageSync
Run the following command to sign in to your Azure account and select the subscription that contains the 34646045 Storage Sync Service:
Connect-AzAccount
Select-AzSubscription -SubscriptionId <your-subscription-id>
Run the following command to register SRV1 with the 34646045 Storage Sync Service. You need to specify the resource group name and the Storage Sync Service name as parameters:
Register-AzStorageSyncServer -ResourceGroupName <your-resource-group-name> -StorageSyncServiceName 34646045
Wait for the registration to complete. You can verify the registration status by checking the Registered servers tab on the Azure portal or by running the following command:
Get-AzStorageSyncServer -ResourceGroupName <your-resource-group-name> -StorageSyncServiceName 34646045
Now, SRV1 is registered with the 34646045 Storage Sync Service and ready to sync Azure file shares. You can create server endpoints on SRV1 and cloud endpoints on the Azure file shares to define the sync topology.
You need to implement an availability solution for DHCP that meets the networking requirements.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Correct Answer: A,C
Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three domains. Each domain contains 10 domain controllers.
You plan to store a DNS zone in a custom Active Directory partition.
You need to create the Active Directory partition for the zone. The partition must replicate to only four of the domain controllers.
What should you use?
Correct Answer: D
You deploy a single-domain Active Directory Domain Services (AD DS) forest named contoso.com.
You deploy a server to the domain and configure the server to run a service.
You need to ensure that the service can use a group managed service account (gMSA) to authenticate.
Which three PowerShell cmdlets should you run in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.
Correct Answer:

Explanation:

The Administering Windows Server Hybrid Core Infrastructure materials explain that group Managed Service Accounts (gMSAs) rely on the Key Distribution Service (KDS) to generate and distribute the managed password. Therefore, the first step in a new forest (or where no key exists yet) is to create a KDS root key:
Add-KdsRootKey. The guide states that "the KDS root key is required once per forest before any gMSA can be created or used," and without it, password material cannot be issued.
Next, you create the gMSA in Active Directory using New-ADServiceAccount. When creating the account, you specify the principals that are allowed to retrieve the managed password (for example, the computer account of Server1 or a group). The study content notes: "Use New-ADServiceAccount with -PrincipalsAllowedToRetrieveManagedPassword to authorize the host computers that will run the service." This removes the need to separately run mapping cmdlets.
Finally, on the target server, you install the gMSA locally using Install-ADServiceAccount. The documentation emphasizes: "After the account is created in AD, the host computer must install the gMSA so the Local Security Authority can obtain and maintain the password automatically." Because authorization is granted at creation time, Add-ADComputerServiceAccount is not required in this minimal, correct sequence.
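The three-cmdlet sequence from this answer and from Task 1, written so it can be re-run safely; this is an added example, not the exam's own solution. It creates the KDS root key only when none exists, then audits which principals may retrieve the managed password. The DNS host name gmsa1.contoso.com and the host name SRV1 are assumed values.

```powershell
# Added example (not from the original answers). Parts 1-2 run on a domain
# controller or management host; part 3 runs on the server hosting the service.
Import-Module ActiveDirectory

$name     = 'gMSA1'
$dnsName  = 'gmsa1.contoso.com'   # assumed value; use your domain suffix
$hostAcct = 'SRV1$'               # computer account allowed to fetch the password

# --- 1. KDS root key: needed once per forest -------------------------------
if (-not (Get-KdsRootKey)) {
    # Backdating by 10 hours makes the key usable at once. Without it, the
    # key becomes usable only after a 10-hour wait that lets every domain
    # controller replicate it first.
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# --- 2. Create the gMSA and authorize the host ------------------------------
if (-not (Get-ADServiceAccount -Filter "Name -eq '$name'")) {
    New-ADServiceAccount -Name $name -DNSHostName $dnsName `
        -PrincipalsAllowedToRetrieveManagedPassword $hostAcct
}

# Audit: every principal listed here can obtain the account's password, so
# the list should contain only the hosts (or host group) that run the service.
$acct = Get-ADServiceAccount -Identity $name `
    -Properties PrincipalsAllowedToRetrieveManagedPassword
$acct.PrincipalsAllowedToRetrieveManagedPassword | ForEach-Object {
    Write-Output "May retrieve password: $_"
}

# --- 3. On the service host (SRV1) ------------------------------------------
Install-ADServiceAccount -Identity $name

# Test-ADServiceAccount returns $true only if this host can actually
# retrieve the managed password from Active Directory.
if (-not (Test-ADServiceAccount -Identity $name)) {
    throw "$name is not usable on $env:COMPUTERNAME; check the authorized principals."
}
Write-Output "$name is installed and usable on $env:COMPUTERNAME"
```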