Microsoft Administering Windows Server Hybrid Core Infrastructure (AZ-800)
Get full access to the updated question bank and confidently prepare for your exam.
Vendor
Microsoft
Certification
Infrastructure
Content
246 Qs
Status
Verified
Updated
18 hours ago
Test the Practice Engine
Experience our interactive testing environment with free demo questions
Premium Bundle
Complete Success Suite
Save $9 Instantly
-
✓Full PDF + Interactive Engine Everything you need to pass
-
✓All Advanced Question Types Drag & Drop, Hotspots, Case Studies
-
✓Priority 24/7 Expert Support Direct line to certification leads
-
✓90 Days Free Priority Updates Stay current as exams change
Success Metric
98.4% Pass Rate
Standard Simulation
Practice Engine
One-Time Payment
-
Web-Based (Zero Install)
-
Real Testing Environment Virtual & Practice Modes
-
Interactive Engine Drag & Drop, Hotspots
-
60 Days Free Updates
Compatible with All Devices
Basic Tier
PDF Study Guide
Digital Access
- ✓ Exam Questions (PDF)
- ✓ Mobile Friendly
- ✓ 60 Days Updates
Verified 50-Question Preview (AZ-800)
Verified Community
The CertoMetrics Standard.
Recommend the #1 platform for verified Microsoft certification resources.
Success Network
Help a Colleague Succeed.
Invite a peer to get their own updated AZ-800 prep kit.
Exam Overview
The Microsoft AZ-800 exam, "Administering Windows Server Hybrid Core Infrastructure," is a cornerstone for IT professionals navigating the evolving landscape of modern server management. This certification validates your expertise in deploying, managing, and maintaining Windows Server workloads across both on-premises and hybrid environments, seamlessly integrating with Azure services. Earning this credential demonstrates proficiency in critical areas like Active Directory, networking, storage, virtualization, and security, showcasing your ability to build resilient and scalable infrastructure. It signifies a crucial skill set for organizations transitioning to hybrid cloud models, enhancing career prospects and positioning you as a valuable asset capable of optimizing complex IT ecosystems. This certification is essential for administrators seeking to lead their organizations into the future of server management.
Questions
40-60
Passing Score
700/1000
Duration
100-120 Minutes
Difficulty
Intermediate/Expert
Level
Associate
Skills Measured
Career Path
Target Roles
Common Questions
Is the material up to date?
Yes. We update our question bank weekly to match the latest Microsoft standards. You get free updates for 90 days.
What format do I get?
You get instant access to both the **PDF** (for reading) and our **Premium Test Engine** (for exam simulation).
Is there a guarantee?
Absolutely. If you fail the AZ-800 exam using our materials, we offer a full money-back guarantee.
When do I get the download?
Instantly. The download link is available in your dashboard immediately after payment is confirmed.
Free Study Guide Samples
Previewing updated AZ-800 bank (50 Questions).
You have a Windows Server container host named Server1.
You create a Dockerfile named df1.
You need to generate a container image by using df1.
Which command should you run?
Correct Option: A
✅ Option A (Correct)
Reasoning: The docker build command is the standard tool for creating a container image from a Dockerfile. It reads the instructions within the specified Dockerfile (in this case, df1), executes them sequentially to assemble the layers, and packages the result into a new container image that can be run on any container host.
❌ Why the other choices are incorrect:
- Option B is incorrect: The
docker execcommand is used to run a command inside an already running container. It does not build images. - Option C is incorrect: The
docker createcommand creates a new container from an existing image but does not start it. It requires an image to exist first; it does not build one from a Dockerfile. - Option D is incorrect: The
docker imagescommand simply lists the container images that are already present on the host machine. It is a command for viewing, not creating.
Reference: https://docs.docker.com/engine/reference/commandline/build/
Your network contains the domains shown in the following exhibit.
You need to establish trust relationships as shown in the following exhibit.
Which type of trust can you use for Trust1 and Trust2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Trust1: Shortcut trust only
The domains `contoso.com` and `sub.west.contoso.com` exist within the same Active Directory forest. By default, a transitive trust path already exists through the parent domain `west.contoso.com`. A direct trust, labeled Trust1, is being created to optimize authentication requests by shortening this path. The specific type of trust used to connect two domains within the same forest to shorten the trust path is a **shortcut trust**.
Trust2: Forest trust or external trust only
The domains `contoso.com` and `fabrikam.com` are the root domains of two different Active Directory forests. To establish a trust relationship between domains in different forests, you can use either an **external trust** or a **forest trust**. An external trust is non-transitive and connects only the two specified domains. A forest trust is transitive, connecting all domains in one forest with all domains in the other. Both are valid options for this scenario.
You have a server named Server1 that runs Windows Server 2022.
You add two 4-TB hard drives named Disk1 and Disk2 to Server1.
You need to format the drives. The solution must meet the following requirements:
• Disk1 must support disk level quotas.
• Disk2 must support Data Deduplication.
Which type of file system should you use for each drive? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Disk1: NTFS only
The requirement for Disk1 is to support disk-level quotas. Of the available modern Windows Server file systems, only NTFS (New Technology File System) has built-in support for disk quotas. The Resilient File System (ReFS) and exFAT do not support this feature, making NTFS the only correct choice.
Disk2: NTFS or ReFS only
The requirement for Disk2 is to support Data Deduplication. On Windows Server 2022, both NTFS and ReFS support the Data Deduplication feature, which optimizes storage by removing redundant data. Since either file system meets the requirement, this option is correct.
You need to ensure that data availability on SSPace1 meets the technical requirements.
What is the maximum number of physical disks that can fail on each disk? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
The analysis is based on the technical requirement that "The data on SSPace1 must be available always" and the properties of Storage Spaces resiliency types.
Disk1: 2
Disk1 uses the Mirror resiliency setting. To meet the high availability requirement, the most resilient mirror configuration, a three-way mirror, should be assumed. A three-way mirror keeps three copies of the data and can continue to function even if two physical disks fail simultaneously. Therefore, it can tolerate a maximum of 2 disk failures.Disk2: 1
Disk2 uses the Parity resiliency setting. This is equivalent to a single-parity configuration (like RAID-5). A single-parity space stripes data and parity information across disks. This configuration is designed to tolerate the failure of only one physical disk, regardless of the number of columns (as long as the minimum of three is met). Therefore, it can tolerate a maximum of 1 disk failure.You have an Azure subscription that contains a virtual network named VNet1. Vnet1 contains three subnets named Subnet1, Subnet2, and Subnet3.
You deploy a virtual machine that has the following settings:
• Name:VM1
• Subnet: Subnet2
• Network interface name: NIC1
• Operating system: Windows Server 2022
You need to ensure that VM1 can route traffic between Subnet1 and Subnet3. The solution must minimize administrative effort.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
The solution correctly identifies the two essential steps to configure an Azure VM running Windows Server as a router, also known as a Network Virtual Appliance (NVA). One configuration is required at the Azure platform level, and the other within the guest operating system.
✅ Enable IP forwarding for NIC1.
Reasoning: By default, Azure's networking fabric enforces a source/destination check, dropping any traffic received by a network interface (NIC) that isn't addressed to that NIC's own IP. Enabling IP forwarding on NIC1 disables this check, allowing the VM to receive traffic destined for other networks (like Subnet3) and forward it.
✅ Install and configure Routing and Remote Access.
Reasoning: Within the Windows Server 2022 operating system, packet forwarding is disabled by default. The 'Routing and Remote Access' (RRAS) server role must be installed and configured. This service enables the server's networking stack to route IP packets, effectively turning the VM into a software router.
You have 50 on-premises servers that run Windows Server
You have an Azure subscription.
You plan to monitor the on-premises servers by using Azure Monitor.
You need to collect event logs from the on-premises servers.
What should you do first?
Correct Option: B
✅ B: From the Azure portal, create a Log Analytics workspace. (Correct)
Reasoning: The foundational step for collecting log data in Azure Monitor is to create a Log Analytics workspace. This workspace acts as the central repository for storing, aggregating, and analyzing data from various sources, including on-premises servers. All other components, such as the Azure Monitor Agent and Data Collection Rules (DCRs), require a Log Analytics workspace as a destination for the data they collect. Therefore, creating the workspace is the prerequisite and the first logical action.
❌ Why the other choices are incorrect:
- A: From the Azure portal, create a storage account. A storage account is not the primary destination for collecting and analyzing event logs with Azure Monitor Logs. While it can be used for archiving, the interactive querying and analysis capabilities are provided by a Log Analytics workspace.
- C: From the on-premises servers, run azuremonitoragentclientsetup.msi. The Azure Monitor Agent needs to be associated with a Log Analytics workspace and a Data Collection Rule to know where to send data and what data to collect. Installing the agent before creating its destination (the workspace) is the wrong sequence of operations.
- D: From the Azure portal, create a data collection rule (DCR) in Azure Monitor. A Data Collection Rule defines what data to collect (data source) and where to send it (destination). You cannot create a DCR without first having a destination, which in this case is the Log Analytics workspace. Therefore, the workspace must exist before the DCR can be created.
Reference: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/quick-create-workspace
Your network contains an on-premises Active Directory Domain Services (AD DS) domain. The domain contains a user named User1 and the servers shown in the following table.
User1 is a member of the Protected Users security group.
User1 performs the following actions:
• From Server1, establishes a remote PowerShell session on Server2
• From the PowerShell session on Server2, attempts to access a resource on Backup1
The request to access the resource on Backup1 is denied.
You need to ensure that User1 can access the resources on Backup1 by using the PowerShell session on Server2. The solution must follow the principle of least privilege and minimize administrative effort.
What should you configure?
Correct Option: D
This is a classic Kerberos "double-hop" problem, where credentials from the first hop (client to Server2) are not forwarded to the second hop (Server2 to Backup1). The critical constraint is that User1 is a member of the Protected Users security group, which blocks most forms of credential delegation for security reasons.
✅ Option D (Correct)
Reasoning: Resource-based Kerberos constrained delegation (RBCD) is the modern and secure method to solve the double-hop issue. Unlike traditional delegation, RBCD is configured on the back-end resource (Backup1), specifying which principals (like Server2) are trusted to delegate user identities to it. Crucially, RBCD is explicitly allowed for members of the Protected Users group.
❌ Why the other choices are incorrect:
* Option A is incorrect: Unconstrained Kerberos delegation is highly insecure and is explicitly blocked for members of the Protected Users group.
* Option B is incorrect: Credential Security Support Provider (CredSSP) involves caching the user's full credentials on the middle server (Server2), a practice that is disallowed for members of the Protected Users group to mitigate credential theft.
* Option C is incorrect: Using PSSessionConfiguration with RunAs would cause the session on Server2 to run under a different predefined account, not as User1. This doesn't solve the problem of granting User1 access to the resource on Backup1.
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the servers shown in the following table.
The domain contains the users shown in the following table.
On Server2, you run the Enable-PSRemoting cmdlet.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
The provided ground truth appears to contain a typographical error, as it selects two mutually exclusive options ('Yes' and 'No') for the first statement. The audit proceeds assuming the intended answer is 'Yes' for the first two statements and 'No' for the third, which aligns with standard Windows Server administration principles.
✅ Statement: User1 can establish a PowerShell remoting session from Server1 to Server2. Selection: Yes
Reasoning: User1 is a member of the domain 'Administrators' group. This makes User1 a member of the local 'Administrators' group on Server2. By default, members of the local Administrators group are granted permission to create remote PowerShell sessions, and PSRemoting has been explicitly enabled on Server2.
✅ Statement: User2 can establish a PowerShell remoting session from Server2 to DC1. Selection: Yes
Reasoning: User2 is a member of the 'Remote Management Users' domain group. This group is specifically designed to allow non-administrators to perform remote management tasks. Members of this group are granted access to WinRM for remote PowerShell sessions on domain-joined computers, including domain controllers, by default.
✅ Statement: User3 can establish a PowerShell remoting session from Server1 to Server2. Selection: No
Reasoning: User3 is a member of the local 'Power Users' group on Server2. The 'Power Users' group does not have permissions for PowerShell remoting by default. Only members of the 'Administrators' and 'Remote Management Users' groups have this right without additional configuration.
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1.
On Server1, you install Windows Admin Center and use Windows Admin Center to remove BUILTIN\Users from the allowed groups.
You discover that all users can still sign in to Windows Admin Center.
You need to prevent unauthorized users from signing in to Windows Admin Center.
What should you do in Windows Admin Center?
Correct Option: D
✅ Option D (Correct)
Reasoning: Windows Admin Center controls access to the gateway through a list of allowed security groups. By default, this includes the BUILTIN\Users group. The scenario states this group was removed. When the list of allowed groups is empty, Windows Admin Center defaults to allowing all authenticated users to access the gateway as a failsafe measure to prevent administrators from being locked out. To properly restrict access after removing the default group, you must explicitly add one or more specific security groups containing only authorized users. This action populates the list and enforces the intended access restrictions.
❌ Why the other choices are incorrect:
- Option A is incorrect: The Performance Profile setting is used to enable or disable the collection of more detailed performance data and is unrelated to user authentication or authorization for the gateway.
- Option B is incorrect: The 'Require manage-as sessions to re-authenticate' setting forces users to re-enter credentials when connecting to a target server from the Windows Admin Center gateway using alternate ('manage-as') credentials. It does not control who can sign in to the gateway itself.
- Option C is incorrect: Proxy settings are for configuring how the Windows Admin Center gateway connects to external resources or target servers through a network proxy. This has no impact on user authentication to the gateway.
Reference: https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/configure/user-access-control
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains two servers named Server1 and Server2 that run Windows Server 2022.
You plan to deploy an app named App1 that will be load balanced between Server1 and Server2.
You need to create an identity that will be used to run App1 on Server1 and Server2. The solution must meet the following requirements:
• The password for the identity must be changed regularly.
• Administrative effort must be minimized.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
The solution correctly outlines the sequence for deploying a Group Managed Service Account (gMSA) for a load-balanced application. A gMSA is the appropriate identity type because it can be used across multiple servers (Server1 and Server2) and meets the requirements for automatic password management and minimal administrative effort.
✅ Step 1: Create a Key Distribution Services (KDS) root key. Reasoning: This is the mandatory first step. The KDS root key is a prerequisite that must be created in Active Directory once per forest. Domain Controllers use this key to generate and manage the passwords for all Managed Service Accounts, ensuring their security and automatic rotation.
✅ Step 2: Create a group managed service account (gMSA). Reasoning: After the KDS root key is in place, the gMSA object itself can be created in Active Directory. This action defines the identity for the application. A gMSA is chosen over a standalone MSA (sMSA) because the application is distributed across multiple servers.
✅ Step 3: Install the service account on Server1 and Server2. Reasoning: Once the gMSA is created in AD, it must be installed on each member server that will use it. This step registers the gMSA on Server1 and Server2, granting them permission to retrieve the account's current password from a domain controller and run services under its context.
Your network contains two Active Directory forests and a domain trust as shown in the following exhibit.
The domain trust has the following configurations:
• Name: adatum.com
• Type: External
• Direction: One-way, outgoing
• Outgoing trust authentication level: Domain-wide authentication
The forests contain the users shown in the following table.
The forests contain the network shares shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.
You have a Microsoft Entra tenant.
You need to implement Microsoft Entra Connect Sync. The solution must meet the following requirements:
• Prevent the password hashes of contoso.com from being synced to the Microsoft Entra tenant.
• Minimize user effort when authenticating to Microsoft Entra registered apps.
• Minimize the number of on-premises infrastructure components.
What should you include in the solution for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
You have an Azure virtual machine named VM1 that runs Windows Server.
You need to ensure that administrators request access to VM1 before establishing a Remote Desktop connection.
What should you configure?
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. Contoso.com contains an organizational unit (OU) named OU1.
You have an Azure subscription named Sub1 that is linked to a Microsoft Entra tenant named fabrikam.com. Fabrikam.com syncs with contoso.com.
In Sub1, you create a Microsoft Entra Domain Services domain configured as shown in the following table.
In domain1.onmicrosoft.com, you create two OUs named OU1 and OU2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. Contoso.com contains an organizational unit (OU) named OU1.
You have an Azure subscription that is linked to a Microsoft Entra tenant named fabrikam.com.
You need to sync contoso.com with fabrikam.com. The solution must meet the following requirements:
• Support Windows Hello for Business by using a hybrid certificate deployment.
• Ensure that the passwords in contoso.com do NOT sync to fabnkam.com.
Which Microsoft Entra Connect feature should you use for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains the domain controllers shown in the following table.
You have a partner organization that has an AD DS forest named fabrikam.com.
You create a trust relationship between contoso.com and fabrikam.com.
You need to configure selective authentication for the trust relationship.
Which domain controller should be granted permissions to fabrikam.com?
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains a child named east.contoso.com and the servers shown in the following table.
You need to create a folder for the Central Store to manage Group Policy template files for the entire forest.
What should you name the folder, and on which server should you create the folder? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a user named User1. User1 is a member of a group named Group1 and is in an organizational unit (OU) named OU1.
The domain has minimum password lengths configured as shown in the following table.
What is the minimum password length that User1 should use when changing to a new password?
Premium Solution Locked
Unlock all 246 answers & explanations
You have a server named Server1 that runs Windows Server and contains two drives named C and
Premium Solution Locked
Unlock all 246 answers & explanations
You have on-premises servers that run Windows Server as shown in the following table.
You have an Azure subscription that contains a virtual machine named VM1.
You need to ensure that you can manage all the servers by using Azure Arc. The solution must minimize administrative effort.
On which servers should you install the Azure Connected Machine agent?
Premium Solution Locked
Unlock all 246 answers & explanations
Which two languages can you use for Task1? Each correct answer presents a complete solution.
Premium Solution Locked
Unlock all 246 answers & explanations
You need to ensure that VM3 meets the technical requirements.
What should you install first?
Premium Solution Locked
Unlock all 246 answers & explanations
You have an Azure subscription that contains the storage accounts shown in the following table.
In the East US Azure region, you create a storage sync service named Sync1.
You need to create a sync group in Sync1.
Which storage accounts can you use, and what can you specify as the cloud endpoints. To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a user named User1 and the servers shown in the following table.
You need to ensure that User1 can manage only Scope1 and Scope3.
What should you do?
Premium Solution Locked
Unlock all 246 answers & explanations
You have an Azure virtual machine named VM1 that contains the drives shown in the following table.
On VM1, you plan to install an app named App1. The data for App1 must be stored on a persistent data disk assigned to drive
Premium Solution Locked
Unlock all 246 answers & explanations
You have a Windows Server 2022 container host named Host1 and a container registry that contains the container images shown in the following table.
You need to run the containers on Host1.
Which isolation mode can you use for each image? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
You need to meet technical requirements for HyperV1.
Which command should you run? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
You have an Active Directory Domain Services (AD DS) domain. The domain contains three servers named Server1, Server2, and Server3 that run Windows Server.
You sign in to Server1 by using a domain account and start a remote PowerShell session to Server2. From the remote PowerShell session, you attempt to access a resource on Server3, but access to the resource is denied.
You need to ensure that your credentials are passed from Server1 to Server3. The solution must minimize administrative effort.
What should you do?
Premium Solution Locked
Unlock all 246 answers & explanations
Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains the servers shown in the following table.
The domain controllers do NOT have internet connectivity.
You plan to implement Azure AD Password Protection for the domain.
You need to deploy Azure AD Password Protection agents. The solution must meet the following requirements:
• All Azure AD Password Protection policies must be enforced.
• Agent updates must be applied automatically.
• Administrative effort must be minimized.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
You need to ensure that access to storage1 for the Marketing OU users meets the technical requirements.
What should you implement?
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the resources shown in the following table.
You plan to replicate a volume from Server1 to Server2 by using Storage Replica.
You need to configure Storage Replica.
Where should you install Windows Admin Center?
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the domain controllers shown in the following table.
You need to ensure that if an attacker compromises the computer account of RODC1, the attacker cannot view the Employee-Number AD DS attribute.
Which partition should you modify?
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the domain controllers shown in the following table.
You need to configure DC3 to be the authoritative time server for the domain.
Which operations master role should you transfer to DC3, and which console should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the servers shown in the following table.
You need to deploy inbound firewall rules to the servers. The solution must minimize administrative effort.
What should you use?
Premium Solution Locked
Unlock all 246 answers & explanations
You have a server named Server1 that runs Windows Server and has the Active Directory Federation Services role installed.
You plan to deploy Web Application Proxy to a server named Server2.
You export the Active Directory Federation Services (AD FS) certificate from Server1.
Which actions should you perform on Server2 in sequence? To answer, drag the appropriate actions to the correct order. Each action may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains the segments shown in the following table.
You have servers that run Windows Server and are configured as shown in the following table.
You deploy a server named Server4 that runs Windows Server and has a static IP address of 172.16.1.1. You connect Server4 to Segment1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point,
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains the servers shown in the following table.
On Server1, you create a DNS zone named Zone1.com as shown in the following exhibit.
To which DNS servers is Zone1.com replicated?
Premium Solution Locked
Unlock all 246 answers & explanations
You have a server named Server1 that runs Windows Server. Server1 has a single network interface and the Hyper-V virtual switches shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains a DHCP server.
You plan to add a new subnet and deploy Windows Server to the subnet.
You need to use the server as a DHCP relay agent.
Which role should you install on the server?
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the offices shown in the following table.
You need to deploy a Network Policy Server (NPS) named NPS1 to enforce network access policies for all remote connections.
What is the minimum number of RADIUS clients that you should add to NPS1?
Premium Solution Locked
Unlock all 246 answers & explanations
You have an Active Directory Domain Services (AD DS) domain. The domain contains a member server named Server1 that runs Windows Server.
You need to ensure that you can manage password policies for the domain from Server1.
Which command should you run first on Server1?
Premium Solution Locked
Unlock all 246 answers & explanations
You have servers that run Windows Server 2022 as shown in the following table.
Server2 contains a .NET app named App1.
You need to establish a WebSocket connection from App1 to the SQL Server instance on Server1. The solution must meet the following requirements:
• Minimize the number of network ports that must be open on the on-premises network firewall.
• Minimize administrative effort.
What should you create first?
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an Active Directory domain, a web app named App1, and a perimeter network. The perimeter network contains a server named Server1 that runs Windows Server.
You plan to provide external access to App1.
You need to implement the Web Application Proxy role service on Server1.
Which role should you add to Server1, and which role should you add to the network? To answer, drag the appropriate roles to the correct targets. Each role may be used once, more than once, or not at all.
You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
You have an on-premises server named Server1 that runs Windows Server.
You have an Azure subscription that contains a virtual network named VNet1.
You need to connect Server1 to VNet1 by using Azure Network Adapter.
What should you use?
Premium Solution Locked
Unlock all 246 answers & explanations
You have a server that runs Windows Server 2022 and has the network adapters shown in the following table.
You need to configure NIC teaming for LAN2 and LAN3. The solution must support Dynamic Virtual Machine Multi-Queue (
Premium Solution Locked
Unlock all 246 answers & explanations
You have an Azure subscription that contains the virtual machines shown in the following table.
You plan to implement Azure Automanage for Windows Server.
You need to identify the operating system prerequisites.
Which virtual machines support Hotpatch, and which virtual machines support SMB over QUIC? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
You have an Azure subscription. The subscription contains a virtual machine named VM1 that runs Windows Server.
You build an app named App1.
You need to configure continuous integration and continuous deployment (CI/CD) of App1 to VM1.
What should you create first?
Premium Solution Locked
Unlock all 246 answers & explanations
You have a server named Server1 that has the Hyper-V server role installed. Server1 hosts the virtual machines shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains two Active Directory Domain Services (AD DS) forests named contoso.com and fabrikam.com. Contoso.com contains three child domains named amer.contoso.com, apac.contoso.com, and emea.contoso.com. Fabrikam.com contains a child domain named apac.fabrikam.com.
A bidirectional forest trust exists between contoso.com and fabrikam.com.
You need to provide users in the contoso.com forest with access to the resources in the fabrikam.com forest. The solution must meet the following requirements:
• Users in contoso.com must only be added directly to groups in the contoso.com forest.
• Permissions to access the resources in fabrikam.com must only be granted directly to groups in the fabrikam.com forest.
• The number of groups must be minimized.
Which type of groups should you use to organize the users and to assign permissions? To answer, drag the appropriate group types to the correct requirements. Each group may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
Your network contains an Azure Active Directory Domain Services (Azure AD DS) domain named contoso.com.
You need to configure a password policy for the local user accounts on the Azure virtual machines joined to contoso.com.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
Unlock all 246 answers & explanations
Full Question Bank Locked
You have reached the end of the free study guide preview. Upgrade now to unlock all 246 questions and the full simulation engine.
Certification Path
Related Certifications
Customer Reviews
Global Community Feedback
David M.
"The practice engine is incredible. It feels exactly like the real testing environment and helped me build so much confidence."
Sarah J.
"The PDF is very well organized and the explanations for the answers are actually helpful, not just random text."
Michael C.
"I was skeptical, but the content is high quality and definitely worth the price. I passed on my first try!"