
Microsoft - AZ-800: Administering Windows Server Hybrid Core Infrastructure

Sample Questions

Question: 90
Measured Skill: Manage storage and file services (15-20%)

You have two on-premises servers named Server1 and Server2 that run Windows Server. You have an Azure Storage account named storage1 that contains a file share named share1.

Server1 syncs with share1 by using Azure File Sync.

You need to configure Server2 to sync with share1.

Which three actions should you perform in sequence?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.)

www.cert2brain.com

A Sequence: 2, 1, 5
B Sequence: 3, 4, 5
C Sequence: 3, 1, 4
D Sequence: 3, 1, 5

Correct answer: D

Explanation:

Azure File Sync allows you to centralize your organization's file shares in Azure Files without giving up the flexibility, performance, and compatibility of an on-premises file server. It does this by transforming your Windows Servers into a quick cache of your Azure file share. You can use any protocol available on Windows Server to access your data locally (including SMB, NFS, and FTPS) and you can have as many caches as you need across the world.

Before a server can be used as a server endpoint in an Azure File Sync sync group, it must be registered with a Storage Sync Service. A server can only be registered with one Storage Sync Service at a time.

Registering a server with Azure File Sync requires the installation of the Azure File Sync agent.

Registering a server with Azure File Sync establishes a trust relationship between Windows Server and Azure. This relationship can then be used to create server endpoints on the server, which represent specific folders that should be synced with an Azure file share (also known as a cloud endpoint).

Reference: Manage registered servers with Azure File Sync



Question: 91
Measured Skill: Deploy and manage Active Directory Domain Services (AD DS) in on-premises and cloud environments (30-35%)

Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains a child domain named east.contoso.com.

In the contoso.com domain, you create two users named Admin1 and Admin2.

You need to ensure that the users can perform the following tasks:
  • Admin1 can create and manage Active Directory sites.
  • Admin2 can deploy domain controllers to the east.contoso.com domain.
The solution must use the principle of least privilege.

To which group should you add each user?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Admin1: contoso\Administrators
Admin2: east\Administrators
B Admin1: contoso\Domain Admins
Admin2: east\Domain Admins
C Admin1: contoso\Enterprise Admins
Admin2: contoso\Enterprise Admins
D Admin1: contoso\Enterprise Admins
Admin2: east\Domain Admins
E Admin1: east\Administrators
Admin2: east\Domain Admins
F Admin1: east\Domain Admins
Admin2: east\Administrators

Correct answer: B

Explanation:

Enterprise Admins and Domain Admins of the forest root domain can create and manage Active Directory sites.

Enterprise Admins and Domain Admins of the east.contoso.com domain can deploy domain controllers to the east.contoso.com domain.



Question: 92
Measured Skill: Manage Windows Servers and workloads in a hybrid environment (10-15%)

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant.

You have an on-premises web app named WebApp1 that only supports Kerberos authentication.

You need to ensure that users can access WebApp1 by using their Azure AD account. The solution must minimize administrative effort.

What should you configure?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A In Azure AD: The Azure AD Application Proxy connector
On-premises: The Azure AD Application Proxy service
B In Azure AD: The Azure AD Application Proxy connector
On-premises: The Web Application Proxy feature
C In Azure AD: The Azure AD Application Proxy service
On-premises: The Azure AD Application Proxy connector
D In Azure AD: The Azure AD Application Proxy service
On-premises: The Web Application Proxy feature
E In Azure AD: The Web Application Proxy feature
On-premises: The Azure AD Application Proxy service
F In Azure AD: The Web Application Proxy feature
On-premises: The Azure AD Application Proxy connector

Correct answer: C

Explanation:

Application Proxy is a feature of Azure AD that enables users to access on-premises web applications from a remote client. Application Proxy includes both the Application Proxy service which runs in the cloud, and the Application Proxy connector which runs on an on-premises server. Azure AD, the Application Proxy service, and the Application Proxy connector work together to securely pass the user sign-on token from Azure AD to the web application.

Application Proxy works with:

  • Web applications that use Integrated Windows authentication for authentication
  • Web applications that use form-based or header-based access
  • Web APIs that you want to expose to rich applications on different devices
  • Applications hosted behind a Remote Desktop Gateway
  • Rich client apps that are integrated with the Microsoft Authentication Library (MSAL)

Application Proxy supports single sign-on.

Application Proxy is recommended for giving remote users access to internal resources. Application Proxy replaces the need for a VPN or reverse proxy. It is not intended for internal users on the corporate network. Internal users who unnecessarily use Application Proxy can introduce unexpected and undesirable performance issues.

How Application Proxy works

The following diagram shows how Azure AD and Application Proxy work together to provide single sign-on to on-premises applications.

  1. After the user has accessed the application through an endpoint, the user is directed to the Azure AD sign-in page.
  2. After a successful sign-in, Azure AD sends a token to the user's client device.
  3. The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token. Application Proxy then sends the request to the Application Proxy connector.
  4. If you have configured single sign-on, the connector performs any additional authentication required on behalf of the user.
  5. The connector sends the request to the on-premises application.
  6. The response is sent through the connector and Application Proxy service to the user.

Reference: Remote access to on-premises applications through Azure AD Application Proxy



Question: 93
Measured Skill: Implement and manage an on-premises and hybrid networking infrastructure (15-20%)

Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains the VPN servers shown in the following table.



You have a server named NPS1 that has Network Policy Server (NPS) installed. NPS1 has the following RADIUS clients:



VPN1, VPN2, and VPN3 use NPS1 for RADIUS authentication.

All the users in contoso.com are allowed to establish VPN connections.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

(NOTE: Each correct selection is worth one point.)


A The contoso.com users can authenticate successfully when they establish a VPN connection to VPN1: Yes
The contoso.com users can authenticate successfully when they establish a VPN connection to VPN2: Yes
The contoso.com users can authenticate successfully when they establish a VPN connection to VPN3: Yes
B The contoso.com users can authenticate successfully when they establish a VPN connection to VPN1: Yes
The contoso.com users can authenticate successfully when they establish a VPN connection to VPN2: Yes
The contoso.com users can authenticate successfully when they establish a VPN connection to VPN3: No
C The contoso.com users can authenticate successfully when they establish a VPN connection to VPN1: Yes
The contoso.com users can authenticate successfully when they establish a VPN connection to VPN2: No
The contoso.com users can authenticate successfully when they establish a VPN connection to VPN3: Yes
D The contoso.com users can authenticate successfully when they establish a VPN connection to VPN1: No
The contoso.com users can authenticate successfully when they establish a VPN connection to VPN2: Yes
The contoso.com users can authenticate successfully when they establish a VPN connection to VPN3: No
E The contoso.com users can authenticate successfully when they establish a VPN connection to VPN1: No
The contoso.com users can authenticate successfully when they establish a VPN connection to VPN2: Yes
The contoso.com users can authenticate successfully when they establish a VPN connection to VPN3: Yes
F The contoso.com users can authenticate successfully when they establish a VPN connection to VPN1: No
The contoso.com users can authenticate successfully when they establish a VPN connection to VPN2: No
The contoso.com users can authenticate successfully when they establish a VPN connection to VPN3: No

Correct answer: D

Explanation:

Authentication requests from VPN1 are rejected by NPS1 because NPSClient1 is disabled.

Authentication requests from VPN2 are handled correctly.

Authentication requests from VPN3 are rejected by NPS1 because there is no RADIUS client configured for VPN3 on NPS1. The IP address of NPSClient1 does not match the IP address of VPN3.



Question: 94
Measured Skill: Manage Windows Servers and workloads in a hybrid environment (10-15%)

You have an Azure subscription named Sub1 and 503 on-premises virtual machines that run Windows Server.

You plan to onboard the on-premises virtual machines to Azure Arc by running the Azure Arc deployment script.

You need to create an identity that must be used by the script to authenticate access to Sub1. The solution must use the principle of least privilege.

How should you complete the command?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A New-AzADAppCredential -DisplayName 'Arc-for-servers' -Role 'Azure Connected Machine Onboarding'
B New-AzADAppCredential -DisplayName 'Arc-for-servers' -Role 'Virtual Machine User Login'
C New-AzADServicePrincipal -DisplayName 'Arc-for-servers' -Role 'Virtual Machine Contributor'
D New-AzADServicePrincipal -DisplayName 'Arc-for-servers' -Role 'Azure Connected Machine Onboarding'
E New-AzUserAssignedIdentity -DisplayName 'Arc-for-servers' -Role 'Virtual Machine Contributor'
F New-AzUserAssignedIdentity -DisplayName 'Arc-for-servers' -Role 'Virtual Machine User Login'

Correct answer: D

Explanation:

You can enable Azure Arc-enabled servers for one or a small number of Windows or Linux machines in your environment by performing a set of steps manually. Or you can use an automated method by running a template script that Microsoft provides. This script automates the download and installation of both agents.

This method requires that you have administrator permissions on the machine to install and configure the agent. On Linux, this means using the root account; on Windows, you must be a member of the Local Administrators group.

The following Azure built-in roles are required for different aspects of managing connected machines:

  • To onboard machines, you must have the Azure Connected Machine Onboarding or Contributor role for the resource group in which the machines will be managed.
  • To read, modify, and delete a machine, you must have the Azure Connected Machine Resource Administrator role for the resource group.
  • To select a resource group from the drop-down list when using the Generate script method, you must have the Reader role for that resource group (or another role which includes Reader access).

References:

Connect hybrid machines to Azure using a deployment script

Required permissions

Azure PowerShell





 
 
 

© Copyright 2014 - 2022 by cert2brain.com