Microsoft - AZ-800: Administering Windows Server Hybrid Core Infrastructure
Sample Questions
Question: 266
Measured Skill: Manage Windows Servers and workloads in a hybrid environment (10-15%)
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the servers shown in the following table.
The domain contains the users shown in the following table.
On Server2, you run the Enable-PSRemoting cmdlet.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(NOTE: Each correct selection is worth one point.)
A | User1 can establish a PowerShell remoting session from Server1 to Server2: Yes
User2 can establish a PowerShell remoting session from Server2 to DC1: Yes
User3 can establish a PowerShell remoting session from Server1 to Server2: Yes |
B | User1 can establish a PowerShell remoting session from Server1 to Server2: Yes
User2 can establish a PowerShell remoting session from Server2 to DC1: No
User3 can establish a PowerShell remoting session from Server1 to Server2: No |
C | User1 can establish a PowerShell remoting session from Server1 to Server2: Yes
User2 can establish a PowerShell remoting session from Server2 to DC1: No
User3 can establish a PowerShell remoting session from Server1 to Server2: Yes |
D | User1 can establish a PowerShell remoting session from Server1 to Server2: No
User2 can establish a PowerShell remoting session from Server2 to DC1: Yes
User3 can establish a PowerShell remoting session from Server1 to Server2: No |
E | User1 can establish a PowerShell remoting session from Server1 to Server2: No
User2 can establish a PowerShell remoting session from Server2 to DC1: No
User3 can establish a PowerShell remoting session from Server1 to Server2: Yes |
F | User1 can establish a PowerShell remoting session from Server1 to Server2: No
User2 can establish a PowerShell remoting session from Server2 to DC1: No
User3 can establish a PowerShell remoting session from Server1 to Server2: No |
Correct answer: B
Explanation:
When you work remotely, you type commands in PowerShell on one computer (known as the "local computer"), but the commands run on another computer (known as the "remote computer"). The experience of working remotely should be as much like working directly at the remote computer as possible.
System requirements
In Windows, PowerShell remoting uses Windows Remote Management (WinRM), which is provided by the Windows Management Framework (WMF). To run remote sessions on PowerShell, the local and remote computers must have the following:
- Windows PowerShell 3.0 or higher
- The Microsoft .NET Framework 4 or higher
- Windows Remote Management 3.0 or higher
To run remote sessions on Windows PowerShell 2.0, the local and remote computers must have the following:
- Windows PowerShell 2.0 or later
- The Microsoft .NET Framework 2.0 or later
- Windows Remote Management 2.0
User permissions
To create remote sessions and run remote commands, by default, the current user must be a member of the Administrators group on the remote computer or provide the credentials of an administrator. Otherwise, the command fails.
The permissions required to create sessions and run commands on a remote computer are established by the session configuration. The session configuration defines the configuration options for the connection endpoint on the remote computer. Specifically, the security descriptor on the session configuration determines who has access to the session configuration and who can use it to connect.
The security descriptors on the default session configurations, Microsoft.PowerShell and Microsoft.PowerShell32, only allow access to members of the Administrators group.
Members of the Administrators group on a computer can determine who has permission to connect to the computer remotely by changing the security descriptors on the default session configurations or by creating new session configurations with different security descriptors. Users can use the ConfigurationName parameter of the *-PSSession cmdlets to connect to different endpoints.
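Added example (not part of the original explanation): a way to list which principals the security descriptor of each session configuration admits, so that any entry beyond the local Administrators group stands out. The function name Get-EndpointAccess is hypothetical; it relies on the Permission property returned by Get-PSSessionConfiguration.

```powershell
# Run in an elevated PowerShell session on the remote computer (for example Server2).
function Get-EndpointAccess {
    param([string]$Name = '*')

    Get-PSSessionConfiguration -Name $Name | ForEach-Object {
        $endpoint = $_.Name
        # Permission is a comma-separated string; constructed sample of one entry:
        #   "BUILTIN\Administrators AccessAllowed"
        foreach ($entry in ($_.Permission -split ',\s*')) {
            if ($entry -match '^(?<Identity>.+)\s+(?<Access>AccessAllowed|AccessDenied)$') {
                [pscustomobject]@{
                    Endpoint = $endpoint
                    Identity = $Matches.Identity
                    Access   = $Matches.Access
                }
            }
        }
    }
}

# Every principal and endpoint pair, for review
Get-EndpointAccess | Sort-Object Endpoint, Identity | Format-Table -AutoSize

# Allow entries that go beyond the local Administrators group
Get-EndpointAccess |
    Where-Object { $_.Access -eq 'AccessAllowed' -and $_.Identity -ne 'BUILTIN\Administrators' }
```

A user who appears in neither list, directly or through group membership, receives an access-denied error when calling New-PSSession or Enter-PSSession against that endpoint.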
References:
about_Remote_Requirements
PowerShell Remoting FAQ
Question: 267
Measured Skill: Manage Windows Servers and workloads in a hybrid environment (10-15%)
Your network contains an on-premises Active Directory Domain Services (AD DS) domain. The domain contains a user named User1 and the servers shown in the following table.
User1 is a member of the Protected Users security group.
User1 performs the following actions:
- From Server1, establishes a remote PowerShell session on Server2.
- From the PowerShell session on Server2, attempts to access a resource on Backup1.
The request to access the resource on Backup1 is denied.
You need to ensure that User1 can access the resources on Backup1 by using the PowerShell session on Server2. The solution must follow the principle of least privilege and minimize administrative effort.
What should you configure?
A | Kerberos delegation |
B | CredSSP |
C | PSSessionConfiguration by using RunAs |
D | Resource-based Kerberos constrained delegation |
Correct answer: D
Explanation:
Server2 requires permissions to pass the credentials of User1 to Backup1. To grant these permissions we need to configure the delegation settings from the properties of Server2's computer account in Active Directory.
Kerberos constrained delegation was introduced in Windows Server 2003 to provide a safer form of delegation that services could use in place of unconstrained delegation. When it is configured, constrained delegation restricts the services to which the specified server can act on behalf of a user.
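Added example (not part of the original explanation): setting and then auditing resource-based constrained delegation between the two servers named in the question, using the ActiveDirectory module from RSAT. The attribute is stored on the resource's computer account, here Backup1; the variable names are assumptions.

```powershell
Import-Module ActiveDirectory

# Allow Server2, and only Server2, to present delegated user identities to Backup1.
$frontEnd = Get-ADComputer -Identity 'Server2'
Set-ADComputer -Identity 'Backup1' -PrincipalsAllowedToDelegateToAccount $frontEnd

# Verify what was written on the resource.
Get-ADComputer -Identity 'Backup1' -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount

# Audit: every computer account that accepts delegated identities, and from which principals.
# msDS-AllowedToActOnBehalfOfOtherIdentity is the attribute behind the parameter above.
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
               -Properties PrincipalsAllowedToDelegateToAccount |
    ForEach-Object {
        foreach ($principal in $_.PrincipalsAllowedToDelegateToAccount) {
            [pscustomobject]@{
                Resource       = $_.Name
                MayDelegateFor = $principal
            }
        }
    }

# To revoke the delegation again:
# Set-ADComputer -Identity 'Backup1' -PrincipalsAllowedToDelegateToAccount $null
```

Reviewing the audit output regularly shows whether any account other than the intended front-end server has been granted the right to act on behalf of users.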
References: Kerberos Constrained Delegation Overview
Question: 268
Measured Skill: Manage virtual machines and containers (15-20%)
You have a server named Server1 that runs Windows Server 2019 and hosts a container named Container1. Container1 uses a Windows Server 2019 base image that was built by using a Docker file.
You upgrade Server1 to Windows Server 2022.
You need to ensure that Container1 will run on Server1. The solution must minimize administrative effort.
What should you do?
A | Start Container1 in Hyper-V isolation mode. |
B | Modify the Docker file. |
C | Start Container1 in process isolation mode. |
D | Rebuild the base image for Container1. |
Correct answer: A
Explanation:
To upgrade a container host to a newer Windows or Windows Server version, you can either perform an in-place upgrade or a clean installation. Since the container host and the Windows containers share a single kernel, you should make sure the container's base image OS version matches that of the host. However, you can still have a newer version of the container host with an older base image with Hyper-V isolation.
References:
Upgrade containers to a new version of the Windows operating system
Isolation Modes
Question: 269
Measured Skill: Manage virtual machines and containers (15-20%)
You have a server named Host1 that runs Windows Server 2022 and is configured as a container host. Host1 stores a container image named image1 that is based on Windows Server 2019.
You need to start a container from image1 on Host1.
How should you complete the command?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
A | Docker run -d container image1 |
B | Docker run -d -isolation=hyperv image1 |
C | MsiExec run -d -isolation=process image1 |
D | Start run -d -isolation=hyperv image1 |
E | Start-VM run -d container image1 |
F | Start-VM run -d -isolation=process image1 |
Correct answer: B
Explanation:
Since the container host and the Windows containers share a single kernel, you should make sure the container's base image OS version matches that of the host. However, you can still have a newer version of the container host with an older base image with Hyper-V isolation.
Windows containers offer two distinct modes of runtime isolation: process and Hyper-V isolation. Containers running under both isolation modes are created, managed, and function identically. They also produce and consume the same container images. The difference between the isolation modes is the degree of isolation created between the container, the host operating system, and all of the other containers running on that host.
Process Isolation
This is the "traditional" isolation mode for containers and is what is described in the Windows containers overview. With process isolation, multiple container instances run concurrently on a given host with isolation provided through namespace, resource control, and process isolation technologies. When running in this mode, containers share the same kernel with the host as well as each other. This is approximately the same as how Linux containers run.
Hyper-V isolation
This isolation mode offers enhanced security and broader compatibility between host and container versions. With Hyper-V isolation, multiple container instances run concurrently on a host; however, each container runs inside of a highly optimized virtual machine and effectively gets its own kernel. The presence of the virtual machine provides hardware-level isolation between each container as well as the container host.
Isolation examples
Managing Hyper-V-isolated containers with Docker is nearly identical to managing process-isolated containers. To create a container with Hyper-V isolation using Docker, use the --isolation parameter to set --isolation=hyperv.
docker run -it --isolation=hyperv mcr.microsoft.com/windows/servercore:ltsc2019 cmd
To create a container with process isolation through Docker, use the --isolation parameter to set --isolation=process.
docker run -it --isolation=process mcr.microsoft.com/windows/servercore:ltsc2019 cmd
Windows containers running on Windows Server default to running with process isolation. Windows containers running on Windows 10 Pro and Enterprise default to running with Hyper-V isolation. Starting with the Windows 10 October 2018 update, users running a Windows 10 Pro or Enterprise host can run a Windows container with process isolation. Users must directly request process isolation by using the --isolation=process flag.
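Added example (not part of the original explanation): comparing the host build with the image's OS version before starting the container, and choosing the isolation mode accordingly. The function name Select-IsolationMode and the rule "same build number means process isolation is possible" are assumptions made for illustration; image1 is the image name from the question.

```powershell
function Select-IsolationMode {
    param(
        [Parameter(Mandatory)][version]$HostVersion,
        [Parameter(Mandatory)][version]$ImageVersion
    )
    # Process isolation shares the host kernel, so the builds must match.
    # Any mismatch falls back to Hyper-V isolation, where the container gets its own kernel.
    if ($HostVersion.Build -eq $ImageVersion.Build) { 'process' } else { 'hyperv' }
}

$image        = 'image1'
$hostVersion  = [System.Environment]::OSVersion.Version
# Windows images record their OS version in the image metadata
$imageVersion = [version](docker image inspect --format '{{.OsVersion}}' $image)

$mode = Select-IsolationMode -HostVersion $hostVersion -ImageVersion $imageVersion
"Host build {0}, image build {1}: using --isolation={2}" -f `
    $hostVersion.Build, $imageVersion.Build, $mode

# Start the container detached and confirm the isolation mode that was applied
$containerId = docker run -d "--isolation=$mode" $image
docker inspect --format '{{.HostConfig.Isolation}}' $containerId
```

Hyper-V isolation requires the Hyper-V role on the container host, so on a host without it the hyperv branch fails at docker run.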
References:
Upgrade containers to a new version of the Windows operating system
Isolation Modes
Question: 270
Measured Skill: Manage virtual machines and containers (15-20%)
You have a Windows Server container host named Server1.
You create a Dockerfile named df1.
You need to generate a container image by using df1.
Which command should you run?
A | docker build |
B | docker exec |
C | docker create |
D | docker images |
Correct answer: A
Explanation:
The Dockerfile is a text file that contains the instructions needed to create a new container image. These instructions include identification of an existing image to be used as a base, commands to be run during the image creation process, and a command that will run when new instances of the container image are deployed.
docker build is the Docker engine command that consumes a Dockerfile and triggers the image creation process.
Reference: Dockerfile on Windows