Practice Free AZ-800 Exam Online Questions

Explanation:

In the Windows Server hybrid core curriculum, trust selection is based on domain/forest boundaries and adjacency. The guidance explains that parent/child domains in the same forest already have implicit, two-way transitive trusts. When authentication frequently crosses nonadjacent domains inside the same forest, you can create a shortcut trust “to optimize name-crack and referral time between domains that otherwise authenticate through multiple hops.” In the scenario, contoso.com (forest root) and sub.west.contoso.com (a grandchild) are nonadjacent domains in the same forest. They already trust through west.contoso.com, so the only additional trust that makes sense―and matches the diagram―is a shortcut trust to shorten the path.

For cross-forest connectivity, the material states that trusts across different forests are not implicit.

To enable authentication between contoso.com and fabrikam.com, you use either:

a Forest trust (created between forest root domains; transitive across the forests and best when ongoing collaboration is required), or an External trust (nontransitive, domain-to-domain; used when a full forest trust is not possible or not desired).

Therefore, Trust1 = Shortcut trust only (intra-forest, nonadjacent domains) and Trust2 = Forest trust or external trust only (inter-forest trust options).

Explanation:

Step 1: Install the Remote Access role.

Step 2: Import the AD FS certificate to Server2.

Step 3: Run the Web Application Proxy Configuration Wizard.

In Administering Windows Server Hybrid Core Infrastructure, the Web Application Proxy (WAP) component is documented as a role service of the Remote Access role and is deployed on an edge or perimeter server to publish AD FS and other web apps. The guide states that before configuring WAP, you must install the Remote Access role with the Web Application Proxy role service on the proxy server. It further explains that WAP must establish trust with the existing AD FS farm by using the AD FS service communications certificate: “Import the federation service SSL certificate (with private key) on the proxy server and place it in the local computer’s personal store.” After the certificate is present, you run the Web Application Proxy Configuration Wizard to “specify the Federation Service name, provide AD FS credentials, and complete the trust and configuration.” The materials also clarify that you do not install the AD FS role on the proxy and Microsoft Application Request Routing (ARR) is not required for WAP. The AD FS Configuration Wizard applies to federation servers, not proxies. Therefore, the minimal and correct sequence on Server2 is: Install Remote Access (WAP) → Import the AD FS cert → Run the Web Application Proxy Configuration Wizard, which configures the trust and enables publishing of the AD FS endpoint.

Explanation:

In Azure File Sync architecture (covered in Administering Windows Server Hybrid Core Infrastructure under “Implement and manage storage solutions”), the fundamental design points are:

Sync group C “A sync group defines a sync topology. Each sync group contains exactly one cloud endpoint (an Azure file share) and one or more server endpoints.” A server endpoint is a folder on a registered Windows Server. A server can participate in multiple sync groups so long as the server endpoints are different paths.

Storage Sync Service C “The Storage Sync Service is the top-level resource that maintains server registrations and houses your sync groups.” A Windows Server registers to one Storage Sync Service at a time, and that service can contain many sync groups and many servers.

FS1 must sync with newyorkfiles and companyfiles; FS2 must sync with seattlefiles and companyfiles. Since one Storage Sync Service can host multiple sync groups and multiple servers, and a server must be registered to a single service, the most efficient design is a single Storage Sync Service containing all three sync groups and both servers.

Explanation:

In the AZ-800 materials on “Manage and maintain Windows Server IaaS virtual machines,” the Serial Console requirement is called out clearly: the VM must have Boot diagnostics enabled so Azure can capture the console and provide an interactive text console during boot and runtime. The guidance explains that enabling Boot diagnostics (either managed or with a storage account) stores the console output and screen shots that the Serial Console relies on. Guest-level diagnostics or a managed identity are not prerequisites for Serial Console access.

Access control to the Serial Console is governed by Azure RBAC. The study guidance states that users must be granted either Virtual Machine Contributor (broad rights) or the minimal login roles; for secure, least-privilege access to a console session with administrative rights, assign Virtual Machine Administrator Login to the user. This role allows interactive sign-in to the VM (RDP/SSH/Serial Console) without granting configuration permissions on the VM.

Therefore, to let [email protected] use the Serial Console while meeting least-privilege objectives, enable Boot diagnostics on the VM (here, with a custom storage account, which satisfies the boot diagnostics requirement) and assign the Virtual Machine Administrator Login role to User1.