Practice Free AZ-800 Exam Online Questions
HOTSPOT
You need to meet technical requirements for HyperV1.
Which command should you run? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

SIMULATION
Task 9
You plan to create group managed service accounts (gMSAs).
You need to configure the domain to support the creation of gMSAs.
On a domain controller or a computer that has the Remote Server Administration Tools (RSAT) installed, open PowerShell as an administrator and run the following command to install the Active Directory module:
Install-WindowsFeature -Name RSAT-AD-PowerShell
Run the following command to create a Key Distribution Service (KDS) root key, which is required for generating passwords for gMSAs. You only need to do this once per domain:
Add-KdsRootKey -EffectiveImmediately
Wait for at least 10 hours for the KDS root key to replicate to all domain controllers in the domain. Alternatively, you can use the -EffectiveTime parameter to specify a past date and time for the KDS root key, but this is not recommended for security reasons. For more information, see Add-KdsRootKey.
After the KDS root key is replicated, you can create and configure gMSAs using the New-ADServiceAccount and Set-ADServiceAccount cmdlets. For more information, see Create a gMSA and Configure a gMSA.
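The steps above carried through to a usable account, as an added example that is not part of the original page. The account name, host group and DNS suffix are hypothetical, and the readiness check simply applies the 10-hour wait described above to the key's creation time.

```powershell
# Added example. Account, group and domain names are hypothetical.
Import-Module ActiveDirectory

function New-LobGmsa {
    # Run on a domain controller or a computer with RSAT installed.
    param(
        [string]$Name      = 'gmsaLobSvc',        # hypothetical gMSA name
        [string]$HostGroup = 'LobServiceHosts',   # hypothetical group of host computer accounts
        [string]$DnsSuffix = 'contoso.com'        # assumed domain DNS name
    )
    $key = Get-KdsRootKey | Sort-Object CreationTime | Select-Object -First 1
    if (-not $key) { throw 'No KDS root key found; run Add-KdsRootKey first.' }

    # Apply the 10-hour replication wait described above before relying on the key.
    $readyAt = $key.CreationTime.AddHours(10)
    if ($readyAt -gt (Get-Date)) {
        Write-Warning "KDS root key $($key.KeyId) may not have replicated until $readyAt."
    }

    if (Get-ADServiceAccount -Filter "Name -eq '$Name'") {
        Write-Verbose "$Name already exists."
        return
    }
    # Only members of $HostGroup can retrieve the managed password.
    New-ADServiceAccount -Name $Name -DNSHostName "$Name.$DnsSuffix" `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
        -KerberosEncryptionType 'AES128,AES256'
}

function Install-LobGmsa {
    # Run on the member server that hosts the service. The server must already be
    # in the host group; a restart is needed for new group membership to apply.
    param([string]$Name = 'gmsaLobSvc')
    Install-ADServiceAccount -Identity $Name
    if (-not (Test-ADServiceAccount -Identity $Name)) {
        throw "$Name cannot be used on $env:COMPUTERNAME; check group membership."
    }
    "Configure the service to log on as <DOMAIN>\$Name`$ with a blank password."
}
```

Restricting password retrieval to a dedicated group of host computer accounts keeps the gMSA usable only on the servers that run the service.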
HOTSPOT
Your network contains an Active Directory Domain Services (AD DS) domain named adatum.com.
The domain contains a server named Server1 and the users shown in the following table.
Server1 contains a folder named D:\Folder1.
The advanced security settings for Folder1 are configured as shown in the Permissions exhibit. (Click the Permissions tab.)
Folder1 is shared by using the following configurations:
The share permissions for Share1 are shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Explanation:
To access files in a shared folder, you need to be granted permissions on the folder (NTFS permissions) AND permissions on the share. The more restrictive of the folder permissions and the share permissions applies.
Box 1: Yes
Group1 has Read access to Folder1 and Change access to Share1. Therefore, User1 can read the files in Share1.
Box 2: No
Group3 has Full Control access to Share1. However, Group3 has no permissions configured on Folder1.
Therefore, User3 cannot access the files in Share1.
Box 3: Yes
Group2 has write permission to Folder1. However, Group2 has no permission on Share1. Therefore, users in Group2 cannot access files in the shared folder.
Access-Based Enumeration, when enabled, hides files and folders that users do not have permission to access. However, Access-Based Enumeration is not enabled on Share1. This is indicated by the FolderEnumerationMode - Unrestricted setting. Therefore, the share will be visible to User2 even though User2 cannot access the shared folder.
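The evaluation in this explanation, worked through as an added example that is not part of the original page. The group memberships and ACL entries are constructed from the explanation text (the exhibits are not reproduced here); NTFS Write is treated as Change-level for comparison, and Deny entries are not modelled.

```powershell
# Added example: access over SMB is the more restrictive of share and NTFS rights.
# All data below is constructed from the explanation text, not read from a server.
$rank = @{ None = 0; Read = 1; Change = 2; FullControl = 3 }

$membership = @{
    User1 = @('Group1')
    User2 = @('Group2')
    User3 = @('Group3')
}
$ntfsAcl  = @{ Group1 = 'Read';   Group2 = 'Change' }       # Folder1 (Write modelled as Change)
$shareAcl = @{ Group1 = 'Change'; Group3 = 'FullControl' }  # Share1

function Get-BestRight {
    # Highest right granted to any of the user's groups in one ACL.
    param([string[]]$Groups, [hashtable]$Acl)
    $best = 'None'
    foreach ($g in $Groups) {
        if ($Acl.ContainsKey($g) -and $rank[$Acl[$g]] -gt $rank[$best]) {
            $best = $Acl[$g]
        }
    }
    $best
}

function Get-EffectiveShareAccess {
    # Combine both ACLs: the lower-ranked right wins, and None on either side blocks access.
    param([string]$User)
    $n = Get-BestRight -Groups $membership[$User] -Acl $ntfsAcl
    $s = Get-BestRight -Groups $membership[$User] -Acl $shareAcl
    $effective = if ($rank[$n] -le $rank[$s]) { $n } else { $s }
    [pscustomobject]@{
        User      = $User
        NTFS      = $n
        Share     = $s
        Effective = $effective
        CanRead   = $rank[$effective] -ge $rank['Read']
    }
}

'User1', 'User2', 'User3' |
    ForEach-Object { Get-EffectiveShareAccess -User $_ } |
    Format-Table -AutoSize
```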
Your network contains a single-domain Active Directory Domain Services (AD DS) forest named conto.com.
The forest contains the servers shown in the following exhibit table.
You plan to install a line-of-business (LOB) application on Server1. The application will install a custom Windows service.
A new corporate security policy states that all custom Windows services must run under the context of a group managed service account (gMSA). You deploy a root key.
You need to create, configure, and install the gMSA that will be used by the new application.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . On Server1, run the Install-ADServiceAccount cmdlet.
- B . On DC1, run the New-ADServiceAccount cmdlet.
- C . On DC1, run the Set-ADComputer cmdlet.
- D . On DC1, run the Install-ADServiceAccount cmdlet.
- E . On Server1, run the Get-ADServiceAccount cmdlet.
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1.
On Server1, you install Windows Admin Center and use Windows Admin Center to remove BUILTIN\Users from the allowed groups.
You discover that all users can still sign in to Windows Admin Center.
You need to prevent unauthorized users from signing in to Windows Admin Center.
What should you do in Windows Admin Center?
- A . Set Performance Profile to On
- B . Set Require manage-as sessions to re-authenticate to On
- C . From the Proxy settings, configure a bypass list.
- D . Add a security group to the allowed groups.
SIMULATION
Task 3
You need to run a container that uses the mcr.microsoft.com/windows/servercore/iis image on SRV1. Port 60 on the container must be published to port 5001 on SRV1 and the container must run in the background.
Step 1: Pull the IIS Image
First, pull the IIS image from the Microsoft Container Registry:
docker pull mcr.microsoft.com/windows/servercore/iis
Step 2: Run the Container
Next, run the container with the required port mapping and ensure it runs in the background using the -d flag:
docker run -d -p 5001:60 --name iis_container mcr.microsoft.com/windows/servercore/iis
This command will start a container named iis_container using the IIS image, map port 60 inside the container to port 5001 on SRV1, and run the container in detached mode.
Step 3: Verify the Container is Running
To verify that the container is running and the port is published, use the following command:
docker ps
This will list all running containers and show the port mappings.
Step 4: Access the IIS Server
You can now access the IIS server running in the container by navigating to http://<SRV1_IP>:5001 in a web browser, where <SRV1_IP> is the IP address of SRV1.
Note: Ensure that Docker is installed on SRV1 and that port 5001 is open on the firewall to allow incoming connections.
By following these steps, you should be able to run the IIS container on SRV1 with the specified port mapping and have it running in the background.
SIMULATION
Task 4
You need to register SRV1 to sync Azure file shares. The registration must use the 34646045 Storage Sync Service.
The required source files are located in a folder named \\dc1.contoso.com\install.
You do NOT need to configure file share synchronization at this time and you do NOT need to update the agent.
On SRV1, open PowerShell as an administrator and run the following command to install the Az.StorageSync module if it is not already installed:
Install-Module -Name Az.StorageSync
Run the following command to import the Az.StorageSync module:
Import-Module -Name Az.StorageSync
Run the following command to sign in to your Azure account and select the subscription that contains the 34646045 Storage Sync Service:
Connect-AzAccount
Select-AzSubscription -SubscriptionId <your-subscription-id>
Run the following command to register SRV1 with the 34646045 Storage Sync Service. You need to specify the resource group name and the Storage Sync Service name as parameters:
Register-AzStorageSyncServer -ResourceGroupName <your-resource-group-name> -StorageSyncServiceName 34646045
Wait for the registration to complete. You can verify the registration status by checking the Registered servers tab on the Azure portal or by running the following command:
Get-AzStorageSyncServer -ResourceGroupName <your-resource-group-name> -StorageSyncServiceName 34646045
Now, SRV1 is registered with the 34646045 Storage Sync Service and ready to sync Azure file shares. You can create server endpoints on SRV1 and cloud endpoints on the Azure file shares to define the sync topology.
You have an Azure virtual machine named VM1 that runs Windows Server.
You need to configure the management of VM1 to meet the following requirements:
• Require administrators to request access to VM1 before establishing a Remote Desktop connection.
• Limit access to VM1 from specific source IP addresses.
• Limit access to VM1 to a specific management port.
What should you configure?
- A . a network security group (NSG)
- B . Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
- C . Azure Front Door
- D . Microsoft Defender for Cloud
D
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/defender-fo
HOTSPOT
You have an Azure subscription that contains a virtual network named VNet1. VNet1 contains three subnets named Subnet1, Subnet2, and Subnet3.
You deploy a virtual machine that has the following settings:
• Name: VM1
• Subnet: Subnet2
• Network interface name: NIC1
• Operating system: Windows Server 2022
You need to ensure that VM1 can route traffic between Subnet1 and Subnet3. The solution must minimize administrative effort.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

HOTSPOT
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com that syncs with an Azure AD tenant.
The tenant contains a group named Group1 and the users shown in the following table.
Domain/OU filtering in Azure AD Connect is configured as shown in the Filtering exhibit. (Click the Filtering tab.)
You review the Azure AD Connect configurations as shown in the Configure exhibit. (Click the Configure tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
