Practice Free D-AXAZL-A-00 Exam Online Questions
A Systems Integrator verifies the deployment of a 4-node cluster. The "Overview" blade in the Azure Portal shows the cluster is "Online", but the "Configuration" blade shows a warning for "Drift Control".
Status: "Non-Compliant"
Drift Detected: "HostNetworking"
Details: "Node-03: Adapter ‘pNIC01’ JumboPacket value is 1514. Intent ‘Storage’ requires 9014."
The integrator suspects a manual change was made on the node.
What is the consequence of this state, and how does the system behave? (Select all that apply.)
- A . Within the Azure Resource Manager (ARM) portal, deployment status changes to "Failed" and persists until an administrator manually corrects the configuration drift.
- B . The cluster remains operational, though storage performance may degrade due to RoCEv2 packet fragmentation.
- C . The "Storage" network intent on Node-03 becomes non-functional and ceases enforcement until drift resolution occurs.
- D . The cluster will trigger an immediate "Evacuate Node" action to drain workloads from Node-03.
- E . Network ATC remediates drift by resetting the JumboPacket to 9014 during its next scan (default interval: 15 minutes).
A DevOps team is setting up a Service Principal (SPN) for a CI/CD pipeline that will deploy Azure Local clusters.
The security policy states: "Service Principals must effectively expire every 90 days."
To operationalize this for the ARM deployment pipeline, which specific property of the Service Principal or App Registration must be rotated?
- A . The Object ID of the Service Principal in the Enterprise Applications blade.
- B . The Tenant ID: the immutable global identifier for the Azure AD tenant, which cannot be changed.
- C . The Client Secret (password) or Certificate credential for the App Registration.
- D . The Application (Client) ID: a permanent GUID identifier; changing it invalidates all role assignments.
Case Study 2: The "Zombie" Node Mystery
A Senior Support Engineer is troubleshooting a 4-node cluster. Node-03 was physically replaced due to hardware failure. The node was re-imaged, renamed to Node-03, and joined to the domain.
When attempting to add Node-03 back to the cluster (Add-ClusterNode), the operation fails immediately.
However, Get-ClusterNode on the active cluster shows only Node-01, 02, and 04. Node-03 is not in the list.
On Node-03 itself, Get-ClusterNode returns "The term ‘Get-ClusterNode’ is not recognized" (Cluster feature not installed yet).
What "Ghost" configuration is blocking the add operation?
- A . Node-03’s DNS A-record resolves to the IPv6 address of the decommissioned network interface, causing the cluster wizard to attempt communication with a non-existent endpoint.
- B . Active Directory’s Cluster Name Object retains the old Node-03 hostname in the msDS-AdditionalDnsHostName attribute, triggering a Kerberos SPN conflict during node validation.
- C . An existing Azure Arc resource for Node-03 remains registered in the Azure portal with a ‘Connected’ status, locking the hostname and preventing reintegration into the on-premises cluster environment.
- D . The replacement server’s physical disks retain the prior cluster’s signature in metadata headers due to reused drives or prior cluster membership without disk sanitization.
An Infrastructure Manager receives a Validate-DCB report showing a Configuration Mismatch for the MTU setting.
Node-01: Storage Adapter MTU = 9014
Node-02: Storage Adapter MTU = 9014
Switch Port 1/1: MTU = 1500
Switch Port 1/2: MTU = 1500
What is the immediate consequence of this mismatch for the Storage Spaces Direct (S2D) synchronization?
- A . The cluster nodes automatically negotiate down to the 1500 MTU value using the Path MTU Discovery (PMTUD) protocol, a standard mechanism intended to prevent packet loss across network paths.
- B . In this scenario, the switch fragments oversized packets into 1500-byte units during transmission, increasing CPU utilization on the switch hardware while preserving connectivity between cluster nodes.
- C . The RDMA-capable network adapters respond to the detected MTU mismatch by disabling RoCEv2 and initiating a fallback to the iWarp protocol to maintain operational continuity.
- D . Small packets (such as ICMP ping) transmit successfully, but large S2D synchronization packets exceed the switch MTU and are dropped, leading to storage pool instability or redundancy loss.
An Implementation Engineer runs a registration script and receives the following error:
[Error] The resource ‘AX-Node-01’ could not be created.
[Code] InvalidTemplateDeployment
[Message] The template deployment failed because of policy violation. Policy: ‘Allowed-Resource-Types’.
The engineer checks the policy definition and sees a whitelist of allowed resource types.
Which resource type MUST be present in the allowed list for Azure Local nodes to register successfully?
- A . Microsoft.Kubernetes/connectedClusters
- B . Microsoft.AzureStackHCI/clusters
- C . Microsoft.Compute/virtualMachines
- D . Microsoft.HybridCompute/machines
A DevOps engineer attempts to execute a deployment using the Azure CLI command az stack-hci-vm create … referencing a custom template. The deployment fails validation with the error InvalidTemplate.
The engineer examines the parameters.json file:
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "clusterName": {
      "value": "azl-cluster-01"
    },
    "witnessStorageAccountKey": {
      "value": "x8/9s9…"
    }
  }
}
```
The security policy prohibits plain-text secrets in parameter files.
What is the correct syntax modification to reference the witness key from an Azure Key Vault named kv-secrets instead of hardcoding the value?
- A .

  ```json
  "witnessStorageAccountKey": {
    "reference": {
      "keyVault": {
        "id": "/subscriptions/…/resourceGroups/…/providers/Microsoft.KeyVault/vaults/kv-secrets"
      },
      "secretName": "witness-key"
    }
  }
  ```
- B .

  ```json
  "witnessStorageAccountKey": {
    "value": "[parameters('kv-secrets').secret('witness-key')]"
  }
  ```
- C .

  ```json
  "witnessStorageAccountKey": {
    "keyVaultReference": "kv-secrets/witness-key"
  }
  ```
- D .

  ```json
  "witnessStorageAccountKey": {
    "secureValue": "kv-secrets/witness-key"
  }
  ```
A Site Reliability Engineer is verifying the switch configuration for a new Dell AX deployment. The engineer runs a command on the Top-of-Rack switch to verify the Quality of Service settings for the RDMA traffic class (Priority 3).
Refer to the following switch command output:
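```
Switch# show dcb ets details
-------------------------------------------------------
Interface   Priority-Group   Priority    Bandwidth (%)
-------------------------------------------------------
Eth1/1      0                0,1,2,4-7   40%
Eth1/1      1                3           60%
-------------------------------------------------------
Switch# show dcb pfc details
-------------------------------------------------------
Interface   Priority    Status
-------------------------------------------------------
Eth1/1      3           Disabled
Eth1/1      0-2,4-7     Disabled
```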
Based on this output, what is the critical configuration error that will impact the stability of the Azure Local storage fabric?
- A . Priority 3 is assigned to a dedicated Priority Group, preventing bandwidth borrowing from other traffic groups during congestion events.
- B . The bandwidth allocation for Priority Group 1 is set to 60%, which exceeds the Microsoft recommended maximum of 50%.
- C . Using Priority 0 for non-storage traffic conflicts with standard management traffic class assignments in converged fabric designs.
- D . Priority Flow Control (PFC) is disabled for Priority 3 (the designated RDMA traffic class), violating the mandatory lossless network fabric requirement essential for reliable RoCEv2 operation in Azure Local storage environments.
Backup agents cannot connect to the CSVs.
– "Deny access to this computer from the network" -> Added Guest, Local Account.
– "Apply UAC to built-in Administrator" -> Enabled.
– "Restrict NTLM: Incoming NTLM traffic" -> Deny All Accounts.
Which specific policy setting is the primary culprit, and why is it breaking these specific cluster functions?
- A . UAC on Administrator: This policy restricts remote administrative privileges of the built-in Administrator account. Consequently, the CAU plugin cannot elevate privileges remotely via WMI to initiate update scans without proper configuration of the LocalAccountTokenFilterPolicy registry setting.
- B . Deny Network Access: This policy blocks network logon for Guest and Local Account. The Cluster Service Account (CLIUSR) is a domain-managed service account and is typically unaffected unless explicitly targeted by policy configuration.
- C . Restrict NTLM (Deny All): Cluster operations fail because Live Migration, intra-node RPC, CAU, and backup agents may rely on NTLM authentication for IP-based connections (where Kerberos fails) or local account impersonation scenarios.
- D . The policies are correctly configured; the issue arises from Firewall rules not permitting dynamic RPC ports. However, disabling NTLM does not alter RPC port requirements―the failures stem from authentication errors when NTLM fallbacks are blocked.
A deployment validation fails with a generic "Internet Connectivity" error.
The engineer runs the Test-ArcConnectivity command on the node to investigate and sees the following output:
```
Source : Node-01
Destination : https://management.azure.com
Status : Fail
Details : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Certificate : CN=Corp-DeepPacket-Inspection-Proxy
```
What is the specific network environment issue indicated by this log?
- A . The node’s system clock is desynchronized by over 5 minutes from UTC, invalidating the TLS certificate’s validity period during handshake.
- B . The Azure Arc agent uses deprecated TLS 1.0; Azure endpoints require TLS 1.2 or higher for secure communication.
- C . Firewall rules block outbound TCP port 443 (HTTPS), forcing the agent to fall back to HTTP on port 80, which Azure endpoints explicitly reject.
- D . An SSL inspection proxy intercepts traffic, but its root CA certificate is missing from the node’s Trusted Root store.
Why is it critically important to select the specific "Dell Custom" VSR (Validated Solution Recipe) ISO image revision that strictly matches the version of the Solution Builder Extension (SBE) intended for the deployment, rather than simply using the "latest" available ISO?
- A . Within Azure Local deployments on Dell AX nodes, the Azure Arc agent version packaged in the "latest" ISO exhibits incompatibility with "Legacy" registration scripts executed by the deployment wizard, causing script failures and preventing successful node registration to Azure Arc.
- B . The SBE package contains a manifest of allowed OS version hashes. Any deviation from the VSR baseline OS version―including minor Cumulative Updates (LCUs)―triggers compliance check failure, blocking cluster creation.
- C . When the deployed ISO revision exceeds the SBE’s expected version, a "License Activation Error" occurs because Automatic Virtual Machine Activation (AVMA) keys embedded in the ISO are bound to the original build timestamp and rejected by the SBE’s validation routine.
- D . During Virtual Media mounting on legacy Dell PowerEdge infrastructure, the "latest" ISO employs encryption using a key algorithm unsupported by older iDRAC firmware versions, resulting in decryption failure and termination of the mount process.
