Latest AZ-800 Free Dumps - Microsoft Administering Windows Server Hybrid Core Infrastructure

You have an Azure Active Directory Domain Services (Azure AD DS) domain.
You create a new user named Admin1.
You need Admin1 to deploy custom Group Policy settings to all the computers in the domain. The solution must use the principle of least privilege.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:

Explanation:

The Administering Windows Server Hybrid Core Infrastructure materials explain that in Azure Active Directory Domain Services (Azure AD DS) you don't get traditional Domain Admins or Group Policy Creator Owners rights. Instead, "administration of the managed domain is delegated to the AAD DC Administrators group. Members of this group can manage Group Policy in the managed domain and administer domain-joined computers." The guide further notes that Azure AD DS automatically creates two built-in OUs and GPOs: "AADDC Computers and AADDC Users, with the corresponding 'AADDC Computers GPO' and 'AADDC Users GPO' already linked." For computer configuration that should apply to all domain-joined machines, the materials state that "you apply or customize computer policy by editing the AADDC Computers GPO (or by creating additional GPOs and linking them to the AADDC Computers OU)." They also emphasize least-privilege and supportability guidance: "Do not modify the Default Domain Policy in Azure AD DS; use the AADDC-scoped GPOs/OUs for managed-domain policy." Putting this together: to let Admin1 deploy custom policy to all computers while honoring least privilege, add Admin1 to AAD DC Administrators (the only group granted GPO management in Azure AD DS) and have them modify the existing 'AADDC Computers GPO' that is already linked to the AADDC Computers OU so the settings flow to every domain-joined computer.
Your network contains the domains shown in the following exhibit.

Which type of trust can you use for Trust1 and Trust2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:

Explanation:

In the Windows Server hybrid core curriculum, trust selection is based on domain/forest boundaries and adjacency. The guidance explains that parent/child domains in the same forest already have implicit, two-way transitive trusts. When authentication frequently crosses nonadjacent domains inside the same forest, you can create a shortcut trust "to optimize name-crack and referral time between domains that otherwise authenticate through multiple hops." In the scenario, contoso.com (forest root) and sub.west.contoso.com (a grandchild) are nonadjacent domains in the same forest. They already trust through west.contoso.com, so the only additional trust that makes sense, and that matches the diagram, is a shortcut trust to shorten the path.
For cross-forest connectivity, the material states that trusts across different forests are not implicit. To enable authentication between contoso.com and fabrikam.com, you use either:
* a Forest trust (created between forest root domains; transitive across the forests and best when ongoing collaboration is required), or
* an External trust (nontransitive, domain-to-domain; used when a full forest trust is not possible or not desired).
Therefore, Trust1 = Shortcut trust only (intra-forest, nonadjacent domains) and Trust2 = Forest trust or external trust only (inter-forest trust options).
Task 9
You need to replicate a read-only copy of a DNS zone named contoso.com to SRV2.
Answer:
See the solution of this Task below.
Explanation:
Objective:
Create a read-only copy of the DNS zone contoso.com on SRV2.
Step-by-Step Guide: Using a Secondary Zone
# Step 1: Log in to SRV2
Log in to SRV2 (where you want to host the secondary zone) using an account with local administrative privileges.
# Step 2: Open DNS Manager
Press Windows + R, type dnsmgmt.msc, and press Enter.
# Step 3: Create a Secondary Zone
In the DNS Manager, expand the server node for SRV2.
Right-click Forward Lookup Zones and select New Zone.
The New Zone Wizard opens.
# Step 4: Configure the Secondary Zone
Zone Type:
Select Secondary zone and click Next.
Zone Name:
Type contoso.com and click Next.
Master DNS Servers:
Enter the IP address of the master DNS server that hosts the primary zone (e.g., SRV1's IP).
Click Next.
Finish:
Review the settings and click Finish.
# Step 5: Allow Zone Transfers on the Primary Server
On SRV1 (or the DNS server hosting the primary zone):
Open DNS Manager.
Right-click the contoso.com zone and select Properties.
Go to the Zone Transfers tab.
Check Allow zone transfers.
Specify SRV2's IP address (or allow to any server if needed).
# Step 6: Verify Zone Replication
On SRV2, refresh the Forward Lookup Zones in DNS Manager.
The contoso.com zone should now appear as a Secondary zone.
Check the Zone Transfer status to ensure it successfully replicated.
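The same procedure from PowerShell, as an added example that is not part of the original answer. It uses the DnsServer module cmdlets and allows transfers to SRV2 only, not to any server; the IP addresses are placeholders and the zone file name is an assumption.

```powershell
# Added example. IP addresses are placeholders from the documentation range.
# Run from an admin workstation with the DnsServer module (RSAT) installed.
$ZoneName = 'contoso.com'
$Srv1Ip   = '192.0.2.10'   # placeholder: SRV1, hosts the primary zone
$Srv2Ip   = '192.0.2.20'   # placeholder: SRV2, will host the read-only copy

# Step 5 first: on SRV1, permit transfers to SRV2 only and notify it of changes.
# TransferToSecureServers limits AXFR/IXFR to the addresses in -SecondaryServers.
Set-DnsServerPrimaryZone -ComputerName 'SRV1' -Name $ZoneName `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $Srv2Ip `
    -Notify NotifyServers -NotifyServers $Srv2Ip

# Steps 3-4: on SRV2, create the secondary zone with SRV1 as its master.
Add-DnsServerSecondaryZone -ComputerName 'SRV2' -Name $ZoneName `
    -ZoneFile "$ZoneName.dns" -MasterServers $Srv1Ip

# Step 6: force a full transfer, then confirm the zone type and that the
# SOA record arrived on SRV2.
Start-DnsServerZoneTransfer -ComputerName 'SRV2' -Name $ZoneName -FullTransfer
Get-DnsServerZone -ComputerName 'SRV2' -Name $ZoneName |
    Select-Object ZoneName, ZoneType, MasterServers
Get-DnsServerResourceRecord -ComputerName 'SRV2' -ZoneName $ZoneName -RRType Soa
```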
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the offices shown in the following table.

You need to deploy a Network Policy Server (NPS) named NPS1 to enforce network access policies for all remote connections.
What is the minimum number of RADIUS clients that you should add to NPS1 ?

Answer: A
You deploy a single-domain Active Directory Domain Services (AD DS) forest named contoso.com.
You deploy five servers to the domain. You add the servers to a group named ITFarmHosts.
You plan to configure a Network Load Balancing (NLB) cluster named NLBCluster.contoso.com that will contain the five servers.
You need to ensure that the NLB service on the nodes of the cluster can use a group managed service account (gMSA) to authenticate.
Which three PowerShell cmdlets should you run in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.
Answer:

Explanation:

The AZ-800 materials explain that group Managed Service Accounts (gMSAs) rely on the KDS (Key Distribution Service) to generate and rotate passwords. Therefore, in a new forest you must first create a KDS root key:
* "Before creating your first gMSA, run Add-KdsRootKey to seed the KDS" (the key may need propagation time).
Next, you create the gMSA and scope which computers can retrieve its managed password:
* Use New-ADServiceAccount with -PrincipalsAllowedToRetrieveManagedPassword set to the security group that contains the NLB nodes (here, ITFarmHosts), and specify the DNS host name as needed for the service (e.g., NLBCluster.contoso.com).
Finally, on each cluster node you install (register) the gMSA locally so services can run under it:
* Run Install-ADServiceAccount on each server in ITFarmHosts.
Cmdlets like Add-ADComputerServiceAccount are used for standalone MSAs (sMSAs), not gMSAs, and Set-ADForestConfiguration isn't required. This sequence enables the NLB service on all five nodes to authenticate using the gMSA with automatic password management.
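The three-cmdlet sequence written out with its parameters, as an added example that is not part of the original answer. The gMSA name NLBgMSA is hypothetical; the group and DNS host name come from the question.

```powershell
# Added example. $GmsaName is a hypothetical account name.
Import-Module ActiveDirectory

$GmsaName  = 'NLBgMSA'                  # hypothetical
$DnsName   = 'NLBCluster.contoso.com'   # from the question
$HostGroup = 'ITFarmHosts'              # from the question

# 1. Seed the KDS once per forest; skip if a root key already exists.
if (-not (Get-KdsRootKey)) {
    # Despite the name, the key becomes usable about 10 hours later so that
    # every domain controller has time to replicate it.
    Add-KdsRootKey -EffectiveImmediately
    # Isolated lab only: backdate the key so it is usable at once.
    # Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Create the gMSA. Only members of ITFarmHosts can retrieve the managed
#    password, which keeps the credential scoped to the five NLB nodes.
New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup

# Review who is allowed to retrieve the password before using the account.
Get-ADServiceAccount -Identity $GmsaName `
    -Properties DNSHostName, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# 3. Run on EACH server in ITFarmHosts. A server added to the group after its
#    last boot needs a restart first so its Kerberos ticket carries the
#    new group membership.
Install-ADServiceAccount -Identity $GmsaName
Test-ADServiceAccount -Identity $GmsaName   # True when this host can use the gMSA
```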
Task 11
You need to ensure that all DHCP clients that get an IP address from SRV1 will be configured to use DC1 as a DNS server.
Answer:
See the solution of this Task below.
Explanation:
One possible solution to ensure that all DHCP clients that get an IP address from SRV1 will be configured to use DC1 as a DNS server is to use the DHCP scope options. DHCP scope options are settings that apply to all DHCP clients that obtain an IP address from a specific scope. You can use the DHCP scope options to specify the DNS server IP address, as well as other parameters such as the default gateway, the domain name, and the DNS suffix. Here are the steps to configure the DHCP scope options on SRV1:
On SRV1, open DNS Manager from the Administrative Tools menu or by typing dnsmgmt.msc in the Run box.
In the left pane, expand your DHCP server and click on IPv4.
In the right pane, right-click on the scope that you want to configure and select Properties.
In the Scope Properties dialog box, click on the DNS tab.
Check the box Enable DNS dynamic updates according to the settings below. This option allows the DHCP server to register and update the DNS records for the DHCP clients.
Select the option Always dynamically update DNS records. This option ensures that the DHCP server updates both the A and PTR records for the DHCP clients, regardless of whether they request or support dynamic updates.
Check the box Discard A and PTR records when lease is deleted. This option allows the DHCP server to delete the DNS records for the DHCP clients when their leases expire or are released.
Check the box Dynamically update DNS records for DHCP clients that do not request updates. This option allows the DHCP server to update the DNS records for the DHCP clients that do not support dynamic updates, such as legacy or non-Windows clients.
In the DNS servers section, click on the Add button to add a new DNS server IP address.
In the Add Server dialog box, enter the IP address of DC1, which is the DNS server that you want to use for the DHCP clients, and click Add.
Click OK to close the Add Server dialog box and return to the Scope Properties dialog box.
Click OK to apply the changes and close the Scope Properties dialog box.
Now, all DHCP clients that get an IP address from SRV1 will be configured to use DC1 as a DNS server. You can verify the DNS configuration by using the ipconfig /all command on a DHCP client computer and checking the DNS Servers entry. You can also check the DNS records for the DHCP clients by using the DNS Manager console on DC1.
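Setting the DNS server option from PowerShell, as an added example that is not part of the original answer. It sets option 006 (DNS Servers) at server level with the DhcpServer module and then corrects any scope that carries its own value, because a scope-level option overrides the server-level one; resolving DC1 by name is an assumption about the lab.

```powershell
# Added example. Assumes DC1 resolves by name from where the script runs.
$DhcpServer = 'SRV1'
$Dc1Ip = (Resolve-DnsName -Name 'DC1' -Type A |
    Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress

# Server-level option 006: inherited by every IPv4 scope on SRV1 that does
# not define its own value. The cmdlet validates that the address answers
# DNS queries before accepting it.
Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -DnsServer $Dc1Ip

# A scope-level option 006 wins over the server-level value, so find scopes
# that hand out a different DNS server and bring them in line.
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpServer `
        -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    if ($opt -and (($opt.Value -join ',') -ne $Dc1Ip)) {
        Write-Warning "Scope $($scope.ScopeId) hands out $($opt.Value -join ', ')"
        Set-DhcpServerv4OptionValue -ComputerName $DhcpServer `
            -ScopeId $scope.ScopeId -DnsServer $Dc1Ip
    }
}

# Confirm the effective server-level value.
Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6
```

Reservation-level and policy-level options also override the scope value, so check those separately if a client still reports a different DNS server in ipconfig /all.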
Your network contains a multi-site Active Directory Domain Services (AD DS) forest. Each Active Directory site is connected by using manually configured site links and automatically generated connections.
You need to minimize the convergence time for changes to Active Directory.
What should you do?

Answer: B
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. You implement a central store.
You create a new Group Policy Object (GPO) named GPO1.
When you attempt to edit GPO1, you see the settings shown in the exhibit. (Click the Exhibit tab.) You need to ensure that all settings are available.
Solution: You modify the properties of GPO1.
Does this meet the goal?

Answer: B
You need to configure network communication between the Seattle and New York offices. The solution must meet the networking requirements.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:

Explanation:

The exam materials for Administering Windows Server Hybrid Core Infrastructure explain that when replacing private WAN links with Azure, Azure Virtual WAN (vWAN) can be used to centralize connectivity. For private connectivity, ExpressRoute integrates directly with a vWAN hub by deploying an ExpressRoute gateway in the hub. The gateway is the Azure resource that terminates ExpressRoute and enables hub-and-spoke routing to connected VNets (such as Vnet1). The guides emphasize: "In a Virtual WAN hub, use the ExpressRoute gateway to connect ExpressRoute circuits and propagate routes across the hub to your virtual networks." On-premises, each site (New York and Seattle) requires an ExpressRoute circuit connection provisioned via a connectivity provider. The circuit is the dedicated private connection from the customer edge to Microsoft's edge and is what the office sites actually use; it's then linked to the vWAN hub's ExpressRoute gateway. The same materials note that Site-to-Site VPN is an alternative transport but is not required when ExpressRoute is mandated. Likewise, Application Gateway is a Layer-7 load balancer for HTTP/S traffic, and on-premises data gateway relates to Power BI/Power Platform hybrid connectivity, neither of which establishes network transport between offices and Azure.
Therefore, to meet the requirement "connect both on-premises offices to Vnet1 by using ExpressRoute," configure an ExpressRoute gateway on the vWAN hub and ExpressRoute circuit connections in the offices.
Task 4
You need to run a container that uses the mcrmicrosoft.com/windows/servercofe/iis image on SRV1. Port 80 on the container must be published to port 5001 on SRV1 and the container must run in the background
Answer:
See the solution of this Task below.
Explanation:
To run a container on SRV1 using the mcrmicrosoft.com/windows/servercofe/iis image, publish port 80 on the container to port 5001 on SRV1, and ensure it runs in the background, you can follow these steps:
Step 1: Pull the IIS Image
First, pull the correct IIS image from the Microsoft Container Registry:
docker pull mcr.microsoft.com/windows/servercore/iis
Step 2: Run the Container
Next, run the container with the required port mapping and ensure it runs in the background using the -d flag:
docker run -d -p 5001:80 --name iis_container mcr.microsoft.com/windows/servercore/iis
This command will start a container named iis_container using the IIS image, map port 80 inside the container to port 5001 on SRV1, and run the container in detached mode.
Step 3: Verify the Container is Running
To verify that the container is running and the port is published, use the following command:
docker ps
This will list all running containers and show the port mappings.
Step 4: Access the IIS Server
You can now access the IIS server running in the container by navigating to http://<SRV1_IP>:5001 in a web browser, where <SRV1_IP> is the IP address of SRV1.
Note: Ensure that Docker is installed on SRV1 and that the port 5001 is open on the firewall to allow incoming connections.
By following these steps, you should be able to run the IIS container on SRV1 with the specified port mapping and have it running in the background. Please replace mcrmicrosoft.com/windows/servercofe/iis with the correct image name mcr.microsoft.com/windows/servercore/iis as shown in the commands above.
