AZ-800 無料問題集「Microsoft Administering Windows Server Hybrid Core Infrastructure」
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains a server named Server1 that has the DFS Namespaces role service installed. Server! hosts a domain-based Distributed File System (DFS) Namespace named Files.
The domain contains a tile server named Server2. Seiver2 contains a shared folder named Share1. Share1 contains a subfolder named Folder 1.
In the Files namespace, you create a folder named Folder! that has a target of \\Server2.contoso.
com\Share1\Folder1.
You need to configure a logon script that will map drive letter M to Folder1. The solution must use the path of the DFS Namespace.
How should you complete the command to map the drive letter? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
The domain contains a tile server named Server2. Seiver2 contains a shared folder named Share1. Share1 contains a subfolder named Folder 1.
In the Files namespace, you create a folder named Folder! that has a target of \\Server2.contoso.
com\Share1\Folder1.
You need to configure a logon script that will map drive letter M to Folder1. The solution must use the path of the DFS Namespace.
How should you complete the command to map the drive letter? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
正解:
Explanation:
Task 7
You need to monitor the security configuration of DC1 by using Microsoft Defender for Cloud.
The required source files are located in a folder named \\dc1.contoso.com\install.
You need to monitor the security configuration of DC1 by using Microsoft Defender for Cloud.
The required source files are located in a folder named \\dc1.contoso.com\install.
正解:
See the solution of this Task below.
Explanation:
One possible solution to monitor the security configuration of DC1 by using Microsoft Defender for Cloud is to use the Guest Configuration feature. Guest Configuration is a service that audits settings inside Linux and Windows virtual machines (VMs) to assess their compliance with your organization's security policies. You can use Guest Configuration to monitor the security baseline settings for Windows Server in the Microsoft Defender for Cloud portal by following these steps:
* On DC1, open a web browser and go to the folder named \dc1.contoso.com\install. Download the Guest Configuration extension file (GuestConfiguration.msi) and save it to a local folder, such as C:\Temp.
* Run the Guest Configuration extension file and follow the installation wizard. You can choose to install the extension for all users or only for the current user. For more information on how to install the Guest Configuration extension, see Install the Guest Configuration extension.
* After the installation is complete, sign in to the Microsoft Defender for Cloud portal (2).
* In the left pane, select Security Center and then Recommendations.
* In the recommendations list, find and select Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration).
* In the Remediate Security Configurations page, you can see the compliance status of your Windows VMs, including DC1, based on the Azure Compute Benchmark. The Azure Compute Benchmark is a set of rules that define the desired configuration state of your VMs. You can also see the number of failed, passed, and skipped rules for each VM. For more information on the Azure Compute Benchmark, see Microsoft cloud security benchmark: Azure compute benchmark is now available.
* To view the details of the security configuration of DC1, click on the VM name and then select View details. You can see the list of rules that apply to DC1 and their compliance status. You can also see the severity, description, and remediation steps for each rule. For example, you can see if DC1 has the latest security updates installed, if the firewall is enabled, if the password policy is enforced, and so on.
* To monitor the security configuration of DC1 over time, you can use the Compliance over time chart, which shows the trend of compliance status for DC1 in the past 30 days. You can also use the Compliance breakdown chart, which shows the distribution of compliance status for DC1 by rule severity.
By using Guest Configuration, you can monitor the security configuration of DC1 by using Microsoft Defender for Cloud and ensure that it meets your organization's security standards. You can also use Guest Configuration to monitor the security configuration of other Windows and Linux VMs in your Azure environment.
Explanation:
One possible solution to monitor the security configuration of DC1 by using Microsoft Defender for Cloud is to use the Guest Configuration feature. Guest Configuration is a service that audits settings inside Linux and Windows virtual machines (VMs) to assess their compliance with your organization's security policies. You can use Guest Configuration to monitor the security baseline settings for Windows Server in the Microsoft Defender for Cloud portal by following these steps:
* On DC1, open a web browser and go to the folder named \dc1.contoso.com\install. Download the Guest Configuration extension file (GuestConfiguration.msi) and save it to a local folder, such as C:\Temp.
* Run the Guest Configuration extension file and follow the installation wizard. You can choose to install the extension for all users or only for the current user. For more information on how to install the Guest Configuration extension, see Install the Guest Configuration extension.
* After the installation is complete, sign in to the Microsoft Defender for Cloud portal (2).
* In the left pane, select Security Center and then Recommendations.
* In the recommendations list, find and select Vulnerabilities in security configuration on your Windows machines should be remediated (powered by Guest Configuration).
* In the Remediate Security Configurations page, you can see the compliance status of your Windows VMs, including DC1, based on the Azure Compute Benchmark. The Azure Compute Benchmark is a set of rules that define the desired configuration state of your VMs. You can also see the number of failed, passed, and skipped rules for each VM. For more information on the Azure Compute Benchmark, see Microsoft cloud security benchmark: Azure compute benchmark is now available.
* To view the details of the security configuration of DC1, click on the VM name and then select View details. You can see the list of rules that apply to DC1 and their compliance status. You can also see the severity, description, and remediation steps for each rule. For example, you can see if DC1 has the latest security updates installed, if the firewall is enabled, if the password policy is enforced, and so on.
* To monitor the security configuration of DC1 over time, you can use the Compliance over time chart, which shows the trend of compliance status for DC1 in the past 30 days. You can also use the Compliance breakdown chart, which shows the distribution of compliance status for DC1 by rule severity.
By using Guest Configuration, you can monitor the security configuration of DC1 by using Microsoft Defender for Cloud and ensure that it meets your organization's security standards. You can also use Guest Configuration to monitor the security configuration of other Windows and Linux VMs in your Azure environment.
You have a server named Server1 that runs Windows Server and has the Active Directory Federation Services role installed.
You plan to deploy Web Application Proxy to a server named Server2.
You export the Active Directory Federation Services (AD FS) certificate from Server1.
Which actions should you perform on Server2 in sequence? To answer, drag the appropriate actions to the correct order. Each action may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTF: Each correct selection is worth one point.
You plan to deploy Web Application Proxy to a server named Server2.
You export the Active Directory Federation Services (AD FS) certificate from Server1.
Which actions should you perform on Server2 in sequence? To answer, drag the appropriate actions to the correct order. Each action may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTF: Each correct selection is worth one point.
正解:
Explanation:
Your network contains an Active Directory domain, a web app named App1, and a perimeter network. The perimeter network contains a server named Server1 that runs Windows Server.
You plan to provide external access to App1.
You need to implement the Web Application Proxy role service on Server1.
Which role should you add to Server1, and which role should you add to the network? To answer, drag the appropriate roles to the correct targets. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
You plan to provide external access to App1.
You need to implement the Web Application Proxy role service on Server1.
Which role should you add to Server1, and which role should you add to the network? To answer, drag the appropriate roles to the correct targets. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
正解:
Explanation:
You have an Azure virtual machine named VM1 that has a private IP address only.
You configure the Windows Admin Center extension on VM1.
You have an on-premises computer that runs Windows 11. You use the computer for server management.
You need to ensure that you can use Windows Admin Center from the Azure portal to manage VM1.
What should you configure?
You configure the Windows Admin Center extension on VM1.
You have an on-premises computer that runs Windows 11. You use the computer for server management.
You need to ensure that you can use Windows Admin Center from the Azure portal to manage VM1.
What should you configure?
正解:C
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)
Task 8
You need to deploy a new primary DNS zone named fabrikam.com to DC1. The zone must be signed.
You need to deploy a new primary DNS zone named fabrikam.com to DC1. The zone must be signed.
正解:
See the solution of this Task below.
Explanation:
To deploy a new primary DNS zone named fabrikam.com to DC1 and sign the zone, you can follow these steps:
Step 1: Create the Primary DNS Zone Use the Add-DnsServerPrimaryZone PowerShell command to create the primary zone:
Add-DnsServerPrimaryZone -Name "fabrikam.com" -ZoneFile "fabrikam.com.dns" -DynamicUpdate Secure This command creates a primary zone for fabrikam.com with a DNS file named fabrikam.com.dns and allows secure dynamic updates.
Step 2: Sign the Zone To sign the zone, you can use the DNS Manager or Windows PowerShell. Here's how to sign the zone using PowerShell:
Add-DnsServerSigningKey -ZoneName "fabrikam.com" -Type KeySigningKey -CryptoAlgorithm RsaSha256 Set-DnsServerDnsSecZoneSetting -ZoneName "fabrikam.com" -DenialOfExistence NSEC3 - NSEC3Parameters 1,0,10,"" These commands add a signing key to the zone and set DNSSEC settings with NSEC3 parameters.
Step 3: Publish the Signed Zone After signing the zone, ensure that it is published and available for DNS queries. You can verify the zone signing status using the following command:
Get-DnsServerZone -Name "fabrikam.com"
Note: Ensure that you have the appropriate permissions to perform these actions on DC1 and that the DNS Server role is installed and properly configured. Also, replace "fabrikam.com.dns" with the actual path to your DNS file if it's different12.
By following these steps, you should be able to deploy and sign the new primary DNS zone fabrikam.com on DC1.
Explanation:
To deploy a new primary DNS zone named fabrikam.com to DC1 and sign the zone, you can follow these steps:
Step 1: Create the Primary DNS Zone Use the Add-DnsServerPrimaryZone PowerShell command to create the primary zone:
Add-DnsServerPrimaryZone -Name "fabrikam.com" -ZoneFile "fabrikam.com.dns" -DynamicUpdate Secure This command creates a primary zone for fabrikam.com with a DNS file named fabrikam.com.dns and allows secure dynamic updates.
Step 2: Sign the Zone To sign the zone, you can use the DNS Manager or Windows PowerShell. Here's how to sign the zone using PowerShell:
Add-DnsServerSigningKey -ZoneName "fabrikam.com" -Type KeySigningKey -CryptoAlgorithm RsaSha256 Set-DnsServerDnsSecZoneSetting -ZoneName "fabrikam.com" -DenialOfExistence NSEC3 - NSEC3Parameters 1,0,10,"" These commands add a signing key to the zone and set DNSSEC settings with NSEC3 parameters.
Step 3: Publish the Signed Zone After signing the zone, ensure that it is published and available for DNS queries. You can verify the zone signing status using the following command:
Get-DnsServerZone -Name "fabrikam.com"
Note: Ensure that you have the appropriate permissions to perform these actions on DC1 and that the DNS Server role is installed and properly configured. Also, replace "fabrikam.com.dns" with the actual path to your DNS file if it's different12.
By following these steps, you should be able to deploy and sign the new primary DNS zone fabrikam.com on DC1.
You have two on-premises servers named Server1 and Servet2 that run Windows Server.
You have an Azure Storage account named storage1 that contains a file share named share'. Server1 syncs with share1 by using Azure File Sync You need to configure Server2 to sync with share1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
You have an Azure Storage account named storage1 that contains a file share named share'. Server1 syncs with share1 by using Azure File Sync You need to configure Server2 to sync with share1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
正解:
Explanation:
You haw an Azure virtual machine named VM1 that runs Windows Server
You need to configure the management of VM1 to meet the following requirements:
* Require administrators to request access to VM1 before establishing a Remote Desktop connection.
* Limit access to VM1 from specific source IP addresses.
* Limit access to VMI to a specific management port
What should you configure?
You need to configure the management of VM1 to meet the following requirements:
* Require administrators to request access to VM1 before establishing a Remote Desktop connection.
* Limit access to VM1 from specific source IP addresses.
* Limit access to VMI to a specific management port
What should you configure?
正解:D
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)
Task 10
You use a Group Policy preference to map \\dd.contoso.com\instal1 as drive H for all users. If a user already has an existing drive mapping for H. the new drive mapping must take precedence.
You use a Group Policy preference to map \\dd.contoso.com\instal1 as drive H for all users. If a user already has an existing drive mapping for H. the new drive mapping must take precedence.
正解:
See the solution of this Task below.
Explanation:
To map \\dd.contoso.com\instal1 as drive H for all users using Group Policy Preferences and ensure that the new drive mapping takes precedence over any existing mappings, follow these steps:
Step 1: Open Group Policy Management Console Open the Group Policy Management Console (GPMC) on a machine that has administrative privileges over the domain.
Step 2: Create or Edit a GPO Create a new Group Policy Object (GPO) or edit an existing one that applies to the users who need the drive mapping.
Step 3: Navigate to Drive Mappings In the GPO Editor, navigate to:
User Configuration -> Preferences -> Windows Settings -> Drive Maps
Step 4: New Drive Mapping Right-click on Drive Maps and select New -> Mapped Drive.
Step 5: Configure Drive Mapping In the New Drive Properties window, configure the following settings:
* Action: Select Replace. This action will overwrite any existing mappings with the same drive letter.
* Location: Enter the UNC path \\dd.contoso.com\instal1.
* Drive Letter: Choose H: from the drop-down menu.
* Reconnect: Check this option if you want the drive mapping to persist across logon sessions.
* Label As: Optionally, provide a label for the drive mapping.
* Hide/Show this drive: Set according to your preference.
* Hide/Show all drives: Set according to your preference.
Step 6: Common Tab Go to the Common tab and configure the following:
* Run in logged-on user's security context (user policy option): Check this option.
* Item-level targeting: Click on Targeting and set up any specific criteria if needed.
Step 7: Apply the GPO Click Apply and then OK to save the drive mapping configuration.
Step 8: Link the GPO Link the GPO to an Organizational Unit (OU) or domain that contains the users who should receive the drive mapping.
Step 9: Update Group Policy Instruct users to log off and log back on, or use the gpupdate /force command to refresh Group Policy on their computers.
Explanation:
To map \\dd.contoso.com\instal1 as drive H for all users using Group Policy Preferences and ensure that the new drive mapping takes precedence over any existing mappings, follow these steps:
Step 1: Open Group Policy Management Console Open the Group Policy Management Console (GPMC) on a machine that has administrative privileges over the domain.
Step 2: Create or Edit a GPO Create a new Group Policy Object (GPO) or edit an existing one that applies to the users who need the drive mapping.
Step 3: Navigate to Drive Mappings In the GPO Editor, navigate to:
User Configuration -> Preferences -> Windows Settings -> Drive Maps
Step 4: New Drive Mapping Right-click on Drive Maps and select New -> Mapped Drive.
Step 5: Configure Drive Mapping In the New Drive Properties window, configure the following settings:
* Action: Select Replace. This action will overwrite any existing mappings with the same drive letter.
* Location: Enter the UNC path \\dd.contoso.com\instal1.
* Drive Letter: Choose H: from the drop-down menu.
* Reconnect: Check this option if you want the drive mapping to persist across logon sessions.
* Label As: Optionally, provide a label for the drive mapping.
* Hide/Show this drive: Set according to your preference.
* Hide/Show all drives: Set according to your preference.
Step 6: Common Tab Go to the Common tab and configure the following:
* Run in logged-on user's security context (user policy option): Check this option.
* Item-level targeting: Click on Targeting and set up any specific criteria if needed.
Step 7: Apply the GPO Click Apply and then OK to save the drive mapping configuration.
Step 8: Link the GPO Link the GPO to an Organizational Unit (OU) or domain that contains the users who should receive the drive mapping.
Step 9: Update Group Policy Instruct users to log off and log back on, or use the gpupdate /force command to refresh Group Policy on their computers.
You have an Azure subscription that contains the virtual networks shown in the following table.
You deploy a virtual machine named VM1 that runs Windows Server. VM1 is connected to Subnet11.
You plan to add an additional network interface named NIC1 to VM1.
To which subnets can NIC1 be attached?
You deploy a virtual machine named VM1 that runs Windows Server. VM1 is connected to Subnet11.
You plan to add an additional network interface named NIC1 to VM1.
To which subnets can NIC1 be attached?
正解:B
解答を投票する
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three Active Directory sites named Site1, Site2, and Site3. Each site contains two domain controllers. The sites are connected by using DEFAULTIPSITELINK.
You open a new branch office that contains only client computers.
You need to ensure that the client computers in the new office are primarily authenticated by the domain controllers in Site1.
Solution: You create a new site named Site4 and associate Site4 to DEFAULTSITELINK.
Does this meet the goal?
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three Active Directory sites named Site1, Site2, and Site3. Each site contains two domain controllers. The sites are connected by using DEFAULTIPSITELINK.
You open a new branch office that contains only client computers.
You need to ensure that the client computers in the new office are primarily authenticated by the domain controllers in Site1.
Solution: You create a new site named Site4 and associate Site4 to DEFAULTSITELINK.
Does this meet the goal?
正解:B
解答を投票する
Your company has a main office and 10 branch offices that are connected by using WAN links. The network contains an Active Directory domain.
All users have laptops and regularly travel between offices.
You plan to implement BranchCache in the branch offices.
In each branch office, you install a server that runs Windows Server and the BranchCache feature. You register the servers in Active Directory.
You need to configure the laptops to use the local BranchCache server automatically. The solution must minimize administrative effort.
Which two Group Policy settings should you configure? To answer, select the settings in the answer area.
NOTE: Each correct selection is worth one point.
All users have laptops and regularly travel between offices.
You plan to implement BranchCache in the branch offices.
In each branch office, you install a server that runs Windows Server and the BranchCache feature. You register the servers in Active Directory.
You need to configure the laptops to use the local BranchCache server automatically. The solution must minimize administrative effort.
Which two Group Policy settings should you configure? To answer, select the settings in the answer area.
NOTE: Each correct selection is worth one point.
正解:
Explanation:
--> Turn on BranchCache
--> Enable Automatic Hosted Cache Discovery by Service Connection ...
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server 2022 and has the DHCP Server role. Server1 contains a single DHCP scope named Scope1.
You deploy five printers to the network.
You need to ensure that the printers are always assigned the same IP address.
Solution: You create a DHCP address exclusion for each printer.
Does this meet the requirement?
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server 2022 and has the DHCP Server role. Server1 contains a single DHCP scope named Scope1.
You deploy five printers to the network.
You need to ensure that the printers are always assigned the same IP address.
Solution: You create a DHCP address exclusion for each printer.
Does this meet the requirement?
正解:B
解答を投票する