AZ-800 Administering Windows Server Hybrid Core Infrastructure Questions and Answers

In the Administering Windows Server Hybrid Core Infrastructure materials (AZ-800), Microsoft explains that Group Managed Service Accounts (gMSAs) are designed for services running on multi ple servers and “provide automatic password management, simplified SPN management, and the ability to delegate the management to other administrators.” The guidance further states that before you can create any gMSA, “the domain must have a KDS root key so that the Key Distribution Service can generate and rotate strong, unique passwords for gMSAs on a schedule.” After the KDS root key is created, “use New-ADServiceAccount to create the gMSA and grant the computers (e.g., web servers) permission to retrieve the account password.” For IIS, the course notes specify that a gMSA can be used for app pools: “Configure the IIS application pool identity to a custom account and specify the gMSA name (ending with ‘$’) without a password; the password is managed automa tically by AD and rotates by policy (for example, every 30 days).”

Mapping these requirements to the scenario: Webapp1 runs on WEB1 and WEB2 and must use the same service account with an automatic 30-day password change . Therefore, the correct sequence is: create the KDS root key , create the gMSA , and then set the IIS application pool to run under that account. This fulfills the security requirement while allowing both web servers to share the same, automatically-rotated credentials.

n the Administering Windows Server Hybrid Core Infrastructure guidance for managing AD DS, Microsoft emphasizes using OU-level delegation to satisfy administrative needs while adhering to the principle of least privilege. The documentation explains that the Delegate Control wizard on an OU lets you grant a user or group only the specific permissions required for common tasks, including “Modify the membership of a group”. This grants the write permission to the member attribute on group objects contained in that OU, without giving broader account-management rights across the domain.

By contrast, placing a user in Account Operators or Server Operators provides elevated, domain-wide capabilities far beyond what is required. Account Operators can create, delete, and modify many account types across the domain (except for protected admin accounts), which violates least-privilege for a task that only needs to change group membership in one OU. Server Operators is unrelated to group membership and is intended for server administration tasks. Creating a delegation at the domain root would similarly be excessive because it applies broadly to all containers and OUs.

Therefore, to meet the requirement “Ensure that User1 can manage the membership of all the groups in Contoso\OU3,” you should delegate control on OU3 and assign the built-in task “Modify the membership of a group” to User1, achieving the minimal permissions necessary.

The exam materials explain that to add a new domain controller to an existing AD DS forest in Azure, you deploy a Windows Server IaaS VM and then promote it: “To extend on-premises AD DS into Azure, provision a Windows Server VM in Azure and run AD DS to create an additional domain controll er for the existing domain.” Conversely, Azure Active Directory Domain Services (Azure AD DS) provides a managed domain that is separate from and not writable by your on-premises administrators —you “do not get domain admin rights or access to DCs” —so it cannot be used to add a DC (dc3.corp.fabrikam.com) to the existing corp.fabrikam.com forest. Azure AD Application Proxy and Azure AD administrative units are unrelated to deploying DCs. Therefore, the correct implementation is to deploy an Azure virtual machine in Vnet1, install AD DS/DNS, and promote it to become DC3 in the existing domain.

The exam materials for Administering Windows Server Hybrid Core Infrastructure explain that when replacing private WAN links with Azure, Azure Virtual WAN (vWAN) can be used to centralize connectivity. For private connectivity, ExpressRoute integrates directly with a vWAN hub by deploying an ExpressRoute gateway in the hub. The gateway is the Azure resource that terminates ExpressRoute and enables hub-and-spoke routing to connected VNets (such as Vnet1 ). The guides emphasize: “ In a Virtual WAN hub, use the ExpressRoute gateway to connect ExpressRoute circuits and propagate routes acro ss the hub to your virtual networks .”

On-premises, each site (New York and Seattle) requires an ExpressRoute circuit connection provisioned via a connectivity provider. The circuit is the dedicated private connection from the customer edge to Microsoft’s edge and is what the office sites actually use; it’s then linked to the vWAN hub’s ExpressRoute gateway. The same materials note that Site-to-Site VPN is an alternative transport but is not required when ExpressRoute is mandated. Likewise, Application Gateway is a Layer-7 load balancer for HTTP/S traffic, and on-premises data gateway relates to Power BI/Power Platform hybrid connectivity, neither of which establishes network transport between offices and Azure.

Therefore, to meet the requirement “connect both on-premises offices to Vnet1 by using ExpressRoute,” configure an ExpressRoute gateway on the vWAN hub and ExpressRoute circuit connections in the offices.

In the Windows Server exam materials for Administering Windows Server Hybrid Core Infrastructure (AZ-800) , Microsoft documents that Data Deduplication is supported only on data volumes and specifically on NTFS-formatted volumes , and it cannot be enabled on the system or boot volume . The study text states: “Data Deduplication is applied at the volume level and supports NTFS data volumes. You cannot enable deduplication on the system or boot volume.” It further clarifies unsupported targets: “ReFS volumes and FAT/exFAT volumes are not supported for Data Deduplication in general-purpose server scenarios,” and emphasizes that deduplication is “not available for the operating s ystem volume.”

Applying these rules to VM3:

C: NTFS but it is the OS/system volume → not eligible .

D: NTFS data volume → eligible .

E: ReFS → not supported for general-purpose dedup in this context.

F: exFAT → not supported .

Therefore, the only volume on which you can enable Data Deduplication to meet the requirement is volume D .

In the AZ-800 “Administering Windows Server Hybrid Core Infrastructure” objectives for Active Directory, server promotion is governed by forest/domain administrative roles. The materials state that promoting a member server to a domain controller in a given domain requires membership in either the Enterprise Admins group or the Domain Admins group of the target domain. The Configuration and Domain naming contexts that DCPromo touches (NTDS settings, SYSVOL/DFS-R readiness, DC computer account, and associated service SPNs) are protected so that “Enterprise Admins have full rights forest-wide, and Domain Admins have full rights within their respective domain.”

In this case, the requirement is to promote Server1 to a domain controller in canada.contoso.com. From the identities table:

Contoso\Admin1 is a member of Enterprise Admins (forest-wide authority).

Canada\Admin3 is a member of Canada\Domain Admins (authority within canada.contoso.com).

Contoso\Admin2 is Domain Admins (contoso.com) only, which does not grant administrative authority in the canada.contoso.com child domain.

Therefore, the users who can currently perform the required task for Server1 are Admin1 and Admin3.

Server1 - Set-Item

Server4 - Enable-PSRemoting

ProcessA : All the containers and Server1

ProcessB : Container3 and Server1 only

Comprehensive and Detailed Explanation with all Administering Windows Server Hybrid Core Infrastructure documents : =

Understand ing the visibility of processes within Windows Server containers depends entirely on the isolation mode used: Windows Server isolation (Process isolation) or Hyper-V isolation . According to official documents for Administering Windows Server Hybrid Core In frastructure, these two modes determine how the container ' s kernel and processes interact with the host system.

Windows Server Isolation (Process Isolation) : In this mode, containers share the same kernel as the host. Processes running inside the container are essentially standard processes on the host, albeit isolated through namespaces and resource controls. Consequently, a process running in a process-isolated container (like Container1 and Container2 in the exhibit) is visible from the host ' s Task Manag er or Get-Process command, as well as from other containers sharing the same host kernel. Therefore, ProcessA can be verified as running from All the containers and Server1 .

Hyper-V Isolation : This mode provides a more secure and isolated environment by ru nning each container inside its own highly optimized virtual machine (utility VM). Because each container has its own private kernel, the host cannot " see " the internal processes of the container, and containers cannot see into each other. Container3 uses Hyper-V isolation. Therefore, ProcessC is only visible to the internal operating system of Container3 and, at a management level, to Server1 (the host). It is invisible to other containers (Container1, 2, and 4) because they are separated by kernel-level boundaries. Thus, you can verify ProcessC on Container3 and Server1 only .

In Windows Server AD DS, group scope determines which groups/accounts can be members. The AZ-800 study materials summarize: “Domain Local groups can include accounts, Global groups, and Universal groups from any domain and Domain Local groups from the same domain only. Global groups can include accounts and other Global groups from the same domain only. Universal groups can include *accounts, Global groups, and Universal groups from any domain.” In addition, distribution vs. security does not change the scope membership rules; it only affects whether the group can be assigned permis sions.

Applying the rules: Group3 is a Domain Local security group in contoso.com . Therefore it can contain Universal (Group1), Global from any domain (Group2 in contoso.com and Group4/Group5 in canada.contoso.com), but cannot contain a Domain Local from a nother domain (Group6 in canada.contoso.com). Hence: Group1, Group2, Group4, and Group5 only .

Group5 is a Global distribution group in canada.contoso.com . A Global group can only contain accounts or Global groups from the same domain . From the list, only G roup4 (Global distribution, canada.contoso.com) fits. It cannot contain Group1 (Universal), Group2 (Global but different domain), or Group6 (Domain Local). Therefore: Group4 only .

The exam materials state that Azure Automation runbooks can be authored in PowerShell and Python (along with Graphical and PowerShell Workflow where noted). The module on “Automate management in hybrid environments” specifies: “Runbooks support PowerShell for Windows-based automation and Python for cross-platform scenarios.” It further explains that these languages integrate with Automation Accounts, modules/packages, credentials, and managed identities to run tasks on Azure or hybrid resources through the Hybrid Runbook Worker. Languages such as Java, JavaScript, or Bicep are not runbook languages (Bicep is used for ARM template deployments, not runbook execution). Accordingly, Task1 can be implemented in PowerShell and Python.

The Administering Windows Server Hybrid Core Infrastructure content notes that Microsoft Entra Connect cloud sync uses lightweight agents and supports synchronizing specific OUs from multiple forests into a single tenant. The guide highlights that cloud sync “is designed for multi-forest or cross-organization scenarios and allows scoping to selected OUs and groups,” enabling granular onboarding of just the identities you need. The requirement says “the users in the Marketing OU (in Fabrikam’s forest) must have access to storage1.” Granting access to Azure Files using Entra-based authorization requires that those users exist in the same Entra tenant. Cloud sync enables importing only the Fabrikam Marketing OU into A. Datum’s tenant without establishing full trust for all users. Azure AD Connect in active or staging mode would target the A. Datum forest and isn’t intended for selectively bringing in a separate partner forest OU; AD FS is a federation solution and does not create tenant objects for ACLs on Azure resources like Azure Files. Therefore, implement Microsoft Entra Connect cloud sync and scope it to the Marketing OU to meet the requirement.

In the Administering Windows Server Hybrid Core Infrastructure materials under Hyper-V management, Microsoft specifies that Enhanced Sess ion Mode changes VMConnect from a raw console attach to a connection that uses Remote Desktop Protocol (RDP) to the guest. The guide states that Enhanced Session Mode “ uses RDP to establish the VMConnect session so the user must supply credentials for a lo gon to the guest operating system ,” and further that it “ prevents a second administrator from inheriting an already signed-in console session ” because the connection is treated as a new interactive sign-in. In contrast, the default basic console session “ attaches directly to the active console without prompting for credentials ,” which is exactly the current problem described for VM2.

The same objective area clarifies that other options do not meet the requirement: Guest Services integration only enables fi le copy and certain host-guest interactions; Credential Guard protects secrets inside Windows by isolating LSASS but does not affect Hyper-V console connection behavior ; Shielded VMs provide fabric-level protections and encryption but are not required mere ly to force credential prompts for VMConnect.

Therefore, to force users to provide credentials when they connect to VM2 and to eliminate inherited console sessions, you should enable Enhanced Session Mode on the Hyper-V host (and ensure the guest supports RDP).

The AZ-800 materials explain that enabling Microsoft Entra (Azure AD) sign-in to Windows Server running as an Azure VM is done by deploying the Azure AD Login for Windows VM extension. The study guide states that “for Azure VMs, Microsoft Entra sign-in is enabled by installing the AADLoginForWindows extension; once installed, Entra users and groups granted ‘Virtual Machine User/Login’ roles can sign in using Entra credentials.” The required operation is performed from Azure PowerShell with Set-AzVMExtension , providing the publisher Mic rosoft.Azure.ActiveDirectory , type AADLoginForWindows , and the target VM. Other options are not applicable: Set-AzVM changes VM properties but does not install extensions; New-ADComputer and Add-ADComputerServiceAccount are AD DS cmdlets unrelated to enabling Entra login on an Azure VM. Therefore, to meet the plan “Enable Microsoft Entra users to sign in to Server1,” you must run Set-AzVMExtension to install the AAD Login extension on Server1.

In the Windows Server Hybrid Core Infrastructure objectives for Active Directory group design, group scope and type determine valid membership and usage. The study guidance for group scopes states that a Domain Local group is used to assign permissions in its own domain and “can contain accounts, computer objects, global groups from any domain, and universal groups; it can also contain other domain local groups from the same domain only.” Security-type restrictions also apply: “Security groups can contain only security principals; distribution groups cannot be nested into security groups for access control.”

Applying these rules to Group3 (contoso.com Domain Local Security): it can accept security groups of compatible scopes. From the lists, Group1 (contoso.com Universal Security) and Group2 (contoso.com Global Security) are valid. Distribution groups (Group4, Group5, Group6) are not valid members of a security group used for authorization. Therefore, Group3 ⇒ Group1 and Group2 only.

For Group5 (canada.contoso.com Global Distribution), the scope rule for Global groups is: “Global groups can include user accounts and other global groups from the same domain only; they cannot include universal or domain local groups.” Hence, the only eligible group from the same domain and scope is Group4 (canada.contoso.com Global Distribution). Group6 is domain local (invalid), and cross-domain globals (Group2) are not permitted. Therefore, Group5 ⇒ Group4 only.

The Failover Clustering content in AZ-800 explains that Cluster Shared Volumes (CSV) allow multiple cluster nodes to simultaneously access the same NTFS/ReFS volume, making them the standard storage layout for highly available Hyper-V virtual machines and enabling feat ures like Live Migration and Quick Migration . CSVs present a consistent namespace across nodes (e.g., C:\ClusterStorage\VolumeX ) and are specifically recommended for storing VHDX files and configuration data for clustered VMs. By contrast, DFS Replication is not supported for virtual machine storage due to file-locking and consistency constraints; storage pools pertain to Storage Spaces, not an iSCSI LUN already presented to both hosts; and a mirrored volume on a single node does not provide cluster-wide, c oncurrent access. The guidance is explicit that when using a shared LUN (such as iSCSI) for clustered Hyper-V workloads, you should add the disk to the cluster, enable CSV , and place VMs on the CSV to support continuous availability and Live Migration with out downtime. Thus, the correct storage resource is Cluster Shared Volumes (CSV) .

No

Yes

Yes

In Administering Windows Server Hybrid Core Infrastructure , Microsoft states that the domain password policy for domain user accounts is determined by the GPO that wins at the domain root (commonly the Default Domain Policy ). GPOs linked to OUs do not change the domain password policy for user accounts in those OUs; they only affect local accounts on computers within those OUs unless Fine-Grained Password Policies (PSOs) are used and scoped to users/groups. The case shows Default Domain Policy in contoso.com sets Minimum password length = 10 . Therefore, both Admin1 (a domain user in Contoso\OU1) and User1 (in Contoso\OU3) fall under the 10-character minimum; the OU-linked GPO1 (14) does not override the domain password policy for their domain accounts → Admin1: No , User1: Yes .

For member servers and local accounts , the documentation explains that password policy settings in a GP O linked to the OU containing the computer apply to that computer’s local Security Accounts Manager (SAM) . In the scenario, Server1 resides in Member Servers and GPO2 linked to Member Servers specifies Minimum password length = 8 . Thus, when Admin1 creates a local account on Server1 , the enforced minimum is 8 characters → Yes . This approach follows least privilege and standard precedence: domain-level for domain accounts, OU-linked GPOs for local accounts, unless PSOs are explicitly defined.

In the Administering Windows Server Hybrid Core Infrastructure objectives for managing Hyper-V, enabling nested virtualization is the required step when you must “run virtual machines inside a virtual machine.” The referenced guidance states that Hyper-V on a VM is supported only when the host exposes hardware virtualization features to the guest. The prescriptive step is: “Turn off the VM and run Set-VMProcessor -VMName < V MName > -ExposeVirtualizationExtensions $true to enable nested virtualization.” The module further notes that this action “passes through Intel VT-x/AMD-V to the guest so the guest OS can install the Hyper-V role and create VMs.” It also clarifies that “the setting is applied on the parent host for the target VM and requires the VM to be powered off before the change is committed.”

Because the technical requirement says “Ensure that you can run virtual machines on VM1”, VM1 must be able to host Hyper-V while itself running as a VM on Server2. The first and essential cmdlet is therefore Set-VMProcessor with the -ExposeVirtualizationExtensions switch set to $true against VM1. Other optional settings (for example, MAC spoofing on the vNIC or static memory) may be configured later if needed, but exposing virtualization extensions is the enabling prerequisite that satisfies the requirement.

In the Windows Server container topic of Administering Windows Server Hybrid Core Infrastructure , Microsoft states the behavior of the two Windows container isolation modes very clearly:

Process isolation: “Windows Server containers run with process isolation and share the kernel with the host . Because the container uses the host’s kernel, the container base image must match the host OS version (including build) for the container to start.”

Hyper-V isolation: “With Hyper-V isolated containers, each container runs inside a lightweight virtual machine that has its own kernel , providing kernel-level isolation. Hyper-V isolation removes the requirement for the container image version to match the host , allowing older or differen t Windows versions to run on a newer host.”

Applying those rules to Host1 (Windows Server 2022):

Image1 (Windows Server 2022) matches the host version. Therefore, it can run with process isolation (kernel shared and versions match). Hyper-V isolation is always available as well, so either process or Hyper-V isolation can be used.

Image2 (Windows Server 2019) does not match the host’s kernel version. With process isolation this mismatch prevents startup. However, Hyper-V isolation provides its own kernel boundary, so the container can run only with Hyper-V isolation.

Thus, the correct selections are: Image1 – Hyper-V isolation or process isolation; Image2 – Hyper-V isolation only.

In the Administering Windows Server Hybrid Core Infrastructure materials (AZ-800), the prescribed sequence for enabling VM domain-join to Azure Active Directory Domain Services (Azure AD DS) is to first prepare networking, then deploy the managed domain, and finally point DNS to that domain. The guide explains that Azure AD DS is a managed domain and that you must deploy it into a virtual network: “Azure AD DS pr ovides domain join, group policy, and LDAP/NTLM/Kerberos without deploying domain controllers. The managed domain is associated with an Azure virtual network.” It further directs that VMs can only discover and join the managed domain when the VNet’s DNS points to the Azure AD DS IPs: “To enable name resolution for domain join, configure the virtual network DNS servers to the IP addresses of the Azure AD DS managed domain.”

Therefore, the correct, exam-aligned order is:

Create an Azure virtual network (the target network/subnet into which the managed domain will be placed).

Create an Azure AD DS instance (the managed domain is deployed into that VNet and provides two IP addresses).

Modify the settings of the Azure virtual network to use those IP addresses as custom DNS servers so that new or existing Azure VMs in that VNet can locate and join the domain. Installing the AD DS role or running its wizard is not required for Azure AD DS, and Azure AD Connect is optional for identity sync but not required for VM join.

To meet the requirement that VM3 be configured for per-folder quotas, the Windows Server file services module directs you to install File Server Resource Manager (FSRM). The course content explains: “FSRM provides quota management, file screening, and storage reporting. Quotas can be applied to volumes and to specific folders, enabling administrators to control the space consumed.” None of the other features listed deliver folder-level quota capability: Enhanced Storage and Windows Standards-Based Storage Management relate to storage management/SMI-S, and iSNS Server concerns iSCSI discovery services. Therefore, the first step is to install FSRM on VM3; after installation, you can create per-folder quota templates and assignments to enforce the desired limits.

To ensure that all objects, specifically Computer1 , can be used in Conditional Access (CA) policies, the environment must support device-based ide ntity in the cloud. In a hybrid scenario, while user objects and security groups (like Group1 and Group2 ) can be synchronized through standard Azure AD Connect (Microsoft Entra Connect) synchronization cycles, computer objects require specific configuratio n to become " identifiable " by Conditional Access.

According to the official study guides for the AZ-800 exam, simply syncing a computer object does not make it a " Hybrid Azure AD joined " device. To enable Computer1 to be used as a target or a condition (e. g., " Require Hybrid Azure AD joined device " ) in a CA policy, you must run the Azure AD Connect wizard and select the Configure Hybrid Azure AD join task. This process configures a Service Connection Point (SCP) in your on-premises Active Directory, which a llows Windows 10/11 devices like Computer1 to discover the Azure AD tenant and complete the registration process.

Furthermore, while group scopes (Universal vs. Domain Local) are often discussed in sync scenarios, Azure AD Connect by default synchronizes s ecurity groups regardless of their scope if they are within the synchronized Organizational Units (OUs). Therefore, the critical step to satisfy the requirement for " all objects " —especially the computer account—is enabling the Hybrid Join feature to establ ish a cloud-side device identity. This provides the necessary " device signal " that Conditional Access evaluates to grant or deny access.

Set-VMProcessor VM1 -ExposeVirtualizationExtensions $true

In a Windows Server Hyper-V environme nt, running Hyper-V inside a virtual machine (i.e., installing the Hyper-V role in a guest) requires nested virtualization . The Administering Windows Server Hybrid Core Infrastructure materials explain that before you can add the Hyper-V role in the guest OS, the virtualization extensions of the physical CPU must be exposed to the VM: “To enable a virtual machine to act as a Hyper-V host, configure the VM to expose hardware virtualization extensions to the guest. This is done with the VM processor settings and is a prerequisite to installing the Hyper-V role inside the VM.” The guide further clarifies: “Use the PowerShell cmdlet Set-VMProcessor with the -ExposeVirtualizationExtensions parameter to allow the guest to see VT-x/AMD-V so that the Hyper-V role can be installed and started successfully.”

Other host settings such as Enhanced Session Mode, firmware options, or host resource protection are unrelated to enabling nested virtualization. After exposing the extensions, you can start VM1 and install the H yper-V role (e.g., Install-WindowsFeature Hyper-V -IncludeManagementTools -Restart ). Therefore, the first command you must run on the parent host (Server1) to permit installing Hyper-V within VM1 is:

Set-VMProcessor VM1 -ExposeVirtualizationExtensions $tru e .

Disk1 (three-way mirror): 2 disks; Disk2 (parity): 1 disk

\In the Administering Windows Server Hybrid Core Infrastructure materials on Storage Spaces resiliency, Microsoft describes how each resiliency type determines simultaneous disk-failure tolerance. The guide explains that mirror spaces keep multiple copies of data: “Two-way mirror writes two copies and can sustain a single disk failure; three-way mirror writes three copies and can sustain the loss of any two disks without data loss.” It also differentiates parity spaces , which stripe data with parity information: “Parity provides capacity efficiency comparable to RAID-5 and tolerates a single disk failure (use dual parity to withstand two failures).”

Applying these to SSPace1:

Disk1 uses a three-way mirror across eight physical disks. By definition, a three-way mirror survives two concurrent disk failures and remains online, satisfying the “always available” requirement.

Disk2 is configured as parity across twelve ph ysical disks. Standard parity (single parity) is equivalent to RAID-5 and survives one disk failure ; only dual parity would allow two, but the configuration provided specifies parity (not dual parity).

Therefore, the maximum simultaneous physical disk fail ures while maintaining availability are 2 for Disk1 and 1 for Disk2 .

The Azure File Sync section of the Administering Windows Server Hybrid Core Infrastructure materials states that a sync group defines the topology for synchronization and “contains one cloud endpoint and one or more server endpoints.” A cloud endpoint is an Azure file share associated with a Storage Sync Service. The guidance also notes that “the Storage Sync Service and the storage account (file share) must reside in the same Azure region” and that “a single Azure file share can be the cloud endpoint for only one sync group.” In the scenario, SyncA is in West US, so only file shares in West US (for example, storage1\share1 or storage2\share2) are eligible. However, regardless of how many eligible shares exist, the exam guide is explicit: each sync group supports a maximum of one cloud endpoint. Additional endpoints in the group must be server endpoints on Windows Server volumes. Therefore, the maximum number of cloud endpoints you can use with GroupA is 1, which directly reflects the product’s architecture and the documented exam objective requirements.

In the AZ-800 materials on “Manage and maintain Windows Server IaaS virtual machines,” the Serial Console requirement is called out clearly: the VM must have Boot diagnostics enabled so Azure can capture the console and provide an interactive text console during boot and runtime. The guidance explains that enabling Boot diagnostics (either managed or with a storage account) stores the console output and screen shots that the Serial Console relies on. Guest-level diagnostics or a managed identity are not prerequisites for Serial Console access.

Access control to the Serial Console is governed by Azure RBAC. The study guidance states that users must be granted either Virtual Machine Contributor (broad rights) or the minimal login roles; for secure, least-privilege access to a console session with administrative rights, assign Virtual Machine Administrator Login to the user. This role allows interactive sign-in to the VM (RDP/SSH/Serial Console) without granting configuration permissions on the VM.

Therefore, to let user1@contoso.com use the Serial Console while meeting least-privilege objectives, enable Boot diagnostics on the VM (here, with a custom storage account, which satisfies the boot diagnostics requirement) and assign the Virtual Machine Administrator Login role to User1.

 User1 can establish a PowerShell remoting session from Server1 to Server2. Yes

 User2 can establish a PowerShell remoting session from Server2 to DC1. No

 User3 can establish a PowerShell remoting session from Server1 to Server2. No

PowerShell Remoting (WinRM) security and connectivity are central themes in the Administering Windows Server Hybrid Core Infrastructure curriculum. The ability to establish a remote session is determined by three factors: the service state on the target, the network path, and the user ' s effective permissions.

User1 (Serv er1 to Server2) : On Server2 , the Enable-PSRemoting cmdlet has been executed. By default, this configures the WinRM service to allow connections from members of the local Administrators group. Since User1 is a member of the Contoso\Administrators group, and this domain group is a member of the local Administrators group on all member servers by default, User1 has the necessary rights to establish a session to Server2.

User2 (Server2 to DC1) : While User2 is a member of the Contoso\Remote Management Users grou p—a group specifically designed to provide non-administrative users with remoting access—the scenario explicitly states that Enable-PSRemoting was run only on Server2 . For any user to establish a remoting session to DC1 , the WinRM listener must first be en abled and configured on that specific target. Because the prompt does not indicate that remoting was enabled on DC1, the connection will fail regardless of User2 ' s group membership.

User3 (Server1 to Server2) : User3 is a member of the local Server2\Power U sers group. According to official documentation, the Power Users group does not possess the default permissions required to access the WinRM endpoints (Microsoft.PowerShell or Microsoft.Windows.ServerManager). Only members of the local Administrators or Re mote Management Users groups are granted these rights when Enable-PSRemoting is executed. Therefore, User3 cannot establish the session.

In the Administering Windows Server Hybrid Core Infrastructure material under Windows Remote Management/PowerShell Remoting and authentic ation, Microsoft describes the classic “second-hop” issue: when you start a remote session to Server2 using Kerberos and then try to reach a resource on Server3 , “ your delegated credentials are not forwarded by default .” The guide explains that Kerberos “ d oes not allow delegation unless it is explicitly configured ,” and the recommended domain-based solution is Kerberos constrained delegation (KCD) . With KCD you “ permit a specific computer account to delegate a user’s Kerberos credentials only to explicitly listed services ,” for example allowing Server2 (the WinRM/HTTP endpoint you connect to) to delegate to CIFS on Server3 so file or other resource access succeeds during the second hop.

The docs contrast this with alternatives: CredSSP can work but “ is broad er in exposure and requires enabling a less restrictive credential delegation mechanism ,” while JEA limits what commands can be run and does not solve credential delegation . Selective authentication applies to forest trusts, and Enforce user logon restrict ions relates to KDC validation and is not a remedy for second-hop delegation . Because the requirement is to pass credentials from Server1 → Server2 → Server3 with minimal administrative touch and preserve security boundaries, configuring Kerberos constrain ed delegation on Server2’s computer account for the target services on Server3 is the correct approach.

In the Administering Windows Server Hybrid Core Infrastructure content for File Services, Microsoft describes File Server Resource Manager (FSRM) as the feature used to control the types of files that users can store on file servers. The guide explains that a file screen “prevents users from saving unauthorized file types on a volume or in a folder by applying a file group (such as Audio and Video) or custom file name patterns (for example, *.mp4).” It further clarifies that file screening “does not affect access permissions to other files and folders and allows permitted file types to be stored without restriction.” By contrast, NTFS permissions govern access (read/write/modify) and “cannot filter by file extension,” and NTFS quotas and File Management Tasks address capacity and automated tasks, not content blocking. Therefore, to stop users from storing .MP4 while allowing all other files, you create a File Screen on the path to Share1 and block either the built-in Audio and Video file group or a custom pattern *.mp4. This aligns precisely with the exam guide’s directive that FSRM File Screening is the supported and intended method to restrict file types on Windows file shares while leaving other file operations unaffected.

 File1 : Server1 and the Azure file share

 File3 : The Azure file share only

Azure File Sync cloud tiering manages local storage by bal ancing two specific policies: the Volume Free Space Policy and the Date Policy . According to the official documentation for Administering Windows Server Hybrid Core Infrastructure, the Volume Free Space policy is the primary governing factor for tiering de cisions.

Storage Calculations : Volume E is 500 GB . With a 30 percent free space requirement, the server must maintain 150 GB of free space ($500 \times 0.30 = 150$). This means only 350 GB ($500 - 150$) of file content can be cached locally on Server1.

Dat e Policy Application : The date policy is set to 70 days . Any file not accessed within this window is automatically tiered regardless of free space.

File4 (Last accessed 100 days ago) is older than 70 days, so it is tiered to The Azure file share only .

Volume Free Space Application : The remaining files (File1, File2, and File3) were all accessed within the last 70 days. Their total size is 500 GB ($200 + 100 + 200 = 500$). Since the maximum allowed local storage is 350 GB , Azure File Sync must tier addit ional files to satisfy the 30% free space requirement.

Tiering Priority : Files are tiered based on their " coldness " (last access time). File3 (60 days ago) is significantly older than File1 (2 days) and File2 (10 days). By tiering File3, the remaining loca l data (File1 + File2) totals 300 GB , which fits within the 350 GB limit.

Conclusion : Consequently, File1 remains cached on Server1 and the Azure file share , while File3 is tiered to The Azure file share only .

Process isolation: image1 only

Hyper-V isolation: image1, image2, image3, and image4

The Administering Windows Server Hybrid Core Infrastructure materials explain two Windows container isolation modes. For process isolation , the guide states that Windows Server containers share th e host’s kernel and therefore require kernel/OS-version compatibility : “ Process-isolated Windows containers run directly on the host and use the host’s kernel; the container image must match the host OS version/build .” Because Host1 is Windows Server 2022 , only a Windows Server 2022 container image can be run with process isolation. Thus, among the images shown, image1 (Windows Server 2022) is the only one eligible for process isolation; 2019 and 2016 images have kernel mismatches and cannot run in that mod e.

The same materials describe Hyper-V isolation as running each container inside a lightweight utility VM: “ Hyper-V–isolated containers get their own kernel inside a special VM, removing the kernel version dependency on the host .” This mode “ allows runnin g different Windows versions than the host ” and, when LCOW/WSL is present, it “ enables running Linux containers on Windows ” by supplying a Linux kernel within the utility VM. Since Host1 has the Subsystem for Linux installed, Hyper-V isolation can run Wind ows Server 2022, 2019, 2016 container images and also Linux containers. Therefore, to maximize isolation, you can run image1, image2, image3, and image4 with Hyper-V isolation , while process isolation is limited to image1 only .

In AD DS, site, subnet, and site-link objects live in the Configuration partition and are forest-wide. The Administering Windows Server Hybrid Core Infrastructure materials explain that permissions to create and manage these Configuration objects are held by default by Enterprise Admins and also by Domain Admins of the forest-root domain. Because we must apply the principle of least privilege, adding Admin1 to Contoso\Domain Admins (the forest-root domain’s Domain Admins) is sufficient to create/manage AD sites without granting the broader, higher-risk Enterprise Admins role.

For promoting a server to a domain controller in an existing domain, the guide states that you must be a member of the Domain Admins group in that target domain (or have equivalent delegated rights). Enterprise Admins is only required for forest-wide tasks or when creating the first DC in a new domain. Since Admin2 needs to deploy DCs to the existing child domain east.contoso.com, the least-privilege assignment is East\Domain Admins. This grants the necessary rights to run AD DS installation, create the NTDS settings/server objects, and replicate, without unnecessary forest-level privileges.

The Windows Server DHCP role supports reservations that map a client’s unique identifier (commonly the MAC address) to a specific IPv4 address inside the scope. The AZ-800 study material describes reservations as the mechanism to “ensure that a particular device always receives the same IP address from the DHCP server while still being managed by DHCP.” When a reservation exists, the DHCP server will always offer and lease the reserved address to that client and will not allocate that address to any other client. This meets scenarios such as networked printers, appliances, or servers that require a consistent IP but where you still want centralized lease management (lease tracking, option delivery, and centralized auditing). The content further contrasts reservations with exclusions and options: exclusions remove addresses from the pool and options deliver configuration parameters, neither of which guarantees a stable assignment to a given device. Therefore, creating one DHCP reservation per printer in Scope1 precisely satisfies the requirement that the printers are always assigned the same IP address.

To collect the recommended Windows Performance Counters from SRV1 in a Log Analytics workspace, you can follow these steps:

Step 1: Access the Log Analytics Workspace Log in to the Azure portal and navigate to your Log Analytics workspace.

Step 2: Configure Performance Counters In the Log Analytics workspace, select Advanced settings and then choose Data > Windows Performance Counters1. You can add the recommended performance counters by selecting the + button. If you’re using legacy agent management, you can add counters from the Legacy agents management menu2.

Step 3: Add P erformance Counters Select the counters you want to collect. You can add common counters quickly by checking the boxes next to them. For specific counters, enter the name of the counter in the format object(instance)\counter. For example, to collect the Pr ocessor Time counter for all instances of the Processor object, specify Processor(_Total)\% Processor Time.

Step 4: Set Sample Interval When adding a counter, you can set the sample interval, which is the frequency at which data is collected. The default is 10 seconds, but you can change this to a higher value if needed.

Step 5: Apply Configuration After adding the desired performance counters, select Apply at the top of the screen to save the configuration.

Step 6: Install and Configure the Agent Ensure t hat the Microsoft Monitoring Agent (MMA) is installed on SRV1. Configure the agent to report to your Log Analytics workspace by specifying the workspace ID and key during setup.

Step 7: Verify Data Collection After the agent is configured, it will start co llecting the specified performance counters. You can verify the data collection in the Log Analytics workspace by running queries against the collected data.

Note: The legacy Log Analytics agent will be deprecated by August 2024. Migrate to the Azure Monit or agent before this date to continue ingesting data3.

By following these steps, you should be able to collect the recommended Windows Performance Counters from SRV1 in your Log Analytics workspace. Ensure that you have the necessary permissions and that S RV1 has network connectivity to Azure services.

TASK 7

???? Objective:

Attach the VHDX file c:\vhds\Disk1.vhdx to VM1 so it can dynamically expand when VM1 is running.

Step-by-Step Guide

✅ Step 1: Verify the VHDX File Type

Dynamic expansion means the virtual disk type should be dynamic (not fixed).

Let’s verify the disk type of Disk1.vhdx:

powershell

Copy

Get-VHD -Path " c:\vhds\Disk1.vhdx "

In the output, ensur e that VhdType shows Dynamic.

If it’s not dynamic, convert it:

powershell

Copy

Convert-VHD -Path " c:\vhds\Disk1.vhdx " -DestinationPath " c:\vhds\Disk1_dynamic.vhdx " -VHDType Dynamic

✅ Step 2: Attach the VHDX to VM1

Use PowerShell to add the disk to VM1:

p owershell

Copy

Add-VMHardDiskDrive -VMName " VM1 " -Path " c:\vhds\Disk1.vhdx "

✅ Or do it via Hyper-V Manager:

Open Hyper-V Manager.

Select VM1 and go to Settings.

In the left pane, select SCSI Controller (recommended for hot-add).

Click Add Hard Drive.

Browse and select c:\vhds\Disk1.vhdx.

Click Apply and OK.

✅ Step 3: Verify Hot-Add Support (Optional)

If VM1 is running Windows Server 2012 or later and uses a SCSI Controller, the VHDX can be added without shutting down the VM.

✅ Step 4: Verify the Di sk in the VM

Inside VM1, open Disk Management (diskmgmt.msc).

The newly attached disk should appear as unallocated.

Initialize it, create a volume, and format if needed.

Summary

VHDX file type: Must be dynamic for expanding.

Hot-adding supported if attached via SCSI Controller and OS supports it.

Now Disk1.vhdx is attached to VM1 and can expand dynamically.

One possible solution to configure SRV1 as a DNS server that can resolve names from the contoso.com domain by using DC1 and all other names by using the root hint servers is to use conditional forwarding. Conditional forwarding allows a DNS server to forward queries for a specific domain name to another DNS server, while using the normal forwarding or root hint servers for other queries. Here are the steps to configure conditional forwarding on SRV1:

On SRV 1, open DNS Manager from the Administrative Tools menu or by typing dnsmgmt.msc in the Run box.

In the left pane, right-click on Conditional Forwarders and select New Conditional Forwarder.

In the New Conditional Forwarder dialog box, enter contoso.com as the DNS Domain name.

In the IP addresses of the master servers box, enter the IP address of DC1, which is the DNS server for the contoso.com domain. You can also click on Resolve to verify the name resolution of DC1.

Optionally, you can check the box Store this conditional forwarder in Active Directory, and replicate it as follows if you want to store and replicate the conditional forwarder in AD DS. You can also select the replication scope from the drop-down list.

Click OK to create the conditional forwar der.

Now, SRV1 will forward any queries for the contoso.com domain to DC1, and use the root hint servers for any other queries. You can test the name resolution by using the nslookup command on SRV1 or another computer that uses SRV1 as its DNS server. For example, you can run the following commands:

nslookup www.contoso.com

nslookup www.microsoft.com

The first command should return the IP address of www.contoso.com from DC1, and the second command should return the IP address of www.microsoft.com from a root hint server.

TASK 4

???? Objective:

Enforce a minimum password lengt h of 12 characters for members of the BranchAdmins group only.

Step-by-Step Guide: Fine-Grained Password Policy (FGPP)

✅ Step 1: Verify Forest Functional Level

Fine-grained password policies require the forest functional level to be at least Windows Serv er 2008.

On a DC, open Active Directory Domains and Trusts (domain.msc).

Right-click the domain and select Raise Forest Functional Level to verify.

If it’s lower, consider raising it (requires caution and planning).

✅ Step 2: Open the Active Directory Administrative Center (ADAC)

On a DC or management server, open ADAC:

Press Windows + R, type dsac.exe, and hit Enter.

✅ Step 3: Create a Fine-Grained Password Policy

In ADAC, in the left pane, expand the domain (e.g., contoso.com) and click System > Pas sword Settings Container.

In the right pane, right-click and select New > Password Settings.

✅ Step 4: Configure the Password Policy

Name: e.g., BranchAdminsPSO.

Precedence: e.g., 1 (lower number = higher priority).

Minimum password length: 12.

Configure other settings as required (leave them at default if not specified).

In Directly Applies To, click Add.

Search for and select the BranchAdmins group.

Click OK.

✅ Step 5: Confirm and Apply

Click OK to create the policy.

It’s now linked directly to the Bran chAdmins group, affecting only its members.

✅ Step 6: Verify the Policy

You can use PowerShell to confirm that the PSO is applied:

Get-ADUserResultantPasswordPolicy -Identity " username "

Replace " username " with a user from the BranchAdmins group. The output will show the minimum password length (should be 12).

One possible solution to register SRV1 to sync Azure file shares using the 34646045 Storage Sync Service is to use the Register-AzStorageSyncServer cmdlet from the Az.StorageSync module. This cmdlet establishes a trust relationship between the server and the Storage Sync Service, which is required for creating server endpoints and syncing files. Here are the steps to register SRV1 using the cmdlet:

On SRV1, open PowerShell as an administrator and run the following command to install the Az.StorageSync module if it is not already installed:

Install-Module -Name Az.StorageSync

Run the following com mand to import the Az.StorageSync module:

Import-Module -Name Az.StorageSync

Run the following command to sign in to your Azure account and select the subscription that contains the 34646045 Storage Sync Service:

Connect-AzAccount

Select-AzSubscription -Su bscriptionId < your-subscription-id >

Run the following command to register SRV1 with the 34646045 Storage Sync Service. You need to specify the resource group name and the Storage Sync Service name as parameters:

Register-AzStorageSyncServer -ResourceGroupN ame < your-resource-group-name > -StorageSyncServiceName 34646045

Wait for the registration to complete. You can verify the registration status by checking the Registered servers tab on the Azure portal or by running the following command:

Get-AzStorageSyncS erver -ResourceGroupName < your-resource-group-name > -StorageSyncServiceName 34646045

Now, SRV1 is registered with the 34646045 Storage Sync Service and ready to sync Azure file shares. You can create server endpoints on SRV1 and cloud endpoints on the Azur e file shares to define the sync topology.

To ensure that all computers in the domain use DNSSEC to resolve names in the adatum.com zone, you’ll need to configure both the DNS servers a nd the client computers. Here’s how you can do it:

Step 1: Sign the adatum.com Zone First, you need to sign the adatum.com DNS zone. This can be done using the DNS Manager or PowerShell. Here’s a PowerShell example:

Add-DnsServerSigningKey -ZoneName " adatu m.com " -CryptoAlgorithm RsaSha256

Set-DnsServerDnsSecZoneSetting -ZoneName " adatum.com " -DenialOfExistence NSEC3 -NSEC3Parameters 1,0,10, " "

This will add a signing key and configure DNSSEC for the zone with NSEC3 parameters.

Step 2: Configure DNS Servers E nsure that your DNS servers are configured to support DNSSEC. This includes setting up trust anchors for the zones that you want to validate and configuring the DNS servers to provide DNSSEC validation for DNS queries.

Step 3: Configure DNS Clients For DNS SEC validation to occur on the client side, the client computers must be configured to trust the DNS server’s validation process. This typically involves configuring the client’s DNS settings to point to a DNS server that supports DNSSEC.

Step 4: Validate Configuration You can validate that DNSSEC is working correctly by using tools like nslookup or dig to query DNS records and check for the presence of DNSSEC signatures in the responses.

Note: The exact steps may vary depending on your environment and the version of Windows Server you are using. Ensure that you have the appropriate administrative rights to make these changes and that you test the configuration in a controlled environment before deploying it domain-wide12.

By following these steps, you shoul d be able to ensure that all computers in your domain use DNSSEC to resolve names in the adatum.com zone.

TASK 6

???? Objective:

Enable nested virtualization for a VM (VM1) on SRV1.

Step-by-Step Guide: Enable Nested Virtualization

✅ Step 1: Verify Requirements

Nested virtualization requires:

SRV1 to have a processor that supports Intel VT-x or AMD-V.

Hyper-V role installed on SRV1.

VM1 must be turned off.

✅ Step 2: Open PowerShell on SRV1

Log in to SRV 1 with an account that has administrative privileges.

Open PowerShell as Administrator.

✅ Step 3: Enable Nested Virtualization

Run the following command:

Set-VMProcessor -VMName " VM1 " -ExposeVirtualizationExtensions $true

✅ Step 4: Verify Nested Virtu alization

To confirm the change, run:

Get-VMProcessor -VMName " VM1 " | Format-List ExposeVirtualizationExtensions

✅ The output should show:

ExposeVirtualizationExtensions : True

✅ Step 5: Configure Network Adapter (Optional for Nested VMs)

Nested virtualization requires MAC address spoofing for the VM network adapter.

Run:

Set-VMNetworkAdapter -VMName " VM1 " -MacAddressSpoofing On

✅ Step 6: Start the VM

Use PowerShell:

Start-VM -Name " VM1 "

Or start the VM in Hyper-V Manager.

Additional Notes

Nested virtualization allows you to run Hyper-V within a VM.

Useful for lab/test environments (e.g., running nested Hyper-V hosts in a VM).

To use Azure File Sync to replicate the contents of C:\app on SRV1 to an Azure file share named sharel1, with the source files located in \\dc1.contoso.com\install, follow these steps:

Step 1: Prepare Windows Server for Azure File Sync Ensure that SRV1 meets the prerequisites for Azure File Sync, such as having a supported version of Windows Server and PowerShell 5.1 or later1.

Step 2: Deplo y the Storage Sync Service In the Azure portal, deploy the Storage Sync Service in the same region as your Azure file share1.

Step 3: Create an Azure File Share Create an Azure file share named sharel1 in your storage account1.

Step 4: Install the Azure Fi le Sync Agent Download and install the Azure File Sync agent on SRV11.

Step 5: Register SRV1 with the Storage Sync Service After installing the agent, register SRV1 with the Storage Sync Service using the Azure portal1.

Step 6: Create a Sync Group and Serv er Endpoint In the Azure portal, go to your Storage Sync Service and create a new sync group. Add a server endpoint with the path C:\app on SRV12.

Step 7: Configure Cloud Endpoint Add the Azure file share sharel1 as the cloud endpoint to the sync group2.

S tep 8: Initiate the Sync Process The initial sync will start automatically after the cloud endpoint and server endpoint are added to the sync group. Ensure that the Azure File Sync agent is running on SRV11.

Step 9: Monitor the Sync Status Monitor the sync status in the Azure portal to ensure that the files are being replicated correctly from C:\app on SRV1 to the Azure file share sharel11.

Note: Make sure that the network connectivity between SRV1 and the Azure file share is established and that the necess ary ports are open. Also, verify that the SMB security settings allow for the required SMB protocol version and authentication methods1.

By following these steps, you should be able to replicate the contents of C:\app on SRV1 to the Azure file share sharel 1 using Azure File Sync. Ensure that you have the necessary permissions to perform these actions and that SRV1 is properly configured to communicate with Azure services.

To create an AD DS site named Site2 that is associated to an IP address range of 192.168.2.0 to 192.168.2.255, you can follow these steps:

On a domain controller or a computer that has the Remote Server Administration Tools (RSAT) installed, open Active Directory Sites and Services from the Administrative Tools menu or by typing dssite.msc in the Run box.

In the left pane, right-click on Sites and select New Site.

In the New Object - Site di alog box, enter Site2 as the Name of the new site. Select a site link to associate the new site with, such as DEFAULTIPSITELINK, and click OK. You can also create a new site link if you want to customize the replication frequency and schedule between the s ites. For more information on how to create a site link, see Create a Site Link.

In the left pane, right-click on Subnets and select New Subnet.

In the New Object - Subnet dialog box, enter 192.168.2.0/24 as the Prefix of the subnet. This notation represen ts the IP address range of 192.168.2.0 to 192.168.2.255 with a subnet mask of 255.255.255.0. Select Site2 as the Site object to associate the subnet with, and click OK.

Wait for the changes to replicate to other domain controllers. You can verify the site and subnet creation by checking the Sites and Subnets containers in Active Directory Sites and Services.

Now, you have created an AD DS site named Site2 that is associated to an IP address range of 192.168.2.0 to 192.168.2.255. You can add domain controlle rs to the new site and configure the site links and site link bridges to optimize the replication topology.

Comprehensive and Detailed Explanation with all Administering Windows Server Hybrid Core Infrastructure documents: =

In the Administering Windows Server Hybrid Core Infrastructure study materials, Automanage for Azure VMs is described as a service that “onboards supported Azure virtual machines into a curated set of best-practice services automatically.” The guide notes that Automanage supports Azure IaaS VMs running Windows Server (2012 R2 and later) and common Linux distributions (for example Ubuntu/RHEL), while unsupported operating systems such as Windows client SKUs or older Windows Server releases are excluded. The same content emphasizes that Automanage targets “only supported Azure VMs” and does not extend to machines that don’t meet OS prerequisites.

Given the scenario, Server1 (supported Linux server) and Server2 (supported Windows Server) meet Automanage prerequisites, whereas the remaining Azure VMs are not in the supported matrix (client OS or an older/unsupported server release). Therefore, enabling Automanage on Server1 and Server2 only satisfies the technical requirement to “use Azure Automanage on all supported Azure virtual machines.”

The exam content for Group Policy processing stresses User Group Policy loopback processing for session hosts (RDS/AVD): “In environments like Remote Desktop Session Host (or Azure Virtual Desktop), enable loopback processing on the OU that contains the session host computers so that user settings from that GPO apply when users log on to those computers, regardless of the user’s own OU.” The requirement states: “Apply GPO4 to the Azure Virtual Desktop session hosts. Ensure that Azure Virtual D esktop user sessions lock after being idle for 10 minutes. Users must be able to control the lockout time manually from their client computer.” The idle-lock is a user configuration setting that must apply when users sign in to the session hosts, not to their personal devices. Therefore, enable loopback processing (Merge/Replace) in GPO4, which is linked to the VirtualDesktops OU containing the session hosts. Using security filtering or Enforced cannot make user settings in GPO4 override the user’s own OU without loopback. Loopback ensures the AVD hosts impose the 10-minute lock for sessions, while leaving users free to set their own client device policies independently—fulfilling least-impact design.

Modify the trust on : DC2

Modify the permissions for the : Computer object of SRV1

In an Active Directory Domain Services (AD DS) environment involving multiple forests and external trusts, managing granular access across domain boundaries is achieved through Selective Authentication . According to official documents for Administering Windows Server Hybrid Core Infrastructure, there are two primary authentication settings for a trust: Domain-wide authentication and Se lective authentication .

When you need to restrict users from a trusted forest (contoso.com) so they can only access specific resources in the trusting forest (adatum.com), you must configure the trust to use Selective Authentication . This configuration must be performed in the resource domain (the trusting domain). Based on the provided table, DC2 is the domain controller for adatum.com , which is where the shared resources (SRV1) reside. Therefore, you must modify the trust properties on DC2 to enable Selective Authentication for the incoming trust from contoso.com.

Once Selective Authentication is enabled, Windows does not automatically grant the " Authenticated Users " SID to the user ' s access token for resources in the local domain. Instead, administrators must explicitly grant the Allowed to Authenticate permission on the specific resource ' s computer object. In this scenario, since the requirement is to restrict access specifically to resources on SRV1 , you must modify the security permissions on the Comput er object of SRV1 in Active Directory Users and Computers. By granting the contoso.com users (or a group containing them) this permission, they can successfully authenticate against SRV1 while being blocked from all other servers in the adatum.com forest. This satisfies the requirement to prevent access to any other resources while maintaining the ability of adatum.com users to access contoso.com (as the 2-way trust remains intact).

One possible solution to ensure that all DHCP clients that get an IP address from SRV1 will be configured to use DC1 as a DNS server is to use the DHCP scope options. DHCP scope options are settings that apply to all DHCP clients that obtain an IP address from a specific scope. You can use the DHCP scope options to specify the DNS server IP address, as well as other parameters such as the default gat eway, the domain name, and the DNS suffix. Here are the steps to configure the DHCP scope options on SRV1:

On SRV1, open DNS Manager from the Administrative Tools menu or by typing dnsmgmt.msc in the Run box.

In the left pane, expand your DHCP server and c lick on IPv4.

In the right pane, right-click on the scope that you want to configure and select Properties.

In the Scope Properties dialog box, click on the DNS tab.

Check the box Enable DNS dynamic updates according to the settings below. This option allows the DHCP server to register and update the DNS records for the DHCP clients.

Select the option Always dynamically update DNS records. This option ensures that the DHCP server updates both the A and PTR records for the DHCP clients, regardless of whe ther they request or support dynamic updates.

Check the box Discard A and PTR records when lease is deleted. This option allows the DHCP server to delete the DNS records for the DHCP clients when their leases expire or are released.

Check the box Dynamical ly update DNS records for DHCP clients that do not request updates. This option allows the DHCP server to update the DNS records for the DHCP clients that do not support dynamic updates, such as legacy or non-Windows clients.

In the DNS servers section, cl ick on the Add button to add a new DNS server IP address.

In the Add Server dialog box, enter the IP address of DC1, which is the DNS server that you want to use for the DHCP clients, and click Add.

Click OK to close the Add Server dialog box and return to the Scope Properties dialog box.

Click OK to apply the changes and close the Scope Properties dialog box.

Now, all DHCP clients that get an IP address from SRV1 will be configured to use DC1 as a DNS server. You can verify the DNS configuration by using t he ipconfig /all command on a DHCP client computer and checking the DNS Servers entry. You can also check the DNS records for the DHCP clients by using the DNS Manager console on DC1.

TASK 2

???? Objective: Configure DC3 to replicate with DC1 and DC2 only between 8:00 PM and 6:00 AM.

Step-by-Step Guide: Replication Scheduling for DC3

✅ Step 1: Promote DC3 to a Domain Controller (if not already done)

Use Server Manager or P owerShell to install the Active Directory Domain Services role and promote the server as a domain controller.

Example PowerShell command to install the AD DS role:

powershell

Copy

Install-WindowsFeature AD-Domain-Services

To promote:

powershell

Copy

Install-ADDSDomainController -DomainName " contoso.com "

✅ Step 2: Open Active Directory Sites and Services

Log in to DC3 or another DC with administrative tools.

Open Active Directory Sites and Services (dssite.msc).

✅ Step 3: Locate the Site

In the lef t pane, expand the Sites container and find the site that contains DC3.

Expand the site to find Servers.

Under Servers, select DC3.

✅ Step 4: Configure Replication Connection Objects

Expand DC3 and click on NTDS Settings.

In the right pane, you’ll see co nnection objects to other domain controllers (these represent replication partners).

✅ Step 5: Adjust the Replication Schedule for Each Connection

For each connection object to DC1 and DC2:

Right-click the connection object and select Properties.

Click t he Change Schedule button.

✅ Step 6: Set the Replication Schedule

In the schedule window, you’ll see a grid of hours.

Clear all hours except the time window of 8 PM to 6 AM (in 1-hour blocks).

Select 8 PM to 6 AM (10 hours total) for all days.

Click OK to save.

✅ Step 7: Verify and Document

Ensure that both connection objects (to DC1 and DC2) have the updated schedule.

Document your configuration as part of your environment’s change control.

According to the Administering Windows Server Hybrid Core Infrastructure (AZ-800) exam study materials, Azure DNS Private Resolver allows bidirectional name resolution between on-premises environments and Azure private DNS zones. The Private DNS Resolver consists of inbound endpoints (to resolve queries from on-premises to Azure) and outbound endpoints (to resolve queries from Azure to on-pr emises DNS servers). For name resolution to work, private DNS zones must be linked to the virtual network associated with the resolver’s hub network.

In this scenario, the planned configuration specifies:

A Private DNS Resolver named Private1 created in th e West US region and linked to VNet1 .

An inbound endpoint in SubnetB .

The requirement is to identify which private DNS zones will be available for name resolution through this resolver.

From the details given, only Zone1.com and Zone2.com are linked to VNe t1 , allowing them to participate in name resolution using the resolver. Zone3.com is not linked to VNet1 (either un linked or linked to another virtual network), and therefore it cannot be resolved through the DNS Resolver in VNet1.

As emphasized in Microso ft’s hybrid infrastructure documentation:

“Private DNS zones must be linked to the same virtual network that contains the Private DNS Resolver or to peered virtual networks for name resolution to succeed.”

Hence, only Zone1.com and Zone2.com are available for name resolution through the Private DNS Resolver.

✅ Correct Answer: C. Zone1.com and Zone2.com only