AZ-800 Administering Windows Server Hybrid Core Infrastructure Questions and Answers

Graphical user interface, text, application Description automatically generated

Membership in the Enterprise Admins group or the Domain Admins group in the forest root domain is required.

A close up of a computer screen Description automatically generated

Graphical user interface, text, application, email Description automatically generated

Graphical user interface, text, application Description automatically generated with medium confidence

A white background with black and white clouds Description automatically generated

Text, table Description automatically generated with medium confidence

To create a GPO named GPO1 that only applies to a group named MemberServers, you can follow these steps:

• On a domain controller or a computer that has the Remote Server Administration Tools (RSAT) installed, open Group Policy Management from the Administrative Tools menu or by typing gpmc.msc in the Run box.
• In the left pane, expand your domain and right-click on Group Policy Objects. Select New to create a new GPO.
• In the New GPO dialog box, enter GPO1 as the Name of the new GPO and click OK. You can also optionally select a source GPO to copy the settings from.
• Right-click on the new GPO and select Edit to open the Group Policy Management Editor. Here, you can configure the settings that you want to apply to the group under the Computer Configuration and User Configuration nodes. For more information on how to edit a GPO, see Edit a Group Policy Object.
• Close the Group Policy Management Editor and return to the Group Policy Management console. Right-click on the new GPO and select Scope. Here, you can specify the scope of management for the GPO, such as the links, security filtering, and WMI filtering.
• Under the Security Filtering section, click on Authenticated Users and then click on Remove. This will remove the default permission granted to all authenticated users and computers to apply the GPO.
• Click on Add and then type the name of the group that you want to apply the GPO to, such as MemberServers. Click OK to add the group to the security filter. You can also click on Advanced to browse the list of groups available in the domain.
• Optionally, you can also configure the WMI Filtering section to further filter the GPO based on the Windows Management Instrumentation (WMI) queries. For more information on how to use WMI filtering, see Filter the scope of a GPO by using WMI filters.
• To link the GPO to an organizational unit (OU) or a domain, right-click on the OU or the domain in the left pane and select Link an Existing GPO. Select the GPO that you created, such as GPO1, and click OK. You can also change the order of preference by using the Move Up and Move Down buttons.
• Wait for the changes to replicate to other domain controllers. You can also force the update of the GPO by using the gpupdate /force command on the domain controller or the client computers. For more information on how to update a GPO, see Update a Group Policy Object.

Now, you have created a GPO named GPO1 that only applies to a group named MemberServers. You can verify the GPO application by using the gpresult /r command on a member server and checking the Applied Group Policy Objects entry. You can also use the Group Policy Results wizard in the Group Policy Management console to generate a report of the GPO application for a specific computer or user. For more information on how to use the Group Policy Results wizard, see Use the Group Policy Results Wizard.

To configure the domain to support the creation of gMSAs, you need to perform the following steps:

• On a domain controller or a computer that has the Remote Server Administration Tools (RSAT) installed, open PowerShell as an administrator and run the following command to install the Active Directory module:

Install-WindowsFeature -Name RSAT-AD-PowerShell

• Run the following command to create a Key Distribution Service (KDS) root key, which is required for generating passwords for gMSAs. You only need to do this once per domain:

Add-KdsRootKey -EffectiveImmediately

• Wait for at least 10 hours for the KDS root key to replicate to all domain controllers in the domain. Alternatively, you can use the -EffectiveTime parameter to specify a past date and time for the KDS root key, but this is not recommended for security reasons. For more information, see Add-KdsRootKey.
• After the KDS root key is replicated, you can create and configure gMSAs using the New-ADServiceAccount and Set-ADServiceAccount cmdlets. For more information, see Create a gMSA and Configure a gMSA.

To create a group-managed service account (gMSA) named gMSA1 and make it available on SRV1, you can follow these steps:

Step 1: Create the Key Distribution Services Root Key First, you need to create the KDS Root Key, which is required for the gMSA to function. You can do this with the following PowerShell command:

Add-KdsRootKey –EffectiveTime ((get-date).addhours(-10))

Note: The -EffectiveTime parameter is set to 10 hours in the past to ensure immediate effect.

Step 2: Create the gMSA Next, use the New-ADServiceAccount cmdlet to create the gMSA:

New-ADServiceAccount -Name gMSA1 -DNSHostName gmsa1.domain.com -PrincipalsAllowedToRetrieveManagedPassword SRV1$

Replace domain.com with your actual domain name.

Step 3: Install the gMSA on SRV1 Now, you need to install the gMSA on the server SRV1. Run the following command on SRV1:

Install-ADServiceAccount -Identity gMSA1

Step 4: Test the gMSA To ensure that the gMSA is installed correctly and ready for use, perform a test using:

Test-ADServiceAccount -Identity gMSA1

If the test returns True, the gMSA is correctly installed and ready for use on SRV1.

Step 5: Configure the Service to Use the gMSA Finally, configure the service that requires the gMSA to use gMSA1 by setting the service’s logon account to domain\gMSA1$ and leave the password field blank.

This will create and make the gMSA gMSA1 available on SRV1. Ensure that you have the necessary permissions and that SRV1 is properly joined to the domain before proceeding with these steps123.

One possible solution to ensure that a DHCP scope named scope1 on SRV1 can service client requests is to activate the scope on the DHCP server. A scope must be activated before it can assign IP addresses to DHCP clients. To activate a DHCP scope on SRV1, perform the following steps:

• On SRV1, open DNS Manager from the Administrative Tools menu or by typing dnsmgmt.msc in the Run box.
• In the left pane, expand your DHCP server and click on IPv4.
• In the right pane, right-click on the scope that you want to activate, such as scope1, and select Activate.
• Wait for the scope to be activated. You can verify the activation status by checking the icon next to the scope name. A green arrow indicates that the scope is active, while a red arrow indicates that the scope is inactive.

Now, the DHCP scope named scope1 on SRV1 can service client requests and lease IP addresses to DHCP clients. You can test the DHCP service by using the ipconfig /renew command on a DHCP client computer that is connected to the same subnet as the scope.

To use Azure File Sync to replicate the contents of C:\app on SRV1 to an Azure file share named sharel1, with the source files located in \\dc1.contoso.com\install, follow these steps:

Step 1: Prepare Windows Server for Azure File Sync Ensure that SRV1 meets the prerequisites for Azure File Sync, such as having a supported version of Windows Server and PowerShell 5.1 or later1.

Step 2: Deploy the Storage Sync Service In the Azure portal, deploy the Storage Sync Service in the same region as your Azure file share1.

Step 3: Create an Azure File Share Create an Azure file share named sharel1 in your storage account1.

Step 4: Install the Azure File Sync Agent Download and install the Azure File Sync agent on SRV11.

Step 5: Register SRV1 with the Storage Sync Service After installing the agent, register SRV1 with the Storage Sync Service using the Azure portal1.

Step 6: Create a Sync Group and Server Endpoint In the Azure portal, go to your Storage Sync Service and create a new sync group. Add a server endpoint with the path C:\app on SRV12.

Step 7: Configure Cloud Endpoint Add the Azure file share sharel1 as the cloud endpoint to the sync group2.

Step 8: Initiate the Sync Process The initial sync will start automatically after the cloud endpoint and server endpoint are added to the sync group. Ensure that the Azure File Sync agent is running on SRV11.

Step 9: Monitor the Sync Status Monitor the sync status in the Azure portal to ensure that the files are being replicated correctly from C:\app on SRV1 to the Azure file share sharel11.

Note: Make sure that the network connectivity between SRV1 and the Azure file share is established and that the necessary ports are open. Also, verify that the SMB security settings allow for the required SMB protocol version and authentication methods1.

By following these steps, you should be able to replicate the contents of C:\app on SRV1 to the Azure file share sharel1 using Azure File Sync. Ensure that you have the necessary permissions to perform these actions and that SRV1 is properly configured to communicate with Azure services.

Docker

Explore

To create a container image named app1 for your application using the Dockerfile in the C:\app directory on SRV1, follow these steps:

Step 1: Open PowerShell or Command Prompt First, open PowerShell or Command Prompt on SRV1.

Step 2: Navigate to the Application Directory Change to the directory where your application and Dockerfile are located:

cd C:\app

Step 3: Build the Container Image Use the docker build command to create the container image. The -t flag tags the image with the name app1:

docker build -t app1 .

The period . at the end of the command tells Docker to use the Dockerfile in the current directory.

Step 4: Verify the Image Creation After the build process completes, verify that the image app1 has been created successfully by listing all images:

docker images

You should see app1 in the list of images.

Step 5: Use the Image Now, you can use the image app1 to run containers or push it to a container registry if needed.

By following these steps, you’ll have created a Docker container image named app1 using the Dockerfile located in C:\app on SRV11. Ensure that Docker is installed on SRV1 and that you have the necessary permissions to execute these commands.

To collect the recommended Windows Performance Counters from SRV1 in a Log Analytics workspace, you can follow these steps:

Step 1: Access the Log Analytics Workspace Log in to the Azure portal and navigate to your Log Analytics workspace.

Step 2: Configure Performance Counters In the Log Analytics workspace, select Advanced settings and then choose Data > Windows Performance Counters1. You can add the recommended performance counters by selecting the + button. If you’re using legacy agent management, you can add counters from the Legacy agents management menu2.

Step 3: Add Performance Counters Select the counters you want to collect. You can add common counters quickly by checking the boxes next to them. For specific counters, enter the name of the counter in the format object(instance)\counter. For example, to collect the Processor Time counter for all instances of the Processor object, specify Processor(_Total)\% Processor Time.

Step 4: Set Sample Interval When adding a counter, you can set the sample interval, which is the frequency at which data is collected. The default is 10 seconds, but you can change this to a higher value if needed.

Step 5: Apply Configuration After adding the desired performance counters, select Apply at the top of the screen to save the configuration.

Step 6: Install and Configure the Agent Ensure that the Microsoft Monitoring Agent (MMA) is installed on SRV1. Configure the agent to report to your Log Analytics workspace by specifying the workspace ID and key during setup.

Step 7: Verify Data Collection After the agent is configured, it will start collecting the specified performance counters. You can verify the data collection in the Log Analytics workspace by running queries against the collected data.

Note: The legacy Log Analytics agent will be deprecated by August 2024. Migrate to the Azure Monitor agent before this date to continue ingesting data3.

By following these steps, you should be able to collect the recommended Windows Performance Counters from SRV1 in your Log Analytics workspace. Ensure that you have the necessary permissions and that SRV1 has network connectivity to Azure services.

To deploy a new primary DNS zone named fabrikam.com to DC1 and sign the zone, you can follow these steps:

Step 1: Create the Primary DNS Zone Use the Add-DnsServerPrimaryZone PowerShell command to create the primary zone:

Add-DnsServerPrimaryZone -Name "fabrikam.com" -ZoneFile "fabrikam.com.dns" -DynamicUpdate Secure

This command creates a primary zone for fabrikam.com with a DNS file named fabrikam.com.dns and allows secure dynamic updates.

Step 2: Sign the Zone To sign the zone, you can use the DNS Manager or Windows PowerShell. Here’s how to sign the zone using PowerShell:

Add-DnsServerSigningKey -ZoneName "fabrikam.com" -Type KeySigningKey -CryptoAlgorithm RsaSha256

Set-DnsServerDnsSecZoneSetting -ZoneName "fabrikam.com" -DenialOfExistence NSEC3 -NSEC3Parameters 1,0,10,""

These commands add a signing key to the zone and set DNSSEC settings with NSEC3 parameters.

Step 3: Publish the Signed Zone After signing the zone, ensure that it is published and available for DNS queries. You can verify the zone signing status using the following command:

Get-DnsServerZone -Name "fabrikam.com"

Note: Ensure that you have the appropriate permissions to perform these actions on DC1 and that the DNS Server role is installed and properly configured. Also, replace "fabrikam.com.dns" with the actual path to your DNS file if it’s different12.

By following these steps, you should be able to deploy and sign the new primary DNS zone fabrikam.com on DC1.

To run a container on SRV1 using the mcrmicrosoft.com/windows/servercofe/iis image, publish port 80 on the container to port 5001 on SRV1, and ensure it runs in the background, you can follow these steps:

Step 1: Pull the IIS Image First, pull the correct IIS image from the Microsoft Container Registry:

docker pull mcr.microsoft.com/windows/servercore/iis

Step 2: Run the Container Next, run the container with the required port mapping and ensure it runs in the background using the -d flag:

docker run -d -p 5001:80 --name iis_container mcr.microsoft.com/windows/servercore/iis

This command will start a container named iis_container using the IIS image, map port 80 inside the container to port 5001 on SRV1, and run the container in detached mode.

Step 3: Verify the Container is Running To verify that the container is running and the port is published, use the following command:

docker ps

This will list all running containers and show the port mappings.

Step 4: Access the IIS Server You can now access the IIS server running in the container by navigating to https:// :5001 in a web browser, where is the IP address of SRV1.

Note: Ensure that Docker is installed on SRV1 and that the port 5001 is open on the firewall to allow incoming connections1.

By following these steps, you should be able to run the IIS container on SRV1 with the specified port mapping and have it running in the background. Please replace mcrmicrosoft.com/windows/servercofe/iis with the correct image name mcr.microsoft.com/windows/servercore/iis as shown in the commands above.

Virtual machines in an Azure virtual network receive their DNS configuration from the DNS settings configured on the virtual network. You need to configure the Azure virtual network to use DC3 as the DNS server. Then all virtual machines in the virtual network will use DC3 and their DNS server.

Graphical user interface, text, application Description automatically generated

Create a domain controller named dc3.corp.fabrikam.com in Vnet1.

In a hybrid network, you can configure Azure virtual machines as domain controllers. The domain controllers in Azure communicate with the on-premises domain controllers in the same way that on-premises domain controllers communicate with each other.

Graphical user interface, text, application, email Description automatically generated

Graphical user interface Description automatically generated with medium confidence

Table Description automatically generated with medium confidence

One possible solution to configure Hyper-V to ensure that running virtual machines can be moved between SRV1 and SRV2 without downtime is to use Live Migration. Live Migration is a feature of Hyper-V that allows you to move a running virtual machine from one host to another without any noticeable interruption of service. To set up Live Migration between SRV1 and SRV2, you need to perform the following steps:

• On both SRV1 and SRV2, open Hyper-V Manager from the Administrative Tools menu or by typing virtmgmt.msc in the Run box.
• In the left pane, right-click on the name of the server and select Hyper-V Settings.
• In the Hyper-V Settings dialog box, select Live Migrations in the navigation pane.
• Check the box Enable incoming and outgoing live migrations.
• Under Authentication protocol, select the method that you want to use to authenticate the live migration traffic between the servers. You can choose either Kerberos or CredSSP. Kerberos does not require you to sign in to the source server before starting a live migration, but it requires you to configure constrained delegation on the domain controller. CredSSP does not require you to configure constrained delegation, but it requires you to sign in to the source server through a local console session, a Remote Desktop session, or a remote Windows PowerShell session. For more information on how to configure constrained delegation, see Configure constrained delegation.
• Under Performance options, select the option that best suits your network configuration and performance requirements. You can choose either TCP/IP or Compression or SMB. TCP/IP uses a single TCP connection for the live migration traffic. Compression uses multiple TCP connections and compresses the live migration traffic to reduce the migration time and network bandwidth usage. SMB uses the Server Message Block (SMB) 3.0 protocol and can leverage SMB features such as SMB Multichannel and SMB Direct. For more information on how to choose the best performance option, see Choose a live migration performance option.
• Under Advanced Features, you can optionally enable the Use any available network for live migration option, which allows Hyper-V to use any available network adapter on the source and destination servers for live migration. If you do not enable this option, you need to specify one or more network adapters to be used for live migration by clicking on the Add button and selecting the network adapter from the list. You can also change the order of preference by using the Move Up and Move Down buttons.
• Click OK to apply the settings.

Now, you have configured Hyper-V to enable live migration between SRV1 and SRV2. You can use Hyper-V Manager or Windows PowerShell to initiate a live migration of a running virtual machine from one server to another.

One possible solution to ensure that all DHCP clients that get an IP address from SRV1 will be configured to use DC1 as a DNS server is to use the DHCP scope options. DHCP scope options are settings that apply to all DHCP clients that obtain an IP address from a specific scope. You can use the DHCP scope options to specify the DNS server IP address, as well as other parameters such as the default gateway, the domain name, and the DNS suffix. Here are the steps to configure the DHCP scope options on SRV1:

• On SRV1, open DNS Manager from the Administrative Tools menu or by typing dnsmgmt.msc in the Run box.
• In the left pane, expand your DHCP server and click on IPv4.
• In the right pane, right-click on the scope that you want to configure and select Properties.
• In the Scope Properties dialog box, click on the DNS tab.
• Check the box Enable DNS dynamic updates according to the settings below. This option allows the DHCP server to register and update the DNS records for the DHCP clients.
• Select the option Always dynamically update DNS records. This option ensures that the DHCP server updates both the A and PTR records for the DHCP clients, regardless of whether they request or support dynamic updates.
• Check the box Discard A and PTR records when lease is deleted. This option allows the DHCP server to delete the DNS records for the DHCP clients when their leases expire or are released.
• Check the box Dynamically update DNS records for DHCP clients that do not request updates. This option allows the DHCP server to update the DNS records for the DHCP clients that do not support dynamic updates, such as legacy or non-Windows clients.
• In the DNS servers section, click on the Add button to add a new DNS server IP address.
• In the Add Server dialog box, enter the IP address of DC1, which is the DNS server that you want to use for the DHCP clients, and click Add.
• Click OK to close the Add Server dialog box and return to the Scope Properties dialog box.
• Click OK to apply the changes and close the Scope Properties dialog box.

Now, all DHCP clients that get an IP address from SRV1 will be configured to use DC1 as a DNS server. You can verify the DNS configuration by using the ipconfig /all command on a DHCP client computer and checking the DNS Servers entry. You can also check the DNS records for the DHCP clients by using the DNS Manager console on DC1.

One possible solution to configure SRV1 as a DNS server that can resolve names from the contoso.com domain by using DC1 and all other names by using the root hint servers is to use conditional forwarding. Conditional forwarding allows a DNS server to forward queries for a specific domain name to another DNS server, while using the normal forwarding or root hint servers for other queries. Here are the steps to configure conditional forwarding on SRV1:

• On SRV1, open DNS Manager from the Administrative Tools menu or by typing dnsmgmt.msc in the Run box.
• In the left pane, right-click on Conditional Forwarders and select New Conditional Forwarder.
• In the New Conditional Forwarder dialog box, enter contoso.com as the DNS Domain name.
• In the IP addresses of the master servers box, enter the IP address of DC1, which is the DNS server for the contoso.com domain. You can also click on Resolve to verify the name resolution of DC1.
• Optionally, you can check the box Store this conditional forwarder in Active Directory, and replicate it as follows if you want to store and replicate the conditional forwarder in AD DS. You can also select the replication scope from the drop-down list.
• Click OK to create the conditional forwarder.

Now, SRV1 will forward any queries for the contoso.com domain to DC1, and use the root hint servers for any other queries. You can test the name resolution by using the nslookup command on SRV1 or another computer that uses SRV1 as its DNS server. For example, you can run the following commands:

nslookup www.contoso.com

nslookup www.microsoft.com

The first command should return the IP address of www.contoso.com from DC1, and the second command should return the IP address of www.microsoft.com from a root hint server.

To manage SRV1 remotely using PowerShell, you’ll need to set up PowerShell Remoting. Here’s a step-by-step guide:

Step 1: Enable PowerShell Remoting on SRV1 On SRV1, run the following command to enable PowerShell Remoting:

Enable-PSRemoting -Force

This command configures the computer to receive PowerShell remote commands that are sent by using the WS-Management technology.

Step 2: Configure the TrustedHosts List (If Needed) If you’re managing SRV1 from a computer that is not part of the same domain, you’ll need to add the managing computer’s name to the TrustedHosts list on SRV1:

Set-Item wsman:\localhost\Client\TrustedHosts -Value "ManagingComputerName" -Concatenate -Force

Replace “ManagingComputerName” with the name of your managing computer.

Step 3: Start a Remote Session From your managing computer, start a remote session with SRV1 using the Enter-PSSession cmdlet:

Enter-PSSession -ComputerName SRV1 -Credential (Get-Credential)

This command prompts you for credentials and then starts a remote session with SRV1.

Step 4: Run Remote Commands Once the remote session is established, you can run any PowerShell command as if you were directly on SRV1. For example:

Get-Service

This command gets the status of services on SRV1.

Step 5: Exit the Remote Session When you’re finished, exit the remote session:

Exit-PSSession

Note: Ensure that both the managing computer and SRV1 are properly configured to communicate over the network, and that any firewalls allow for the necessary ports (default is 5985 for HTTP and 5986 for HTTPS) to be open for WS-Management traffic12.

By following these steps, you should be able to manage SRV1 remotely using PowerShell. Make sure you have the appropriate administrative privileges to perform these actions.