You have an Azure virtual machine named VM1 that runs Windows Server.
You need to configure the management of VM1 to meet the following requirements:
✑ Require administrators to request access to VM1 before establishing a Remote Desktop connection.
✑ Limit access to VM1 from specific source IP addresses.
✑ Limit access to VM1 to a specific management port.
What should you configure?

A. a network security group (NSG)

B. Azure Active Directory (Azure AD) Privileged Identity Management (PIM)

C. Microsoft Defender for Cloud

D. Azure Front Door

SIMULATION
-
You need to create a Group Policy Object (GPO) named GPO1 that only applies to a group named MemberServers.
To complete this task, sign in the required computer or computers.

SIMULATION
-
You need to ensure that the minimum password length for members of the BranchAdmins group is 12 characters. The solution must affect only the BranchAdmins group.
To complete this task, sign in the required computer or computers.

You have servers that have the DNS Server role installed. The servers are configured as shown in the following table.
 
All the client computers in the New York office use Server2 as the DNS server.
You need to configure name resolution in the New York office to meet the following requirements:
✑ Ensure that the client computers in New York can resolve names from contoso.com.
✑ Ensure that Server2 forwards all DNS queries for internet hosts to 131. 107.100.200.
The solution must NOT require modifications to Server1.
Which two components should you configure on Server2? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. a forwarder

B. a conditional forwarder

C. a delegation

D. a secondary zone

E. a reverse lookup zone

You need to meet the technical requirements for VM3.
On which volumes can you enable Data Deduplication?

A. C and D only

B. D only

C. C, D, E, and F

D. D and E only

E. D, E, and F only

HOTSPOT -
You have on-premises file servers that run Windows Server as shown in the following table.
 
You have the Azure file shares shown in the following table.
 
You add a Storage Sync Service named Sync1 and an Azure File Sync sync group named Group1. Group1 uses share1 as a cloud endpoint.
You register Server1 and Server2 with Sync1. You add D:Folder1 from Server1 as a server endpoint in Group1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
 

You are planning the implementation Azure Arc to support the planned changes.
You need to configure the environment to support configuration management policies.
What should you do?

A. Create a hybrid runbook worker in Azure Automation.

B. Deploy the Azure Monitor agent to all the servers.

C. Deploy the Azure Connected Machine agent to all the servers.

D. Hybrid Azure AD join all the serves.

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the servers shown in the following table.
 
You need to deploy inbound firewall rules to the servers. The solution must minimize administrative effort.
What should you use?

A. PowerShell Desired State Configuration (DSC)

B. local security objects

C. Group Policy Objects (GPOs)

D. Microsoft Intune configuration profiles

HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) domain named adatum.com. The domain contains a file server named Server1 and three users named User1, User2, and User3.
Server1 contains a shared folder named Share1 that has the following configurations:
 
The share permissions for Share1 are configured as shown in the Share Permissions exhibit.
 
Share1 contains a file named File1.bxt. The advanced security settings for File1.txt are configured as shown in the File Permissions exhibit.
 
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
 

HOTSPOT
-
Overview
-
Company Information
-
ADatum Corporation is a manufacturing company that has a main office in Seattle and two branch offices in Los Angeles and Montreal.
Fabrikam Partnership
-
ADatum recently partnered with 2 company named Fabrikam, Inc.
Fabrikam is a manufacturing company that has a main office in Boston and a branch office in Orlando.
Both companies intend to collaborate on several joint projects.
Existing Environment
-
ADatum AD DS Environment
-
The on-premises network of ADatum contains an Active Directory Domain Services (AD DS) forest named adatum.com.
The forest contains two domains named adatum.com and east.adatum.com and the domain controllers shown in the following table.
 
Fabrikam AD DS Environment
-
The on-premises network of Fabrikam contains an AD DS forest named fabrikam.com.
The forest contains two domains named fabrikam.com and south.fabrikam.com.
The fabrikam.com domain contains an organizational unit (OU) named Marketing.
Server Infrastructure
-
The adatum.com domain contains the servers shown in the following table.
 
HyperV1 contains the virtual machines shown in the following table.
 
All the virtual machines on HyperV1 have only the default management tools installed.
SSPace1 contains the Storage Spaces virtual disks shown in the following table.
 
Azure Resources
-
ADatum has an Azure subscription that contains an Azure AD tenant. Azure AD Connect is configured to sync the adatum.com forest with Azure AD.
The subscription contains the virtual networks shown in the following table.
 
The subscription contains the Azure Private DNS zones shown in the following table.
 
The subscription contains the virtual machines shown in the following table.
 
All the servers are in a workgroup.
The subscription contains a storage account named storage1 that has a file share named share1.
Requirements
-
Planned Changes
-
ADatum plans to implement the following changes:
•	Sync Data1 to share1.
•	Configure an Azure runbook named Task1.
•	Enable Azure AD users to sign in to Server1.
•	Create an Azure DNS Private Resolver that has the following configurations:
•	Name: Private1
•	Region: West US
•	Virtual network: VNet1
•	Inbound endpoint: SubnetB
•	Enable users in the adatum.com domain to access the resources in the south.fabrikam.com domain.
Technical Requirements
-
ADatum identifies the following technical requirements:
•	The data on SSPace1 must be available always.
•	DC2 must become the schema master if DC1 fails.
•	VM3 must be configured to enable per-folder quotas.
•	Trusts must allow access to only the required resources.
•	The users in the Marketing OU must have access to storage1.
•	Azure Automanage must be used on all supported Azure virtual machines.
•	A direct SSH session must be used to manage all the supported virtual machines on HyperV1.
You need to ensure that data availability on SSPace1 meets the technical requirements.
What is the maximum number of physical disks that can fail on each disk? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant.
You have several Windows 10 devices that are Azure AD hybrid-joined.
You need to ensure that when users sign in to the devices, they can use Windows Hello for Business.
Which optional feature should you select in Azure AD Connect?

A. Device writeback

B. Group writebeack

C. Azure AD app and attribute filtering

D. Password writeback

E. Directory extension attribute sync

DRAG DROP
-
Your network contains an Active Directory domain, a web app named App1, and a perimeter network. The perimeter network contains a server named Server1 that runs Windows Server.
You plan to provide external access to App1.
You need to implement the Web Application Proxy role service on Server1.
Which role should you add to Server1, and which role should you add to the network? To answer, drag the appropriate roles to the correct targets. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
 

HOTSPOT
-
Your company has a main office and 10 branch offices that are connected by using WAN links. The network contains an Active Directory domain.
All users have laptops and regularly travel between offices.
You plan to implement BranchCache in the branch offices.
In each branch office, you install a server that runs Windows Server and the BranchCache feature. You register the servers in Active Directory.
You need to configure the laptops to use the local BranchCache server automatically. The solution must minimize administrative effort.
Which two Group Policy settings should you configure? To answer, select the settings in the answer area.
NOTE: Each correct selection is worth one point.
 

You have an Azure subscription. The subscription contains a virtual machine named VM1 that runs Windows Server.
You plan to manage VM1 by using a PowerShell runbook.
You need to create the runbook.
What should you create first?

A. an Azure Automation account

B. an Azure workbook

C. a Log Analytics workspace

D. a Microsoft Power Automate flow

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are planning the deployment of DNS to a new network.
You have three internal DNS servers as shown in the following table.
 
The contoso.local zone contains zone delegations for east.contoso.local and west.contoso.local. All the DNS servers use root hints.
You need to ensure that all the DNS servers can resolve the names of all the internal namespaces and internet hosts.
Solution: On Server2, you create a conditional forwarder for west.contoso.local. On Server3, you create a conditional forwarder for east.contoso.local.
Does this meet the goal?

A. Yes

B. No

You need to meet the technical requirements for Server3.
Which users can perform the required tasks?

A. Admin3 only

B. Admin1 and Admin3 only

C. Admin1 only

D. Admin1, Admin2, and Admin3

E. Admin1 and Admin2 only

DRAG DROP
-
Your network contains two Active Directory Domain Services (AD DS) forests named contoso.com and fabrikam.com. Contoso.com contains three child domains named amer.contoso.com, apac.contoso.com, and emea.contoso.com. Fabrikam.com contains a child domain named apac.fabrikam.com. A bidirectional forest trust exists between contoso.com and fabrikam.com.
You need to provide users in the contoso.com forest with access to the resources in the fabrikam.com forest. The solution must meet the following requirements:
•	Users in contoso.com must only be added directly to groups in the contoso.com forest.
•	Permissions to access the resources in fabrikam.com must only be granted directly to groups in the fabrikam.com forest.
•	The number of groups must be minimized.
Which type of groups should you use to organize the users and to assign permissions? To answer, drag the appropriate group types to the correct requirements. Each group may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
 

HOTSPOT
-
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the domain controllers shown in the following table.
 
You need to configure DC3 to be the authoritative time server for the domain.
Which operations master role should you transfer to DC3, and which console should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three Active Directory sites named Site1, Site2, and Site3. Each site contains two domain controllers. The sites are connected by using DEFAULTIPSITELINK.
You open a new branch office that contains only client computers.
You need to ensure that the client computers in the new office are primarily authenticated by the domain controllers in Site1.
Solution: You create a new site named Site4 and associate Site4 to DEFAULTIPSITELINK.
Does this meet the goal?

A. Yes

B. No

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three Active Directory sites named Site1, Site2, and Site3. Each site contains two domain controllers. The sites are connected by using DEFAULTIPSITELINK.
You open a new branch office that contains only client computers.
You need to ensure that the client computers in the new office are primarily authenticated by the domain controllers in Site1.
Solution: You configure the Try Next Closest Site Group Policy Object (GPO) setting in a GPO that is linked to Site1.
Does this meet the goal?

A. Yes

B. No

You have a server that runs Windows Server 2022 and has the network adapters shown in the following table.
 
You need to configure NIC teaming for LAN2 and LAN3. The solution must support Dynamic Virtual Machine Multi-Queue (d.VMMQ).
What should you use?

A. LACP teaming mode

B. Switch Embedded Teaming (SET)

C. load balancing and failover (LBFO)

D. Static teaming mode

Your network contains an Active Directory Domain Services (AD DS) domain.
You plan to use Active Directory Administrative Center to create a new user named User1.
Which two attributes are required to create User1? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Password

B. Profile path

C. User SamAccountName logon

D. Full name

E. First name

F. User UPN logon

DRAG DROP -
You have a server named Server1.
You plan to use Storage Spaces to expand the storage available to Server1. You attach eight physical disks to Server1. Four disks are HDDs and four are SSDs.
You need to create a volume on Server1 that will use the storage on all the new disks. The solution must provide the fastest read performance for frequently used files.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
 

Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains a DNS server named Server1. Server1 hosts a DNS zone named fabrikam.com that was signed by DNSSEC.
You need to ensure that all the member servers in the domain perform DNSSEC validation for the fabrikam.com namespace.
What should you do?

A. On Server1, run the Add-DnsServerTrustAnchor cmdlet.

B. On each member server, run the Add-DnsServerTrustAnchor cmdlet.

C. From a Group Policy Object (GPO), add a rule to the Name Resolution Policy Table (NRPT).

D. From a Group Policy Object (GPO), modify the Network List Manager policies.

HOTSPOT -
You have 10 on-premises servers that run Windows Server.
You plan to use Azure Network Adapter to connect the servers to the resources in Azure.
Which prerequisites do you require on-premises and in Azure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
 

DRAG DROP -
You deploy a new Active Directory Domain Services (AD DS) forest named contoso.com. The domain contains three domain controllers named DC1, DC2, and
DC3.
You rename Default-First-Site-Name as Site1.
You plan to ship DC1, DC2, and DC3 to datacenters in different locations.
You need to configure replication between DC1, DC2, and DC3 to meet the following requirements:
✑ Each domain controller must reside in its own Active Directory site.
✑ The replication schedule between each site must be controlled independently.
✑ Interruptions to replication must be minimized.
Which three actions should you perform in sequence in the Active Directory Sites and Services console? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
 

You have a server named Server1 that runs Windows Server and contains a file share named Share1.
You need to prevent users from storing MP4 files in Share1. The solution must ensure that the users can store other types of files in the share.
What should you configure on Server1?

A. File Management Tasks

B. NTFS Quotas

C. NTFS permissions

D. file screens

You have an Azure subscription that contains the following resources.
✑ An Azure Log Analytics workspace
✑ An Azure Automation account
✑ Azure Arc
You have an on-premises server named Server1 that is onboarded to Azure Arc.
You need to manage Microsoft updates on Server1 by using Azure Arc.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. From the Automation account, enable Update Management for Server1.

B. From the Virtual machines data source of the Log Analytics workspace, connect Server1.

C. On Server1, install the Azure Monitor agent

D. Add Microsoft Sentinel to the Log Analytics workspace

What should you implement for the deployment of DC3?

A. Azure Active Directory Domain Services (Azure AD DS)

B. an Azure virtual machine

C. an Azure AD administrative unit

D. Azure AD Application Proxy

DRAG DROP -
You create a new Azure subscription.
You plan to deploy Azure Active Directory Domain Services (Azure AD DS) and Azure virtual machines.
You need to ensure that the virtual machines can join to Azure AD DS.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
 

You have an on-premises Active Directory Domain Services (AD DS) domain named contoso.com that syncs with Azure AD by using Azure AD Connect.
You enable password protection for contoso.com.
You need to prevent users from including the word contoso as part of their password.
What should you use?

A. the Azure Active Directory admin center

B. Active Directory Users and Computers

C. Synchronization Service Manager

D. Windows Admin Center

You have an on-premises server named Server1 that runs Windows Server.
You have an Azure subscription that contains a virtual network named VNet1.
You need to connect Server1 to VNet1 by using Azure Network Adapter.
What should you use?

A. the Azure portal

B. Azure AD Connect

C. Device Manager

D. Windows Admin Center

HOTSPOT
-
Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains a child named east.contoso.com and the servers shown in the following table.
 
You need to create a folder for the Central Store to manage Group Policy template files for the entire forest.
What should you name the folder, and on which server should you create the folder? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

You need to implement an availability solution for DHCP that meets the networking requirements.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. On DHCP1, create a scope that contains 25 percent of the IP addresses from Scope2.

B. On the router in each office, configure a DHCP relay.

C. DHCP2, configure a scope that contains 25 percent of the IP addresses from Scope1.

D. On each DHCP server, install the Failover Clustering feature and add the DHCP cluster role.

E. On each DHCP scope, configure DHCP failover.

SIMULATION
-
You need to collect the recommended Windows Performance Counters from SRV1 in a Log Analytics workspace.
The required files are stored in a shared folder named dc1install.
To complete this task, sign in to the required computer or computers.

HOTSPOT -
Which groups can you add to Group3 and Group5? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
 

HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains a child domain named east.contoso.com.
In the contoso.com domain, you create two users named Admin1 and Admin2.
You need to ensure that the users can perform the following tasks:
✑ Admin1 can create and manage Active Directory sites.
✑ Admin2 can deploy domain controllers to the east.contoso.com domain.
The solution must use the principle of least privilege.
To which group should you add each user? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
 

HOTSPOT -
You need to meet the technical requirements for Server4.
Which cmdlets should you run on Server1 and Server4? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
 

HOTSPOT -
You have a server named Server1 that runs Windows Server and has the Hyper-V server role installed.
You need to limit which Hyper-V module cmdlets helpdesk users can use when administering Server1 remotely.
You configure Just Enough Administration (JEA) and successfully build the role capabilities and session configuration files.
How should you complete the PowerShell command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
 

HOTSPOT
-
Your network contains two Active Directory Domain Services (AD DS) forests as shown in the following exhibit.
 
The forests contain the domain controllers shown in the following table.
 
You perform the following actions on DC1:
•	Create a user named User1.
•	Extend the schema with a new attribute named Attribute1.
To which domain controllers are User1 and Attribute1 replicated? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

SIMULATION
-
You plan to delegate the management of a DNS zone named fabrikam.com located on DC1 to the BranchAdmins group.
You need to ensure that you can grant permissions to the fabikam.com zone.
To complete this task, sign in the required computer or computers.

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. The on-premises network is connected to Azure by using a Site-to-Site VPN.
You have the DNS zones shown in the following table.
 
You need to ensure that names from fabrikam.com can be resolved from the on-premises network.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Create a stub zone for fabrikam.com on DC1.

B. Create a conditional forwarder for fabrikam.com on DC1.

C. Create a secondary zone for fabrikam.com on DC1.

D. Deploy an Azure virtual machine that runs Windows Server. Modify the DNS Servers settings for the virtual network.

E. Deploy an Azure virtual machine that runs Windows Server. Configure the virtual machine as a DNS forwarder.

You have an on premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. The domain contains two servers named Server1 and Server2.
A user named Admin1 is a member of the local Administrators group on Server1 and Server2.
You plan to manage Server1 and Server2 by using Azure Arc. Azure Arc objects will be added to a resource group named RG1.
You need to ensure that Admin1 can configure Server1 and Server2 to be managed by using Azure Arc.
What should you do first?

A. From the Azure portal, generate a new onboarding script.

B. Assign Admin1 the Azure Connected Machine Onboarding role for RG1.

C. Hybrid Azure AD join Server1 and Server2.

D. Create an Azure cloud-only account for Admin1.

You have an Active Directory Domain Services (AD DS) domain that contains the domain controllers shown in the following table.
 
The domain contains an app named App1 that uses a custom application partition to store configuration data.
You decommission App1.
When you attempt to remove the custom application partition, the process fails.
Which domain controller is unavailable?

A. DC1

B. DC2

C. DC3

D. DC4

Your company has a main office and a branch office. The two offices are connected by using a WAN link. Each office contains a firewall that filters WAN traffic.
The network in the branch office contains 10 servers that run Windows Server. All servers are administered from the main office only.
You plan to manage the servers in the branch office by using a Windows Admin Center gateway.
On a server in the branch office, you install the Windows Admin Center gateway by using the defaults settings.
You need to configure the firewall in the branch office to allow the required inbound connection to the Windows Admin Center gateway.
Which inbound TCP port should you allow?

A. 443

B. 3389

C. 5985

D. 6516

You have an Azure subscription. The subscription contains a virtual machine named VM1 that runs Windows Server.
You build an app named App1.
You need to configure continuous integration and continuous deployment (CI/CD) of App1 to VM1.
What should you create first?

A. an App Service Environment

B. an Azure DevOps organization

C. a managed identity

D. an Azure Automation account

Your on-premises network has an IP address range of 10.0.0.0/23.
You have an Azure virtual network named VNet1 that contains a virtual machine named VM1.
VNet1 has an IP address range of 10.0.1.0/24.
You need to deploy a Site-to-Site (S2S) VPN to connect the on-premises network to VNet1.
What should you do first?

A. Deploy Azure Bastion to VNet1.

B. Deploy Azure Extended Network.

C. Configure VNet1 to use the IP address range of 10.0.2.0/24.

D. Configure VNet1 to use an IP address range of 10.0.1.128/25.

HOTSPOT
-
You have an Active Directory Domain Services (AD DS) domain that contains the member servers shown in the following table.
 
Server3 contains a data disk named Disk1 that has Data Deduplication installed. Disk1 contains the files shown in the following table.
 
Server3 fails.
You need to recover the files on Disk1.
Which files can you recover if you attach Disk1 to Server1, and which files can you recover if you attach Disk1 to Server2? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
 

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.
You need to identify which server is the PDC emulator for the domain.
Solution: From Active Directory Sites and Services, you right-click Default-First-Site-Name in the console tree, and then select Properties.
Does this meet the goal?

A. Yes

B. No

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three Active Directory sites named Site1, Site2, and Site3. Each site contains two domain controllers. The sites are connected by using DEFAULTIPSITELINK.
You open a new branch office that contains only client computers.
You need to ensure that the client computers in the new office are primarily authenticated by the domain controllers in Site1.
Solution: You create a new subnet object that is associated to Site1.
Does this meet the goal?

A. Yes

B. No