The safer , easier way to help you pass any IT exams.

Exam : AZ-801

Title : Configuring Windows

Server Hybrid Advanced
Services

Version : V9.02

1 / 80
 The safer , easier way to help you pass any IT exams.

1.Topic 1, Fabrikam inc

Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this
exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided
in the case study. Case studies might contain exhibits and other resources that provide more information
about the scenario that is described in the case study. Each question is independent of the other
questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers
and to make changes before you move to the next section of the exam. After you begin a new section,
you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to
explore the content of the case study before you answer the questions. Clicking these buttons displays
information such as business requirements, existing environment, and problem statements. If the case
study has an All Information tab, note that the information displayed is identical to the information
displayed on the subsequent tabs. When you are ready to answer a question, click the Question button
to return to the question.

Overview
Fabrikam, Inc. is a manufacturing company that has a main office in Chicago and a branch office in
Paris.

Existing Environment
Identity Infrastructure
Fabrikam has an Active Directory Domain Services (AD DS) forest that syncs with an Azure Active
Directory (Azure AD) tenant. The AD DS forest contains two domains named corp.fabrikam.com and
europe.fabrikam.com.

Chicago Office On-Premises Servers

The office in Chicago contains on-premises servers that run Windows Server 2016 as shown in the
following table.

2 / 80
 The safer , easier way to help you pass any IT exams.

All the servers in the Chicago office are in the corp.fabrikam.com domain.
All the virtual machines in the Chicago office are hosted on HV1 and HV2. HV1 and HV2 are nodes in a
failover cluster named Cluster1.
WEB1 and WEB2 run an Internet Information Services (IIS) website. Internet users connect to the
website by using a URL of https://www.fabrikam.com.
All the users in the Chicago office run an application that connects to a UNC path of \\Fileserver1\Data.
Paris On-Premises Servers
The office in Paris contains a physical server named dc2.europe.fabrikam.com that runs Windows Server
2016 and is a domain controller for the europe.fabrikam.com domain. Network Infrastructure
The networks in both the Chicago and Paris offices have local internet connections. The Chicago and
Paris offices are connected by using VPN connections.
The client computers in the Chicago office get IP addresses from DHCP1.

Security Risks
Fabrikam identifies the following security risks:
Some accounts connect to AD DS resources by using insecure protocols such as NTLMv1, SMB1, and
unsigned LDAP.
Servers have Windows Defender Firewall enabled. Server administrators sometimes modify firewall rules
and allow risky connections.

Requirements
Security Requirements
Fabrikam identifies the following security requirements:

3 / 80
 The safer , easier way to help you pass any IT exams.

Prevent server administrators from configuring Windows Defender Firewalls rules.

Encrypt all the data disks on the servers by using BitLocker Drive Encryption (BitLocker).
Ensure that only authorized applications can be installed or run on the servers in the forest.
Implement Microsoft Sentinel as a reporting solution to identify all connections to the domain controllers
that use insecure protocols.

On-Premises Migration Plan

Fabrikam plans to migrate all the existing servers and identifies the following migration requirements:
Move the APP1 and APP2 virtual machines in the Chicago office to a new Hyper-V failover cluster
named Cluster2 that will run Windows Server 2022.
- Cluster2 will contain two new nodes named HV3 and HV4.
- All virtual machine files will be stored on a Cluster Shared Volume (CSV).
Migrate Archive1 to a new failover cluster named Cluster3 that will run Windows Server 2022.
- Cluster3 will contain two physical nodes named Node1 and Node2.
- The file shares on Cluster3 will be a failover cluster role in active-passive mode.
Migrate all users, groups, and client computers from europe.fabrikam.com to corp.fabrikam.com.
- The migration will be performed by using the Active Directory Migration Tool (ADMT).
- A computer named ADMT computer will be deployed to the corp.fabrikam.com domain to run ADMT
migration procedures.
- User accounts will retain their existing password.

Migrate the data share from Fileserver1 to a new server named Fileserver2 that will run Windows Server
2022. After the migration, the data share must be accessible by using the existing UNC path.

Azure Migration Plan

Fabrikam plans to migrate some resources to Azure and identifies the following migration requirements:
Create an Azure subscription named Sub1.
Create an Azure virtual network named Vnet1.
Use ExpressRoute to connect the Paris and Chicago offices to Vnet1.
License all servers for Microsoft Defender for servers.
Migrate APP3 and APP4 to Azure.
Migrate the www.fabrikam.com website to an Azure App Service web app named WebApp1.
Decommission WEB1 and WEB2.

DHCP Migration Plan

Fabrikam plans to replace DHCP1 with a new server named DHCP2 and identifies the following
migration requirements:
Ensure that DHCP2 provides the same IP addresses that are currently available from DHCP1.
Prevent DHCP1 from servicing clients once services are enabled on DHCP2.
Ensure that the existing leases and reservations are migrated.

You are remediating the firewall security risks to meet the security requirements.
What should you configure to reduce the risks?
A. a Group Policy Object (GPO)

4 / 80
 The safer , easier way to help you pass any IT exams.

B. adaptive network hardening in Microsoft Defender for Cloud

C. a network security group (NSG) in Sub1
D. an Azure Firewall policy
Answer: A
Explanation:
Firewall rules configured in a Group Policy Object cannot be modified by local server administrators.
Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-
an-inbound-port-rule

2.DRAG DROP
You are planning the implementation of Cluster2 to support the on-premises migration plan.
You need to ensure that the disks on Cluster2 meet the security requirements.
In which order should you perform the actions? To answer, move all actions from the list of actions to the
answer area and arrange them in the correct order.

Answer:

Explanation:
Graphical user interface, text, application, table
Description automatically generated

3.HOTSPOT
You are planning the www.fabrikam.com website migration to support the Azure migration plan.
How should you configure WebApp1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

5 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:
Box 1: Add a custom domain name
To migrate www.fabrikam.com website to an Azure App Service web app, you need to add Fabrikam.com
as a custom domain in Azure. This will make the domain name available to use in the web app.
Box 2: Modify a DNS record
You need to change the DNS record for www.fabrikam.com to point to the Azure web app.
HTTP redirect rules won’t work because WEB1 and WEB2 will be decommissioned.

4.You are planning the migration of Archive1 to support the on-premises migration plan.
What is the minimum number of IP addresses required for the node and cluster roles on Cluster3?
A. 2
B. 3
C. 4
D. 5
Answer: B
Explanation:
One IP for each of the two nodes in the cluster and one IP for the cluster virtual IP (VIP).

5.You are planning the data share migration to support the on-premises migration plan.
What should you use to perform the migration?
A. Storage Migration Service
B. Microsoft File Server Migration Toolkit
C. File Server Resource Manager (FSRM)
D. Windows Server Migration Tools
Answer: A
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/migrate-
data

6.You are planning the deployment of Microsoft Sentinel.

Which type of Microsoft Sentinel data connector should you use to meet the security requirements?
A. Threat Intelligence - TAXII
B. Azure Active Directory

6 / 80
 The safer , easier way to help you pass any IT exams.

C. Microsoft Defender for Cloud

D. Microsoft Defender for Identity
Answer: D
Explanation:
Reference: https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-legacy-protocols

7.HOTSPOT
You need to implement a security policy solution to authorize the applications. The solution must meet
the security requirements.
Which service should you use to enforce the security policy, and what should you use to manage the
policy settings? To answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.

Answer:

Explanation:
Graphical user interface, text, application, chat or text message
Description automatically generated

7 / 80
 The safer , easier way to help you pass any IT exams.

8.HOTSPOT
You are planning the europe.fabrikam.com migration to support the on-premises migration plan-Where
should you install the Password Export Server (PES) service, where should you generate the encryption
key? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is
worth one point.

Answer:

9.DRAG DROP
You are planning the DHCP1 migration to support the DHCP migration plan.
Which two PowerShell cmdlets should you run on DHCP1, and which two PowerShell cmdlets should
you run on DHCP2? To answer, drag the appropriate cmdlets to the correct servers. Each cmdlet may be
used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to
view content. NOTE: Each correct selection is worth one point.

8 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:
Graphical user interface, text, application, chat or text message
Description automatically generated

10.HOTSPOT
You are planning the migration of APP3 and APP4 to support the Azure migration plan.
What should you do on Cluster1 and in Azure before you perform the migration? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

9 / 80
 The safer , easier way to help you pass any IT exams.

Explanation:
Graphical user interface, text, application
Description automatically generated

11. Topic 2, Contoso, Ltd

Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this
exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided
in the case study. Case studies might contain exhibits and other resources that provide more information
about the scenario that is described in the case study. Each question is independent of the other
questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers
and to make changes before you move to the next section of the exam. After you begin a new section,
you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to
explore the content of the case study before you answer the questions. Clicking these buttons displays
information such as business requirements, existing environment, and problem statements. If the case
study has an All Information tab, note that the information displayed is identical to the information
displayed on the subsequent tabs. When you are ready to answer a question, click the Question button
to return to the question.

10 / 80
 The safer , easier way to help you pass any IT exams.

Overview
Contoso, Ltd. is a manufacturing company that has a main office in Seattle and branch offices in Los
Angeles and Montreal.

Existing Environment
Active Directory Environment
Contoso has an on-premises Active Directory Domain Services (AD DS) domain named contoso.com
that syncs with an Azure Active Directory (Azure AD) tenant.

The AD DS domain contains the domain controllers shown in the following table.

Contoso recently purchased an Azure subscription.

The functional level of the forest is Windows Server 2012 R2. The functional level of the domain is
Windows Server 2012. The forest has the Active Directory Recycle Bin enabled.

The contoso.com domain contains the users shown in the following table.

The contoso.com domain has the Group Policy Objects (GPOs) shown in the following table.

The contoso.com domain has the Password Settings Objects (PSOs) shown in the following table.

11 / 80
 The safer , easier way to help you pass any IT exams.

Server Infrastructure
The contoso.com domain contains servers that run Windows Server 2022 as shown in the following
table.

By using Windows Firewall with Advanced Security, the servers have isolation connection security rules
configured as shown in the following table.

Server4 has no connection security rules.

Server4 Configurations
Server4 has the effective Group Policy settings for user rights as shown in the following table.

Server4 has the disk configurations shown in the following exhibit.

12 / 80
 The safer , easier way to help you pass any IT exams.

Virtualization Infrastructure
The contoso.com domain has the Hyper-V failover clusters shown in the following table.

Technical Requirements
Contoso identifies the following technical requirements:
Promote a new server named DC4 that runs to Windows Server 2022 to a domain controller.
Replicate the virtual machines from Cluster2 to an Azure Recovery Services vault.
Centrally manage performance alerts in Azure for all the domain controllers.
Ensure that User1 can recover objects from the Active Directory Recycle Bin.
Migrate Share1 to Server2, including all the share and folder permissions.
Back up Server4 and all data to an Azure Recovery Services vault.
Use Hyper-V Replica to protect the virtual machines in Cluster3.
Implement BitLocker Drive Encryption (BitLocker) on Server4.
Whenever possible, use the principle of least privilege.

Which domain controller should be online to meet the technical requirements for DC4?
A. DC1

13 / 80
 The safer , easier way to help you pass any IT exams.

B. DC2
C. DC3
Answer: A

12.You need to meet technical requirements for Share1.

What should you use?
A. Storage Migration Service
B. File Server Resource Manager (FSRM)
C. Server Manager
D. Storage Replica
Answer: A
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/overview

13.DRAG DROP
You need to meet the technical requirements for Cluster2.
Which four actions should you perform in sequence before you can enable replication? To answer, move
the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:
Text
Description automatically generated

14.You need to meet the technical requirements for Cluster3.

What should you include in the solution?
A. Enable integration services on all the virtual machines.
B. Add a Windows Server server role.
C. Configure a fault domain doe the cluster.
D. Add a failover cluster role.
Answer: D

14 / 80
 The safer , easier way to help you pass any IT exams.

Explanation:
The Hyper-V replica broker role is required on the cluster.
Reference: https://docs.microsoft.com/en-us/virtualization/community/team-blog/2012/20120327-why-is-
the-hyper-v-replica-broker-required

15.You are evaluating the technical requirements tor Cluster2.

What is the minimum number of Azure Site Recovery Providers that you should install?
A. 1
B. 4
C. 12
D. 16
Answer: B

16.HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point.

Answer:

Explanation:
Text
Description automatically generated

17.HOTSPOT
You need to implement alerts for the domain controllers. The solution must meet the technical
requirements.
What should you do on the domain controllers, and what should you create on Azure? To answer, select
the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

15 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:
Text
Description automatically generated

18.HOTSPOT
You need to configure BitLocker on Server4.
On which volumes can you turn on BitLocker, and on which volumes can you turn on auto-unlock? To
answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one
point.

16 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

17 / 80
 The safer , easier way to help you pass any IT exams.

19.You need to back up Server 4 to meet the technical requirements.

What should you do first?
A. Deploy Microsoft Azure Backup Server (MABS).
B. Configure Windows Server Backup.
C. Install the Microsoft Azure Recovery Services (MARS) agent.
D. Configure Storage Replica.
Answer: C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/backup/install-mars-agent

20.HOTSPOT
What is the effective minimum password length for User1 and Admin1? To answer, select the appropriate
options in the answer area. NOTE: Each correct selection is worth one point.

Answer:

18 / 80
 The safer , easier way to help you pass any IT exams.

Explanation:
Table
Description automatically generated
Box 1: 9
When multiple PSOs apply to a user, the PSO with the highest precedence (lowest precedence number)
applies which in this case is PSO1.
Box 2: 8
There are no PSOs applied to Admin1 so the password policy from the Default Domain GPO applies.
The Minimum password length setting in GPO1 would only apply to local user accounts on computers in
OU1. It does not apply to domain user accounts.

21.You need to meet the technical requirements for User1.

To which group in contoso.com should you add User1?
A. Domain Admins
B. Account Operators
C. Schema Admins
D. Backup Operators
Answer: A

22.HOTSPOT
With which servers can Server1 and Server3 communicate? To answer, select the appropriate options in
the answer area. NOTE: Each correct selection is worth one point.

19 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:
Graphical user interface, text, application, chat or text message
Description automatically generated

23. Topic 3, Misc. Questions

You have three servers named Server1. Server1 and Server3 that run Windows Server and have the

20 / 80
 The safer , easier way to help you pass any IT exams.

hyper V server rote installed. Server 1 hosts an Azure Migrate appliance named Migrate1.
You plan to migrate virtual machines to Azure.
You need to ensure that any new virtual machines created on Server 1. Server2 and Server3 are
available in Azure Migrate
What should you do?
A. On Migrate1, add a discovery source.
B. On the DNS server used by Migrate 1, create a GlobalName zone.
C. On Migrate1, set the Startup Type of the Computer Browser service to Automatic
D. On the network that has Migrate1 deployed, deploy a WINS server.
Answer: A

24.HOTSPOT
You have an on-premises server named Server1 and Microsoft Sentinel instance.
You plan to collect windows Defender Firewall events from Sever1 and analyze the event data by using
Microsoft Sentinel.
What should you install on Server1, and which information should you provide during the instance? To
answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one
point.

Answer:

25.HOTSPOT
You have a failover cluster named FC1 that contains two nodes named Server1 and Server2. FC1 is
configured to use a file share witness.
You plan to configure FC1 to use a cloud witness.
You need to configure Azure Storage accounts for the cloud witness.
Which storage account type and authorization method should you configure? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one point.

21 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:
Graphical user interface, text
Description automatically generated with medium confidence

26.DRAG DROP
You have two physical servers named AppSrv1 and AppSrv2 and an unconfigured server named
Server1. All the servers run Windows Server. Only Server1 can access the internet.
You plan to use Azure Site Recovery to replicate AppSrv1 and AppSrv2 to Azure.
You need to deploy the required components to AppSrv1, AppSrv2, and Server1.
Which components should you deploy? To answer, drag the appropriate components to the correct
servers. Each component may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Answer:

22 / 80
 The safer , easier way to help you pass any IT exams.

Explanation:
Graphical user interface, text, application
Description automatically generated

27.You have an on-premises server named Server1 that runs Windows Server and has the Hyper-V
server role installed.
You have an Azure subscription.
You plan to back up Server1 to Azure by using Azure Backup.
Which two Azure Backup options require you to deploy Microsoft Azure Backup Server (MABS)? Each
correct answer presents a complete solution. NOTE: Each correct selection is worth one point.
A. Bare Metal Recovery
B. Files and folders
C. System State
D. Hyper-V Virtual Machines
Answer: A,C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/backup/backup-mabs-system-state-and-bmr

28.HOTSPOT
You have a server that runs Windows Server and has the Web Server (IIS) server role installed.
Server1 hosts a single website that has the following configurations:
✑ Is accessible by using a URL of https://www.contoso.com:8443 and has an SSL certificate that was
issued by a third-party certification authority (CA) in the Microsoft Trusted Root Program
✑ Uses anonymous authentication
✑ Was developed by using PHP
You plan to use APP Service Migration Assistant to migrate the website to Azure App Service.
You need to migrate the website. The solution must minimize the number of changes made to the
existing website.
What should you do manually to ensure that the website migration is successful? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth one point.

23 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:
Graphical user interface, text, application
Description automatically generated

29.You have an on-premises server named Served that runs Windows Server. You have an Azure
subscription. You plan to back up the files and folders on Server1 to Azure by using Azure Backup. You
need to define how long the backups will be retained.
What should you use to configure the retention?
A. Backup center
B. Windows Server Backup
C. the Microsoft Azure Recovery Services (MARS) agent
D. a Recovery Services vault
Answer: B

30.HOTSPOT
You have a failover cluster named Cluster1 that contains the nodes shown in the following table.

24 / 80
 The safer , easier way to help you pass any IT exams.

A File Server for general use cluster role named HAFS is configured as shown in the
General exhibit (Click the General tab.)

Answer:

31.Your company uses Storage Spaces Direct.

You need to view the available storage in a Storage Space Direct storage pool.
What should you use?
A. The Get-StoragefileServer cmdlet
B. Resource Monitor
C. System Configuration
D. Windows Admin Center
Answer: D

32.You have two Azure Virtual machines that run Windows Server.
You plan to create a failover cluster that will host the virtual machines.
You need to configure an Azure Storage account that will be used by the cluster as a cloud witness. The
solution must maximize resiliency.
Which type of redundancy should you configure for the storage account?
A. Geo-zone-redundant storage (GZRS)
B. Geo-redundant storage (GRS)
C. Zone-redundant storage (ZRS)
D. Locally-redundant storage (LRS)
Answer: A

33.Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these

25 / 80
 The safer , easier way to help you pass any IT exams.

questions will not appear in the review screen.

You have a failover cluster named Cluster1 that hosts an application named App1.
The General tab in App1 Properties is shown in the General exhibit. (Click the General tab.)

The Failover tab in App1 Properties is shown in the Failover exhibit. (Click the Failover tab.)

26 / 80
 The safer , easier way to help you pass any IT exams.

Server1 shuts down unexpectedly.

You need to ensure that when you start Server1, App1 continues to run on Server2.
Solution: From the Failover settings, you select Prevent failback.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
The Prevent failback setting will prevent the cluster failing back to Server1.

34.HOTSPOT

27 / 80
 The safer , easier way to help you pass any IT exams.

Your network contains an Active Directory Domain Services (AD DS) domain.
The domain contains the servers shown in the following table.

Server3 contains a share named Share1.

On Server1, DHCP has the following configurations:
Conflict detection attempts: 3
An IPv4 scope named Scope1 that has the following settings:
1. Address Pool: 172.16.10.100 - 172.16.10.130
2. Address Leases:
- 172.16.10.100 computer1.contoso.com
- 172.16.10.101 computer2.contoso.com
Reservations: 172.16.10.101 computer2.contoso.com
Policies: Policy1
You perform the following actions:
✑ On Server1, you run
Export-DhcpServer -File \\Server3\Share1\File1.xml.
✑ On Server2, you run
Import-DhcpServer -File \\Server3\Share1\File1.xml
-BackupPath \\Server3\Share1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point.

Answer:

Explanation:
Text
Description automatically generated

28 / 80
 The safer , easier way to help you pass any IT exams.

35.Your network contains an Active Directory Domain Service (AD DS) domain named contoso.com. The
domain contains three domain controllers named DC1, DC2, and DC3.
You connect a Microsoft Defender or identity instances to the domain.
You need to onboard all the domain controllers to Defender for identity.
What should you run the domain controllers?
A. AzureConnectedMachineAgent,wsl
B. MARAgentInstaller,exe
C. Azure ATP Sensor setup,exe
D. MASetup-AMD64,exe
Answer: B

36.You have an Azure virtual machine named VM1.

You enable Microsoft Defender SmartScreen on VM1.
You need to ensure that the SmartScreen messages displayed to users are logged.
What should you do?
A. From a command prompt, run WinRM quickconfig.
B. From the local Group Policy, modify the Advanced Audit Policy Configuration settings.
C. From Event Viewer, enable the Debug log.
D. From the Windows Security app. configure the Virus & threat protection settings.
Answer: C
Explanation:
Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-
smartscreen/microsoft-defender-smartscreen-overview

37.You have a server named Server1 that runs Windows Server.

You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From App & browser control, you configure the Reputation-based protection.
Does this meet the goal?
A. Yes
B. No
Answer: B

38.Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains
two servers named Server1 and Server2 that run Windows Server.
You need to ensure that you can use the Computer Management console to manage Server2. The
solution must use the principle of least privilege.
Which two Windows Defender Firewall with Advanced Security rules should you enable on Server2?
Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. the COM+ Network Access (DCOM-ln) rule
B. all the rules in the Remote Event Log Management group
C. the Windows Management Instrumentation (WMI-ln) rule
D. the COM+ Remote Administration (DCOM-ln) rule
E. the Windows Management Instrumentation (DCOM-ln) rule

29 / 80
 The safer , easier way to help you pass any IT exams.

Answer: A,B
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/administration/server-manager/configure-
remote-management-in-server-manager

39.DRAG DROP
You have two Azure virtual machines named VM1 and VM2. VM1 is backed up to an Azure Recovery
Services vault daily and retains backups for 30 days.
You need to restore an individual file named C:\Data\Important.docx from VM1 to VM2. The solution
must minimize administrative effort.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the
list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:
Text
Description automatically generated

40.You have an Azure virtual machine named VM1 that runs Windows Server.
You need to encrypt the contents of the disks on VM1 by using Azure Disk Encryption.
What is a prerequisite for implementing Azure Disk Encryption?
A. Customer Lockbox for Microsoft Azure
B. an Azure key vault
C. a BitLocker recovery key
D. data-link layer encryption in Azure
Answer: B
Explanation:

30 / 80
 The safer , easier way to help you pass any IT exams.

Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview

41.HOTSPOT
Your network contains an Active Directory Domain Services (AD DS) domain.
The domain contains a server named Server1 that runs Windows Server.

Answer:

42.Your company uses Storage Spaces Direct.

You need to view the available storage in a Storage Space Direct storage pool.
What should you use?
A. System Configuration
B. File Server Resource Manager (FSRM)
C. the Get-ScorageFileServer cmdlet
D. Failover Cluster Manager
Answer: D
Explanation:
If Failover Cluster Manager, select the Storage Space Direct storage pool. The information displayed in
the main window includes the free space and used space.

43.You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have 50 Azure virtual machines that run Windows Server.
You need to ensure that any security exploits detected on the virtual machines are forwarded to
Defender for Cloud.
Which extension should you enable on the virtual machines?
A. Vulnerability assessment for machines
B. Microsoft Dependency agent
C. Log Analytics agent for Azure VMs
D. Guest Configuration agent

31 / 80
 The safer , easier way to help you pass any IT exams.

Answer: A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-
vm

44.You deploy Azure Migrate to an on-premises network.

You have an on-premises physical server named Server1 that runs Windows Server and has the
following configuration.
* Operating system disk 600 GB
* Data disic 3 TB
* NIC Teaming: Enabled
* Mobility service: installed
* Windows Firewall: Enabled
* Microsoft Defender Antivirus: Enabled
You need to ensure that you can use Azure Migrate to migrate Server1.
Solution: You disable NIC Teaming on Server1.
Does this meet the goal?
A. Yes
B. No
Answer: B

45.You have a server named Server1 that runs the Remote Desktop Session Host role service. Server1
has five custom applications installed.
Users who sign in to Server1 report that the server is slow. Task Manager shows that the average CPU
usage on Server1 is above 90 percent. You suspect that a custom application on Server1 is consuming
excessive processor capacity.
You plan to create a Data Collector Set in Performance Monitor to gather performance statistics from
Server1.
You need to view the resources used by each of the five applications.
Which object should you add to the Data Collector Set?
A. Processor information
B. Processor
C. Process
D. Processor performance
Answer: C

46.You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure
Active Directory (Azure AD) tenant by using password hash synchronization.
You have a Microsoft 365 subscription.
All devices are hybrid Azure AD-joined.
Users report that they must enter their password manually when accessing Microsoft 365 applications.
You need to reduce the number of times the users are prompted for their password when they access
Microsoft 365 and Azure services.
What should you do?

32 / 80
 The safer , easier way to help you pass any IT exams.

A. In Azure AD. configure a Conditional Access policy for the Microsoft Office 365 applications.
B. In the DNS zone of the AD DS domain, create an autodiscover record.
C. From Azure AD Connect, enable single sign-on (SSO).
D. From Azure AD Connect, configure pass-through authentication.
Answer: C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

47.HOTSPOT
You have a Hyper-V failover cluster named Cluster1 at a main datacenter. Cluster1 contains two nodes
that have the Hyper-V server role installed. Cluster1 hosts 10 highly available virtual machines.
You have a cluster named Cluster2 in a disaster recovery site. Cluster2 contains two nodes that have the
Hyper-V server role installed.
You plan to use Hyper-V Replica to replicate the virtual machines from Cluster1 to Cluster2.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.

Answer:

33 / 80
 The safer , easier way to help you pass any IT exams.

Explanation:
Graphical user interface, text, application
Description automatically generated

48.DRAG DROP
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a
print server named Server1. All printers are deployed to users by using a Group Policy Object (GPO)
named GPO1.
You deploy a new server named Server2.
You need to decommission Server1.
The solution must meet the following requirements:
✑ Migrate the shared printers to Server2 by using the Printer Migration Wizard.
✑ Ensure that the users use the printers on Server2.
✑ Minimize downtime for the users.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the
list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:
Graphical user interface, text, application, email
Description automatically generated

49.You have three servers named Server 1. Servers and Server3 that run Windows Server. The servers
have the Hyper-V server rote installed and are configured in a Storage Spaces Deed cluster named
Cluster1.
Cluster1 hosts a virtual machine named VM1 that has Windows Admin Center Installed.
You manage all servers and clusters by using Windows Admin Center.
You purchase an Azure subscription.
You need to configure email alerts in Azure Monitor for the following:
• Disk Capacity Utilization Over 80% for 10 Minutes
• Any critical alert in the cluster system event log

34 / 80
 The safer , easier way to help you pass any IT exams.

• Memory Utilization over 95% for 10 minutes

• Heartbeat fewer than 5 beats for 5 Minutes.
• CPU Utilization over 85 % for 10 Minutes.
• Any hearth service faults for the cluster
The solution must use the minimum amount of administrative effort.
What should you do?
A. From Windows Admin Center, configure Azure Monitor and onboard clustered.
B. From Azure portal, configure Azure Monitor and onboard Cluster1 by using Azure Arc.
C. Configure Azure Monitor and manually install the Microsoft Monitoring Agent on Server1, Server2 and
Server3
Answer: A

50.Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains a single-domain Active Directory Domain Services (AD DS) forest named
contoso.com. The functional level of the forest is Windows Server 2012 R2. All domain controllers run
Windows Server 2012 R2.
Sysvol replicates by using the File Replication Service (FRS).
You plan to replace the existing domain controllers with new domain controllers that will run Windows
Server 2022.
You need to ensure that you can add the first domain controller that runs Windows Server 2022.
Solution: You run the Active Directory Migration Tool (ADMT).
Does this meet the goal?
A. Yes
B. No
Answer: B

51.You have an Azure virtual machine named VM1 that runs Windows Server.
When you attempt to install the Azure Performance Diagnostics extension on VM I, the installation fails.
You need to identify the cause of the installation failure.
What are two possible ways to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Sign in to VM1 and verify the WaAppAgentlog file.
B. From the Azure portal, view the alerts for VM1.
C. From the Azure portal, view the activity log for VM1.
D. Sign into VM1 and verify the MonitoringAgentlog file.
Answer: A,B

52.You have two file servers named Server1 and Server2 that run Windows Server. Server1 contains a
shared folder named Data. Data contains 10 TB of data.
You plan to decommission Server1.

35 / 80
 The safer , easier way to help you pass any IT exams.

You need to migrate the files from Data to a new shared folder on Server2.
The solution must meet the following requirements:
✑ Ensure that share, file, and folder permissions are copied.
✑ After the initial copy occurs, ensure that changes in \\Server1\Data can be synced to the destination
without initiating a full copy.
✑ Minimize administrative effort.
What should you use?
A. xcopy
B. Storage Replica
C. Storage Migration Service
D. azcopy
Answer: C
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-
service/overview#why-use-storage-migration-service

53.Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From Virus & threat protection, you configure Tamper Protection.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-
controlled-folders?view=o365-worldwide

54.HOTSPOT
You have three servers named Host1, Host2, and VM1 that run Windows Server. Host1 and Host2 have
the Hyper-V server role installed. VM1 is a virtual machine hosted on Host1.
You configure VM1 to replicate to Host2 by using Hyper-V Replica.
Which types of failovers can you perform on VM1 on each host? To answer, select the appropriate
options in the answer area. NOTE: Each correct selection is worth one point.

36 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:

37 / 80
 The safer , easier way to help you pass any IT exams.

Graphical user interface, text, application, chat or text message

Description automatically generated

55.You have a server named Server1 that runs Windows Server and has the Hyper-V server role
installed. You have a Hyper-V failover cluster named Cluster1. All servers are members of the same
domain.
You need to ensure that you use Hyper-V Replica with Kerberos authentication on the default port to
replicate virtual machines from Cluster1 to Server1.
What should you do on Server1?
A. Add primary servers to the Hyper-V Replica Broker configuration.
B. From Hyper-V Settings, select Enable incoming and outgoing live migrations
C. From Windows Defender Firewall with Advanced Security, enable the Hyper-V Replica HTTPS
Listener (TCP-ln) rule.
D. From Windows Defender Firewall with Advanced Security, enable the Hyper-V Replica HTTP Listener
(TCP-ln) rule.
Answer: D
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/manage/set-up-hyper-
v-replica

56.You have a Microsoft Sentinel deployment and 100 Azure Arc-enabled on-premises servers. All the
Azure Arc-enabled resources are in the same resource group.
You need to onboard the servers to Microsoft Sentinel. The solution must minimize administrative effort.
What should you use to onboard the servers to Microsoft Sentinel?
A. Azure Automation
B. Azure Policy
C. Azure virtual machine extensions
D. Microsoft Defender for Cloud
Answer: B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/cloud-adoption-
framework/manage/hybrid/server/best-practices/arc-policies-mma

57.DRAG DROP
You have an on-premises IIS web server that hosts a web app named Appl. You plan to migrate App1 to
a container and run the container in Azure.
You need to perform the following tasks:
• Export App1 to a ZIP file.
• Create a container image based on Appl.
The solution must minimize administrative effort.

38 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:
Azure Migrate
Web deploy

58.You have a three-node failover cluster.

You need to run pre-scripts and post-scripts when Cluster-Aware Updating (CAU) runs.
The solution must minimize administrative effort.
What should you use?
A. Scheduled tasks
B. Run profiles
C. Azure Functions
D. Windows Server Update Serveries (WSUS)
Answer: A

59.DRAG DROP
Your network contains an Active Directory Domain Services (AD DS) domain.
You need to implement a solution that meets the following requirements:
✑ Ensures that the members of the Domain Admins group are allowed to sign in only to domain
controllers
✑ Ensures that the lifetime of Kerberos Ticket Granting Ticket (TGT) for the members of the Domain
Admins group is limited to one hour
Which three actions should you perform in sequence? To answer, move the appropriate actions from the
list of actions to the answer area and arrange them in the correct order.

39 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:
Graphical user interface, text, application, email
Description automatically generated

60.HOTSPOT
Your network contains an Active Directory Domain Services (AD DS) domain.
The domain contains servers that run Windows Server as shown in the following table.

Server1 has the connection security rules shown in the following table.

Answer:

40 / 80
 The safer , easier way to help you pass any IT exams.

61.You have an on-premises network and an Azure virtual network.

You establish a Site-to-Site VPN connection from the on-premises network to the Azure virtual network,
but the connection frequently disconnects.
You need to debug the IPsec tunnel from Azure.
Which Azure VPN Gateway diagnostic log should you review?
A. GatewayDiagnosticLog
B. RouteDiagnosticLog
C. IKEDiagnosticLog
D. TunnelDiagnosticLog
Answer: D
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/troubleshoot-vpn-with-azure-diagnostics

62.Your on-premises network has a 200-Mbps connection to Azure and contains a server named
Server1 that stores 70 TB of data files.
You have an Azure Storage account named storage 1.
You plan to migrate the data files from Server1 to a blob storage container in storage!.
Testing shows that copying the data files by using azcopy will take approximately 35 days.
You need to minimize how long it will take to migrate the data to Azure.
What should you use?
A. Storage Migration Service
B. Azure Storage Explorer
C. Azure Data Box
D. Azure File Sync
Answer: A

63.You deploy Azure Migrate to an on-premises network.

You have an on-premises physical server named Server1 that runs Windows Server and has the
following configuration.
Operating system disk 600 GB
Data disic 3 TB
NIC Teaming: Enabled
Mobility service: installed
Windows Firewall: Enabled
Microsoft Defender Antivirus: Enabled

41 / 80
 The safer , easier way to help you pass any IT exams.

You need to ensure that you can use Azure Migrate to migrate Server1.
Solution: You disable Microsoft Defender Antivirus on Server1.
Does this meet the goal?
A. Yes
B. No
Answer: B

64.DRAG DROP
You have an Azure virtual machine named VM1 that runs Windows Server. VM1 has boot diagnostics
configured to use a managed storage account.
You are troubleshooting connectivity issue on VM1.
You need to run a PowerShell cmdlet on VM1 by using the Azure Serial Console.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the
list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:
Graphical user interface, text, application, email
Description automatically generated

65.CORRECT TEXT
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named
contos.com.
The domain contains the accounts shown in the following table.

42 / 80
 The safer , easier way to help you pass any IT exams.

The domain is configured to store BitLocker recovery keys in Active Directory.

* Admin1 turns on BitLocker Drive Encryption (BitLocker) for volume C on Server1.
* Admin1 moves Server1 to OU1.
* Admin2 turns on BitLocker for removable volume E on Server2.
* Admin2 moves removable volume E from Server2 to Server1 and unlocks the volume.
On which Active Directory object can you each BitLocker recovery key? To answer, select the
appropriate options in the answer area. NOTE: Each correct selection is worth on point.

Answer:

66.DRAG DROP
You have a server named Server1 that runs Windows Server and has the Web Server (IIS) server role
installed. Server1 hosts an ASP.NET Core web app named WebApp1 and the app’s source files.
You install Docker on Server1.
You need to ensure that you can deploy WebApp1 to an Azure App Service web app from the Azure
Container Registry.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the
list of actions to the answer area and arrange them in the correct order.

Answer:

43 / 80
 The safer , easier way to help you pass any IT exams.

Explanation:
Step 1: Create a Dockerfile. This file contains instructions for the build process.
Step 2: Run the docker build command to create a container image.
Step 3: Run the docker push command to upload the image to Azure Container Registry.

67.You deploy Azure Migrate to an on-premises network.

You have an on-premises physical server named Server1 that runs Windows Server and has the
following configuration.
Operating system disk 600 GB
Data disic 3 TB
NIC Teaming: Enabled
Mobility service: installed
Windows Firewall: Enabled
Microsoft Defender Antivirus: Enabled
You need to ensure that you can use Azure Migrate to migrate Server1.
Solution: You disable Windows Firewall on Server1.
Does this meet the goal?
A. Yes
B. No
Answer: B

68.You have an Azure subscription. The subscription contains a virtual machine named VM1 that runs
Windows Server.
The subscription contains the storage accounts shown in the following table.

You plan to enable boot diagnostics for VM1.

You need to configure storage for the boot diagnostics logs and snapshots.

44 / 80
 The safer , easier way to help you pass any IT exams.

Which storage account should you use?

A. storage1
B. storage2
C. storage3
Answer: C

69.You have five Azure virtual machines. You have a dedicated Azure Storage account to collect
performance data. You need to send the collected data directly to the Azure Storage account.
What should you install on the virtual machines?
A. the Telegraf agent
B. the Azure Monitor agent
C. the Dependency agent
D. the Azure Diagnostics extension
E. the Azure Connected Machine agent
Answer: D

70.DRAG DROP
You manage 200 physical servers that run Windows Server.
You plan to migrate the servers to Azure.
You need to prepare for discovery of the servers by using Azure Migrate.
Which three actions should you perform in sequence on a physical server? To answer, move the
appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:
Graphical user interface, text, application, email
Description automatically generated

71.You have an Azure virtual machine named VM1.

45 / 80
 The safer , easier way to help you pass any IT exams.

You install an application on VM1, and then restart the virtual machine.
After the restart, you get the following error message: “Boot failure. Reboot and Select proper Boot
Device or Insert Boot Media in selected Boot Device.”
You need to mount the operating system disk offline from VM1 to a temporary virtual machine to
troubleshoot the issue.
Which command should you run in Azure CLI?
A. az vm repair create
B. az vm boot-diagnostics enable
C. az vm capture
D. az vm disk attach
Answer: A
Explanation:
Reference: https://docs.microsoft.com/en-us/cli/azure/vm/repair?view=azure-cli-latest

72.HOTSPOT
You have two servers that have the Web Server (IIS) server role installed.
The servers are configured as shown in the following table.

Both servers are configured to enable website deployment by using the Web Deployment Tool. Server1
hosts a website named Site1 that has Web Deploy Publishing configured.
You plan to migrate Site1 to Server2.
You need to perform a pull synchronization of Site1 by using the Web Deployment Agent Service.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

73.You have two servers that run Windows Server as shown in the following table.

46 / 80
 The safer , easier way to help you pass any IT exams.

You need to copy the contents of volume E from Server1 to Server2.

The solution must meet the following requirements:
✑ Ensure that files in-use are copied.
✑ Minimize administrative effort.
What should you use?
A. Storage Migration Service
B. Azure File Sync
C. Azure Backup
D. Storage Replica
Answer: A

74.Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a failover cluster named Cluster1 that hosts an application named App1.
The General tab in App1 Properties is shown in the General exhibit. (Click the General tab.)

47 / 80
 The safer , easier way to help you pass any IT exams.

The Failover tab in App1 Properties is shown in the Failover exhibit. (Click the Failover tab.)

48 / 80
 The safer , easier way to help you pass any IT exams.

Server1 shuts down unexpectedly.

You need to ensure that when you start Server1, App1 continues to run on Server2.
Solution: You increase Maximum failures in the specified period for the App1 cluster role.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
The Maximum failures setting is used to determine when the cluster determines that a node is offline. It
does not affect whether a cluster will fail back when a node comes online.

75.Note: This question is part of a series of questions that present the same scenario. Each question in

49 / 80
 The safer , easier way to help you pass any IT exams.

the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains a single-domain Active Directory Domain Services (AD DS) forest named
contoso.com. The functional level of the forest is Windows Server 2012 R2. All domain controllers run
Windows Server 2012 R2.
Sysvol replicates by using the File Replication Service (FRS).
You plan to replace the existing domain controllers with new domain controllers that will run Windows
Server 2022.
You need to ensure that you can add the first domain controller that runs Windows Server 2022.
Solution: You migrate sysvol from FRS to Distributed File System (DFS) Replication.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Reference: https://www.rebeladmin.com/2021/09/step-by-step-guide-active-directory-migration-from-
windows-server-2008-r2-to-windows-server-2022/

76.DRAG DROP
Your network contains an Active Directory Domain Services (AD DS) domain that has the Active
Directory Recycle Bin enabled. All domain controllers are backed up daily.
You accidentally remove all the users from a domain group.
You need to get a list of the users that were previously in the group.
Which four actions should you perform in sequence from a domain controller? To answer, move the
appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

50 / 80
 The safer , easier way to help you pass any IT exams.

Explanation:
Graphical user interface, text, table
Description automatically generated with medium confidence

77.DRAG DROP
You need to create a Hyper-V hyper-converged cluster that stores virtual machines by using Storage
Spaces Owed
Which three actions should you perform in sequence? To answer, move the appropriate anions from the
list of actions to the answer area and arrange them in the correct order.

Answer:

78.DRAG DROP
You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure
Active Directory (Azure AD) tenant.
The AD DS domain contains a domain controller named DC1. DC1 does NOT have internet access.
You need to configure password security for on-premises users.

51 / 80
 The safer , easier way to help you pass any IT exams.

The solution must meet the following requirements:

✑ Prevent the users from using known weak passwords.
✑ Prevent the users from using the company name in passwords.
What should you do? To answer, drag the appropriate configurations to the correct targets. Each
configuration may be used once, more than once, or not at all. You may need to drag the split bar
between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Answer:

79.You deploy Azure Migrate to an on-premises network.

You have an on-premises physical server named Server1 that runs Windows Server and has the
following configuration.
* Operating system disk 600 GB
* Data disic 3 TB
* NIC Teaming: Enabled
* Mobility service: installed
* Windows Firewall: Enabled
* Microsoft Defender Antivirus: Enabled
You need to ensure that you can use Azure Migrate to migrate Server1.
Solution: You shrink the data disk on Server1.
Does this meet the goal?
A. Yes
B. No
Answer: B

80.Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these

52 / 80
 The safer , easier way to help you pass any IT exams.

questions will not appear in the review screen.

You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From App & browser control, you configure the Exploit protection settings.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-
controlled-folders?view=o365-worldwide

81.Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a failover cluster named Cluster1 that hosts an application named App1.
The General tab in App1 Properties is shown in the General exhibit (Click the General Tab)

53 / 80
 The safer , easier way to help you pass any IT exams.

The failover tab in App1 Properties is shown in the failover exhibit (Click the Failover tab.)

54 / 80
 The safer , easier way to help you pass any IT exams.

Server 1 shuts down unexpectedly.

You need to ensure that when you start Server 1. App1 continues to run on Server2
Solution: From the General settings, you increase the priority of Server2 in the Preferred Owners list.
Does this meet the goal?
A. Yes
B. NO
Answer: B

82.DRAG DROP
You have a server that runs Windows Server.
You plan to back up the server to an Azure Recovery Services vault once per week starting on the next
Saturday.
You need to schedule the weekly backup and perform the initial backup as soon as possible.

55 / 80
 The safer , easier way to help you pass any IT exams.

In which order should you perform the actions? To answer, move all actions from the list of actions to the
answer are and arrange them in the correct order.

Answer:

Explanation:
Text
Description automatically generated with medium confidence

83.Your network contains an Active Directory Domain Services (AD DS> domain. The domain contains
20 Active Directory sites. All user management is performed from a central site.
You add users to a group.
You discover that group changes do NOT appear on a domain controller in a remote site.
You need to identify whether the group changes appear on other domain controllers.
What should you use?
A. Microsoft Support and Recovery Assistant
B. File Replication Service (FRS) Status Viewer
C. Active Directory Replication Status Tool
D. Active Directory Sites and Services
Answer: D

84.HOTSPOT
The Default Domain Policy Group Policy Object (GPO) is shown in the GPO exhibit. (Click the GPO tab.)

56 / 80
 The safer , easier way to help you pass any IT exams.

The members of a group named Service Accounts are shown in the Group exhibit. (Click the Group tab.)

57 / 80
 The safer , easier way to help you pass any IT exams.

An organizational unit (OU) named Service Accounts is shown in the OU exhibit. (Click the OU tab.)

You create a Password Settings Object (PSO) as shown in the PSO exhibit. (Click the PSO tab.)

58 / 80
 The safer , easier way to help you pass any IT exams.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE:
Each correct selection is worth one point.

Answer:

Explanation:
A screenshot of a computer

59 / 80
 The safer , easier way to help you pass any IT exams.

Description automatically generated with medium confidence

85.You have a Site-to-Site VPN between an on-premises network and an Azure VPN gateway. BGP is
disabled for the Site-to-Site VPN.
You have an Azure virtual network named Vnet1 that contains a subnet named Subnet1.
Subnet1 contains a virtual machine named Server1.
You can connect to Server1 from the on-premises network.
You extend the address space of Vnet1. You add a subnet named Subnet2 to Vnet1. Subnet2 uses the
extended address space. You deploy an Azure virtual machine named Server2 to Subnet2.
You cannot connect to Server2 from the on-premises network. Server1 can connect to Server2.
You need to ensure that you can connect to Subnet2 from the on-premises network.
What should you do?
A. Add an additional Site-to-Site VPN between the on-premises network and Vnetl.
B. Add a private endpoint to Subnet2.
C. To Subnet2. add a route table that contains a user-defined route.
D. Update the routing information on the on-premises routers.
Answer: D

86.You have an on-premises server that runs Windows Server and has the Web Server (IIS) server role
installed. The server hosts a web app that connects to an on-premises Microsoft SQL Server database.
You plan to migrate the web app to an Azure App Services web app. The database will remain on-
premises.
You need to ensure that the migrated web app can access the database.
What should you configure in Azure?
A. an Azure SQL managed instance
B. an on-premises data gateway
C. Azure Extended Network
D. a Hybrid Connection
Answer: D
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections

87.You have 100 Azure virtual machines that run Windows Server. The virtual machines are onboarded
to Microsoft Defender for Cloud.
You need to shut down a virtual machine automatically if Microsoft Defender for Cloud generates the
"Antimalware disabled in the virtual machine" alert for the virtual machine.
What should you use in Microsoft Defender for Cloud?
A. a logic app
B. a workbook
C. a security policy
D. adaptive network hardening
Answer: A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts

60 / 80
 The safer , easier way to help you pass any IT exams.

88.You have a server named Server1 that runs Windows Server and has the Hyper-V server role
installed.
You import the Azure Migrate appliance as VM1.
You need to register VM1 with Azure Migrate.
What should you do in Azure Migrate? Each correct answer presents part of the solution. NOTE: Each
correct selection is worth one point.
A. Create a project.
B. Add a migration tool.
C. Add an assessment tool.
D. Generate a project key.
E. Download the Azure Migrate installer script ZIP file.
Answer: A,D,E
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/migrate/how-to-set-up-appliance-hyper-v

89.You have an Azure virtual machine named VM1. Crash dumps for a process named Process1 are
enabled for VM1.
When process1.exe on VM1 crashes, a technician must access the memory dump files on the virtual
machine. The technician must be prevented from accessing the virtual machine.
To what should you provide the technician access?
A. an Azure file share
B. an Azure Log Analytics workspace
C. an Azure Blob Storage container
D. a managed disk
Answer: C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview

90.You have an Azure virtual machine named VM1 that has the Web Server (IIS) server role installed.
VM1 hosts a critical line-of-business (LOB) application.
After the security team at your company deploys a new security baseline to VM1, users begin reporting
that the application is unresponsive.
You suspect that the security baseline has caused networking issues.
You need to perform a network trace on VM1.
What should you do?
A. From VM1, run necscac.
B. From Performance Monitor on VM1. create a Data Collector Set.
C. From the Azure portal, configure the Diagnostics settings for VM1.
D. From the Azure portal, configure the Performance diagnostics settings for VM1.
Answer: D
Explanation:
Reference: https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/performance-
diagnostics

61 / 80
 The safer , easier way to help you pass any IT exams.

91.HOTSPOT
You have a failover cluster named Cluster1 that contains three nodes.
You plan to add two file server cluster roles named File1 and File2 to Cluster1. File1 will use the File
Server for general use role. File2 will use the Scale-Out File Server for application data role.
What is the maximum number of nodes for File1 and File2 that can concurrently serve client
connections? To answer, select the appropriate options in the answer area. NOTE: Each correct
selection is worth one point.

Answer:

62 / 80
 The safer , easier way to help you pass any IT exams.

Explanation:
Graphical user interface, application
Description automatically generated

92.Your company uses Storage Spaces Direct.

You need to view the available storage in a Storage Space Direct storage pool.
What should you use?
A. File Server Resource Manager (FSRM)
B. the Get-StorageSubsystem cmdlet
C. Disk Management
D. Windows Admin Center
Answer: D

93.Your network contains an Active Directory Domain Services (AD DS) domain All domain members
have Microsoft Defender Credential Guard with UEFI tock configured in the domain you deploy a server
named Server1 that runs Windows Server. You disable Credential Guard on Server1. You need to
ensure that Server1 is MOST subject to Credential Guard restrictions.
What should you do next?
A. Run the Device Guard and Credential Guard hardware readiness tool
B. Disable the Turn on Virtual nation Based Security group policy setting
C. Run dism and specify the /Disable-Feature and /FeatureName:IsolatedUserMode parameters
Answer: B

94.You have two servers named Server1 and Server2 that run Windows Server. Both servers have the
Hyper-V server role installed.
Server1 hosts three virtual machines named VM1, VM2, and VM3. The virtual machines replicate to
Server2.
Server1 experiences a hardware failure.
You need to bring VM1, VM2, and VM3 back online as soon as possible.
From the Hyper-V Manager console on Server2, what should you run for each virtual machine?
A. Start
B. Move
C. Unplanned Failover
D. Planned Failover
Answer: C
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/manage/set-up-hyper-
v-replica

95.You have a failover cluster named Cluster1 that has the following configurations:
✑ Number of nodes: 6
✑ Quorum: Dynamic quorum
✑ Witness: File share, Dynamic witness
What is the maximum number of nodes that can fail simultaneously while maintaining quorum?

63 / 80
 The safer , easier way to help you pass any IT exams.

A. 1
B. 2
C. 3
D. 4
E. 5
Answer: C
Explanation:
Note this question is asking about nodes failing ‘simultaneously’, not nodes failing one after the other.
With six nodes and one witness, there are seven votes. To maintain quorum there needs to be four votes
available (four votes is the majority of seven). This means that a minimum of three nodes plus the
witness need to remain online for the cluster to function. Therefore, the maximum number of
simultaneous failures is three.
Reference: https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/understand-
quorum

96.You have an Azure virtual machine named VM1 that runs Windows Server.
You plan to deploy a new line-of-business (LOB) application to VM1.
You need to ensure that the application can create child processes.
What should you configure on VM1?
A. Microsoft Defender Credential Guard
B. Microsoft Defender Application Control
C. Microsoft Defender SmartScreen
D. Exploit protection
Answer: D
Explanation:
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-exploit-
protection?view=o365-worldwide

97.HOTSPOT
You have a Hyper-V failover cluster named Cluster1 that uses a cloud witness. Cluster1 hosts a virtual
machine named VM1 that runs Windows Server.
You need to fail over VM1 automatically to a different node when a service named Service1 on VM1 fails.
What should you do on Cluster1 and VM1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

64 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:
Text, table
Description automatically generated

98.HOTSPOT
You have an Azure Active Directory Domain Services (Azure AD DS) domain named aadds.contoso.com.
You have an Azure virtual network named Vnet1. Vnet1 contains two virtual machines named VM1 and
VM2 that run Windows Server. VMI and VM2 are joined to aadds.contoso.com.
You create a new Azure virtual network named Vnet2. You add a new server named VM3 to Vnet2.
When you attempt to join VM3 to aadds.contoso.com, you get an error message that the domain cannot
be found.
You need to ensure that you can join VM3 toaadds.contoso.com.

65 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

99.You have five Azure virtual machines.

You need to collect performance data and Windows Event logs from the virtual machines.
The data collected must be sent to an Azure Storage account.
What should you install on the virtual machines?
A. the Azure Connected Machine agent
B. the Azure Monitor agent
C. the Dependency agent
D. the Telegraf agent
E. the Azure Diagnostics extension
Answer: E
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview

100.You need to use a comma-separated value (CSV) file to import server inventory to Azure Migrate.
Which fields are mandatory for each entry in the CSV file?
A. Server name. Cores, OS Name, and Memory (in MB)
B. Server name, IP addresses. Disk 1 size (in GB), and CPU utilization percentage
C. Server name, IP addresses, OS version, and Number of disks
Answer: B

66 / 80
 The safer , easier way to help you pass any IT exams.

101.DRAG DROP
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The
functional level of the forest and the domain is Windows Server 2012 R2.
The domain contains the domain controllers shown in the following table.

You need to raise the forest functional level to Windows Server 2016.
The solution must meet the following requirements:
✑ Ensure that there are three domain controllers after you raises the level.
✑ Minimize how long the FSMO roles are unavailable.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the
list of actions to the answer area and arrange them in the correct order.

Answer:

67 / 80
 The safer , easier way to help you pass any IT exams.

Explanation:
Graphical user interface, text, application, email
Description automatically generated

102.HOTSPOT
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.
The domain contains the organizational units (OUs) shown in the following table.

In the domain, you create the Group Policy Objects (GPOs) shown in the following table.

You need to implement IPsec authentication to ensure that only authenticated computer accounts can
connect to the members in the domain. The solution must minimize administrative effort.
Which GPOs should you apply to the Domain Controllers OU and the Domain Servers OU? To answer,
select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

68 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:
Table
Description automatically generated

103.Note: This question is part of a series of questions that present the same scenario. Each question in

69 / 80
 The safer , easier way to help you pass any IT exams.

the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From Virus & threat protection, you configure Controlled folder access.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-
controlled-folders?view=o365-worldwide

104.You plan to deploy the Azure Monitor agent to 100 on-premises servers that run Windows Server.
Which parameters should you provide when you install the agent?
A. the client ID and the secret of an Azure service principal
B. the name and the access key of an Azure Storage account
C. a connection string for an Azure SQL database
D. the ID and the key of an Azure Log Analytics workspace
Answer: D
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/configure-azure-
monitor

105.You have a Storage Spaces Direct configuration that has persistent memory and contains the data
volumes shown in the following table.

You plan to add data volumes to Storage Spaces Direct as shown in the following table.

On which volumes can you use direct access (DAX)?

A. Volume3 only
B. Volume4 only
C. Volume1 and Volume3 only
D. Volume2 and Volume4 only

70 / 80
 The safer , easier way to help you pass any IT exams.

E. Volume3 and Volume4 only

Answer: A
Explanation:
DAX can only be used on one volume and the volume has to be NTFS. You could configure DAX on
Volume1 (although that would require reformatting the volume) or Volume3. However, ‘Volume1 only’
isn’t an answer option so Volume3 is the correct answer.
‘Volume1 and Volume3’ is incorrect because of the single volume limitation.
Reference: https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/persistent-memory-
direct-access

106.DRAG DROP
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a
failover cluster named Cluster1.
You need to configure Cluster-Aware Updating (CAU) on the cluster by using Windows Admin Center
(WAC).
Which three actions should you perform in sequence? To answer, move the appropriate actions from the
list of actions to the answer area and arrange them in the correct order.

Answer:

107.DRAG DROP
You have three servers named Server1, Server2, Server3 that run Windows Server and have the Hyper-
V server role installed.
You plan to create a hyper-converged cluster to host Hyper-V virtual machines.
You need to ensure that you can store virtual machines in Storage Spaces Direct.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the
list of actions to the answer area and arrange them in the correct order.

71 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:
Graphical user interface, text, application
Description automatically generated

108.HOTSPOT
You have a server named Server1 that runs Windows Server.
On Server1, you create a Data Collector Set named CollectorSet1 based on the Basic template.
You need to configure CollectorSet1 to meet the following requirements:
✑ Older performance counter logs must be overwritten by new ones.
✑ Performance counter logging must stop if there is less than 500 MB of free disk space.
What should you configure for each requirement? To answer, select the appropriate options in the
answer area. NOTE: Each correct selection is worth one point.

Answer:

72 / 80
 The safer , easier way to help you pass any IT exams.

Explanation:
Table
Description automatically generated with medium confidence

109.HOTSPOT
You have the servers shown in the following table.

You plan to migrate file shares from Server1 to Server2.

Answer:

110.Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.

73 / 80
 The safer , easier way to help you pass any IT exams.

After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
Your network contains a single-domain Active Directory Domain Services (AD DS) forest named
contoso.com. The functional level of the forest is Windows Server 2012 R2. All domain controllers run
Windows Server 2012 R2.
Sysvol replicates by using the File Replication Service (FRS).
You plan to replace the existing domain controllers with new domain controllers that will run Windows
Server 2022.
You need to ensure that you can add the first domain controller that runs Windows Server 2022.
Solution: You upgrade the PDC emulator.
Does this meet the goal?
A. Yes
B. No
Answer: B

111.You have a server that runs Windows Server. The server is configured to encrypt all incoming traffic
by using a connection security rule.
You need to ensure that Server1 can respond to the unencrypted tracert commands initiated from
computers on the same network.
What should you do from Windows Defender Firewall with Advanced Security?
A. From the IPsec Settings, configure IPsec defaults.
B. Create a new custom outbound rule that allows ICMPv4 protocol connections for all profiles.
C. Change the Firewall state of the Private profile to Off.
D. From the IPsec Settings, configure IPsec exemptions.
Answer: D

112.You have three Azure virtual machines named VM1, VM2, and VM3 that host a multitier application.
You plan to implement Azure Site Recovery.
You need to ensure that VM1, VM2, and VM3 fail over as a group.
What should you configure?
A. an availability zone
B. a recovery plan
C. an availability set
Answer: B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-overview

113.You have 10 servers that run Windows Server in a workgroup.

You need to configure the servers to encrypt all the network traffic between the servers.
The solution must be as secure as possible.
Which authentication method should you configure in a connection security rule?
A. NTLMv2
B. pre-shared key
C. KerberosV5

74 / 80
 The safer , easier way to help you pass any IT exams.

D. computer certificate
Answer: D
Explanation:
Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-
an-authentication-request-rule

114.You have 200 Azure virtual machines.

You create a recovery plan in Azure Site Recovery to fail over all the virtual machines to an Azure region.
The plan has three manual actions.
You need to replace one of the manual actions with an automated process.
What should you use?
A. an Azure Desired State Configuration (DSC) virtual machine extension
B. an Azure Automation runbook
C. an Azure PowerShell function
D. a Custom Script Extension on the virtual machines
Answer: B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/site-recovery/recovery-plan-overview

115.Your network contains a single-domain Active Directory Domain Services (AD DS) forest named
contoso.com. The functional level of the forest is Windows Server 2012 R2. All domain controllers run
Windows Server 2012 R2.
Sysvol replicates by using the File Replication Service (FRS).
You plan to replace the existing domain controllers with new domain controllers that will run Windows
Server 2022.
You need to ensure that you can add the first domain controller that runs Windows Server 2022.
Solution; You raise the domain and forest functional levels.
Does this meet the goal?
A. Yes
B. No
Answer: B

116.HOTSPOT
Your network contains an Active Directory Domain Services (AD DS) forest.
The forest contains the domains shown in the following table.

75 / 80
 The safer , easier way to help you pass any IT exams.

You are implementing Microsoft Defender for Identity sensors.

You need to install the sensors on the minimum number of domain controllers. The solution must ensure
that Defender for Identity will detect all the security risks in both the domains.
What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each
correct selection is worth one point.

Answer:

Explanation:
Text, table
Description automatically generated

117.DRAG DROP
You have an Azure subscription that contains an Azure Recovery Services vault.
You have an on-premises physical server that runs Windows Server.
You need to back up the server daily to Azure.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the
list of actions to the answer area and arrange them in the correct order.

76 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:
Graphical user interface, text, application
Description automatically generated

118.DRAG DROP
Your network contains an Active Directory Domain Services (AD DS) domain that has the Active
Directory Recycle Bin enabled. The domain contains two domain controllers named DC1 and DC2. The
system state of the domain controllers is backed up daily at 23:00 by using Windows Server Backup.
You have an organizational unit (OU) named ParisUsers that contains 1,000 users.
At 08:00, DC1 shuts down for hardware maintenance. The maintenance completes, but DC1 remains
shut down.
At 09:00, an administrative error causes the manager attribute of each user in ParisUsers to be deleted.
You need to recover the user account details as quickly as possible. The solution must minimize data
loss.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the
list of actions to the answer area and arrange them in the correct order.

77 / 80
 The safer , easier way to help you pass any IT exams.

Answer:

Explanation:
Text, table
Description automatically generated with medium confidence

119.Note: This question is part of a series of questions that present the same scenario. Each question in
the series contains a unique solution that might meet the stated goals. Some question sets might have
more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these
questions will not appear in the review screen.
You have a failover cluster named Cluster1 that hosts an application named App1.
The General tab in App1 Properties is shown in the General exhibit. (Click the General tab.)

78 / 80
 The safer , easier way to help you pass any IT exams.

The Failover tab in App1 Properties is shown in the Failover exhibit. (Click the Failover tab.)

Server1 shuts down unexpectedly.

You need to ensure that when you start Server1, App1 continues to run on Server2.
Solution: From the General settings, you move Server2 up.
Does this meet the goal?

A. Yes
B. No

79 / 80
 The safer , easier way to help you pass any IT exams.

Answer: B
Explanation:
Server1 and Server2 are both unticked so the order they are listed in has no effect on whether the
cluster will fail back.

120.Your on-premises network contains two subnets.

The subnets contain servers that run Windows Server as shown in the following table.

Server4 has the following IP configurations:

Ethernet adapter Ethernet:
Connection-specific DNS Suffix . . :
IPv4 Address . . . . . . . . . . . : 192.168.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
From Server4, you can ping Server1 and Server2 successfully. When you ping Server3, you get a
Request timed out response.
From Server2, you can ping Server1 and Server3 successfully.
The misconfiguration of which component on Server3 can cause the Request timed out response?
A. default gateway
B. IP address
C. subnet mask
D. DNS server
Answer: C

80 / 80