AZ-800

By Microsoft
Aug, 2025

Question 26

Your network contains an Active Directory domain named contoso.com. The domain contains the computers shown in the following table.

Image 1

On Server3, you create a Group Policy Object (GPO) named GPO1 and link GPO1 to contoso.com. GPO1 includes a shortcut preference named Shortcut1 that has item-level targeting configured as shown in the following exhibit.

Image 2

To which computer will Shortcut1 be applied?

  • A: Server3 only
  • B: Computer1 and Server3 only
  • C: Server2 and Server3 only
  • D: Server1, Server2, and Server3 only

Question 27

Your network contains a multi-site Active Directory Domain Services (AD DS) forest. Each Active Directory site is connected by using manually configured site links and automatically generated connections.

You need to minimize the latency for changes to Active Directory.

What should you do?

  • A: For each site link, modify the site link costs.
  • B: Create a site link bridge that contains all the site links.
  • C: For each site link, modify the options attribute.
  • D: For each site link, modify the replication schedule.

Question 28

DRAG DROP

Your network contains two Active Directory Domain Services (AD DS) forests named contoso.com and fabrikam.com. Contoso.com contains three child domains named amer.contoso.com, apac.contoso.com, and emea.contoso.com. Fabrikam.com contains a child domain named apac.fabrikam.com. A bidirectional forest trust exists between contoso.com and fabrikam.com.

You need to provide users in the contoso.com forest with access to the resources in the fabrikam.com forest. The solution must meet the following requirements:

• Users in contoso.com must only be added directly to groups in the contoso.com forest.
• Permissions to access the resources in fabrikam.com must only be granted directly to groups in the fabrikam.com forest.
• The number of groups must be minimized.

Which type of groups should you use to organize the users and to assign permissions? To answer, drag the appropriate group types to the correct requirements. Each group may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Image 1

Question 29

HOTSPOT

Your network contains two Active Directory forests and a domain trust as shown in the following exhibit.

Image 1

The domain trust has the following configurations:

• Name: adatum.com
• Type: External
• Direction: One-way, outgoing
• Outgoing trust authentication level: Domain-wide authentication

The forests contain the users shown in the following table.

Image 2

The forests contain the network shares shown in the following table.

Image 3

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Image 4

Question 30

HOTSPOT

Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains a child domain named east.contoso.com and the servers shown in the following table.

Image 1

You need to create a folder for the Central Store to manage Group Policy template files for the entire forest.

What should you name the folder, and on which server should you create the folder? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Image 2

Question 31

HOTSPOT

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the domain controllers shown in the following table.

Image 1

You need to configure DC3 to be the authoritative time server for the domain.

Which operations master role should you transfer to DC3, and which console should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Image 2

Question 32

DRAG DROP

Your network contains an Active Directory domain named contoso.com. The domain contains group managed service accounts (gMSAs). You have a server named Server1 that runs Windows Server and is in a workgroup. Server1 hosts Windows containers.

You need to ensure that the Windows containers can authenticate to contoso.com.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Image 1

Question 33

Your on-premises network contains an Active Directory domain named contoso.com. You have an Azure AD tenant.

You plan to sync contoso.com with the Azure AD tenant by using Azure AD Connect cloud sync.

You need to create an account that will be used by Azure AD Connect cloud sync.

Which type of account should you create?

  • A: system-assigned managed identity
  • B: group managed service account (gMSA)
  • C: user
  • D: InetOrgPerson

Question 34

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the domain controllers shown in the following table.

Image 1

You need to ensure that if an attacker compromises the computer account of RODC1, the attacker cannot view the Employee-Number AD DS attribute.

Which partition should you modify?

  • A: configuration
  • B: global catalog
  • C: domain
  • D: schema

Question 35

HOTSPOT

Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com that syncs with an Azure AD tenant. The tenant contains a group named Group1 and the users shown in the following table.

Image 1

Domain/OU filtering in Azure AD Connect is configured as shown in the Filtering exhibit. (Click the Filtering tab.)

Image 2

You review the Azure AD Connect configurations as shown in the Configure exhibit. (Click the Configure tab.)

Image 3

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Image 4

Question 36

HOTSPOT

Your on-premises network contains an Active Directory Domain Services (AD DS) domain.

You plan to sync the domain with an Azure AD tenant by using Azure AD Connect cloud sync.

You need to meet the following requirements:

• Install the software required to sync the domain and Azure AD.
• Enable password hash synchronization.

What should you install, and what should you use to enable password hash synchronization? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Image 1

Question 37

HOTSPOT

Your network contains two Active Directory Domain Services (AD DS) forests as shown in the following exhibit.

Image 1

The forests contain the domain controllers shown in the following table.

Image 2

You perform the following actions on DC1:

• Create a user named User1.
• Extend the schema with a new attribute named Attribute1.

To which domain controllers are User1 and Attribute1 replicated? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Image 3

Question 38

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the resources shown in the following table.

Image 1

You plan to replicate a volume from Server1 to Server2 by using Storage Replica.

You need to configure Storage Replica.

Where should you install Windows Admin Center?

  • A: Server1
  • B: CLIENT1
  • C: DC1
  • D: Server2

Question 39

You have an on-premises Active Directory Domain Services (AD DS) domain named contoso.com that syncs with Azure AD by using Azure AD Connect.

You enable password protection for contoso.com.

You need to prevent users from including the word contoso as part of their password.

What should you use?

  • A: the Azure Active Directory admin center
  • B: Active Directory Users and Computers
  • C: Synchronization Service Manager
  • D: Windows Admin Center

Question 40

Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three domains. Each domain contains 10 domain controllers.

You plan to store a DNS zone in a custom Active Directory partition.

You need to create the Active Directory partition for the zone. The partition must replicate to only four of the domain controllers.

What should you use?

  • A: Windows Admin Center
  • B: Set-DnsServer
  • C: New-ADObject
  • D: ntdsutil.exe

Question 41

HOTSPOT

You have an Active Directory Domain Services (AD DS) domain that contains a group named Group1.

You need to create a group managed service account (gMSA) named Account1. The solution must ensure that Group1 can use Account1.

How should you complete the script? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Image 1

Question 42

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD.

You deploy an app that adds custom attributes to the domain.

From Azure Cloud Shell, you discover that you cannot query the custom attributes of users.

You need to ensure that the custom attributes are available in Azure AD.

Which task should you perform from Microsoft Azure Active Directory Connect first?

  • A: Configure device options
  • B: Manage federation
  • C: Customize synchronization options
  • D: Refresh directory schema

Question 43

You have an Active Directory Domain Services (AD DS) domain that contains the domain controllers shown in the following table.

Image 1

The domain contains an app named App1 that uses a custom application partition to store configuration data.

You decommission App1.

When you attempt to remove the custom application partition, the process fails.

Which domain controller is unavailable?

  • A: DC1
  • B: DC2
  • C: DC3
  • D: DC4

Question 44

DRAG DROP

You create a new Azure subscription.

You plan to deploy Azure Active Directory Domain Services (Azure AD DS) and Azure virtual machines.

You need to ensure that the virtual machines can join to Azure AD DS.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Image 1

Question 45

DRAG DROP

Case Study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview

Company Information

ADatum Corporation is a manufacturing company that has a main office in Seattle and two branch offices in Los Angeles and Montreal.

Fabrikam Partnership

ADatum recently partnered with a company named Fabrikam, Inc.

Fabrikam is a manufacturing company that has a main office in Boston and a branch office in Orlando.

Both companies intend to collaborate on several joint projects.

Existing Environment

ADatum AD DS Environment

The on-premises network of ADatum contains an Active Directory Domain Services (AD DS) forest named adatum.com.

The forest contains two domains named adatum.com and east.adatum.com and the domain controllers shown in the following table.

Image 1

Fabrikam AD DS Environment

The on-premises network of Fabrikam contains an AD DS forest named fabrikam.com.

The forest contains two domains named fabrikam.com and south.fabrikam.com.

The fabrikam.com domain contains an organizational unit (OU) named Marketing.

Server Infrastructure

The adatum.com domain contains the servers shown in the following table.

Image 2

HyperV1 contains the virtual machines shown in the following table.

Image 3

All the virtual machines on HyperV1 have only the default management tools installed.

SSPace1 contains the Storage Spaces virtual disks shown in the following table.

Image 4

Azure Resources

ADatum has an Azure subscription that contains an Azure AD tenant. Azure AD Connect is configured to sync the adatum.com forest with Azure AD.

The subscription contains the virtual networks shown in the following table.

Image 5

The subscription contains the Azure Private DNS zones shown in the following table.

Image 6

The subscription contains the virtual machines shown in the following table.

Image 7

All the servers are in a workgroup.

The subscription contains a storage account named storage1 that has a file share named share1.

Requirements

Planned Changes

ADatum plans to implement the following changes:

• Sync Data1 to share1.
• Configure an Azure runbook named Task1.
• Enable Azure AD users to sign in to Server1.
• Create an Azure DNS Private Resolver that has the following configurations:
    • Name: Private1
    • Region: West US
    • Virtual network: VNet1
    • Inbound endpoint: SubnetB
• Enable users in the adatum.com domain to access the resources in the south.fabrikam.com domain.

Technical Requirements

ADatum identifies the following technical requirements:

• The data on SSPace1 must be available always.
• DC2 must become the schema master if DC1 fails.
• VM3 must be configured to enable per-folder quotas.
• Trusts must allow access to only the required resources.
• The users in the Marketing OU must have access to storage1.
• Azure Automanage must be used on all supported Azure virtual machines.
• A direct SSH session must be used to manage all the supported virtual machines on HyperV1.

DC1 fails.

You need to meet the technical requirements for the schema master.

You run ntdsutil.exe.

Which five commands should you run in sequence? To answer, move the appropriate commands from the list of commands to the answer area and arrange them in the correct order.

Image 8

Question 46

Case Study

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview

Company Information

ADatum Corporation is a manufacturing company that has a main office in Seattle and two branch offices in Los Angeles and Montreal.

Fabrikam Partnership

ADatum recently partnered with a company named Fabrikam, Inc.

Fabrikam is a manufacturing company that has a main office in Boston and a branch office in Orlando.

Both companies intend to collaborate on several joint projects.

Existing Environment

ADatum AD DS Environment

The on-premises network of ADatum contains an Active Directory Domain Services (AD DS) forest named adatum.com.

The forest contains two domains named adatum.com and east.adatum.com and the domain controllers shown in the following table.

Image 1

Fabrikam AD DS Environment

The on-premises network of Fabrikam contains an AD DS forest named fabrikam.com.

The forest contains two domains named fabrikam.com and south.fabrikam.com.

The fabrikam.com domain contains an organizational unit (OU) named Marketing.

Server Infrastructure

The adatum.com domain contains the servers shown in the following table.

Image 2

HyperV1 contains the virtual machines shown in the following table.

Image 3

All the virtual machines on HyperV1 have only the default management tools installed.

SSPace1 contains the Storage Spaces virtual disks shown in the following table.

Image 4

Azure Resources

ADatum has an Azure subscription that contains an Azure AD tenant. Azure AD Connect is configured to sync the adatum.com forest with Azure AD.

The subscription contains the virtual networks shown in the following table.

Image 5

The subscription contains the Azure Private DNS zones shown in the following table.

Image 6

The subscription contains the virtual machines shown in the following table.

Image 7

All the servers are in a workgroup.

The subscription contains a storage account named storage1 that has a file share named share1.

Requirements

Planned Changes

ADatum plans to implement the following changes:

• Sync Data1 to share1.
• Configure an Azure runbook named Task1.
• Enable Azure AD users to sign in to Server1.
• Create an Azure DNS Private Resolver that has the following configurations:
    • Name: Private1
    • Region: West US
    • Virtual network: VNet1
    • Inbound endpoint: SubnetB
• Enable users in the adatum.com domain to access the resources in the south.fabrikam.com domain.

Technical Requirements

ADatum identifies the following technical requirements:

• The data on SSPace1 must be available always.
• DC2 must become the schema master if DC1 fails.
• VM3 must be configured to enable per-folder quotas.
• Trusts must allow access to only the required resources.
• The users in the Marketing OU must have access to storage1.
• Azure Automanage must be used on all supported Azure virtual machines.
• A direct SSH session must be used to manage all the supported virtual machines on HyperV1.

You need to ensure that access to storage1 for the Marketing OU users meets the technical requirements.

What should you implement?

  • A: Active Directory Federation Services (AD FS)
  • B: Azure AD Connect in staging mode
  • C: Azure AD Connect cloud sync
  • D: Azure AD Connect in active mode

Question 47

Your network contains an Active Directory Domain Services (AD DS) domain.

You plan to use Active Directory Administrative Center to create a new user named User1.

Which two attributes are required to create User1? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

  • A: Password
  • B: Profile path
  • C: User SamAccountName logon
  • D: Full name
  • E: First name
  • F: User UPN logon

Question 48

HOTSPOT

Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains the servers shown in the following table.

Image 1

The domain controllers do NOT have internet connectivity.

You plan to implement Azure AD Password Protection for the domain.

You need to deploy Azure AD Password Protection agents. The solution must meet the following requirements:

• All Azure AD Password Protection policies must be enforced.
• Agent updates must be applied automatically.
• Administrative effort must be minimized.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Image 2

Question 49

HOTSPOT

Your on-premises network contains a single-domain Active Directory Domain Services (AD DS) forest. You have an Azure AD tenant named contoso.com. The AD DS forest syncs with the Azure AD tenant by using Azure AD Connect.

You need to ensure that users in the forest that have a custom attribute of NoSync are excluded from synchronization.

How should you configure the Azure AD Connect cloudFiltered attribute, and which tool should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Image 1

Question 50

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains three Active Directory sites named Site1, Site2, and Site3. Each site contains two domain controllers. The sites are connected by using DEFAULTIPSITELINK.

You open a new branch office that contains only client computers.

You need to ensure that the client computers in the new office are primarily authenticated by the domain controllers in Site1.

Solution: You create a new site named Site4 and associate Site4 to DEFAULTIPSITELINK.

Does this meet the goal?

  • A: Yes
  • B: No