Topic 1, Fabrikam inc
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Fabrikam, Inc. is a manufacturing company that has a main office in Chicago and a branch office in Paris.
Existing Environment
Identity Infrastructure
Fabrikam has an Active Directory Domain Services (AD DS) forest that syncs with an Azure Active Directory (Azure AD) tenant. The AD DS forest contains two domains named corp.fabrikam.com and europe.fabrikam.com.
Chicago Office On-Premises Servers
The office in Chicago contains on-premises servers that run Windows Server 2016 as shown in the following table.
All the servers in the Chicago office are in the corp.fabrikam.com domain.
All the virtual machines in the Chicago office are hosted on HV1 and HV2. HV1 and HV2 are nodes in a failover cluster named Cluster1.
WEB1 and WEB2 run an Internet Information Services (IIS) website. Internet users connect to the website by using a URL of https://www.fabrikam.com.
All the users in the Chicago office run an application that connects to a UNC path of \Fileserver1Data. Paris On-Premises Servers
The office in Paris contains a physical server named dc2.europe.fabrikam.com that runs Windows Server 2016 and is a domain controller for the europe.fabrikam.com domain. Network Infrastructure
The networks in both the Chicago and Paris offices have local internet connections. The Chicago and Paris offices are connected by using VPN connections.
The client computers in the Chicago office get IP addresses from DHCP1.
Security Risks
Fabrikam identifies the following security risks:
Some accounts connect to AD DS resources by using insecure protocols such as NTLMv1, SMB1, and unsigned LDAP.
Servers have Windows Defender Firewall enabled. Server administrators sometimes modify firewall rules
and allow risky connections.
Requirements
Security Requirements
Fabrikam identifies the following security requirements:
Prevent server administrators from configuring Windows Defender Firewalls rules.
Encrypt all the data disks on the servers by using BitLocker Drive Encryption (BitLocker).
Ensure that only authorized applications can be installed or run on the servers in the forest.
Implement Microsoft Sentinel as a reporting solution to identify all connections to the domain controllers that use insecure protocols.
On-Premises Migration Plan
Fabrikam plans to migrate all the existing servers and identifies the following migration requirements:
Move the APP1 and APP2 virtual machines in the Chicago office to a new Hyper-V failover cluster named Cluster2 that will run Windows Server 2022.
– Cluster2 will contain two new nodes named HV3 and HV4.
– All virtual machine files will be stored on a Cluster Shared Volume (CSV).
Migrate Archive1 to a new failover cluster named Cluster3 that will run Windows Server 2022.
– Cluster3 will contain two physical nodes named Node1 and Node2.
– The file shares on Cluster3 will be a failover cluster role in active-passive mode.
Migrate all users, groups, and client computers from europe.fabrikam.com to corp.fabrikam.com.
– The migration will be performed by using the Active Directory Migration Tool (ADMT).
– A computer named ADMT computer will be deployed to the corp.fabrikam.com domain to run ADMT migration procedures.
– User accounts will retain their existing password.
Migrate the data share from Fileserver1 to a new server named Fileserver2 that will run Windows Server 2022. After the migration, the data share must be accessible by using the existing UNC path.
Azure Migration Plan
Fabrikam plans to migrate some resources to Azure and identifies the following migration requirements:
Create an Azure subscription named Sub1.
Create an Azure virtual network named Vnet1.
Use ExpressRoute to connect the Paris and Chicago offices to Vnet1.
License all servers for Microsoft Defender for servers.
Migrate APP3 and APP4 to Azure.
Migrate the www.fabrikam.com website to an Azure App Service web app named WebApp1.
Decommission WEB1 and WEB2.
DHCP Migration Plan
Fabrikam plans to replace DHCP1 with a new server named DHCP2 and identifies the following migration requirements:
Ensure that DHCP2 provides the same IP addresses that are currently available from DHCP1.
Prevent DHCP1 from servicing clients once services are enabled on DHCP2.
Ensure that the existing leases and reservations are migrated.
DRAG DROP
You are planning the implementation of Cluster2 to support the on-premises migration plan.
You need to ensure that the disks on Cluster2 meet the security requirements.
In which order should you perform the actions? To answer, move all actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/failover-clustering/bitlocker-on-csv-in-ws-2022
HOTSPOT
You need to implement a security policy solution to authorize the applications. The solution must meet the security requirements.
Which service should you use to enforce the security policy, and what should you use to manage the policy settings? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview
You are remediating the firewall security risks to meet the security requirements.
What should you configure to reduce the risks?
- A . a Group Policy Object (GPO)
- B . adaptive network hardening in Microsoft Defender for Cloud
- C . a network security group (NSG) in Sub1
- D . an Azure Firewall policy
A
Explanation:
Firewall rules configured in a Group Policy Object cannot be modified by local server administrators.
Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule
You are planning the deployment of Microsoft Sentinel.
Which type of Microsoft Sentinel data connector should you use to meet the security requirements?
- A . Threat Intelligence – TAXII
- B . Azure Active Directory
- C . Microsoft Defender for Cloud
- D . Microsoft Defender for Identity
D
Explanation:
Reference: https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-legacy-protocols
You are planning the migration of Archive1 to support the on-premises migration plan.
What is the minimum number of IP addresses required for the node and cluster roles on Cluster3?
- A . 2
- B . 3
- C . 4
- D . 5
B
Explanation:
One IP for each of the two nodes in the cluster and one IP for the cluster virtual IP (VIP).
HOTSPOT
You are planning the www.fabrikam.com website migration to support the Azure migration plan.
How should you configure WebApp1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: Add a custom domain name
To migrate www.fabrikam.com website to an Azure App Service web app, you need to add Fabrikam.com as a custom domain in Azure. This will make the domain name available to use in the web app.
Box 2: Modify a DNS record
You need to change the DNS record for www.fabrikam.com to point to the Azure web app.
HTTP redirect rules won’t work because WEB1 and WEB2 will be decommissioned.
Reference: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain?tabs=a%2Cazurecli
DRAG DROP
You are planning the DHCP1 migration to support the DHCP migration plan.
Which two PowerShell cmdlets should you run on DHCP1, and which two PowerShell cmdlets should you run on DHCP2? To answer, drag the appropriate cmdlets to the correct servers. Each cmdlet may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://theitbros.com/how-to-migrate-dhcp-to-windows-server-2016/
You are planning the data share migration to support the on-premises migration plan.
What should you use to perform the migration?
- A . Storage Migration Service
- B . Microsoft File Server Migration Toolkit
- C . File Server Resource Manager (FSRM)
- D . Windows Server Migration Tools
A
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/migrate-data
HOTSPOT
You are planning the migration of APP3 and APP4 to support the Azure migration plan.
What should you do on Cluster1 and in Azure before you perform the migration? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/migrate/tutorial-discover-hyper-v
HOTSPOT
You are planning the europe.fabrikam.com migration to support the on-premises migration plan.
Where should you install the Password Export Server (PES) service, where should you generate the encryption key? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Topic 2, Contoso, Ltd
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you
would like to complete each case. However, there may be additional case studies and sections on this
exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Contoso, Ltd. is a manufacturing company that has a main office in Seattle and branch offices in Los Angeles and Montreal.
Existing Environment
Active Directory Environment
Contoso has an on-premises Active Directory Domain Services (AD DS) domain named contoso.com that syncs with an Azure Active Directory (Azure AD) tenant.
The AD DS domain contains the domain controllers shown in the following table.
Contoso recently purchased an Azure subscription.
The functional level of the forest is Windows Server 2012 R2. The functional level of the domain is Windows Server 2012. The forest has the Active Directory Recycle Bin enabled.
The contoso.com domain contains the users shown in the following table.
The contoso.com domain has the Group Policy Objects (GPOs) shown in the following table.
The contoso.com domain has the Password Settings Objects (PSOs) shown in the following table.
Server Infrastructure
The contoso.com domain contains servers that run Windows Server 2022 as shown in the following table.
By using Windows Firewall with Advanced Security, the servers have isolation connection security rules configured as shown in the following table.
Server4 has no connection security rules.
Server4 Configurations
Server4 has the effective Group Policy settings for user rights as shown in the following table.
Server4 has the disk configurations shown in the following exhibit.
Virtualization Infrastructure
The contoso.com domain has the Hyper-V failover clusters shown in the following table.
Technical Requirements
Contoso identifies the following technical requirements:
Promote a new server named DC4 that runs to Windows Server 2022 to a domain controller.
Replicate the virtual machines from Cluster2 to an Azure Recovery Services vault.
Centrally manage performance alerts in Azure for all the domain controllers.
Ensure that User1 can recover objects from the Active Directory Recycle Bin.
Migrate Share1 to Server2, including all the share and folder permissions.
Back up Server4 and all data to an Azure Recovery Services vault.
Use Hyper-V Replica to protect the virtual machines in Cluster3.
Implement BitLocker Drive Encryption (BitLocker) on Server4.
Whenever possible, use the principle of least privilege.
HOTSPOT
You need to configure BitLocker on Server4.
On which volumes can you turn on BitLocker, and on which volumes can you turn on auto-unlock? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference:
https://docs.microsoft.com/en-us/windows-server/storage/refs/refs-overview
https://docs.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlockerautounlock?view=windowsserver2022-ps
HOTSPOT
What is the effective minimum password length for User1 and Admin1? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Box 1: 9
When multiple PSOs apply to a user, the PSO with the highest precedence (lowest precedence
number) applies which in this case is PSO1.
Box 2: 8
There are no PSOs applied to Admin1 so the password policy from the Default Domain GPO applies. The Minimum password length setting in GPO1 would only apply to local user accounts on computers in OU1. It does not apply to domain user accounts.
HOTSPOT
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
HOTSPOT
With which servers can Server1 and Server3 communicate? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
You need to back up Server 4 to meet the technical requirements.
What should you do first?
- A . Deploy Microsoft Azure Backup Server (MABS).
- B . Configure Windows Server Backup.
- C . Install the Microsoft Azure Recovery Services (MARS) agent.
- D . Configure Storage Replica.
C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/backup/install-mars-agent
You need to meet the technical requirements for Cluster3.
What should you include in the solution?
- A . Enable integration services on all the virtual machines.
- B . Add a Windows Server server role.
- C . Configure a fault domain doe the cluster.
- D . Add a failover cluster role.
D
Explanation:
The Hyper-V replica broker role is required on the cluster.
Reference: https://docs.microsoft.com/en-us/virtualization/community/team-blog/2012/20120327-why-is-the-hyper-v-replica-broker-required
DRAG DROP
You need to meet the technical requirements for Cluster2.
Which four actions should you perform in sequence before you can enable replication? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-tutorial
You need to meet technical requirements for Share1.
What should you use?
- A . Storage Migration Service
- B . File Server Resource Manager (FSRM)
- C . Server Manager
- D . Storage Replica
A
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/overview
HOTSPOT
You need to implement alerts for the domain controllers. The solution must meet the technical requirements.
What should you do on the domain controllers, and what should you create on Azure? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows
You need to meet the technical requirements for User1.
To which group in contoso.com should you add User1?
- A . Domain Admins
- B . Account Operators
- C . Schema Admins
- D . Backup Operators
You are evaluating the technical requirements tor Cluster2.
What is the minimum number of Azure Site Recovery Providers that you should install?
- A . 1
- B . 4
- C . 12
- D . 16
Which domain controller should be online to meet the technical requirements for DC4?
- A . DC1
- B . DC2
- C . DC3
Topic 3, Misc. Questions
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From Virus & threat protection, you configure Controlled folder access.
Does this meet the goal?
- A . Yes
- B . No
A
Explanation:
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-controlled-folders?view=o365-worldwide
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From Virus & threat protection, you configure Tamper Protection.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-controlled-folders?view=o365-worldwide
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From App & browser control, you configure the Exploit protection settings.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-controlled-folders?view=o365-worldwide
DRAG DROP
You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant.
The AD DS domain contains a domain controller named DC1. DC1 does NOT have internet access.
You need to configure password security for on-premises users.
The solution must meet the following requirements:
✑ Prevent the users from using known weak passwords.
✑ Prevent the users from using the company name in passwords.
What should you do? To answer, drag the appropriate configurations to the correct targets. Each configuration may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy
HOTSPOT
The Default Domain Policy Group Policy Object (GPO) is shown in the GPO exhibit. (Click the GPO tab.)
The members of a group named Service Accounts are shown in the Group exhibit. (Click the Group tab.)
An organizational unit (OU) named ServiceAccounts is shown in the OU exhibit. (Click the OU tab.)
You create a Password Settings Object (PSO) as shown in the PSO exhibit. (Click the PSO tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements–level-100-#fine_grained_pswd_policy_mgmt
DRAG DROP
Your network contains an Active Directory Domain Services (AD DS) domain.
You need to implement a solution that meets the following requirements:
✑ Ensures that the members of the Domain Admins group are allowed to sign in only to domain controllers
✑ Ensures that the lifetime of Kerberos Ticket Granting Ticket (TGT) for the members of the Domain Admins group is limited to one hour
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts
You have an Azure virtual machine named VM1 that runs Windows Server.
You plan to deploy a new line-of-business (LOB) application to VM1.
You need to ensure that the application can create child processes.
What should you configure on VM1?
- A . Microsoft Defender Credential Guard
- B . Microsoft Defender Application Control
- C . Microsoft Defender SmartScreen
- D . Exploit protection
A
Explanation:
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-exploit-protection?view=o365-worldwide
HOTSPOT
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.
The domain contains the organizational units (OUs) shown in the following table.
In the domain, you create the Group Policy Objects (GPOs) shown in the following table.
You need to implement IPsec authentication to ensure that only authenticated computer accounts can connect to the members in the domain. The solution must minimize administrative effort.
Which GPOs should you apply to the Domain Controllers OU and the Domain Servers OU? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-authentication-methods
You have 100 Azure virtual machines that run Windows Server. The virtual machines are onboarded to Microsoft Defender for Cloud.
You need to shut down a virtual machine automatically if Microsoft Defender for Cloud generates the "Antimalware disabled in the virtual machine" alert for the virtual machine.
What should you use in Microsoft Defender for Cloud?
- A . a logic app
- B . a workbook
- C . a security policy
- D . adaptive network hardening
A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts
You have a Microsoft Sentinel deployment and 100 Azure Arc-enabled on-premises servers. All the Azure Arc-enabled resources are in the same resource group.
You need to onboard the servers to Microsoft Sentinel. The solution must minimize administrative effort.
What should you use to onboard the servers to Microsoft Sentinel?
- A . Azure Automation
- B . Azure Policy
- C . Azure virtual machine extensions
- D . Microsoft Defender for Cloud
B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-policies-mma
You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant by using password hash synchronization.
You have a Microsoft 365 subscription.
All devices are hybrid Azure AD-joined.
Users report that they must enter their password manually when accessing Microsoft 365 applications.
You need to reduce the number of times the users are prompted for their password when they access Microsoft 365 and Azure services.
What should you do?
- A . In Azure AD. configure a Conditional Access policy for the Microsoft Office 365 applications.
- B . In the DNS zone of the AD DS domain, create an autodiscover record.
- C . From Azure AD Connect, enable single sign-on (SSO).
- D . From Azure AD Connect, configure pass-through authentication.
C
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have 50 Azure virtual machines that run Windows Server.
You need to ensure that any security exploits detected on the virtual machines are forwarded to Defender for Cloud.
Which extension should you enable on the virtual machines?
- A . Vulnerability assessment for machines
- B . Microsoft Dependency agent
- C . Log Analytics agent for Azure VMs
- D . Guest Configuration agent
A
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm
HOTSPOT
Your network contains an Active Directory Domain Services (AD DS) forest.
The forest contains the domains shown in the following table.
You are implementing Microsoft Defender for Identity sensors.
You need to install the sensors on the minimum number of domain controllers. The solution must ensure that Defender for Identity will detect all the security risks in both the domains.
What should you identify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/technical-faq#deployment
https://docs.microsoft.com/en-us/defender-for-identity/install-step4
You have 10 servers that run Windows Server in a workgroup.
You need to configure the servers to encrypt all the network traffic between the servers. The solution must be as secure as possible.
Which authentication method should you configure in a connection security rule?
- A . NTLMv2
- B . pre-shared key
- C . KerberosV5
- D . computer certificate
D
Explanation:
Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-an-
authentication-request-rule
You have an Azure virtual machine named VM1 that runs Windows Server.
You need to encrypt the contents of the disks on VM1 by using Azure Disk Encryption.
What is a prerequisite for implementing Azure Disk Encryption?
- A . Customer Lockbox for Microsoft Azure
- B . an Azure key vault
- C . a BitLocker recovery key
- D . data-link layer encryption in Azure
B
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains two servers named Server1 and Server2 that run Windows Server.
You need to ensure that you can use the Computer Management console to manage Server2. The solution must use the principle of least privilege.
Which two Windows Defender Firewall with Advanced Security rules should you enable on Server2? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
- A . the COM+ Network Access (DCOM-ln) rule
- B . all the rules in the Remote Event Log Management group
- C . the Windows Management Instrumentation (WMI-ln) rule
- D . the COM+ Remote Administration (DCOM-ln) rule
- E . the Windows Management Instrumentation (DCOM-ln) rule
AB
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/administration/server-manager/configure-remote-management-in-server-manager
You have a server that runs Windows Server. The server is configured to encrypt all incoming traffic by using a connection security rule.
You need to ensure that Server1 can respond to the unencrypted tracert commands initiated from computers on the same network.
What should you do from Windows Defender Firewall with Advanced Security?
- A . From the IPsec Settings, configure IPsec defaults.
- B . Create a new custom outbound rule that allows ICMPv4 protocol connections for all profiles.
- C . Change the Firewall state of the Private profile to Off.
- D . From the IPsec Settings, configure IPsec exemptions.
You have an Azure virtual machine named VM1.
You enable Microsoft Defender SmartScreen on VM1.
You need to ensure that the SmartScreen messages displayed to users are logged.
What should you do?
- A . From a command prompt, run WinRM quickconfig.
- B . From the local Group Policy, modify the Advanced Audit Policy Configuration settings.
- C . From Event Viewer, enable the Debug log.
- D . From the Windows Security app. configure the Virus & threat protection settings.
C
Explanation:
Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a failover cluster named Cluster1 that hosts an application named App1.
The General tab in App1 Properties is shown in the General exhibit. (Click the General tab.)
The Failover tab in App1 Properties is shown in the Failover exhibit. (Click the Failover tab.)
Server1 shuts down unexpectedly.
You need to ensure that when you start Server1, App1 continues to run on Server2.
Solution: From the Failover settings, you select Prevent failback.
Does this meet the goal?
- A . Yes
- B . No
A
Explanation:
The Prevent failback setting will prevent the cluster failing back to Server1.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a failover cluster named Cluster1 that hosts an application named App1.
The General tab in App1 Properties is shown in the General exhibit. (Click the General tab.)
The Failover tab in App1 Properties is shown in the Failover exhibit. (Click the Failover tab.)
Server1 shuts down unexpectedly.
You need to ensure that when you start Server1, App1 continues to run on Server2.
Solution: You increase Maximum failures in the specified period for the App1 cluster role.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
The Maximum failures setting is used to determine when the cluster determines that a node is offline. It does not affect whether a cluster will fail back when a node comes online.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a failover cluster named Cluster1 that hosts an application named App1.
The General tab in App1 Properties is shown in the General exhibit. (Click the General tab.)
The Failover tab in App1 Properties is shown in the Failover exhibit. (Click the Failover tab.)
Server1 shuts down unexpectedly.
You need to ensure that when you start Server1, App1 continues to run on Server2.
Solution: From the General settings, you move Server2 up.
Does this meet the goal?
- A . Yes
- B . No
B
Explanation:
Server1 and Server2 are both unticked so the order they are listed in has no effect on whether the cluster will fail back.
You have a failover cluster named Cluster1 that has the following configurations:
✑ Number of nodes: 6
✑ Quorum: Dynamic quorum
✑ Witness: File share, Dynamic witness
What is the maximum number of nodes that can fail simultaneously while maintaining quorum?
- A . 1
- B . 2
- C . 3
- D . 4
- E . 5
C
Explanation:
Note this question is asking about nodes failing ‘simultaneously’, not nodes failing one after the other.
With six nodes and one witness, there are seven votes. To maintain quorum there needs to be four votes available (four votes is the majority of seven). This means that a minimum of three nodes plus the witness need to remain online for the cluster to function. Therefore, the maximum number of simultaneous failures is three.
Reference: https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/understand-quorum
HOTSPOT
You have a failover cluster named FC1 that contains two nodes named Server1 and Server2. FC1 is configured to use a file share witness.
You plan to configure FC1 to use a cloud witness.
You need to configure Azure Storage accounts for the cloud witness.
Which storage account type and authorization method should you configure? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/failover-clustering/deploy-cloud-witness
Your company uses Storage Spaces Direct.
You need to view the available storage in a Storage Space Direct storage pool.
What should you use?
- A . System Configuration
- B . File Server Resource Manager (FSRM)
- C . the Get-ScorageFileServer cmdlet
- D . Failover Cluster Manager
D
Explanation:
If Failover Cluster Manager, select the Storage Space Direct storage pool. The information displayed in the main window includes the free space and used space.
DRAG DROP
You have three servers named Server1, Server2, Server3 that run Windows Server and have the Hyper-V server role installed.
You plan to create a hyper-converged cluster to host Hyper-V virtual machines.
You need to ensure that you can store virtual machines in Storage Spaces Direct.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Explanation:
Reference: https://docs.microsoft.com/en-us/system-center/vmm/s2d-hyper-converged?view=sc-vmm-2019
You have a Storage Spaces Direct configuration that has persistent memory and contains the data volumes shown in the following table.
You plan to add data volumes to Storage Spaces Direct as shown in the following table.
On which volumes can you use direct access (DAX)?
- A . Volume3 only
- B . Volume4 only
- C . Volume1 and Volume3 only
- D . Volume2 and Volume4 only
- E . Volume3 and Volume4 only
A
Explanation:
DAX can only be used on one volume and the volume has to be NTFS. You could configure DAX on
Volume1 (although that would require reformatting the volume) or Volume3. However, ‘Volume1 only’ isn’t an answer option so Volume3 is the correct answer.
‘Volume1 and Volume3’ is incorrect because of the single volume limitation.
Reference: https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/persistent-memory-direct-access
HOTSPOT
You have a failover cluster named Cluster1 that contains three nodes.
You plan to add two file server cluster roles named File1 and File2 to Cluster1. File1 will use the File Server for general use role. File2 will use the Scale-Out File Server for application data role.
What is the maximum number of nodes for File1 and File2 that can concurrently serve client connections? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/windows-server/failover-clustering/sofs-overview
HOTSPOT
You have a Hyper-V failover cluster named Cluster1 at a main datacenter. Cluster1 contains two nodes that have the Hyper-V server role installed. Cluster1 hosts 10 highly available virtual machines.
You have a cluster named Cluster2 in a disaster recovery site. Cluster2 contains two nodes that have the Hyper-V server role installed.
You plan to use Hyper-V Replica to replicate the virtual machines from Cluster1 to Cluster2.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Reference: https://docs.microsoft.com/en-us/virtualization/community/team-blog/2012/20120327-why-is-the-hyper-v-replica-broker-required