Microsoft AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam Practice Test

Create a domain controller named dc3.corp.fabrikam.com in Vnet1.

In a hybrid network, you can configure Azure virtual machines as domain controllers. The domain controllers in Azure communicate with the on-premises domain controllers in the same way that on-premises domain controllers communicate with each other.

Virtual machines in an Azure virtual network receive their DNS configuration from the DNS settings configured on the virtual network. You need to configure the Azure virtual network to use DC3 as the DNS server. Then all virtual machines in the virtual network will use DC3 and their DNS server.

One possible solution to prevent domain users from saving executable files in a share named \SRVl\Data is to use file screening on the file server. File screening allows you to block certain files from being saved based on their file name extension. Here are the steps to configure file screening:

On the file server, open File Server Resource Manager from the Administrative Tools menu.

In the left pane, expand File Screening Management and click on File Groups.

Right-click on File Groups and select Create File Group.

In the File Group Properties dialog box, enter a name for the file group, such as Executable Files.

In the Files to include box, enter the file name extensions that you want to block, such as .exe, .bat, .cmd, .com, .msi, .scr. You can use wildcards to specify multiple extensions, such as *.exe.

Click OK to create the file group.

In the left pane, click on File Screen Templates.

Right-click on File Screen Templates and select Create File Screen Template.

In the File Screen Template Properties dialog box, enter a name for the template, such as Block Executable Files.

On the Settings tab, select the option Active screening: Do not allow users to save unauthorized files.

On the File Groups tab, check the box next to the file group that you created, such as Executable Files.

On the Notification tab, you can configure how to notify users and administrators when a file screening event occurs, such as sending an email, logging an event, or running a command or script. You can also customize the message that users see when they try to save a blocked file.

Click OK to create the file screen template.

In the left pane, click on File Screens.

Right-click on File Screens and select Create File Screen.

In the Create File Screen dialog box, enter the path of the folder that you want to apply the file screening to, such as \SRVl\Data.

Select the option Derive properties from this file screen template (recommended) and choose the template that you created, such as Block Executable Files.

Click Create to create the file screen.

Now, domain users will not be able to save executable files in the share named \SRVl\Data. They will be able to save other files to the share.

TASK 4

???? Objective:

Enforce a minimum password length of 12 characters for members of the BranchAdmins group only.

Step-by-Step Guide: Fine-Grained Password Policy (FGPP)

✅ Step 1: Verify Forest Functional Level

Fine-grained password policies require the forest functional level to be at least Windows Server 2008.

On a DC, open Active Directory Domains and Trusts (domain.msc).

Right-click the domain and select Raise Forest Functional Level to verify.

If it’s lower, consider raising it (requires caution and planning).

✅ Step 2: Open the Active Directory Administrative Center (ADAC)

On a DC or management server, open ADAC:

Press Windows + R, type dsac.exe, and hit Enter.

✅ Step 3: Create a Fine-Grained Password Policy

In ADAC, in the left pane, expand the domain (e.g., contoso.com) and click System > Password Settings Container.

In the right pane, right-click and select New > Password Settings.

✅ Step 4: Configure the Password Policy

Name: e.g., BranchAdminsPSO.

Precedence: e.g., 1 (lower number = higher priority).

Minimum password length: 12.

Configure other settings as required (leave them at default if not specified).

In Directly Applies To, click Add.

Search for and select the BranchAdmins group.

Click OK.

✅ Step 5: Confirm and Apply

Click OK to create the policy.

It’s now linked directly to the BranchAdmins group, affecting only its members.

✅ Step 6: Verify the Policy

You can use PowerShell to confirm that the PSO is applied:

Get-ADUserResultantPasswordPolicy -Identity "username"

Replace "username" with a user from the BranchAdmins group. The output will show the minimum password length (should be 12).

Objective:

Configure the DHCP server SRV1 to lease IP addresses only to computers with MAC addresses starting with AABB in a specific range.

Step-by-Step Guide

✅ Step 1: Open DHCP Management Console

Log in to SRV1 with Domain Admin or DHCP Admin privileges.

Open DHCP Manager:

Press Windows + R, type dhcpmgmt.msc, and press Enter.

✅ Step 2: Create a New DHCP Scope

In the DHCP console, expand SRV1.

Right-click IPv4 and select New Scope.

The New Scope Wizard opens.

✅ Step 3: Configure the Scope

Name:

Enter a name (e.g., MAC-Filtered Scope).

Click Next.

IP Address Range:

Start IP: 192.168.1.190

End IP: 192.168.1.200

Subnet mask: as appropriate (e.g., 255.255.255.0).

Click Next.

Add Exclusions:

None needed unless you want to reserve certain addresses.

Click Next.

Lease Duration:

Set as needed, default is usually fine.

Click Next.

Configure DHCP Options:

You can skip or configure as needed (gateway, DNS, etc.).

Click Next.

Activate Scope:

Click Yes to activate it.

✅ Step 4: Configure MAC Address Filtering (Allow List)

In the DHCP console, expand the scope you created.

Right-click Filters under the scope and choose New Filter.

Enter the MAC address pattern to match devices with MAC addresses starting with AABB:

MAC Address: AABB*

Description: e.g., Allow devices starting with AABB.

Click Add.

✅ Step 5: Enable Allow Filters

Right-click Filters under the scope and select Enable.

Ensure that only devices matching the AABB pattern will receive leases.

✅ Step 6: Test and Verify

Use a test client with a MAC address starting with AABB to ensure it receives an IP address in the 192.168.1.190–192.168.1.200 range.

Use ipconfig /renew on the client, or check the DHCP leases in the Address Leases section.

Objective:

Grant permissions to the BranchAdmins group to manage the fabikam.com DNS zone on DC1.

Step-by-Step Guide

✅ Step 1: Log in to the DNS Server

Log in to DC1 (which hosts the DNS zone fabikam.com) using an account with Domain Admin or Enterprise Admin rights.

✅ Step 2: Open the DNS Manager

Open DNS Manager:

Press Windows + R, type dnsmgmt.msc, and hit Enter.

✅ Step 3: Locate the Zone

In the DNS Manager, expand the Forward Lookup Zones.

Locate and right-click on the zone fabikam.com.

✅ Step 4: Open Zone Properties

Right-click on fabikam.com and select Properties.

In the Properties window, go to the Security tab.

✅ Step 5: Grant Permissions

In the Security tab, click Add.

Enter the name of the group:

nginx

Copy

BranchAdmins

Click Check Names to resolve the group.

Click OK.

✅ Step 6: Assign the Appropriate Permissions

In the Permissions window, select the BranchAdmins group.

Assign the following permissions:

Read

Write

Create All Child Objects

Delete All Child Objects

Optionally, click Advanced for more granular control if needed.

✅ Step 7: Apply and Close

Click Apply and OK to save the changes.

To deploy a new primary DNS zone named fabrikam.com to DC1 and sign the zone, you can follow these steps:

Step 1: Create the Primary DNS Zone Use the Add-DnsServerPrimaryZone PowerShell command to create the primary zone:

Add-DnsServerPrimaryZone -Name "fabrikam.com" -ZoneFile "fabrikam.com.dns" -DynamicUpdate Secure

This command creates a primary zone for fabrikam.com with a DNS file named fabrikam.com.dns and allows secure dynamic updates.

Step 2: Sign the Zone To sign the zone, you can use the DNS Manager or Windows PowerShell. Here’s how to sign the zone using PowerShell:

Add-DnsServerSigningKey -ZoneName "fabrikam.com" -Type KeySigningKey -CryptoAlgorithm RsaSha256

Set-DnsServerDnsSecZoneSetting -ZoneName "fabrikam.com" -DenialOfExistence NSEC3 -NSEC3Parameters 1,0,10,""

These commands add a signing key to the zone and set DNSSEC settings with NSEC3 parameters.

Step 3: Publish the Signed Zone After signing the zone, ensure that it is published and available for DNS queries. You can verify the zone signing status using the following command:

Get-DnsServerZone -Name "fabrikam.com"

Note: Ensure that you have the appropriate permissions to perform these actions on DC1 and that the DNS Server role is installed and properly configured. Also, replace "fabrikam.com.dns" with the actual path to your DNS file if it’s different12.

By following these steps, you should be able to deploy and sign the new primary DNS zone fabrikam.com on DC1.

To ensure that all computers in the domain use DNSSEC to resolve names in the adatum.com zone, you’ll need to configure both the DNS servers and the client computers. Here’s how you can do it:

Step 1: Sign the adatum.com Zone First, you need to sign the adatum.com DNS zone. This can be done using the DNS Manager or PowerShell. Here’s a PowerShell example:

Add-DnsServerSigningKey -ZoneName "adatum.com" -CryptoAlgorithm RsaSha256

Set-DnsServerDnsSecZoneSetting -ZoneName "adatum.com" -DenialOfExistence NSEC3 -NSEC3Parameters 1,0,10,""

This will add a signing key and configure DNSSEC for the zone with NSEC3 parameters.

Step 2: Configure DNS Servers Ensure that your DNS servers are configured to support DNSSEC. This includes setting up trust anchors for the zones that you want to validate and configuring the DNS servers to provide DNSSEC validation for DNS queries.

Step 3: Configure DNS Clients For DNSSEC validation to occur on the client side, the client computers must be configured to trust the DNS server’s validation process. This typically involves configuring the client’s DNS settings to point to a DNS server that supports DNSSEC.

Step 4: Validate Configuration You can validate that DNSSEC is working correctly by using tools like nslookup or dig to query DNS records and check for the presence of DNSSEC signatures in the responses.

Note: The exact steps may vary depending on your environment and the version of Windows Server you are using. Ensure that you have the appropriate administrative rights to make these changes and that you test the configuration in a controlled environment before deploying it domain-wide12.

By following these steps, you should be able to ensure that all computers in your domain use DNSSEC to resolve names in the adatum.com zone.

One possible solution to ensure that the Azure file share named share1 can sync to on-premises servers is to use Azure File Sync. Azure File Sync allows you to centralize your file shares in Azure Files without giving up the flexibility, performance, and compatibility of an on-premises file server. It does this by transforming your Windows Servers into a quick cache of your Azure file share. You can use any protocol available on Windows Server to access your data locally (including SMB, NFS, and FTPS) and you can have as many caches as you need across the world1.

Here are the steps to configure Azure File Sync for the Azure file share named share1 and the source files located in a folder named \dc1.contoso.com\install:

On the Azure portal, create a Storage Sync Service in the same region as your storage account that contains the Azure file share named share1. For more information on how to create a Storage Sync Service, see How to deploy Azure File Sync.

On the on-premises server that hosts the folder named \dc1.contoso.com\install, install the Azure File Sync agent. For more information on how to install the Azure File Sync agent, see Install the Azure File Sync agent.

On the on-premises server, register the server with the Storage Sync Service that you created in the first step. For more information on how to register a server with a Storage Sync Service, see Register/unregister a server with Storage Sync Service.

On the Azure portal, create a sync group that defines the sync topology for a set of files. In the sync group, select the Azure file share named share1 as the cloud endpoint and the folder named \dc1.contoso.com\install as the server endpoint. For more information on how to create a sync group, see Create a sync group and a cloud endpoint and Create a server endpoint.

Wait for the initial sync to complete. You can monitor the sync progress on the Azure portal or on the on-premises server. For more information on how to monitor sync progress, see [Monitor sync progress].

Once the initial sync is complete, you can add more on-premises servers to the same sync group to sync and cache the content locally. You can also enable cloud tiering to optimize the storage space on the on-premises servers by tiering infrequently accessed or older files to Azure Files.

TASK 7

???? Objective:

Attach the VHDX file c:\vhds\Disk1.vhdx to VM1 so it can dynamically expand when VM1 is running.

Step-by-Step Guide

✅ Step 1: Verify the VHDX File Type

Dynamic expansion means the virtual disk type should be dynamic (not fixed).

Let’s verify the disk type of Disk1.vhdx:

powershell

Copy

Get-VHD -Path "c:\vhds\Disk1.vhdx"

In the output, ensure that VhdType shows Dynamic.

If it’s not dynamic, convert it:

powershell

Copy

Convert-VHD -Path "c:\vhds\Disk1.vhdx" -DestinationPath "c:\vhds\Disk1_dynamic.vhdx" -VHDType Dynamic

✅ Step 2: Attach the VHDX to VM1

Use PowerShell to add the disk to VM1:

powershell

Copy

Add-VMHardDiskDrive -VMName "VM1" -Path "c:\vhds\Disk1.vhdx"

✅ Or do it via Hyper-V Manager:

Open Hyper-V Manager.

Select VM1 and go to Settings.

In the left pane, select SCSI Controller (recommended for hot-add).

Click Add Hard Drive.

Browse and select c:\vhds\Disk1.vhdx.

Click Apply and OK.

✅ Step 3: Verify Hot-Add Support (Optional)

If VM1 is running Windows Server 2012 or later and uses a SCSI Controller, the VHDX can be added without shutting down the VM.

✅ Step 4: Verify the Disk in the VM

Inside VM1, open Disk Management (diskmgmt.msc).

The newly attached disk should appear as unallocated.

Initialize it, create a volume, and format if needed.

Summary

VHDX file type: Must be dynamic for expanding.

Hot-adding supported if attached via SCSI Controller and OS supports it.

Now Disk1.vhdx is attached to VM1 and can expand dynamically.

One possible solution to configure Hyper-V to ensure that running virtual machines can be moved between SRV1 and SRV2 without downtime is to use Live Migration. Live Migration is a feature of Hyper-V that allows you to move a running virtual machine from one host to another without any noticeable interruption of service. To set up Live Migration between SRV1 and SRV2, you need to perform the following steps:

On both SRV1 and SRV2, open Hyper-V Manager from the Administrative Tools menu or by typing virtmgmt.msc in the Run box.

In the left pane, right-click on the name of the server and select Hyper-V Settings.

In the Hyper-V Settings dialog box, select Live Migrations in the navigation pane.

Check the box Enable incoming and outgoing live migrations.

Under Authentication protocol, select the method that you want to use to authenticate the live migration traffic between the servers. You can choose either Kerberos or CredSSP. Kerberos does not require you to sign in to the source server before starting a live migration, but it requires you to configure constrained delegation on the domain controller. CredSSP does not require you to configure constrained delegation, but it requires you to sign in to the source server through a local console session, a Remote Desktop session, or a remote Windows PowerShell session. For more information on how to configure constrained delegation, see Configure constrained delegation.

Under Performance options, select the option that best suits your network configuration and performance requirements. You can choose either TCP/IP or Compression or SMB. TCP/IP uses a single TCP connection for the live migration traffic. Compression uses multiple TCP connections and compresses the live migration traffic to reduce the migration time and network bandwidth usage. SMB uses the Server Message Block (SMB) 3.0 protocol and can leverage SMB features such as SMB Multichannel and SMB Direct. For more information on how to choose the best performance option, see Choose a live migration performance option.

Under Advanced Features, you can optionally enable the Use any available network for live migration option, which allows Hyper-V to use any available network adapter on the source and destination servers for live migration. If you do not enable this option, you need to specify one or more network adapters to be used for live migration by clicking on the Add button and selecting the network adapter from the list. You can also change the order of preference by using the Move Up and Move Down buttons.

Click OK to apply the settings.

Now, you have configured Hyper-V to enable live migration between SRV1 and SRV2. You can use Hyper-V Manager or Windows PowerShell to initiate a live migration of a running virtual machine from one server to another.

One possible solution to configure SRV1 as a DNS server that can resolve names from the contoso.com domain by using DC1 and all other names by using the root hint servers is to use conditional forwarding. Conditional forwarding allows a DNS server to forward queries for a specific domain name to another DNS server, while using the normal forwarding or root hint servers for other queries. Here are the steps to configure conditional forwarding on SRV1:

On SRV1, open DNS Manager from the Administrative Tools menu or by typing dnsmgmt.msc in the Run box.

In the left pane, right-click on Conditional Forwarders and select New Conditional Forwarder.

In the New Conditional Forwarder dialog box, enter contoso.com as the DNS Domain name.

In the IP addresses of the master servers box, enter the IP address of DC1, which is the DNS server for the contoso.com domain. You can also click on Resolve to verify the name resolution of DC1.

Optionally, you can check the box Store this conditional forwarder in Active Directory, and replicate it as follows if you want to store and replicate the conditional forwarder in AD DS. You can also select the replication scope from the drop-down list.

Click OK to create the conditional forwarder.

Now, SRV1 will forward any queries for the contoso.com domain to DC1, and use the root hint servers for any other queries. You can test the name resolution by using the nslookup command on SRV1 or another computer that uses SRV1 as its DNS server. For example, you can run the following commands:

nslookup www.contoso.com

nslookup www.microsoft.com

The first command should return the IP address of www.contoso.com from DC1, and the second command should return the IP address of www.microsoft.com from a root hint server.

To configure the domain to support the creation of gMSAs, you need to perform the following steps:

On a domain controller or a computer that has the Remote Server Administration Tools (RSAT) installed, open PowerShell as an administrator and run the following command to install the Active Directory module:

Install-WindowsFeature -Name RSAT-AD-PowerShell

Run the following command to create a Key Distribution Service (KDS) root key, which is required for generating passwords for gMSAs. You only need to do this once per domain:

Add-KdsRootKey -EffectiveImmediately

Wait for at least 10 hours for the KDS root key to replicate to all domain controllers in the domain. Alternatively, you can use the -EffectiveTime parameter to specify a past date and time for the KDS root key, but this is not recommended for security reasons. For more information, see Add-KdsRootKey.

After the KDS root key is replicated, you can create and configure gMSAs using the New-ADServiceAccount and Set-ADServiceAccount cmdlets. For more information, see Create a gMSA and Configure a gMSA.

To collect the recommended Windows Performance Counters from SRV1 in a Log Analytics workspace, you can follow these steps:

Step 1: Access the Log Analytics Workspace Log in to the Azure portal and navigate to your Log Analytics workspace.

Step 2: Configure Performance Counters In the Log Analytics workspace, select Advanced settings and then choose Data > Windows Performance Counters1. You can add the recommended performance counters by selecting the + button. If you’re using legacy agent management, you can add counters from the Legacy agents management menu2.

Step 3: Add Performance Counters Select the counters you want to collect. You can add common counters quickly by checking the boxes next to them. For specific counters, enter the name of the counter in the format object(instance)\counter. For example, to collect the Processor Time counter for all instances of the Processor object, specify Processor(_Total)\% Processor Time.

Step 4: Set Sample Interval When adding a counter, you can set the sample interval, which is the frequency at which data is collected. The default is 10 seconds, but you can change this to a higher value if needed.

Step 5: Apply Configuration After adding the desired performance counters, select Apply at the top of the screen to save the configuration.

Step 6: Install and Configure the Agent Ensure that the Microsoft Monitoring Agent (MMA) is installed on SRV1. Configure the agent to report to your Log Analytics workspace by specifying the workspace ID and key during setup.

Step 7: Verify Data Collection After the agent is configured, it will start collecting the specified performance counters. You can verify the data collection in the Log Analytics workspace by running queries against the collected data.

Note: The legacy Log Analytics agent will be deprecated by August 2024. Migrate to the Azure Monitor agent before this date to continue ingesting data3.

By following these steps, you should be able to collect the recommended Windows Performance Counters from SRV1 in your Log Analytics workspace. Ensure that you have the necessary permissions and that SRV1 has network connectivity to Azure services.

TASK 2

???? Objective: Configure DC3 to replicate with DC1 and DC2 only between 8:00 PM and 6:00 AM.

Step-by-Step Guide: Replication Scheduling for DC3

✅ Step 1: Promote DC3 to a Domain Controller (if not already done)

Use Server Manager or PowerShell to install the Active Directory Domain Services role and promote the server as a domain controller.

Example PowerShell command to install the AD DS role:

powershell

Copy

Install-WindowsFeature AD-Domain-Services

To promote:

powershell

Copy

Install-ADDSDomainController -DomainName "contoso.com"

✅ Step 2: Open Active Directory Sites and Services

Log in to DC3 or another DC with administrative tools.

Open Active Directory Sites and Services (dssite.msc).

✅ Step 3: Locate the Site

In the left pane, expand the Sites container and find the site that contains DC3.

Expand the site to find Servers.

Under Servers, select DC3.

✅ Step 4: Configure Replication Connection Objects

Expand DC3 and click on NTDS Settings.

In the right pane, you’ll see connection objects to other domain controllers (these represent replication partners).

✅ Step 5: Adjust the Replication Schedule for Each Connection

For each connection object to DC1 and DC2:

Right-click the connection object and select Properties.

Click the Change Schedule button.

✅ Step 6: Set the Replication Schedule

In the schedule window, you’ll see a grid of hours.

Clear all hours except the time window of 8 PM to 6 AM (in 1-hour blocks).

Select 8 PM to 6 AM (10 hours total) for all days.

Click OK to save.

✅ Step 7: Verify and Document

Ensure that both connection objects (to DC1 and DC2) have the updated schedule.

Document your configuration as part of your environment’s change control.

TASK 5

???? Objective:

Configure a Group Policy Preference to create a shortcut to \\srvi.contoso.com\data on the desktop of users in the Server Admins OU.

Step-by-Step Guide: Using Group Policy Preferences to Create a Desktop Shortcut

✅ Step 1: Open Group Policy Management Console (GPMC)

Log in to a DC or a management computer with RSAT installed.

Open Group Policy Management (gpmc.msc).

✅ Step 2: Create a New GPO

In the GPMC console, expand the forest and the domain (e.g., contoso.com).

Right-click the OU named Server Admins and select Create a GPO in this domain, and Link it here.

Name the GPO, e.g., Desktop Shortcut for Server Admins.

✅ Step 3: Edit the GPO

Right-click the newly created GPO and select Edit.

This opens the Group Policy Management Editor.

✅ Step 4: Navigate to User Preferences

In the editor, expand:

User Configuration > Preferences > Windows Settings > Shortcuts.

✅ Step 5: Create the Shortcut

Right-click Shortcuts and select New > Shortcut.

In the New Shortcut Properties window:

Action: Create

Name: Data Folder

Target Type: File System Object

Location: Desktop

Target Path: \\srvi.contoso.com\data

Optionally, set an icon or description if you want.

✅ Step 6: Configure Item-Level Targeting (Optional)

If you want to limit this shortcut strictly to specific users/groups, click the Common tab.

Check Item-level targeting and configure conditions (optional).

For this scenario, linking the GPO to the Server Admins OU is usually sufficient.

✅ Step 7: Close and Update

Close the editor.

In GPMC, ensure the GPO is linked to the Server Admins OU.

Force a Group Policy Update on client computers:

On a client computer:

gpupdate /force

Or wait for the next Group Policy refresh cycle.

✅ Step 8: Verify

Log in as a user in the Server Admins OU.

The shortcut to \\srvi.contoso.com\data should appear on the desktop.

TASK 3

???? Objective:

Create a user named Admin1 in contoso.com.

Admin1 must be able to back up and restore files on SRV1.

Follow the principle of least privilege.

Step-by-Step Guide

✅ Step 1: Create the User Account

Log in to a Domain Controller (e.g., DC1) with appropriate admin rights.

Open Active Directory Users and Computers (dsa.msc).

In the contoso.com domain:

Right-click the Users container or another OU where you want to create the account.

Select New > User.

Enter the following:

First name: Admin1

User logon name: Admin1

Click Next and set a password (ensure it meets the domain’s password policy).

Configure password options (e.g., User must change password at next logon, if required).

Click Finish.

✅ Step 2: Grant Backup and Restore Rights on SRV1

By default, Backup Operators have the ability to back up and restore files (without giving full admin rights).

Log in to SRV1 (the target server).

Open Computer Management (compmgmt.msc).

In the left pane, expand:

System Tools > Local Users and Groups > Groups.

Find and double-click the Backup Operators group.

Click Add.

In the Select Users, Computers, Service Accounts, or Groups window:

Type Admin1.

Click Check Names to resolve the user.

Click OK to add Admin1 to the group.

Click OK again to close the Backup Operators group properties.

✅ Step 3: Verify Access

Log in as Admin1 on SRV1 and test performing backup and restore operations using tools like Windows Server Backup.

Since Backup Operators can back up and restore data but do not have full administrative privileges, this follows the least privilege principle.

✅ Additional Notes

If you prefer using PowerShell, you can add the user to the group like this on SRV1:

Add-LocalGroupMember -Group "Backup Operators" -Member "contoso\Admin1"

Membership in the Enterprise Admins group or the Domain Admins group in the forest root domain is required.