Az 801

Uploaded by

maryam

Microsoft

(AZ-801)

Configuring Windows Server Hybrid Advanced Services

Total: 136 Questions


Question: 1 CertyIQ
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From Virus & threat protection, you configure Controlled folder access.
Does this meet the goal?

A. Yes
B. No

Answer: A

Explanation:

Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-controlled-folders?view=o365-worldwide

Question: 2 CertyIQ
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From Virus & threat protection, you configure Tamper Protection.
Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:

Tamper Protection in Windows Security helps prevent malicious apps from changing important Microsoft
Defender Antivirus settings, including real-time protection and cloud-delivered protection.

Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-controlled-folders?view=o365-worldwide

Question: 3 CertyIQ
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From App & browser control, you configure the Exploit protection settings.
Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:

Exploit protection helps protect devices from malware that uses exploits to spread and infect other devices.
Mitigation can be applied to either the operating system or to an individual app.

Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-controlled-folders?view=o365-worldwide

Question: 4 CertyIQ
DRAG DROP -
You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active
Directory (Azure AD) tenant.
The AD DS domain contains a domain controller named DC1. DC1 does NOT have internet access.
You need to configure password security for on-premises users. The solution must meet the following
requirements:
✑ Prevent the users from using known weak passwords.
✑ Prevent the users from using the company name in passwords.
What should you do? To answer, drag the appropriate configurations to the correct targets. Each configuration
may be used once, more than once, or not at all.
You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Answer:
Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy

Question: 5 CertyIQ
HOTSPOT -
The Default Domain Policy Group Policy Object (GPO) is shown in the GPO exhibit. (Click the GPO tab.)

The members of a group named Service Accounts are shown in the Group exhibit. (Click the Group tab.)
An organizational unit (OU) named ServiceAccounts is shown in the OU exhibit. (Click the OU tab.)
You create a Password Settings Object (PSO) as shown in the PSO exhibit. (Click the PSO tab.)

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:

Yes - coz the fine-grained pwd policy applies to group ServiceAccounts (of which ServiceAccount1 is a
member). Fine-Grained Password Policy overrides Default Domain Policy GPO pwd settings.

No - coz ServiceAccount2 is not a member of the security group ServiceAccounts so it gets the Default
Domain Policy GPO pwd settings.

No - coz the minimum password length for this group is at least 16 characters.

Question: 6 CertyIQ
DRAG DROP -
Your network contains an Active Directory Domain Services (AD DS) domain.
You need to implement a solution that meets the following requirements:
✑ Ensures that the members of the Domain Admins group are allowed to sign in only to domain controllers
✑ Ensures that the lifetime of Kerberos Ticket Granting Ticket (TGT) for the members of the Domain Admins group
is limited to one hour
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts

Question: 7 CertyIQ
You have an Azure virtual machine named VM1 that runs Windows Server.
You plan to deploy a new line-of-business (LOB) application to VM1.
You need to ensure that the application can create child processes.
What should you configure on VM1?

A. Microsoft Defender Credential Guard
B. Microsoft Defender Application Control
C. Microsoft Defender SmartScreen
D. Exploit protection

Answer: D

Explanation:

Exploit protection

Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-exploit-protection?view=o365-worldwide

Question: 8 CertyIQ
HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain
contains the organizational units (OUs) shown in the following table.

In the domain, you create the Group Policy Objects (GPOs) shown in the following table.

You need to implement IPsec authentication to ensure that only authenticated computer accounts can connect to
the members in the domain. The solution must minimize administrative effort.
Which GPOs should you apply to the Domain Controllers OU and the Domain Servers OU? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-authentication-methods

Question: 9 CertyIQ
You have 100 Azure virtual machines that run Windows Server. The virtual machines are onboarded to Microsoft
Defender for Cloud.
You need to shut down a virtual machine automatically if Microsoft Defender for Cloud generates the
"Antimalware disabled in the virtual machine" alert for the virtual machine.
What should you use in Microsoft Defender for Cloud?

A. a logic app
B. a workbook
C. a security policy
D. adaptive network hardening

Answer: A

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts

Question: 10 CertyIQ
You have a Microsoft Sentinel deployment and 100 Azure Arc-enabled on-premises servers. All the Azure Arc-
enabled resources are in the same resource group.
You need to onboard the servers to Microsoft Sentinel. The solution must minimize administrative effort.
What should you use to onboard the servers to Microsoft Sentinel?

A. Azure Automation
B. Azure Policy
C. Azure virtual machine extensions
D. Microsoft Defender for Cloud

Answer: B

Explanation:

Enforce organization standards and assess compliance at scale for all your resources anywhere with Azure
Policy.

Reference:

https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/manage/hybrid/server/best-practices/arc-policies-mma

Question: 11 CertyIQ
You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active
Directory (Azure AD) tenant by using password hash synchronization.
You have a Microsoft 365 subscription.
All devices are hybrid Azure AD-joined.
Users report that they must enter their password manually when accessing Microsoft 365 applications.
You need to reduce the number of times the users are prompted for their password when they access Microsoft
365 and Azure services.
What should you do?

A. In Azure AD, configure a Conditional Access policy for the Microsoft Office 365 applications.
B. In the DNS zone of the AD DS domain, create an autodiscover record.
C. From Azure AD Connect, enable single sign-on (SSO).
D. From Azure AD Connect, configure pass-through authentication.

Answer: C

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start

Question: 12 CertyIQ
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have 50 Azure virtual machines that run Windows Server.
You need to ensure that any security exploits detected on the virtual machines are forwarded to Defender for
Cloud.
Which extension should you enable on the virtual machines?

A. Vulnerability assessment for machines
B. Microsoft Dependency agent
C. Log Analytics agent for Azure VMs
D. Guest Configuration agent

Answer: A

Explanation:

If I understand it correctly, then there's a difference between a VM extension and an agent. As the question is
about an extension and three of the four answers mention an agent, the answer must be A.

Reference:

https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm

Question: 13 CertyIQ
HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) forest. The forest contains the domains shown
in the following table.
You are implementing Microsoft Defender for Identity sensors.
You need to install the sensors on the minimum number of domain controllers. The solution must ensure that
Defender for Identity will detect all the security risks in both the domains.
What should you identify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/defender-for-identity/technical-faq#deployment
https://docs.microsoft.com/en-us/defender-for-identity/install-step4

Question: 14 CertyIQ
You have 10 servers that run Windows Server in a workgroup.
You need to configure the servers to encrypt all the network traffic between the servers. The solution must be as
secure as possible.
Which authentication method should you configure in a connection security rule?
A. NTLMv2
B. pre-shared key
C. Kerberos V5
D. computer certificate

Answer: D

Explanation:

Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule

Question: 15 CertyIQ
You have an Azure virtual machine named VM1 that runs Windows Server.
You need to encrypt the contents of the disks on VM1 by using Azure Disk Encryption.
What is a prerequisite for implementing Azure Disk Encryption?

A. Customer Lockbox for Microsoft Azure
B. an Azure key vault
C. a BitLocker recovery key
D. data-link layer encryption in Azure

Answer: B

Explanation:

Correct: B) Azure Disk Encryption helps protect and safeguard your data to meet your organizational security
and compliance commitments. It uses the BitLocker feature of Windows to provide volume encryption for the
OS and data disks of Azure virtual machines (VMs), and is integrated with Azure Key Vault to help you control
and manage the disk encryption keys and secrets.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview

Reference:

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview

Question: 16 CertyIQ
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains two servers
named Server1 and Server2 that run Windows Server.
You need to ensure that you can use the Computer Management console to manage Server2. The solution must
use the principle of least privilege.
Which two Windows Defender Firewall with Advanced Security rules should you enable on Server2? Each correct
answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. the COM+ Network Access (DCOM-In) rule
B. all the rules in the Remote Event Log Management group
C. the Windows Management Instrumentation (WMI-In) rule
D. the COM+ Remote Administration (DCOM-In) rule
E. the Windows Management Instrumentation (DCOM-In) rule

Answer: AB

Explanation:

Reference:
https://docs.microsoft.com/en-us/windows-server/administration/server-manager/configure-remote-management-in-server-manager

Question: 17 CertyIQ
You have a server that runs Windows Server. The server is configured to encrypt all incoming traffic by using a
connection security rule.
You need to ensure that Server1 can respond to the unencrypted tracert commands initiated from computers on
the same network.
What should you do from Windows Defender Firewall with Advanced Security?

A. From the IPsec Settings, configure IPsec defaults.
B. Create a new custom outbound rule that allows ICMPv4 protocol connections for all profiles.
C. Change the Firewall state of the Private profile to Off.
D. From the IPsec Settings, configure IPsec exemptions.

Answer: D

Explanation:

Correct Answer: "IPSec exemptions change Exempt ICMP from IPSec to Yes. Use this setting to prevent ICMP
(Ping and Tracert) messages from being authenticated, encrypted, or both. Keeping ICMP messages
unprotected allows you to perform basic network troubleshooting when IPSec cannot be successfully
negotiated."

Question: 18 CertyIQ
You have an Azure virtual machine named VM1.
You enable Microsoft Defender SmartScreen on VM1.
You need to ensure that the SmartScreen messages displayed to users are logged.
What should you do?

A. From a command prompt, run WinRM quickconfig.
B. From the local Group Policy, modify the Advanced Audit Policy Configuration settings.
C. From Event Viewer, enable the Debug log.
D. From the Windows Security app, configure the Virus & threat protection settings.

Answer: C

Explanation:

"Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log, in the
Event Viewer.

Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or
use the command line to enable it:
wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true"

Reference:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview

Question: 19 CertyIQ
HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named
Server1 that runs Windows Server.
You run Get-BitLockerVolume -MountPoint C,D | fl *, which generates the following output.
You need to ensure that volume D will be unlocked automatically when Server1 restarts.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:
Box 1: Add-BitLockerKeyProtector
From the exhibit we see for volume D that AutoUnlockEnabled is False, and AutoUnlockKeyStored is empty.
The Add-BitLockerKeyProtector cmdlet adds a protector for the volume key of the volume protected with
BitLocker Drive Encryption.
Example: The following example adds an ADAccountOrGroup protector to the previously encrypted operating
system volume using the SID of the account:
Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500
Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.

Box 2: Service -
The -Service parameter indicates that the system account for this computer unlocks the encrypted volume.
Add-BitLockerKeyProtector syntax with use of the ADAccountOrGroupProtector parameter:

Add-BitLockerKeyProtector
[-MountPoint] <String[]>
[-ADAccountOrGroupProtector]
[-ADAccountOrGroup] <String>
[-Service]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Incorrect:
* Enable-BitLockerAutoUnlock
The Enable-BitLockerAutoUnlock cmdlet enables automatic unlocking for a volume protected by BitLocker
Disk Encryption.
The command has no -ADAccountOrGroupProtector parameter.
Syntax:

Enable-BitLockerAutoUnlock
[-MountPoint] <String[]>
[-WhatIf]
[-Confirm]
[<CommonParameters>]
* The Clear-BitLockerAutoUnlock cmdlet removes all automatic unlocking keys used by BitLocker Drive
Encryption. BitLocker stores these keys for the fixed data drives of a system on a volume that hosts a
BitLocker-enabled operating system volume so that it can automatically unlock the fixed and removable data
volumes in a system. This makes it easier for users to access data volumes.
Syntax: Clear-BitLockerAutoUnlock [<CommonParameters>]

Reference:
https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker
https://docs.microsoft.com/en-us/powershell/module/bitlocker/add-bitlockerkeyprotector

Question: 20 CertyIQ
HOTSPOT -
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. The
domain contains the accounts shown in the following table.

The domain is configured to store BitLocker recovery keys in Active Directory.


Admin1 and Admin2 perform the following configurations:
1. Admin1 turns on BitLocker Drive Encryption (BitLocker) for volume C on Server1.
2. Admin1 moves Server1 to OU1.
3. Admin2 turns on BitLocker for removable volume E on Server2.
4. Admin2 moves removable volume E from Server2 to Server1 and unlocks the volume.
On which Active Directory object can you view each BitLocker recovery key? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Explanation:
Box 1: Server1 -
You can configure Group Policies in your domain so that when encrypting any drive with BitLocker, the
computer will save the recovery key in its computer object account in AD (like storing a local computer
administrator password generated using LAPS).

Box 2: Server2 -

Reference:
http://woshub.com/store-bitlocker-recovery-keys-active-directory/

Question: 21 CertyIQ
HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains servers that run
Windows Server as shown in the following table.

Server1 has the connection security rules shown in the following table.
Server2 has the connection security rules shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:

1. Y - combine Rule12 and Rule 31.

2. Y - Rule 31, (assume there are no connection security rules on Server3)

3. Y - Rule 31, (assume there are no connection security rules on Server3)


Reference:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode

Question: 22 CertyIQ
You have an Azure subscription that contains a user named User1 and the resources shown in the following table.

User1 has a computer named Computer1 that runs Windows 11. User1 works from home and establishes a Point-to-
Site (P2S) connection to GW1 to access AppSvr1.

You deploy the resources shown in the following table.

User1 cannot access AppSvr2.

You need to ensure that User1 can access AppSvr2.

What should you do?

A. On Computer1, download and reinstall the VPN client.
B. Create a route table and associate the table with GatewaySubnet on VNet1.
C. On Computer1, modify the Windows Defender Firewall settings.
D. Add a service endpoint to VNet2.

Answer: A

Explanation:

Perhaps A is correct.
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing

https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

For peered virtual networks, resources in either virtual network can directly connect with resources in the peered virtual
network. The traffic between virtual machines in peered virtual networks is routed directly through the
Microsoft backbone infrastructure, not through a gateway or over the public Internet. Full connectivity is the
default option. So, just reinstall the client.

Question: 23 CertyIQ
HOTSPOT -

You have a generation 1 Azure virtual machine named VM1 that runs Windows Server and is joined to an Active
Directory domain.

You plan to enable BitLocker Drive Encryption (BitLocker) on volume C of VM1.

You need to ensure that the BitLocker recovery key for VM1 is stored in Active Directory.

Which two Group Policy settings should you configure first? To answer, select the settings in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

Question: 24 CertyIQ
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You have a server named Server1 that runs Windows Server.

You need to ensure that only specific applications can modify the data in protected folders on Server1.

Solution: From App & browser control, you configure Reputation-based protection.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:

Controlled Folder Access needs to be used.

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-controlled-folders?view=o365-worldwide#allow-specific-apps-to-make-changes-to-controlled-folders

Question: 25 CertyIQ
DRAG DROP -

You have an Azure subscription that contains an Azure key vault named Vault1.

You plan to deploy a virtual machine named VM1 that will run Windows Server.

You need to enable encryption at host for VM1. The solution must use customer-managed keys.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.

Answer:
Explanation:

1- Create a disk encryption set and generate RSA keys.

2- Grant Vault1 the managed identity permission for the disk encryption set.

3- Create VM1 and associate the disks of the virtual machine with the disk encryption set.

https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell

Question: 26 CertyIQ
HOTSPOT -

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains three servers
named Server1, Server2, and Server3 that run Windows Server. All the servers are on the same network and have
network connectivity.

On Server1, Windows Defender Firewall has a connection security rule that has the following settings:

• Rule Type: Server-to-server
• Endpoint 1: Any IP address
• Endpoint 2: Any IP address
• Requirements: Require authentication for inbound connections and request authentication for outbound
connections
• Authentication Method: Computer (Kerberos V5)
• Profile: Domain, Private, Public
• Name: Rule1

Server2 has no connection security rules.

On Server3, Windows Defender Firewall has a connection security rule that has the following settings:

• Rule Type: Server-to-server
• Endpoint 1: Any IP address
• Endpoint 2: Any IP address
• Requirements: Request authentication for inbound and outbound connections
• Authentication Method: Computer (Kerberos V5)
• Profile: Domain, Private, Public
• Name: Rule1

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Answers are N, Y, Y

To your second point, Server3 REQUESTS Kerberos v5 and Server2 cannot provide it. A connection can still
happen on a REQUEST, but not on a REQUIRE. Only Server1 REQUIRES authentication.

So, given answer is correct. - N, Y, Y

Question: 27 CertyIQ
Your network contains an Active Directory Domain Services (AD DS) forest. The forest functional level is Windows
Server 2012 R2. The forest contains the domains shown in the following table.

You create a user named Admin1.

You need to ensure that Admin1 can add a new domain controller that runs Windows Server 2022 to the
east.contoso.com domain. The solution must follow the principle of least privilege.

To which groups should you add Admin1?

A. EAST\Domain Admins only
B. CONTOSO\Enterprise Admins only
C. CONTOSO\Schema Admins and EAST\Domain Admins
D. CONTOSO\Enterprise Admins and CONTOSO\Schema Admins

Answer: D

Explanation:

CONTOSO\Enterprise Admins and CONTOSO\Schema Admins.

Question: 28 CertyIQ
You have an Azure subscription named Sub1 that contains a resource group named RG1. RG1 contains the
resources shown in the following table.

Sub1 has Microsoft Defender for Servers enabled. You are assigned the Contributor role for Sub1.

You need to implement just-in-time (JIT) VM access for VM1.

What should you do first?

A. Create a network security group (NSG).
B. Enable enhanced security in Microsoft Defender for Cloud.
C. Request the Owner role for Sub1.
D. Create an application security group.

Answer: C

Explanation:

Request the Owner role for Sub1.

Question: 29 TOPIC 2 CertyIQ


Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You have a failover cluster named Cluster1 that hosts an application named App1.
The General tab in App1 Properties is shown in the General exhibit. (Click the General tab.)

The Failover tab in App1 Properties is shown in the Failover exhibit. (Click the Failover tab.)
Server1 shuts down unexpectedly.
You need to ensure that when you start Server1, App1 continues to run on Server2.
Solution: From the Failover settings, you select Prevent failback.
Does this meet the goal?

A. Yes
B. No

Answer: A

Explanation:
The Prevent failback setting will prevent the cluster failing back to Server1.

Question: 30 CertyIQ
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You have a failover cluster named Cluster1 that hosts an application named App1.
The General tab in App1 Properties is shown in the General exhibit. (Click the General tab.)

The Failover tab in App1 Properties is shown in the Failover exhibit. (Click the Failover tab.)
Server1 shuts down unexpectedly.
You need to ensure that when you start Server1, App1 continues to run on Server2.
Solution: You increase Maximum failures in the specified period for the App1 cluster role.
Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
The Maximum failures setting is used to determine when the cluster determines that a node is offline. It does
not affect whether a cluster will fail back when a node comes online.

Question: 31 CertyIQ
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You have a failover cluster named Cluster1 that hosts an application named App1.
The General tab in App1 Properties is shown in the General exhibit. (Click the General tab.)
The Failover tab in App1 Properties is shown in the Failover exhibit. (Click the Failover tab.)
Server1 shuts down unexpectedly.
You need to ensure that when you start Server1, App1 continues to run on Server2.
Solution: From the General settings, you move Server2 up.
Does this meet the goal?

A. Yes
B. No

Answer: A

Explanation:

The tick is to choose which server to press "move up" and "move down". Lol, funny explanation attempt
though.

I would say Yes since you are setting Server2 as the preferred owner

Question: 32 CertyIQ
You have a failover cluster named Cluster1 that has the following configurations:
✑ Number of nodes: 6
✑ Quorum: Dynamic quorum
✑ Witness: File share, Dynamic witness
What is the maximum number of nodes that can fail simultaneously while maintaining quorum?

A. 1
B. 2
C. 3
D. 4
E. 5

Answer: C

Explanation:
Note this question is asking about nodes failing 'simultaneously', not nodes failing one after the other.
With six nodes and one witness, there are seven votes. To maintain quorum there needs to be four votes
available (four votes is the majority of seven). This means that a minimum of three nodes plus the witness
need to remain online for the cluster to function. Therefore, the maximum number of simultaneous failures is
three.

"In our case, if all 6 nodes are healthy, we have 7 votes in cluster, the cluster can accept losing 3
votes (nodes) at most simultaneously to remain the cluster online, as 4 votes (3 nodes + dynamic witness)
still constitute the majority of cluster.
If we have a node down, then 5 nodes healthy in cluster, the witness doesn't have vote, 5 votes now, it's
acceptable that 2 nodes failed simultaneously."

Reference:
https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/understand-quorum

Question: 33 (topic 1 question 5)
HOTSPOT -
You have a failover cluster named FC1 that contains two nodes named Server1 and Server2. FC1 is configured to
use a file share witness.
You plan to configure FC1 to use a cloud witness.
You need to configure Azure Storage accounts for the cloud witness.
Which storage account type and authorization method should you configure? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/windows-server/failover-clustering/deploy-cloud-witness

Question: 34
Your company uses Storage Spaces Direct.
You need to view the available storage in a Storage Space Direct storage pool.
What should you use?

A. System Configuration
B. File Server Resource Manager (FSRM)
C. the Get-StorageFileServer cmdlet
D. Failover Cluster Manager

Answer: D

Explanation:
In Failover Cluster Manager, select the Storage Space Direct storage pool. The information displayed in the
main window includes the free space and used space.

Question: 35
DRAG DROP -
You need to create a Hyper-V hyper-converged cluster that stores virtual machines by using Storage Spaces
Direct.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/system-center/vmm/s2d-hyper-converged?view=sc-vmm-2019

Question: 36
You have a Storage Spaces Direct configuration that has persistent memory and contains the data volumes shown
in the following table.

You plan to add data volumes to Storage Spaces Direct as shown in the following table.

On which volumes can you use direct access (DAX)?


A. Volume3 only
B. Volume4 only
C. Volume1 and Volume3 only
D. Volume2 and Volume4 only
E. Volume3 and Volume4 only

Answer: A

Explanation:
DAX can only be used on one volume and the volume has to be NTFS. You could configure DAX on Volume1
(although that would require reformatting the volume) or Volume3. However, 'Volume1 only' isn't an answer
option so Volume3 is the correct answer.
'Volume1 and Volume3' is incorrect because of the single volume limitation.

Reference:
https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/persistent-memory-direct-access

Question: 37
HOTSPOT -
You have a failover cluster named Cluster1 that contains three nodes.
You plan to add two file server cluster roles named File1 and File2 to Cluster1. File1 will use the File Server for
general use role. File2 will use the Scale-Out File
Server for application data role.
What is the maximum number of nodes for File1 and File2 that can concurrently serve client connections? To
answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/windows-server/failover-clustering/sofs-overview

Question: 38 (topic 2 question 10)
HOTSPOT -
You have a failover cluster named Cluster1 that contains the nodes shown in the following table.

A File Server for general use cluster role named HAFS is configured as shown in the General exhibit. (Click the
General tab.)
The Advanced Policies settings for HAFS are configured as shown in the Advanced Policies exhibit. (Click the
Advanced Policies tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Hot Area:

Answer:
Explanation:
Box 1: Yes -
HAFS will move from Node1 to Node3 if we test failover for the cluster.
Note: Test failover.
Test failover of the clustered resource to validate cluster functionality.
Take the following steps:
1. Connect to one of the SQL Server cluster nodes by using RDP.
2. Open Failover Cluster Manager. Select Roles. Notice which node owns the SQL Server FCI role.
3. Right-click the SQL Server FCI role.
4. Select Move, and then select Best Possible Node.
5. Failover Cluster Manager shows the role, and its resources go offline. The resources then move and come
back online in the other node.

Box 2: Yes -
Node1 is the preferred owner.

Box 3: No -
Node2 is not a possible owner of the cluster.

Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/failover-cluster-instance-vnn-azure-load-balancer-configure

Question: 39
You have two Azure virtual machines that run Windows Server.
You plan to create a failover cluster that will host the virtual machines.
You need to configure an Azure Storage account that will be used by the cluster as a cloud witness. The solution
must maximize resiliency.
Which type of redundancy should you configure for the storage account?

A. Geo-zone-redundant storage (GZRS)
B. Locally-redundant storage (LRS)
C. Zone-redundant storage (ZRS)
D. Geo-redundant storage (GRS)

Answer: C

Explanation:
For Replication, you can select Locally-redundant storage (LRS) or Zone-redundant storage (ZRS) as
applicable. ZRS offers more redundancy.
Reference:
https://docs.microsoft.com/en-us/windows-server/failover-clustering/deploy-cloud-witness

Question: 40
DRAG DROP -
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a failover cluster
named Cluster1.
You need to configure Cluster-Aware Updating (CAU) on the cluster by using Windows Admin Center (WAC).
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Answer:

Explanation:

1. Add Cluster1 to WAC.

2. Enable CredSSP.

3. Add the Cluster-Aware Updating role.

https://4sysops.com/archives/install-updates-for-server-clusters-using-windows-admin-center/

Question: 41
You have a three-node failover cluster.
You need to run pre-scripts and post-scripts when Cluster-Aware Updating (CAU) runs. The solution must minimize
administrative effort.
What should you use?
A. Azure Functions
B. Run profiles
C. Windows Server Update Services (WSUS)
D. Scheduled tasks

Answer: B

Explanation:
Cluster-Aware Updating advanced options and updating run profiles.
You can set the PreUpdateScript or PostUpdateScript option.

Reference:
https://docs.microsoft.com/en-us/windows-server/failover-clustering/cluster-aware-updating-options

Question: 42
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You have a failover cluster named Cluster1 that hosts an application named App1.
The General tab in App1 Properties is shown in the General exhibit. (Click the General tab.)
The Failover tab in App1 Properties is shown in the Failover exhibit. (Click the Failover tab.)
Server1 shuts down unexpectedly.
You need to ensure that when you start Server1, App1 continues to run on Server2.
Solution: You pause the Server1 node in Cluster1 and then start Server1.
Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Instead, from the Failover settings, you select Prevent failback.
Note: The Prevent failback setting will prevent the cluster failing back to Server1.
Preventing failback.
A third potential setting is used after a resource's cluster node comes back online after a failover. Under the
Failover tab is the Failback setting with the default setting "prevent failback." When failback is configured,
the virtual machine will return back to its original host when that host is again available. If you want virtual
machines to return to your known configuration after a host problem, this can be a good thing.

Reference:
https://www.computerweekly.com/tip/Configuring-cluster-failover-settings-for-Hyper-V-virtual-machines

Question: 43 (topic 2 question 15)
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You have a failover cluster named Cluster1 that hosts an application named App1.
The General tab in App1 Properties is shown in the General exhibit. (Click the General tab.)
The Failover tab in App1 Properties is shown in the Failover exhibit. (Click the Failover tab.)
Server1 shuts down unexpectedly.
You need to ensure that when you start Server1, App1 continues to run on Server2.
Solution: From the General settings, you increase the priority of Server2 in the Preferred Owners list.
Does this meet the goal?

A. Yes
B. No

Answer: A

Explanation:

The preferred owner has priority.

The current host is Server2. Increasing the priority of Server2 in the Preferred Owners list will keep the app
running on Server2.

Question: 44 (topic 2 question 16)
Your company uses Storage Spaces Direct.

You need to view the available storage in a Storage Space Direct storage pool.

What should you use?

A. System Configuration
B. Resource Monitor
C. the Get-StorageFileServer cmdlet
D. Windows Admin Center

Answer: D

Explanation:

https://learn.microsoft.com/en-us/azure-stack/hci/concepts/storage-spaces-direct-overview#manage-and-monitor

Question: 45
Your company uses Storage Spaces Direct.

You need to view the available storage in a Storage Space Direct storage pool.

What should you use?

A. the Get-StorageSubsystem cmdlet
B. File Server Resource Manager (FSRM)
C. Disk Management
D. Failover Cluster Manager

Answer: D

Explanation:

https://learn.microsoft.com/en-us/azure-stack/hci/concepts/storage-spaces-direct-overview#manage-and-monitor

Question: 46 (topic 2 question 18)
Your network contains an Active Directory Domain Services (AD DS) forest.
You need to deploy a Storage Spaces Direct converged infrastructure. The solution must meet the following
requirements:

• Use an Ethernet fabric.
• Eliminate the need for Data Center Bridging (DCB).

Which Remote Direct Memory Access (RDMA) networking technology should you implement?

A. InfiniBand
B. RoCEv2
C. iWARP
D. RoCEv1

Answer: C

Explanation:

https://learn.microsoft.com/en-us/azure-stack/hci/manage/validate-qos
DCB is required for RDMA over Converged Ethernet (RoCE) networks, and is optional (but recommended) for
Internet Wide Area RDMA Protocol (iWARP) networks.

topic 2 question 19 missing

Topic 2 question 20 missing (I did not find it)

Question: 47 (topic 2 question 21)
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.

You have a failover cluster named Cluster1 that hosts an application named App1.

The General tab in App1 Properties is shown in the General exhibit. (Click the General tab.)
The Failover tab in App1 Properties is shown in the Failover exhibit. (Click the Failover tab.)
Server1 shuts down unexpectedly.

You need to ensure that when you start Server1, App1 continues to run on Server2.

Solution: From the General settings, you increase the priority of Server2 in the Preferred Owners list.

Does this meet the goal?

A. Yes
B. No

Answer: A

Explanation:

Prioritizing Server 2 meant that the app will continue to run on it even when Server 1 comes back as it's no
longer the highest priority machine.

topic 2 question 23

Question: 48 (Topic 3 question 1)
HOTSPOT -
You have a Hyper-V failover cluster named Cluster1 at a main datacenter. Cluster1 contains two nodes that have
the Hyper-V server role installed. Cluster1 hosts
10 highly available virtual machines.
You have a cluster named Cluster2 in a disaster recovery site. Cluster2 contains two nodes that have the Hyper-V
server role installed.
You plan to use Hyper-V Replica to replicate the virtual machines from Cluster1 to Cluster2.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/virtualization/community/team-blog/2012/20120327-why-is-the-hyper-v-replica-broker-required

Question: 49
You have two servers named Server1 and Server2 that run Windows Server. Both servers have the Hyper-V server
role installed.
Server1 hosts three virtual machines named VM1, VM2, and VM3. The virtual machines replicate to Server2.
Server1 experiences a hardware failure.
You need to bring VM1, VM2, and VM3 back online as soon as possible.
From the Hyper-V Manager console on Server2, what should you run for each virtual machine?

A. Start
B. Move
C. Unplanned Failover
D. Planned Failover

Answer: C

Explanation:

Planned is clearly not correct as we are dealing with an Unplanned hardware failure.

Reference:

https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/manage/set-up-hyper-v-replica

Question: 50
HOTSPOT -
You have a Hyper-V failover cluster named Cluster1 that uses a cloud witness. Cluster1 hosts a virtual machine
named VM1 that runs Windows Server.
You need to fail over VM1 automatically to a different node when a service named Service1 on VM1 fails.
What should you do on Cluster1 and VM1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Explanation:

https://techcommunity.microsoft.com/t5/failover-clustering/how-to-configure-vm-monitoring-in-windows-server-2012/ba-p/371745

Question: 51
DRAG DROP -
You have two physical servers named AppSrv1 and AppSrv2 and an unconfigured server named Server1. All the
servers run Windows Server. Only Server1 can access the internet.
You plan to use Azure Site Recovery to replicate AppSrv1 and AppSrv2 to Azure.
You need to deploy the required components to AppSrv1, AppSrv2, and Server1.
Which components should you deploy? To answer, drag the appropriate components to the correct servers. Each
component may be used once, more than once, or not at all. You may need to drag the split bar between panes or
scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/physical-azure-architecture
https://docs.microsoft.com/en-us/azure/site-recovery/physical-azure-set-up-source

Question: 52 (topic 3 question 5)
DRAG DROP -
You have two Azure virtual machines named VM1 and VM2. VM1 is backed up to an Azure Recovery Services vault
daily and retains backups for 30 days.
You need to restore an individual file named C:\Data\Important.docx from VM1 to VM2. The solution must minimize
administrative effort.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm

Question: 53
HOTSPOT -
You have three servers named Host1, Host2, and VM1 that run Windows Server. Host1 and Host2 have the Hyper-V
server role installed. VM1 is a virtual machine hosted on Host1.
You configure VM1 to replicate to Host2 by using Hyper-V Replica.
Which types of failovers can you perform on VM1 on each host? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:

Question: 54
You have three Azure virtual machines named VM1, VM2, and VM3 that host a multitier application.
You plan to implement Azure Site Recovery.
You need to ensure that VM1, VM2, and VM3 fail over as a group.
What should you configure?

A. an availability zone
B. a recovery plan
C. an availability set

Answer: B

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-overview

Question: 55
DRAG DROP -
You have an Azure subscription that contains an Azure Recovery Services vault.
You have an on-premises physical server that runs Windows Server.
You need to back up the server daily to Azure.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Answer:
Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/backup/tutorial-backup-windows-server-to-azure

Question: 56
DRAG DROP -
Your network contains an Active Directory Domain Services (AD DS) domain that has the Active Directory Recycle
Bin enabled. The domain contains two domain controllers named DC1 and DC2. The system state of the domain
controllers is backed up daily at 23:00 by using Windows Server Backup.
You have an organizational unit (OU) named ParisUsers that contains 1,000 users.
At 08:00, DC1 shuts down for hardware maintenance. The maintenance completes, but DC1 remains shut down.
At 09:00, an administrative error causes the manager attribute of each user in ParisUsers to be deleted.
You need to recover the user account details as quickly as possible. The solution must minimize data loss.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Answer:

Question: 57 (topic 3 question 10)
You have an on-premises server named Server1 that runs Windows Server and has the Hyper-V server role
installed.
You have an Azure subscription.
You plan to back up Server1 to Azure by using Azure Backup.
Which two Azure Backup options require you to deploy Microsoft Azure Backup Server (MABS)? Each correct
answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Bare Metal Recovery
B. Files and folders
C. System State
D. Hyper-V Virtual Machines

Answer: AD

Explanation:

Correct answer is A and D. MARS agent can perform file-folder and system state backup so MABS is not
required. MABS is application aware backup service.

Question: 58
DRAG DROP -
Your network contains an Active Directory Domain Services (AD DS) domain that has the Active Directory Recycle
Bin enabled. All domain controllers are backed up daily.
You accidentally remove all the users from a domain group.
You need to get a list of the users that were previously in the group.
Which four actions should you perform in sequence from a domain controller? To answer, move the appropriate
actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Answer:

Explanation:

Reference:
http://sysadmindoc.blogspot.com/2018/10/mount-active-directory-database-from.html

Question: 59
DRAG DROP -
You have a server that runs Windows Server.
You plan to back up the server to an Azure Recovery Services vault once per week starting on the next Saturday.
You need to schedule the weekly backup and perform the initial backup as soon as possible.
In which order should you perform the actions? To answer, move all actions from the list of actions to the answer
area and arrange them in the correct order.
Select and Place:

Answer:
Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/backup/install-mars-agent#download-the-mars-agent
https://docs.microsoft.com/en-us/azure/backup/backup-windows-with-mars-agent

Question: 60
You have 200 Azure virtual machines.
You create a recovery plan in Azure Site Recovery to fail over all the virtual machines to an Azure region. The plan
has three manual actions.
You need to replace one of the manual actions with an automated process.
What should you use?

A. an Azure Desired State Configuration (DSC) virtual machine extension
B. an Azure Automation runbook
C. an Azure PowerShell function
D. a Custom Script Extension on the virtual machines

Answer: B

Explanation:

Automate tasks in recovery plans

Recovering large applications can be a complex task. Manual steps make the process prone to error, and the
person running the failover might not be aware of all app intricacies. You can use a recovery plan to impose
order, and automate the actions needed at each step, using Azure Automation runbooks for failover to Azure,
or scripts. For tasks that can't be automated, you can insert pauses for manual actions into recovery plans.
There are a couple of types of tasks you can configure:

Reference:

https://docs.microsoft.com/en-us/azure/site-recovery/recovery-plan-overview

Question: 61
You have a server named Server1 that runs Windows Server and has the Hyper-V server role installed. You have a
Hyper-V failover cluster named Cluster1. All servers are members of the same domain.
You need to ensure that you use Hyper-V Replica with Kerberos authentication on the default port to replicate
virtual machines from Cluster1 to Server1.
What should you do on Server1?

A. Add primary servers to the Hyper-V Replica Broker configuration.
B. From Hyper-V Settings, select Enable incoming and outgoing live migrations.
C. From Windows Defender Firewall with Advanced Security, enable the Hyper-V Replica HTTPS Listener (TCP-
In) rule.
D. From Windows Defender Firewall with Advanced Security, enable the Hyper-V Replica HTTP Listener (TCP-
In) rule.

Answer: D

Explanation:

This question is vague, there are other steps that need to be done, and this is not the first step, but because
the requirement is "with Kerberos authentication on the default port" that means they want you to answer D

Reference:

https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/manage/set-up-hyper-v-replica

Question: 62 (topic 3 question 15)
You have an on-premises server named Server1 that runs Windows Server. You have an Azure subscription.

You plan to back up the files and folders on Server1 to Azure by using Azure Backup.

You need to define how long the backups will be retained.

What should you use to configure the retention?

A. Windows Server Backup
B. a Recovery Services vault
C. the Microsoft Azure Recovery Services (MARS) agent
D. Backup center

Answer: C

Explanation:

https://learn.microsoft.com/en-us/azure/backup/backup-windows-with-mars-agent#create-a-backup-policy
The backup policy specifies when to take snapshots of the data to create recovery points. It also
specifies how long to keep recovery points. You use the MARS agent to configure a backup policy.
C for correct

Question: 63
HOTSPOT -

You have three Hyper-V hosts named Server1, Server2, and Server3 that run Windows Server. Server1 hosts a
virtual machine named VM1.

You enable Hyper-V Replica to replicate VM1 to Server2 and set the replication frequency to 30 seconds.

You need to extend the replication and create a second replica of VM1.

On which Hyper-V hosts should you configure the replication, and what is the minimum replication frequency you
can use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Question: 64
HOTSPOT -

You have an Azure subscription.

You plan to deploy a virtual machine named VM1 to the East US Azure region and use Azure Site Recovery between
availability zones.

You need to configure the disks on VM1 and the virtual network. The solution must meet the following
requirements:

• Maximize the availability of VM1.
• Maintain the private IP address of VM1 during failover and failback operations.

What should you configure? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.


Answer:

Explanation:

Zone redundant storage (ZRS) Premium SSD.

One Virtual network and Two subnets.

Question: 65
Your network contains an on-premises Active Directory Domain Services (AD DS) domain. The domain contains two
virtual machines named VM1 and VM2 that run Windows Server.

You plan to implement a failover cluster named Cluster1 that will use VM1 and VM2 as nodes.

You need to ensure that Cluster1 can use floating IP addresses.

Which two components should you deploy? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Network Load Balancing (NLB)
B. the MultiPoint Services role
C. the Network Controller role
D. the Host Guardian Service role
E. Software Load Balancer (SLB)

Answer: AE

Explanation:

Network Load Balancing (NLB): NLB is used for load balancing and providing a floating IP address for high
availability. It's commonly used for failover clusters. A Software Load Balancer can also be used for load
balancing and providing floating IP addresses for failover clusters. This is a more modern and software-based
approach compared to NLB.

topic 3 question 19 missing

Question: 66 (topic 3 question 20)
DRAG DROP -

You have an Azure virtual machine named VM1 that runs Windows Server.

The operating system on VM1 fails to start due to a disk error.

You need to resolve the error.

Which four commands should you run in sequence in Azure Cloud Shell? To answer, move the appropriate
commands from the list of commands to the answer area and arrange them in the correct order.

Answer:

Question: 67 (topic 4 question 1)
DRAG DROP -
You manage 200 physical servers that run Windows Server.
You plan to migrate the servers to Azure.
You need to prepare for discovery of the servers by using Azure Migrate.
Which three actions should you perform in sequence on a physical server? To answer, move the appropriate
actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/migrate/tutorial-discover-physical

Question: 68
DRAG DROP -
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The functional
level of the forest and the domain is Windows
Server 2012 R2. The domain contains the domain controllers shown in the following table.

You need to raise the forest functional level to Windows Server 2016. The solution must meet the following
requirements:
✑ Ensure that there are three domain controllers after you raise the level.
✑ Minimize how long the FSMO roles are unavailable.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Answer:

Question: 69
You have an on-premises server that runs Windows Server and has the Web Server (IIS) server role installed. The
server hosts a web app that connects to an on-premises Microsoft SQL Server database.
You plan to migrate the web app to an Azure App Services web app. The database will remain on-premises.
You need to ensure that the migrated web app can access the database.
What should you configure in Azure?

A. an Azure SQL managed instance
B. an on-premises data gateway
C. Azure Extended Network
D. a Hybrid Connection

Answer: D

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/app-service/app-service-hybrid-connections

Question: 70
You have two file servers named Server1 and Server2 that run Windows Server. Server1 contains a shared folder
named Data. Data contains 10 TB of data.
You plan to decommission Server1.
You need to migrate the files from Data to a new shared folder on Server2. The solution must meet the following
requirements:
✑ Ensure that share, file, and folder permissions are copied.
✑ After the initial copy occurs, ensure that changes in \\Server1\Data can be synced to the destination without
initiating a full copy.
✑ Minimize administrative effort.
What should you use?

A. xcopy
B. Storage Replica
C. Storage Migration Service
D. azcopy

Answer: C

Explanation:

Storage Migration Service using WAC

Migrate servers and file shares to Azure or Windows Server 2022, with no apps or users having to make any
changes.

Reference:

https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/overview#why-use-storage-migration-service

Question: 71 (topic 4 question 5)
HOTSPOT -
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains the servers
shown in the following table.

Server3 contains a share named Share1.


On Server1, DHCP has the following configurations:
✑ Conflict detection attempts: 3
✑ An IPv4 scope named Scope1 that has the following settings:
1. Address Pool: 172.16.10.100 - 172.16.10.130
2. Address Leases:
- 172.16.10.100 computer1.contoso.com
- 172.16.10.101 computer2.contoso.com
✑ Reservations: 172.16.10.101 computer2.contoso.com
✑ Policies: Policy1
You perform the following actions:
✑ On Server1, you run
Export-DhcpServer -File \\Server3\Share1\File1.xml.
✑ On Server2, you run
Import-DhcpServer -File \\Server3\Share1\File1.xml -BackupPath \\Server3\Share1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:

Yes

Yes

Yes

Question: 72
DRAG DROP -
You have a server named Server1 that runs Windows Server and has the Web Server (IIS) server role installed.
Server1 hosts an ASP.NET Core web app named
WebApp1 and the app's source files.
You install Docker on Server1.
You need to ensure that you can deploy WebApp1 to an Azure App Service web app from the Azure Container
Registry.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Answer:

Explanation:
Step 1: Create a Dockerfile. This file contains instructions for the build process.
Step 2: Run the docker build command to create a container image.
Step 3: Run the docker push command to upload the image to Azure Container Registry.

Question: 73 CertyIQ
HOTSPOT -
You have two servers that have the Web Server (IIS) server role installed. The servers are configured as shown in
the following table.
Both servers are configured to enable website deployment by using the Web Deployment Tool. Server1 hosts a
website named Site1 that has Web Deploy
Publishing configured.
You plan to migrate Site1 to Server2.
You need to perform a pull synchronization of Site1 by using the Web Deployment Agent Service.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/iis/publish/using-web-deploy/synchronize-iis

Question: 74 CertyIQ
HOTSPOT -
You have a server that runs Windows Server and has the Web Server (IIS) server role installed. Server1 hosts a
single website that has the following configurations:
✑ Is accessible by using a URL of https://www.contoso.com:8443 and has an SSL certificate that was issued by a
third-party certification authority (CA) in the Microsoft Trusted Root Program
✑ Uses anonymous authentication
✑ Was developed by using PHP
You plan to use App Service Migration Assistant to migrate the website to Azure App Service.
You need to migrate the website. The solution must minimize the number of changes made to the existing website.
What should you do manually to ensure that the website migration is successful? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/learn/modules/migrate-app-service-migration-assistant/3-understand-assessment
https://docs.microsoft.com/en-us/learn/modules/migrate-app-service-migration-assistant/5-understand-migration

Question: 75 CertyIQ
DRAG DROP -
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a print server
named Server1. All printers are deployed to users by using a
Group Policy Object (GPO) named GPO1.
You deploy a new server named Server2.
You need to decommission Server1. The solution must meet the following requirements:
✑ Migrate the shared printers to Server2 by using the Printer Migration Wizard.
✑ Ensure that the users use the printers on Server2.
✑ Minimize downtime for the users.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:
Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/archive/blogs/canitpro/step-by-step-migrating-print-servers-from-windows-server-2008-to-windows-server-2012

Question: 76 CertyIQ
You have a server named Server1 that runs Windows Server and has the Hyper-V server role installed.
You import the Azure Migrate appliance as VM1.
You need to register VM1 with Azure Migrate.
What should you do in Azure Migrate? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Create a project.
B. Add a migration tool.
C. Add an assessment tool.
D. Generate a project key.
E. Download the Azure Migrate installer script ZIP file.

Answer: ADE

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/migrate/how-to-set-up-appliance-hyper-v

Question: 77 CertyIQ
You have two servers that run Windows Server as shown in the following table.
You need to copy the contents of volume E from Server1 to Server2. The solution must meet the following
requirements:
✑ Ensure that files in-use are copied.
✑ Minimize administrative effort.
What should you use?

A. Storage Migration Service
B. Azure File Sync
C. Azure Backup
D. Storage Replica

Answer: C

Explanation:

How can the answer be Storage Migration Service when it does not satisfy the requirement of copying files
in-use? "The Storage Migration Service doesn't migrate files that applications exclusively lock". Same reason
NOT Azure File Sync - Files in-use are not copied, sync resumes when files are closed. Azure Backup is based
on VSS and can copy open files, and so does Storage Replica - "it does replicate in-use or open files". Storage
Replica has to be within the same AD Forest. I don't think it's legit to say that you can just add Server2 to the
domain when it goes against the given scenario, and the solution does not include that. Therefore Answer is
Azure Backup. Backup files using MARS and then restore them to Server2.

Question: 78 CertyIQ
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
Your network contains a single-domain Active Directory Domain Services (AD DS) forest named contoso.com. The
functional level of the forest is Windows Server
2012 R2. All domain controllers run Windows Server 2012 R2.
Sysvol replicates by using the File Replication Service (FRS).
You plan to replace the existing domain controllers with new domain controllers that will run Windows Server
2022.
You need to ensure that you can add the first domain controller that runs Windows Server 2022.
Solution: You migrate sysvol from FRS to Distributed File System (DFS) Replication.
Does this meet the goal?

A. Yes
B. No

Answer: A

Explanation:
Do I need to change SYSVOL replication from FRS to DFS? If your domain is built based on Windows Server
2008 or Windows Server 2008 R2, you are already using DFS for SYSVOL replication. If you originally
migrated from Windows Server 2003, it's more likely you are still using FRS. In that case, before migration,
you need to change the SYSVOL replication method from FRS to DFS.
Reference:
https://www.rebeladmin.com/2021/09/step-by-step-guide-active-directory-migration-from-windows-server-2008-r2-to-windows-server-2022/

Question: 79 CertyIQ
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
Your network contains a single-domain Active Directory Domain Services (AD DS) forest named contoso.com. The
functional level of the forest is Windows Server
2012 R2. All domain controllers run Windows Server 2012 R2.
Sysvol replicates by using the File Replication Service (FRS).
You plan to replace the existing domain controllers with new domain controllers that will run Windows Server
2022.
You need to ensure that you can add the first domain controller that runs Windows Server 2022.
Solution: You upgrade the PDC emulator.
Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:
Instead, migrate sysvol from FRS to Distributed File System (DFS) Replication.
Note: Do I need to change SYSVOL replication from FRS to DFS? If your domain is built based on Windows
Server 2008 or Windows Server 2008 R2, you are already using DFS for SYSVOL replication. If you originally
migrated from Windows Server 2003, it's more likely you are still using FRS. In that case, before migration,
you need to change the SYSVOL replication method from FRS to DFS.

Reference:
https://www.rebeladmin.com/2021/09/step-by-step-guide-active-directory-migration-from-windows-server-2008-r2-to-windows-server-2022/

Question: 80 CertyIQ
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
Your network contains a single-domain Active Directory Domain Services (AD DS) forest named contoso.com. The
functional level of the forest is Windows Server
2012 R2. All domain controllers run Windows Server 2012 R2.
Sysvol replicates by using the File Replication Service (FRS).
You plan to replace the existing domain controllers with new domain controllers that will run Windows Server
2022.
You need to ensure that you can add the first domain controller that runs Windows Server 2022.
Solution: You run the Active Directory Migration Tool (ADMT).
Does this meet the goal?

A. Yes
B. No
Answer: B

Explanation:
Instead, migrate sysvol from FRS to Distributed File System (DFS) Replication.
Note: Do I need to change SYSVOL replication from FRS to DFS? If your domain is built based on Windows
Server 2008 or Windows Server 2008 R2, you are already using DFS for SYSVOL replication. If you originally
migrated from Windows Server 2003, it's more likely you are still using FRS. In that case, before migration,
you need to change the SYSVOL replication method from FRS to DFS.

Reference:
https://www.rebeladmin.com/2021/09/step-by-step-guide-active-directory-migration-from-windows-server-2008-r2-to-windows-server-2022/

Question: 81 CertyIQ
Your on-premises network has a 200-Mbps connection to Azure and contains a server named Server1 that stores 70
TB of data files.
You have an Azure Storage account named storage1.
You plan to migrate the data files from Server1 to a blob storage container in storage1. Testing shows that copying
the data files by using azcopy will take approximately 35 days.
You need to minimize how long it will take to migrate the data to Azure.
What should you use?

A. Azure Storage Explorer
B. Azure Data Box
C. Storage Migration Service
D. Azure File Sync

Answer: B

Explanation:
The Microsoft Azure Data Box cloud solution lets you send terabytes of data into and out of Azure in a quick,
inexpensive, and reliable way. The secure data transfer is accelerated by shipping you a proprietary Data Box
storage device. Each storage device has a maximum usable storage capacity of 80 TB and is transported to
your datacenter through a regional carrier. The device has a rugged casing to protect and secure data during
the transit.

Reference:
https://docs.microsoft.com/en-us/azure/databox/data-box-overview

Question: 82 CertyIQ
You need to use a comma-separated value (CSV) file to import server inventory to Azure Migrate.
Which fields are mandatory for each entry in the CSV file?

A. Server name, IP addresses, OS version, and Number of disks
B. Server name, Cores, OS Name, and Memory (in MB)
C. Server name, IP addresses, Disk 1 size (in GB), and CPU utilization percentage

Answer: B

Explanation:
The following table summarizes the file fields to fill in:
Reference:
https://docs.microsoft.com/en-us/azure/migrate/tutorial-discover-import

Question: 83 CertyIQ
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
Your network contains a single-domain Active Directory Domain Services (AD DS) forest named contoso.com. The
functional level of the forest is Windows Server
2012 R2. All domain controllers run Windows Server 2012 R2.
Sysvol replicates by using the File Replication Service (FRS).
You plan to replace the existing domain controllers with new domain controllers that will run Windows Server
2022.
You need to ensure that you can add the first domain controller that runs Windows Server 2022.
Solution: You raise the domain and forest functional levels.
Does this meet the goal?

A. Yes
B. No

Answer: A

Explanation:

https://learn.microsoft.com/en-us/windows-server/storage/dfs-replication/migrate-sysvol-to-dfsr
Domain controllers use a special shared folder named SYSVOL to replicate sign-in scripts and Group Policy object
files to other domain controllers. Windows 2000 Server and Windows Server 2003 use the File Replication
Service (FRS) to replicate SYSVOL. Windows Server 2008 uses the newer Distributed File System Replication
(DFS Replication) service for domains that use the Windows Server 2008 domain functional level. Windows
Server 2008 uses FRS for domains that run older domain functional levels. Answer is Yes

Question: 84 CertyIQ
HOTSPOT
-

You have the servers shown in the following table.

You plan to migrate file shares from Server1 to Server2.

You need to deploy the Storage Migration Service and the Storage Migration Service extension.

On which server should you install each component? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Question: 85 CertyIQ
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.

You deploy Azure Migrate to an on-premises network.

You have an on-premises physical server named Server1 that runs Windows Server and has the following
configurations:

• Operating system disk: 600 GB
• Data disk: 3 TB
• NIC Teaming: Enabled
• Mobility service: Installed
• Windows Defender Firewall: Enabled
• Microsoft Defender Antivirus: Enabled

You need to ensure that you can use Azure Migrate to migrate Server1.

Solution: You disable Windows Defender Firewall on Server1.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:

Correct answer is B:NO

Question: 86 CertyIQ
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.

You deploy Azure Migrate to an on-premises network.

You have an on-premises physical server named Server1 that runs Windows Server and has the following
configurations:

• Operating system disk: 600 GB
• Data disk: 3 TB
• NIC Teaming: Enabled
• Mobility service: Installed
• Windows Defender Firewall: Enabled
• Microsoft Defender Antivirus: Enabled

You need to ensure that you can use Azure Migrate to migrate Server1.

Solution: You shrink the data disk on Server1.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:

I say the issue is the Mobility service being installed. "It is unsupported to install the Azure Migrate Appliance on
a server that has the replication appliance or mobility service agent installed. Ensure that the appliance server
has not been previously used to set up the replication appliance or has the mobility service agent installed on
the server." https://learn.microsoft.com/en-us/azure/migrate/tutorial-discover-physical

Question: 87 CertyIQ
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.

You deploy Azure Migrate to an on-premises network.

You have an on-premises physical server named Server1 that runs Windows Server and has the following
configurations:

• Operating system disk: 600 GB
• Data disk: 3 TB
• NIC Teaming: Enabled
• Mobility service: Installed
• Windows Defender Firewall: Enabled
• Microsoft Defender Antivirus: Enabled

You need to ensure that you can use Azure Migrate to migrate Server1.
Solution: You disable NIC Teaming on Server1.

Does this meet the goal?

A. Yes
B. No
Answer: B

Explanation:

I say the issue is the Mobility service being installed. "It is unsupported to install the Azure Migrate Appliance on
a server that has the replication appliance or mobility service agent installed. Ensure that the appliance server
has not been previously used to set up the replication appliance or has the mobility service agent installed on
the server." https://learn.microsoft.com/en-us/azure/migrate/tutorial-discover-physical

Question: 88 CertyIQ
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.

You deploy Azure Migrate to an on-premises network.

You have an on-premises physical server named Server1 that runs Windows Server and has the following
configurations:

• Operating system disk: 600 GB
• Data disk: 3 TB
• NIC Teaming: Enabled
• Mobility service: Installed
• Windows Defender Firewall: Enabled
• Microsoft Defender Antivirus: Enabled

You need to ensure that you can use Azure Migrate to migrate Server1.

Solution: You disable Microsoft Defender Antivirus on Server1.

Does this meet the goal?

A. Yes
B. No

Answer: B

Explanation:

Correct answer is B: NO

Question: 89 CertyIQ
DRAG DROP
-

You have an on-premises IIS web server that hosts a web app named App1.

You plan to migrate App1 to a container and run the container in Azure.

You need to perform the following tasks:

• Export App1 to a ZIP file.
• Create a container image based on App1.

The solution must minimize administrative effort.

Which tool should you use for each task? To answer, drag the appropriate tools to the correct tasks. Each tool may
be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view
content.

NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Web Deploy and Windows Admin Center.

https://techcommunity.microsoft.com/t5/iis-support-blog/how-to-migrate-a-website-using-web-deploy/ba-p/852244

https://learn.microsoft.com/en-us/virtualization/windowscontainers/wac-tooling/wac-images

Question: 90 CertyIQ
HOTSPOT
-

You have a failover cluster named Cluster1 that contains four Windows Server nodes named Node1, Node2, Node3,
and Node4.

You need to deploy a Storage Spaces Direct virtual disk to Cluster1.

You add the following disks to each node:

• Three 512-GB NVMe disks
• Three 3-TB HDD disks
• Three 1-TB SSD disks

On Cluster1, you enable Storage Spaces Direct and add the new disks.

What is the total amount of disk space available for the Storage Spaces Direct virtual disk, and which operations
are cached for the SSD and HDD disks? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Question: 91 CertyIQ
HOTSPOT
-

Your on-premises datacenter contains physical servers and Hyper-V virtual machines.

You have an Azure subscription.

You plan to use Azure Migrate to perform the following tasks:

• Migrate the physical servers to Azure virtual machines.
• Migrate the Hyper-V virtual machines to Azure.

What should you use for each task? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Question: 92 CertyIQ
You have an on-premises network and an Azure virtual network.
You establish a Site-to-Site VPN connection from the on-premises network to the Azure virtual network, but the
connection frequently disconnects.
You need to debug the IPsec tunnel from Azure.
Which Azure VPN Gateway diagnostic log should you review?

A. GatewayDiagnosticLog
B. RouteDiagnosticLog
C. IKEDiagnosticLog
D. TunnelDiagnosticLog

Answer: C

Explanation:
I choose option C. The IKEDiagnosticLog table offers verbose debug logging for IKE/IPsec. This is very useful
to review when troubleshooting disconnections, or failure to connect VPN scenarios.

Question: 93 CertyIQ
You have an Azure virtual machine named VM1 that has the Web Server (IIS) server role installed. VM1 hosts a
critical line-of-business (LOB) application.
After the security team at your company deploys a new security baseline to VM1, users begin reporting that the
application is unresponsive.
You suspect that the security baseline has caused networking issues.
You need to perform a network trace on VM1.
What should you do?

A. From VM1, run netstat.
B. From Performance Monitor on VM1, create a Data Collector Set.
C. From the Azure portal, configure the Diagnostics settings for VM1.
D. From the Azure portal, configure the Performance diagnostics settings for VM1.

Answer: D

Explanation:

Reference:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/performance-diagnostics

Question: 94 CertyIQ
You have an Azure virtual machine named VM1. Crash dumps for a process named Process1 are enabled for VM1.
When process1.exe on VM1 crashes, a technician must access the memory dump files on the virtual machine. The
technician must be prevented from accessing the virtual machine.
To what should you provide the technician access?

A. an Azure file share
B. an Azure Log Analytics workspace
C. an Azure Blob Storage container
D. a managed disk
Answer: C

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview

Question: 95 CertyIQ
You have a server named Server1 that runs the Remote Desktop Session Host role service. Server1 has five custom
applications installed.
Users who sign in to Server1 report that the server is slow. Task Manager shows that the average CPU usage on
Server1 is above 90 percent. You suspect that a custom application on Server1 is consuming excessive processor
capacity.
You plan to create a Data Collector Set in Performance Monitor to gather performance statistics from Server1.
You need to view the resources used by each of the five applications.
Which object should you add to the Data Collector Set?

A. Processor information
B. Processor
C. Process
D. Processor performance

Answer: C

Explanation:

https://help.tableau.com/current/server/en-us/perf_collect_perfmon.htm

Question: 96 CertyIQ
You plan to deploy the Azure Monitor agent to 100 on-premises servers that run Windows Server.
Which parameters should you provide when you install the agent?

A. the client ID and the secret of an Azure service principal
B. the name and the access key of an Azure Storage account
C. a connection string for an Azure SQL database
D. the ID and the key of an Azure Log Analytics workspace

Answer: D

Explanation:

Reference:
https://docs.microsoft.com/en-us/windows-server/storage/storage-spaces/configure-azure-monitor

Question: 97 CertyIQ
Your on-premises network contains two subnets. The subnets contain servers that run Windows Server as shown in
the following table.
Server4 has the following IP configurations:
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . . :
IPv4 Address . . . . . . . . . . . : 192.168.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
From Server4, you can ping Server1 and Server2 successfully. When you ping Server3, you get a Request timed
out response.
From Server2, you can ping Server1 and Server3 successfully.
The misconfiguration of which component on Server3 can cause the Request timed out response?

A. default gateway
B. IP address
C. subnet mask
D. DNS server

Answer: C

Explanation:

B and D are definitely wrong; IP address misconfigured is just plain silly and DNS server is of no relevance. A is
wrong as default gateway has to be on same subnet as the host. C is therefore correct.

I'm pretty rusty on my subnetting but I'll give it a shot. The key here is we're told what works and what
doesn't:
- S2 can ping to S1
- S2 can ping to S3 implies S2 and S3 are indeed on the same subnet
- S4 can ping to S1
- S4 can ping to S2
- but S4 CANNOT ping S3 even though they should be on the same subnet
Question implies a /24 mask is (or should be) in use for all since we're told there are "two subnets".
192.168.1.0/24 would cover S1 address, and 192.168.0.0/24 would cover S2/S3/S4. But if S3 had a /26 mask,
255.255.255.192, it would cause ONLY S2 and S3 to be on the same network. Since S4's fourth octet is so far
away, it would be on a different subnet IF the /26 mask was in use. So misconfigured mask would explain why
S2 can ping S3 but S4 cannot ping S3.
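
The reasoning above turns on each host using its own mask to decide whether a peer is on its subnet. The following is an added example, not part of the original document, that flags hosts on one segment whose masks make them disagree about that. Only Server4's address and mask come from the question; the Server2 and Server3 addresses and the /26 on Server3 are assumed for illustration, because the question's server table is not reproduced here.

```python
from collections import Counter
from ipaddress import IPv4Address, IPv4Interface
from itertools import combinations

# Constructed inventory for one Ethernet segment. Only Server4's address and
# mask come from the question; the Server2 and Server3 addresses, and the /26
# on Server3, are assumptions made for this example.
SEGMENT = {
    "Server2": IPv4Interface("192.168.0.200/24"),
    "Server3": IPv4Interface("192.168.0.220/26"),
    "Server4": IPv4Interface("192.168.0.10/24"),
}


def on_link(src: IPv4Interface, dst: IPv4Address) -> bool:
    """True when src treats dst as a direct neighbour instead of using its gateway."""
    return dst in src.network


def mask_disagreements(hosts):
    """Pairs of hosts where only one side believes the other is on its subnet."""
    findings = []
    for (a, if_a), (b, if_b) in combinations(sorted(hosts.items()), 2):
        a_direct = on_link(if_a, if_b.ip)
        b_direct = on_link(if_b, if_a.ip)
        if a_direct != b_direct:
            findings.append((a, b, a_direct, b_direct))
    return findings


def outlier_masks(hosts):
    """Hosts whose prefix length differs from the most common one on the segment."""
    lengths = Counter(i.network.prefixlen for i in hosts.values())
    common, _ = lengths.most_common(1)[0]
    return {
        name: str(i.netmask)
        for name, i in hosts.items()
        if i.network.prefixlen != common
    }


if __name__ == "__main__":
    for a, b, a_direct, b_direct in mask_disagreements(SEGMENT):
        print(f"{a} -> {b}: {'direct' if a_direct else 'via gateway'}; "
              f"{b} -> {a}: {'direct' if b_direct else 'via gateway'}")
    print("Masks to review:", outlier_masks(SEGMENT))
```
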

Question: 98 CertyIQ
You have five Azure virtual machines.
You need to collect performance data and Windows Event logs from the virtual machines. The data collected must
be sent to an Azure Storage account.
What should you install on the virtual machines?

A. the Azure Connected Machine agent
B. the Azure Monitor agent
C. the Dependency agent
D. the Telegraf agent
E. the Azure Diagnostics extension
Answer: E

Explanation:

"Diagnostics extension: Sends data to Azure Monitor Metrics (Windows only), Azure Event Hubs, and Azure
Storage. This is not consolidated yet." So, Diagnostics extension is a legacy extension that will be replaced
completely by Azure Monitor agent in the near future but right now is the right answer. Moreover, the
emphasis is on the "Send data to Azure Storage" and the Diagnostics extension does exactly that.

Reference:

https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview

Question: 99 CertyIQ
HOTSPOT -
You have a server named Server1 that runs Windows Server.
On Server1, you create a Data Collector Set named CollectorSet1 based on the Basic template.
You need to configure CollectorSet1 to meet the following requirements:
✑ Older performance counter logs must be overwritten by new ones.
✑ Performance counter logging must stop if there is less than 500 MB of free disk space.
What should you configure for each requirement? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Question: 100 CertyIQ
You have an Azure virtual machine named VM1.
You install an application on VM1, and then restart the virtual machine.
After the restart, you get the following error message: `Boot failure. Reboot and Select proper Boot Device or
Insert Boot Media in selected Boot Device.`
You need to mount the operating system disk offline from VM1 to a temporary virtual machine to troubleshoot the
issue.
Which command should you run in Azure CLI?

A. az vm repair create
B. az vm boot-diagnostics enable
C. az vm capture
D. az vm disk attach

Answer: A

Explanation:

az vm repair create - Create a new repair VM and attach the source VM's copied OS disk as a data disk.

Reference:

https://docs.microsoft.com/en-us/cli/azure/vm/repair?view=azure-cli-latest

Question: 101 CertyIQ
You have a Site-to-Site VPN between an on-premises network and an Azure VPN gateway. BGP is disabled for the
Site-to-Site VPN.
You have an Azure virtual network named Vnet1 that contains a subnet named Subnet1. Subnet1 contains a virtual
machine named Server1.
You can connect to Server1 from the on-premises network.
You extend the address space of Vnet1. You add a subnet named Subnet2 to Vnet1. Subnet2 uses the extended
address space. You deploy an Azure virtual machine named Server2 to Subnet2.
You cannot connect to Server2 from the on-premises network. Server1 can connect to Server2.
You need to ensure that you can connect to Subnet2 from the on-premises network.
What should you do?

A. Add an additional Site-to-Site VPN between the on-premises network and Vnet1.
B. Add a private endpoint to Subnet2.
C. To Subnet2, add a route table that contains a user-defined route.
D. Update the routing information on the on-premises routers.

Answer: D

Explanation:

Correct. Your on-prem needs to know that the new subnet is part of the VPN tunnel, and to send traffic to the
tunnel.

Question: 102 CertyIQ


DRAG DROP -
You have an Azure virtual machine named VM1 that runs Windows Server. VM1 has boot diagnostics configured to
use a managed storage account.
You are troubleshooting a connectivity issue on VM1.
You need to run a PowerShell cmdlet on VM1 by using the Azure Serial Console.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-overview
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/serial-console-windows

Question: 103 CertyIQ


HOTSPOT -
You have an on-premises server named Server1 and a Microsoft Sentinel instance.
You plan to collect Windows Defender Firewall events from Server1 and analyze the event data by using Microsoft
Sentinel.
What should you install on Server1, and which information should you provide during the installation? To answer,
select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:

Explanation:
Box 1: Azure Monitor agent -
The Azure Monitor agent supports Log Analytics, Metrics explorer, and Microsoft Sentinel.
Note: The Azure Monitor agent is meant to replace the Log Analytics agent, Azure Diagnostic extension and
Telegraf agent for both Windows and Linux machines. It can send data to both Azure Monitor Logs and Azure
Monitor Metrics and uses Data Collection Rules (DCR) which provide a more scalable method of configuring
data collection and destinations for each agent.
Use the Azure Monitor agent if you need to:
* Collect guest logs and metrics from any machine in Azure, in other clouds, or on-premises. (Azure Arc-enabled
servers required for machines outside of Azure.)
* Manage data collection configuration centrally, using data collection rules and use Azure Resource Manager
(ARM) templates or policies for management overall.
* Send data to Azure Monitor Logs and Azure Monitor Metrics (preview) for analysis with Azure Monitor.
* Use Windows event filtering or multi-homing for logs on Windows and Linux.
Box 2: The Azure Log Analytics workspace ID and workspace key
The Azure Monitor agent sends data to Azure Monitor Metrics (preview) or a Log Analytics workspace
supporting Azure Monitor Logs.
Enable Microsoft Defender for Cloud monitoring of on-premises Windows computers.
1. In the Azure portal on the Defender for Cloud - Overview blade, select the Get Started tab.
2. Select Configure under Add new non-Azure computers. A list of your Log Analytics workspaces displays,
and should include the Defender for Cloud-
SentinelWorkspace.
3. Select this workspace. The Direct Agent blade opens with a link for downloading a Windows agent and keys
for your workspace identification (ID) to use when you configure the agent.
4. Select the Download Windows Agent link applicable to your computer processor type to download the
setup file.
5. To the right of Workspace ID, select Copy, and then paste the ID into Notepad.
6. To the right of Primary Key, select Copy, and then paste the key into Notepad.

Reference:
https://docs.microsoft.com/en-us/azure/architecture/hybrid/hybrid-security-monitoring
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview

Question: 104 CertyIQ


Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain
contains three domain controllers named DC1,
DC2, and DC3.
You connect a Microsoft Defender for Identity instance to the domain.
You need to onboard all the domain controllers to Defender for Identity.
What should you run on the domain controllers?

A. Azure ATP Sensor Setup.exe
B. AzureConnectedMachineAgent.msi
C. MARSAgentInstaller.exe
D. MMASetup-AMD64.exe

Answer: A

Explanation:
Azure ATP uses data from sensors, known as Azure ATP Sensors, that are installed on your domain
controllers. The ATP sensors monitor the domain controller network traffic for signs of malicious activity, as
well as other security risks such as connections made with weak or insecure protocols.
Incorrect:
Not B: The Azure Connected Machine agent enables you to manage your Windows and Linux machines hosted
outside of Azure on your corporate network or other cloud providers.
Not C: Azure Backup uses the MARS agent to back up files, folders, and system state from on-premises
machines and Azure VMs. Those backups are stored in a
Recovery Services vault in Azure.
Not D: The Microsoft Monitoring Agent is a service used to watch and report on application and system health
on a Windows computer. The Microsoft Monitoring
Agent collects and reports a variety of data including performance metrics, event logs and trace information.

Question: 105 CertyIQ


HOTSPOT -
You have an Azure Active Directory Domain Services (Azure AD DS) domain named aadds.contoso.com.
You have an Azure virtual network named Vnet1. Vnet1 contains two virtual machines named VM1 and VM2 that run
Windows Server. VM1 and VM2 are joined to aadds.contoso.com.
You create a new Azure virtual network named Vnet2. You add a new server named VM3 to Vnet2.
When you attempt to join VM3 to aadds.contoso.com, you get an error message that the domain cannot be found.
You need to ensure that you can join VM3 to aadds.contoso.com.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:
Box 1: Configure virtual network peering between Vnet1 and Vnet2.
Connectivity issues for domain-join.
If the VM can't find the managed domain, there's usually a network connection or configuration issue. Review
the following troubleshooting steps to locate and resolve the issue:
1. Ensure the VM is connected to the same, or a peered, virtual network as the managed domain. If not, the VM
can't find and connect to the domain in order to join.
If the VM isn't connected to the same virtual network, confirm that the virtual networking peering or VPN
connection is Active or Connected to allow the traffic to flow correctly.
2. Try to ping the domain using the domain name of the managed domain, such as ping aaddscontoso.com.
* If the ping response fails, try to ping the IP addresses for the domain displayed on the overview page in the
portal for your managed domain, such as ping
10.0.0.4.
* If you can successfully ping the IP address but not the domain, DNS may be incorrectly configured. Make
sure that you've configured the managed domain DNS servers for the virtual network.
Box 2: Add a virtual network link to an existing Azure private DNS zone.
The private DNS zone already exists.
After you create a private DNS zone in Azure, you'll need to link a virtual network to it. Once linked, VMs
hosted in that virtual network can access the private DNS zone. Every private DNS zone has a collection of
virtual network link child resources. Each one of these resources represents a connection to a virtual network.
A virtual network can be linked to private DNS zone as a registration or as a resolution virtual network.

Reference:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/troubleshoot-domain-join
https://docs.microsoft.com/en-us/azure/dns/private-dns-virtual-network-links

Question: 106 topic 5 question 15 CertyIQ


You have five Azure virtual machines. You have a dedicated Azure Storage account to collect performance data.
You need to send the collected data directly to the Azure Storage account.
What should you install on the virtual machines?

A. the Azure Connected Machine agent
B. the Telegraf agent
C. the Dependency agent
D. the Azure Monitor agent
E. the Azure Diagnostics extension

Answer: E

Explanation:

This is almost literally the same question as in topic 5, question 7. There the Azure Diagnostics Extension was
given as the correct answer. I believe that is correct - because the link provided there proves it:
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview

https://learn.microsoft.com/en-us/azure/azure-monitor/agents/diagnostics-extension-overview
Use Azure Diagnostics extension if you need to: Send data to Azure Storage for archiving
Answer is E

Question: 107 CertyIQ


You have an Azure virtual machine named VM1 that runs Windows Server.
When you attempt to install the Azure Performance Diagnostics extension on VM1, the installation fails.
You need to identify the cause of the installation failure.
What are two possible ways to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Sign in to VM1 and verify the MonitoringAgent.log file.
B. Sign in to VM1 and verify the WaAppAgent.log file.
C. From the Azure portal, view the alerts for VM1.
D. From the Azure portal, view the activity log for VM1.

Answer: BD

Explanation:
B: The Windows Azure Guest Agent service is responsible for all the logging in WaAppAgent.log. It is also
responsible for configuring various extensions and for communication from guest to host.
D: Activity log: See activity log entries filtered for the current virtual machine. Use this log to view the recent
activity of the machine, such as any configuration changes and when it was stopped and started.

Reference:
https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/performance-diagnostics-vm-extension
https://docs.microsoft.com/en-us/azure/azure-monitor/vm/monitor-virtual-machine-analyze

Question: 108 CertyIQ


Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains 20 Active
Directory sites. All user management is performed from a central site.
You add users to a group.
You discover that group changes do NOT appear on a domain controller in a remote site.
You need to identify whether the group changes appear on other domain controllers.
What should you use?

A. Active Directory Sites and Services
B. Active Directory Replication Status Tool
C. Microsoft Support and Recovery Assistant
D. File Replication Service (FRS) Status Viewer

Answer: B

Explanation:
The Active Directory Replication Status Tool (ADREPLSTATUS) analyzes the replication status for domain
controllers in an Active Directory domain or forest.
ADREPLSTATUS displays data in a format that is similar to REPADMIN /SHOWREPL * /CSV imported into
Excel but with significant enhancements.
Specific capabilities for this tool include:
* Expose Active Directory replication errors occurring in a domain or forest
* Prioritize errors that need to be resolved in order to avoid the creation of lingering objects in Active
Directory forests
* Help administrators and support professionals resolve replication errors by linking to Active Directory
replication troubleshooting content on Microsoft TechNet
* Allow replication data to be exported to source or destination domain administrators or support
professionals for offline analysis

Reference:
https://www.microsoft.com/en-us/download/details.aspx

Question: 109 CertyIQ


You have an Azure virtual machine named VM1 that runs Windows Server.
You plan to deploy a new line-of-business (LOB) application to VM1.
You need to prevent the application from creating child processes.
What should you configure on VM1?

A. Microsoft Defender Credential Guard
B. Microsoft Defender Application Control
C. Microsoft Defender SmartScreen
D. Exploit protection

Answer: D

Explanation:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/customize-exploit-protection?view=o365-worldwide#powershell-reference-table

Question: 110 CertyIQ


Your network contains an Active Directory Domain Services (AD DS) domain. All domain members have Microsoft
Defender Credential Guard with UEFI lock configured.
In the domain, you deploy a server named Server1 that runs Windows Server. You disable Credential Guard on
Server1.
You need to ensure that Server1 is NOT subject to Credential Guard restrictions.
What should you do next?

A. Disable the Turn on Virtualization Based Security group policy setting.
B. Run dism and specify the /Disable-Feature and /FeatureName:IsolatedUserMode parameters.
C. Run the Device Guard and Credential Guard hardware readiness tool.

Answer: A

Explanation:

https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage#disabling-windows-defender-credential-guard-using-group-policy

Question: 111 topic 5 question 20 CertyIQ


You have three servers named Server1, Server2, and Server3 that run Windows Server. The servers have the
Hyper-V server role installed and are configured in a Storage Spaces Direct cluster named Cluster1.
Cluster1 hosts a virtual machine named VM1 that has Windows Admin Center installed.
You manage all servers and clusters by using Windows Admin Center.
You purchase an Azure subscription.
You need to configure email alerts in Azure Monitor for the following:
✑ Disk Capacity Utilization Over 80 % for 10 Minutes
✑ Any critical alert in the cluster system event log
✑ Memory Utilization over 95 % for 10 Minutes
✑ Heartbeat fewer than 5 beats for 5 Minutes
✑ CPU Utilization over 85 % for 10 Minutes
✑ Any health service faults for the cluster
The solution must use the minimum amount of administrative effort.
What should you do?

A. From the Azure portal, configure Azure Monitor and onboard Cluster1 by using Azure Arc.
B. From Windows Admin Center, configure Azure Monitor and onboard Cluster1.
C. Configure Azure Monitor and manually install the Microsoft Monitoring Agent on Server1, Server2, and
Server3.

Answer: B

Explanation:
B) The solution must use the minimum amount of administrative effort. Windows Admin Center is capable of
meeting these requirements and takes the least amount of effort compared to A.
https://www.virtualizationhowto.com/2019/06/manage-storage-spaces-direct-with-windows-admin-center/
https://learn.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/azure-monitor

Question: 112 topic 5 question 21 CertyIQ


You have three servers named Server1, Server2, and Server3 that run Windows Server and have the Hyper-V server
role installed. Server1 hosts an Azure
Migrate appliance named Migrate1.
You plan to migrate virtual machines to Azure.
You need to ensure that any new virtual machines created on Server1, Server2, and Server3 are available in Azure
Migrate.
What should you do?

A. On the network that has Migrate1 deployed, deploy a WINS server.
B. On Migrate1, set the Startup Type of the Computer Browser service to Automatic.
C. On the DNS server used by Migrate1, create a GlobalName zone.
D. On Migrate1, add a discovery source.

Answer: D

Explanation:

On Migrate1, add a discovery source.

Question: 113 topic 5 question 22 CertyIQ


You have an Azure subscription. The subscription contains a virtual machine named VM1 that runs Windows Server.
The subscription contains the storage accounts shown in the following table.

You plan to enable boot diagnostics for VM1.

You need to configure storage for the boot diagnostics logs and snapshots.

Which storage account should you use?

A. storage1
B. storage2
C. storage3
D. storage4
Answer: B

Explanation:

Standard type is required. Can either be Standard LRS or Standard ZRS.
https://learn.microsoft.com/en-us/azure/virtual-machines/boot-diagnostics#boot-diagnostics-storage-account

Topic 5 questions 23 through 27 are missing.

Question: 114 topic 5 question 28 CertyIQ


HOTSPOT -

Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains 10
servers that run Windows Server.

You have an Azure subscription. The subscription contains 10 virtual machines that run Windows Server.

You need to install the Azure Monitor Agent on the Azure virtual machines and the on-premises servers.

What should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Topic 5 question 29 is missing.

Question: 115 topic 6 question 1 CASE STUDY 1 question 1 CertyIQ


DRAG DROP -
You are planning the implementation of Cluster2 to support the on-premises migration plan.
You need to ensure that the disks on Cluster2 meet the security requirements.
In which order should you perform the actions? To answer, move all actions from the list of actions to the answer
area and arrange them in the correct order.
Select and Place:

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/windows-server/failover-clustering/bitlocker-on-csv-in-ws-2022

Question: 116 CertyIQ


HOTSPOT -
You need to implement a security policy solution to authorize the applications. The solution must meet the security
requirements.
Which service should you use to enforce the security policy, and what should you use to manage the policy
settings? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview

Question: 117 CertyIQ


You are remediating the firewall security risks to meet the security requirements.
What should you configure to reduce the risks?

A. a Group Policy Object (GPO)
B. adaptive network hardening in Microsoft Defender for Cloud
C. a network security group (NSG) in Sub1
D. an Azure Firewall policy
Answer: A

Explanation:
Firewall rules configured in a Group Policy Object cannot be modified by local server administrators.

Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule

Question: 118 CertyIQ


You are planning the deployment of Microsoft Sentinel.
Which type of Microsoft Sentinel data connector should you use to meet the security requirements?

A. Threat Intelligence - TAXII
B. Azure Active Directory
C. Microsoft Defender for Cloud
D. Microsoft Defender for Identity

Answer: D

Explanation:

https://learn.microsoft.com/en-us/azure/sentinel/connect-data-sources
After you onboard Microsoft Sentinel into your workspace, you can use data connectors to start ingesting your
data into Microsoft Sentinel. Microsoft Sentinel comes with many out of the box connectors for Microsoft
services, which you can integrate in real time. For example, the Microsoft 365 Defender connector is a
service-to-service connector that integrates data from Office 365, Azure Active Directory (Azure AD),
Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps.
Answer is D

Reference:

https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-legacy-protocols

Question: 119 case study 2 topic 7 question 1 CertyIQ


HOTSPOT -
You need to configure BitLocker on Server4.
On which volumes can you turn on BitLocker, and on which volumes can you turn on auto-unlock? To answer,
select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Explanation:

Reference:
https://docs.microsoft.com/en-us/windows-server/storage/refs/refs-overview
https://docs.microsoft.com/en-us/powershell/module/bitlocker/enable-bitlockerautounlock?view=windowsserver2022-ps

Question: 120 CertyIQ


Introductory Info Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to
complete each case. However, there may be additional case studies and sections on this exam. You must manage
your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to
make changes before you move to the next section of the exam. After you begin a new section, you cannot return
to this section.

To start the case study -


To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information such
as business requirements, existing environment, and problem statements. If the case study has an All Information
tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you
are ready to answer a question, click the Question button to return to the question.

Overview -
Contoso, Ltd. is a manufacturing company that has a main office in Seattle and branch offices in Los Angeles and
Montreal.

Existing Environment -

Active Directory Environment -


Contoso has an on-premises Active Directory Domain Services (AD DS) domain named contoso.com that syncs with
an Azure Active Directory (Azure AD) tenant.
The AD DS domain contains the domain controllers shown in the following table.

Contoso recently purchased an Azure subscription.


The functional level of the forest is Windows Server 2012 R2. The functional level of the domain is Windows Server
2012. The forest has the Active Directory
Recycle Bin enabled.
The contoso.com domain contains the users shown in the following table.

The contoso.com domain has the Group Policy Objects (GPOs) shown in the following table.

The contoso.com domain has the Password Settings Objects (PSOs) shown in the following table.

Server Infrastructure -
The contoso.com domain contains servers that run Windows Server 2022 as shown in the following table.

By using Windows Firewall with Advanced Security, the servers have isolation connection security rules configured
as shown in the following table.
Server4 has no connection security rules.

Server4 Configurations -
Server4 has the effective Group Policy settings for user rights as shown in the following table.

Server4 has the disk configurations shown in the following exhibit.

Virtualization Infrastructure -
The contoso.com domain has the Hyper-V failover clusters shown in the following table.
Technical Requirements -
Contoso identifies the following technical requirements:
* Promote a new server named DC4 that runs Windows Server 2022 to a domain controller.
* Replicate the virtual machines from Cluster2 to an Azure Recovery Services vault.
* Centrally manage performance alerts in Azure for all the domain controllers.
* Ensure that User1 can recover objects from the Active Directory Recycle Bin.
* Migrate Share1 to Server2, including all the share and folder permissions.
* Back up Server4 and all data to an Azure Recovery Services vault.
* Use Hyper-V Replica to protect the virtual machines in Cluster3.
* Implement BitLocker Drive Encryption (BitLocker) on Server4.
* Whenever possible, use the principle of least privilege.

Question
HOTSPOT -
What is the effective minimum password length for User1 and Admin1? To answer, select the appropriate options in
the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Explanation:
Box 1: 9 -
When multiple PSOs apply to a user, the PSO with the highest precedence (lowest precedence number)
applies which in this case is PSO1.

Box 2: 8 -
There are no PSOs applied to Admin1 so the password policy from the Default Domain GPO applies.
The Minimum password length setting in GPO1 would only apply to local user accounts on computers in OU1. It
does not apply to domain user accounts.

Question: 121 CertyIQ


case study 2
HOTSPOT -
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:

Question: 122 CertyIQ


case study 2
HOTSPOT -
With which servers can Server1 and Server3 communicate? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:
Question: 123 case study 1 CertyIQ
You are planning the migration of Archive1 to support the on-premises migration plan.
What is the minimum number of IP addresses required for the node and cluster roles on Cluster3?

A. 2
B. 3
C. 4
D. 5

Answer: C

Explanation:

4: 1 NodeA, 1 NodeB, 1 Cluster IP, 1 Cluster file server
https://learn.microsoft.com/en-us/windows-server/failover-clustering/deploy-two-node-clustered-file-server

Question: 124 case study 2 CertyIQ


You are evaluating technical requirements for Cluster2.
What is the minimum number of Azure Site Recovery Providers that you should install?

A. 1
B. 4
C. 12
D. 16
Answer: B

Explanation:
Use one Azure Site Recovery Provider on each node, which in this case is four.
During Site Recovery deployment, you gather Hyper-V hosts and clusters into Hyper-V sites. You install the
Azure Site Recovery Provider and Recovery Services agent on each standalone Hyper-V host, or on each
Hyper-V cluster node.
Note:
* Replicate the virtual machines from Cluster2 to an Azure Recovery Services vault.
* Cluster2 is a Hyper-V failover cluster with 4 nodes, and 12 virtual machines.

Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-architecture

Question: 125 case study 2 CertyIQ


You need to back up Server4 to meet the technical requirements.
What should you do first?

A. Deploy Microsoft Azure Backup Server (MABS).
B. Configure Windows Server Backup.
C. Install the Microsoft Azure Recovery Services (MARS) agent.
D. Configure Storage Replica.

Answer: C

Explanation:

The MARS agent

Azure Backup uses the MARS agent to back up data from on-premises machines and Azure VMs to a backup
Recovery Services vault in Azure. The MARS agent can:

Run on on-premises Windows machines so that they can back up directly to a backup Recovery Services vault
in Azure.

Reference:

https://docs.microsoft.com/en-us/azure/backup/install-mars-agent

Question: 126 case study 1 CertyIQ


You need to meet the technical requirements for Cluster3.
What should you include in the solution?

A. Enable integration services on all the virtual machines.
B. Configure a fault domain for the cluster.
C. Add a failover cluster role.

Answer: C

Explanation:
The Hyper-V Replica Broker role is required on the cluster.

Reference:
https://docs.microsoft.com/en-us/virtualization/community/team-blog/2012/20120327-why-is-the-hyper-v-replica-broker-required

Question: 127 CertyIQ


DRAG DROP -
You need to meet the technical requirements for Cluster2.
Which four actions should you perform in sequence before you can enable replication? To answer, move the
appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/site-recovery/hyper-v-azure-tutorial

Question: 128 CertyIQ


Introductory Info Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to
complete each case. However, there may be additional case studies and sections on this exam. You must manage
your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the
case study. Case studies might contain exhibits and other resources that provide more information about the
scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to
make changes before you move to the next section of the exam. After you begin a new section, you cannot return
to this section.

To start the case study -


To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore
the content of the case study before you answer the questions. Clicking these buttons displays information such
as business requirements, existing environment, and problem statements. If the case study has an All Information
tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you
are ready to answer a question, click the Question button to return to the question.

Overview -
Contoso, Ltd. is a manufacturing company that has a main office in Seattle and branch offices in Los Angeles and
Montreal.

Existing Environment -

Active Directory Environment -


Contoso has an on-premises Active Directory Domain Services (AD DS) domain named contoso.com that syncs with
an Azure Active Directory (Azure AD) tenant.
The AD DS domain contains the domain controllers shown in the following table.

Contoso recently purchased an Azure subscription.


The functional level of the forest is Windows Server 2012 R2. The functional level of the domain is Windows Server
2012. The forest has the Active Directory
Recycle Bin enabled.
The contoso.com domain contains the users shown in the following table.
The contoso.com domain has the Group Policy Objects (GPOs) shown in the following table.

The contoso.com domain has the Password Settings Objects (PSOs) shown in the following table.

Server Infrastructure -
The contoso.com domain contains servers that run Windows Server 2022 as shown in the following table.

By using Windows Firewall with Advanced Security, the servers have isolation connection security rules configured
as shown in the following table.

Server4 has no connection security rules.

Server4 Configurations -
Server4 has the effective Group Policy settings for user rights as shown in the following table.
Server4 has the disk configurations shown in the following exhibit.

Virtualization Infrastructure -
The contoso.com domain has the Hyper-V failover clusters shown in the following table.

Technical Requirements -
Contoso identifies the following technical requirements:
Promote a new server named DC4 that runs Windows Server 2022 to a domain controller.
Replicate the virtual machines from Cluster2 to an Azure Recovery Services vault.
Centrally manage performance alerts in Azure for all the domain controllers.
Ensure that User1 can recover objects from the Active Directory Recycle Bin.
Migrate Share1 to Server2, including all the share and folder permissions.
Back up Server4 and all data to an Azure Recovery Services vault.
Use Hyper-V Replica to protect the virtual machines in Cluster3.
Implement BitLocker Drive Encryption (BitLocker) on Server4.
Whenever possible, use the principle of least privilege.

Question -
You need to meet technical requirements for Share1.
What should you use?

A. Storage Migration Service
B. File Server Resource Manager (FSRM)
C. Server Manager
D. Storage Replica

Answer: A

Explanation:
Reference:
https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/overview

Question: 129 CertyIQ


Introductory Info Case study -

Overview -
Fabrikam, Inc. is a manufacturing company that has a main office in Chicago and a branch office in Paris.

Existing Environment -

Identity Infrastructure -
Fabrikam has an Active Directory Domain Services (AD DS) forest that syncs with an Azure Active Directory (Azure
AD) tenant. The AD DS forest contains two domains named corp.fabrikam.com and europe.fabrikam.com.

Chicago Office On-Premises Servers -
The office in Chicago contains on-premises servers that run Windows Server 2016 as shown in the following table.
All the servers in the Chicago office are in the corp.fabrikam.com domain.
All the virtual machines in the Chicago office are hosted on HV1 and HV2. HV1 and HV2 are nodes in a failover
cluster named Cluster1.
WEB1 and WEB2 run an Internet Information Services (IIS) website. Internet users connect to the website by using
a URL of https://www.fabrikam.com.
All the users in the Chicago office run an application that connects to a UNC path of \\Fileserver1\Data.

Paris On-Premises Servers -


The office in Paris contains a physical server named dc2.europe.fabrikam.com that runs Windows Server 2016 and
is a domain controller for the europe.fabrikam.com domain.

Network Infrastructure -
The networks in both the Chicago and Paris offices have local internet connections. The Chicago and Paris offices
are connected by using VPN connections.
The client computers in the Chicago office get IP addresses from DHCP1.

Security Risks -
Fabrikam identifies the following security risks:
Some accounts connect to AD DS resources by using insecure protocols such as NTLMv1, SMB1, and unsigned
LDAP.
Servers have Windows Defender Firewall enabled. Server administrators sometimes modify firewall rules and
allow risky connections.

Requirements -

Security Requirements -
Fabrikam identifies the following security requirements:
Prevent server administrators from configuring Windows Defender Firewall rules.
Encrypt all the data disks on the servers by using BitLocker Drive Encryption (BitLocker).
Ensure that only authorized applications can be installed or run on the servers in the forest.
Implement Microsoft Sentinel as a reporting solution to identify all connections to the domain controllers that use
insecure protocols.

On-Premises Migration Plan -


Fabrikam plans to migrate all the existing servers and identifies the following migration requirements:
Move the APP1 and APP2 virtual machines in the Chicago office to a new Hyper-V failover cluster named Cluster2
that will run Windows Server 2022.
- Cluster2 will contain two new nodes named HV3 and HV4.
- All virtual machine files will be stored on a Cluster Shared Volume (CSV).
Migrate Archive1 to a new failover cluster named Cluster3 that will run Windows Server 2022.
- Cluster3 will contain two physical nodes named Node1 and Node2.
- The file shares on Cluster3 will be a failover cluster role in active-passive mode.
Migrate all users, groups, and client computers from europe.fabrikam.com to corp.fabrikam.com.
- The migration will be performed by using the Active Directory Migration Tool (ADMT).
- A computer named ADMTcomputer will be deployed to the corp.fabrikam.com domain to run ADMT migration
procedures.
- User accounts will retain their existing password.
Migrate the data share from Fileserver1 to a new server named Fileserver2 that will run Windows Server 2022.
After the migration, the data share must be accessible by using the existing UNC path.

Azure Migration Plan -


Fabrikam plans to migrate some resources to Azure and identifies the following migration requirements:
Create an Azure subscription named Sub1.
Create an Azure virtual network named Vnet1.
Use ExpressRoute to connect the Paris and Chicago offices to Vnet1.
License all servers for Microsoft Defender for servers.
Migrate APP3 and APP4 to Azure.
Migrate the www.fabrikam.com website to an Azure App Service web app named WebApp1.
Decommission WEB1 and WEB2.

DHCP Migration Plan -


Fabrikam plans to replace DHCP1 with a new server named DHCP2 and identifies the following migration
requirements:
Ensure that DHCP2 provides the same IP addresses that are currently available from DHCP1.
Prevent DHCP1 from servicing clients once services are enabled on DHCP2.
Ensure that the existing leases and reservations are migrated.

Question -
HOTSPOT -
You are planning the www.fabrikam.com website migration to support the Azure migration plan.
How should you configure WebApp1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:
Box 1: Add a custom domain name -
To migrate the www.fabrikam.com website to an Azure App Service web app, you need to add Fabrikam.com as a
custom domain in Azure. This makes the domain name available for use in the web app.

Box 2: Modify a DNS record -
You need to change the DNS record for www.fabrikam.com to point to the Azure web app.
HTTP redirect rules won't work because WEB1 and WEB2 will be decommissioned.

Reference:
https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-domain?tabs=a%2Cazurecli

Question: 130 CertyIQ


HOTSPOT -
You are planning the DHCP1 migration to support the DHCP migration plan.
Which two PowerShell cmdlets should you run on DHCP1, and which two PowerShell cmdlets should you run on
DHCP2? To answer, drag the appropriate cmdlets to the correct servers. Each cmdlet may be used once, more than
once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Answer:

Explanation:

Reference:
https://theitbros.com/how-to-migrate-dhcp-to-windows-server-2016/

Question: 131 CertyIQ


You are planning the data share migration to support the on-premises migration plan.
What should you use to perform the migration?

A. Storage Migration Service
B. Microsoft File Server Migration Toolkit
C. File Server Resource Manager (FSRM)
D. Windows Server Migration Tools

Answer: A

Explanation:

Storage Migration Service is the best option for performing the data share migration. It is a free Microsoft tool
that simplifies the process of migrating servers and their data to newer versions of Windows Server or to
Azure. It supports migrating file servers, including their shares, permissions, and data, while preserving
security, share, and folder configurations. It can also perform the migration with minimal downtime and can be
managed through the Storage Migration Service user interface.

Reference:

https://docs.microsoft.com/en-us/windows-server/storage/storage-migration-service/migrate-data

Question: 132 CertyIQ
HOTSPOT -
You are planning the migration of APP3 and APP4 to support the Azure migration plan.
What should you do on Cluster1 and in Azure before you perform the migration? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/migrate/tutorial-discover-hyper-v

Question: 133 CertyIQ
HOTSPOT -
You are planning the europe.fabrikam.com migration to support the on-premises migration plan.
Where should you install the Password Export Server (PES) service, and where should you generate the encryption
key? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:
Box 1: dc2.europe.fabrikam.com -
To migrate passwords, select or install a backup domain controller in the source Windows NT 4.0 domain to
act as the Secure Password Export server.
Run the PES service on the dc2 domain controller in the source domain, europe.fabrikam.com.
Scenario:
* Migrate all users, groups, and client computers from europe.fabrikam.com to corp.fabrikam.com.
* The migration will be performed by using the Active Directory Migration Tool (ADMT).
* A computer named ADMTcomputer will be deployed to the corp.fabrikam.com domain to run ADMT
migration procedures.
* User accounts will retain their existing password.

Box 2: dc1.corp.fabrikam.com -
dc1.corp.fabrikam.com is the target server, and we generate the encryption key on it.
The Secure Password Export server communicates with the Active Directory Migration Tool (ADMT) server
in the target domain.
Note: Create an encryption key to install on the Password Export server.
The Password Export server encryption key is created on the ADMT server and is required to complete the
installation of the Password Export Server. The encryption key can be created and stored by using one or both
of the following methods: by copying it to the local floppy disk drive for transport to the Password Export
server, or by storing it in a folder on the local hard drive.

Reference:
https://www.serverbrain.org/secrets-2003/setting-up-an-admt-password-migration-server.html

Question: 134 CertyIQ


HOTSPOT -
You need to implement alerts for the domain controllers. The solution must meet the technical requirements.
What should you do on the domain controllers, and what should you create on Azure? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Answer:

Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-overview?tabs=PowerShellWindows

Question: 135 CertyIQ


You need to meet the technical requirements for User1.
To which group in contoso.com should you add User1?

A. Domain Admins
B. Account Operators
C. Schema Admins
D. Backup Operators

Answer: A

Explanation:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd379509(v=ws.10)#displaying-the-deleted-objects-container

Question: 136 CertyIQ


Introductory Info Case study -

Overview -
Contoso, Ltd. is a manufacturing company that has a main office in Seattle and branch offices in Los Angeles and
Montreal.

Existing Environment -

Active Directory Environment -


Contoso has an on-premises Active Directory Domain Services (AD DS) domain named contoso.com that syncs with
an Azure Active Directory (Azure AD) tenant.
The AD DS domain contains the domain controllers shown in the following table.
Contoso recently purchased an Azure subscription.
The functional level of the forest is Windows Server 2012 R2. The functional level of the domain is Windows Server
2012. The forest has the Active Directory
Recycle Bin enabled.
The contoso.com domain contains the users shown in the following table.

The contoso.com domain has the Group Policy Objects (GPOs) shown in the following table.

The contoso.com domain has the Password Settings Objects (PSOs) shown in the following table.

Server Infrastructure -
The contoso.com domain contains servers that run Windows Server 2022 as shown in the following table.

By using Windows Firewall with Advanced Security, the servers have isolation connection security rules configured
as shown in the following table.
Server4 has no connection security rules.

Server4 Configurations -
Server4 has the effective Group Policy settings for user rights as shown in the following table.

Server4 has the disk configurations shown in the following exhibit.

Virtualization Infrastructure -
The contoso.com domain has the Hyper-V failover clusters shown in the following table.
Technical Requirements -
Contoso identifies the following technical requirements:
Promote a new server named DC4 that runs Windows Server 2022 to a domain controller.
Replicate the virtual machines from Cluster2 to an Azure Recovery Services vault.
Centrally manage performance alerts in Azure for all the domain controllers.
Ensure that User1 can recover objects from the Active Directory Recycle Bin.
Migrate Share1 to Server2, including all the share and folder permissions.
Back up Server4 and all data to an Azure Recovery Services vault.
Use Hyper-V Replica to protect the virtual machines in Cluster3.
Implement BitLocker Drive Encryption (BitLocker) on Server4.
Whenever possible, use the principle of least privilege.

Question -
Which domain controller should be online to meet the technical requirements for DC4?

A. DC1
B. DC2
C. DC3

Answer: A

Explanation:

The RID Master holds the global RID pool for the domain. The size is limited to 30 bits by default, so the
maximum RID size is 2 to the power of 30, or about one billion. The RID Master assigns each domain controller
a pool of RIDs to use for SID creation. By default, DCs are assigned 500 contiguous RIDs at a time and request
a standby pool containing another 500 RIDs when they have used 50% of their original allocation. If a RID
master is not online, the DC promotion cannot complete.

OK - Never the obvious answer - the domain naming master names domains - not domain controllers - so - the
only one that "may" be needed is the Rid MASTER - so a the 2012 server
https://social.technet.microsoft.com/Forums/windows/en-US/55cdc487-c3c4-4090-9c41-38d768fb26e8/which-fsmo-role-is-responsible-for-adding-a-new-domain-controller-in-the-existing-root-domain-or#:~:text=There%20are%20no%20FSMO%20roles%20needed%20or%20required,is%20asking%20about%20adding%20controllers%2C%20not%20domains.
