Microsoft AZ-800 Exam (page: 6)
Microsoft Administering Windows Server Hybrid Core Infrastructure
Updated on: 15-Feb-2026

Viewing Page 6 of 34

Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The forest root domain contains a server named server1.contoso.com. A two-way forest trust exists between the contoso.com forest and an AD DS forest named fabrikam.com. The fabrikam.com forest contains 10 child domains. You need to ensure that only the members of a group named fabrikam\Group1 can authenticate to server1.contoso.com. What should you do first?

  1. Add fabrikam\Group1 to the local Users group on server1.contoso.com.
  2. Enable SID filtering for the trust.
  3. Enable Selective authentication for the trust.
  4. Change the trust to a one-way external trust.

Answer(s): C

Explanation:

Selective authentication restricts access over an external or forest trust to only those users in a trusted domain or forest who have been explicitly granted authentication permissions on computer objects (resource computers) in the trusting domain or forest. This setting must be enabled manually.
Note: When a two-way forest trust is created between Forest A and Forest B, all domains in Forest A trust all domains in Forest B and vice versa.
Incorrect:
Not B: When SID filtering is enabled, all foreign SIDs are removed (quarantined) from the user's access token when any resource is accessed through the forest trust. The most common impact is that a migrated user account that still relies on its old SID can no longer access resources that depend on that SID, because SID filtering blocks (filters) SID history across a forest trust.
When a forest trust is created, SID filtering is enabled by default. In some cases it needs to be disabled.
Not D: When a two-way forest trust is created between Forest A and Forest B, all domains in Forest A trust all domains in Forest B and vice versa.
If a one-way forest trust is created where Forest A is the trusting forest and Forest B is the trusted forest, users in Forest B can access resources in Forest A, but users in Forest A cannot access resources in Forest B.


Reference:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755321(v=ws.10)
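As an added example (not part of the original page), the two steps behind answer C in PowerShell: enable selective authentication on the trust, then grant fabrikam\Group1 the Allowed to Authenticate right on server1's computer object. It assumes it is run on a contoso.com domain controller or RSAT host as a Domain Admin with the ActiveDirectory module available.

```powershell
# Added example; names (Group1, server1, fabrikam.com) come from the question.
Import-Module ActiveDirectory

# Step 1: turn on selective authentication for the trust. With netdom the
# trusting domain comes first and the trusted domain follows /domain:.
netdom trust contoso.com /domain:fabrikam.com /SelectiveAuth:Yes

# Step 2: grant the "Allowed to Authenticate" extended right on server1's
# computer object to the foreign group. Until an ACE like this exists, no
# fabrikam.com user can authenticate to server1 at all.
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'  # Allowed-To-Authenticate rightsGuid
$group1Sid = (Get-ADGroup -Identity 'Group1' -Server 'fabrikam.com').SID
$serverDn  = (Get-ADComputer -Identity 'server1').DistinguishedName

$acl = Get-Acl -Path "AD:\$serverDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group1Sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$serverDn" -AclObject $acl

# Verify: the trust should report SelectiveAuthentication = True and the
# computer object's ACL should carry exactly the ACE granted above.
Get-ADTrust -Identity 'fabrikam.com' | Select-Object Name, Direction, SelectiveAuthentication
(Get-Acl -Path "AD:\$serverDn").Access |
    Where-Object { $_.ObjectType -eq $allowedToAuthenticate } |
    Select-Object IdentityReference, AccessControlType
```

Selective authentication only limits who can reach server1; it does not replace SID filtering, which stays enabled on the trust.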



Your network contains an Active Directory forest. The forest contains two domains named contoso.com and east.contoso.com and the servers shown in the following table.



Contoso.com contains a user named User1.
You add User1 to the built-in Backup Operators group in contoso.com.
Which servers can User1 back up?

  1. DC1 only
  2. Server1 only
  3. DC1 and DC2 only
  4. DC1 and Server1 only
  5. DC1, DC2, Server1, and Server2

Answer(s): A

Explanation:

A member of the Backup Operators group can perform backup operations for all domain controllers in the domain.

Note: Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group can't be renamed, deleted, or removed. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers.


Reference:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups



HOTSPOT (Drag and Drop is not supported)
Your network contains an Azure Active Directory Domain Services (Azure AD DS) domain named contoso.com.

You need to configure a password policy for the local user accounts on the Azure virtual machines joined to contoso.com.

What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: AAD DC Administrators group
To create a custom password policy in a managed domain, you must be signed in to a user account that's a member of the AAD DC Administrators group.

Box 2: AADDC Users organizational unit (OU)
Password policies can only be applied to groups. In the Locations dialog, expand the domain name, such as aaddscontoso.com, then select an OU, such as AADDC Users. If you have a custom OU that contains a group of users you wish to apply, select that OU.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory-domain-services/password-policy



SIMULATION
You need to create a user named Admin1 in contoso.com. Admin1 must be able to back up and restore files on SRV1. The solution must follow the principle of least privilege.

To complete this task, sign in to the required computer or computers.

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Add a new user
You can create a new user using the Azure Active Directory portal.
To add a new user, follow these steps:

Step 1: Sign in to the Azure portal in the User Administrator role for the organization.

Step 2: Search for and select Azure Active Directory from any page.

Step 3: Select Users, and then select New user.



Step 4: On the User page, enter information for this user:
Name: Admin1
User name: Admin1
Groups (optional): Backup Operator

Step 5: Copy the autogenerated password provided in the Password box. You'll need to give this password to the user to sign in for the first time.

Step 6: Select Create.
The user is created and added to your Azure AD organization.

Note:
Azure Backup provides three built-in roles to control backup management operations.
Backup Operator - This role has permissions to everything a contributor does except removing backup and managing backup policies. This role is equivalent to contributor except it can't perform destructive operations such as stop backup with delete data or remove registration of on-premises resources.
Incorrect:
Backup Contributor - This role has all permissions to create and manage backup except deleting Recovery Services vault and giving access to others. Imagine this role as admin of backup management who can do every backup management operation.

Backup Reader - This role has permissions to view all backup management operations. Imagine this role to be a monitoring person.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory
https://learn.microsoft.com/en-us/azure/backup/backup-rbac-rs-vault



SIMULATION
You need to ensure that the minimum password length for members of the BranchAdmins group is 12 characters. The solution must affect only the BranchAdmins group.

To complete this task, sign in to the required computer or computers.

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Create a new fine-grained password policy.
In the following procedure you will create a new fine-grained password policy using the UI in ADAC.
To create a new fine-grained password policy:

Step 1: Right-click the Windows PowerShell icon, click Run as Administrator, and type dsac.exe to open ADAC.

Step 2: Click Manage, click Add Navigation Nodes, select the appropriate target domain in the Add Navigation Nodes dialog box, and then click OK.

Step 3: In the Tasks pane, click New, and then click Password Settings.
Fill in or edit fields inside the property page to create a new Password Settings object. The Name and Precedence fields are required.

In our case:
Minimum password length: 12



Step 4: Under Directly Applies To, click Add, type BranchAdmins, and then click OK.


Reference:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-#bkmk2_test_fgpp1
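The same Password Settings object created from PowerShell, as an added example that is not part of the original page. The PSO name and precedence are assumptions, as are the remaining settings, which mirror the default domain policy values so that only the minimum length differs for BranchAdmins.

```powershell
# Added example: create the PSO and scope it to the BranchAdmins group only.
Import-Module ActiveDirectory

$psoName = 'PSO-BranchAdmins-MinLen12'   # name is an assumption

# Precedence decides which PSO wins when a user falls under several; lower wins.
# Everything except MinPasswordLength mirrors the default domain policy (assumed).
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' `
    -MaxPasswordAge '42.00:00:00' `
    -LockoutThreshold 0 `
    -LockoutDuration '0.00:30:00' `
    -LockoutObservationWindow '0.00:30:00' `
    -Description 'Minimum 12 characters for BranchAdmins only'

# Apply it to the group; users outside BranchAdmins keep the domain policy.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'BranchAdmins'

# Verify the scope, then confirm the PSO is the resultant policy for a member.
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName | Select-Object Name, ObjectClass
$member = Get-ADGroupMember -Identity 'BranchAdmins' |
    Where-Object { $_.objectClass -eq 'user' } | Select-Object -First 1
if ($member) {
    Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
        Select-Object Name, Precedence, MinPasswordLength
}
```

If Get-ADUserResultantPasswordPolicy returns a different PSO for a member, another PSO with a lower precedence value already applies to that user and wins.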



You need to configure a Group Policy preference to ensure that users in the organizational unit (OU) named Server Admins have a shortcut to a folder named \\srv1.contoso.com\data on their desktop when they sign in to the computers in the domain.

To complete this task, sign in to the required computer or computers.

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Create Desktop Shortcuts on Domain Computers via GPO.
Step 1: Open the Group Policy Management Console (gpmc.msc).

Step 2: Right-click an AD container (Organizational Unit) you want to apply a shortcut creation policy. In this case right-click on the OU Server Admins.



Step 3: Select Create a GPO in this domain, and Link it here.

Step 4: Go to the Group Policy Preferences section: User Configuration -> Preferences -> Windows Settings -> Shortcuts. Right-click it and select New -> Shortcut.



Step 5: Create a new shortcut item with the following settings:
Name: Something
Target Type: File System Object (you can select a URL or a Shell object here)
Location: Desktop
Target Path: \\srv1.contoso.com\data


Reference:

http://woshub.com/create-desktop-shortcuts-group-policy/



You plan to promote a domain controller named DC3 in a site in Seattle.
You need to ensure that DC3 only replicates with DC1 and DC2 between 8 PM and 6 AM.

To complete this task, sign in to the required computer or computers.

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Step 1: Create a site link between Seattle and the site in which DC1 and DC2 are located (skip this step if the site link already exists).

Step 2: To open Active Directory Sites and Services, click Start, click Administrative Tools, and then click Active Directory Sites and Services.

Step 3: In the console tree, click the intersite transport folder that contains the site link for which you are configuring intersite replication availability.

Step 4: In the details pane, right-click the site link whose schedule you want to configure, and then click Properties.

Step 5: Click Change Schedule.

Step 6: Select the block of time during which you want replication to be either available or not available, and then click Replication Not Available or Replication Available, respectively.
Change the schedule to: from 8 PM to 6 AM.

Note: Site link
Site links are Active Directory objects that represent logical paths that the KCC uses to establish a connection for Active Directory replication. A site link object represents a set of sites that can communicate at uniform cost through a specified intersite transport.

All sites contained within the site link are considered to be connected by means of the same network type. Sites must be manually linked to other sites by using site links so that domain controllers in one site can replicate directory changes from domain controllers in another site. Because site links do not correspond to the actual path taken by network packets on the physical network during replication, you do not need to create redundant site links to improve Active Directory replication efficiency.

When two sites are connected by a site link, the replication system automatically creates connections between specific domain controllers in each site that are called bridgehead servers.


Reference:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770712(v=ws.10)
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts
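The schedule from Step 6 set from PowerShell, as an added example that is not part of the original page. The site link name is an assumption; the schedule object is the standard 7 x 24 x 4 grid of 15-minute slots, so the block opens every slot from 20:00 to 05:45 and closes the rest.

```powershell
# Added example: restrict replication over the Seattle site link to 8 PM-6 AM.
Import-Module ActiveDirectory

$siteLinkName = 'Seattle-DC1DC2'   # assumption; use the real site link name

# RawSchedule is bool[7,24,4]: [day (0 = Sunday), hour, 15-minute slot].
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$raw = $schedule.RawSchedule
for ($day = 0; $day -lt 7; $day++) {
    for ($hour = 0; $hour -lt 24; $hour++) {
        # Open 20:00-23:59 and 00:00-05:59; every other hour is closed.
        $open = ($hour -ge 20) -or ($hour -lt 6)
        for ($slot = 0; $slot -lt 4; $slot++) {
            $raw[$day, $hour, $slot] = $open
        }
    }
}
$schedule.RawSchedule = $raw

Set-ADReplicationSiteLink -Identity $siteLinkName -ReplicationSchedule $schedule

# Verify by re-reading the link and counting open slots on one day:
# 10 hours x 4 slots = 40 expected.
$stored = (Get-ADReplicationSiteLink -Identity $siteLinkName -Properties ReplicationSchedule).ReplicationSchedule
$openSlots = 0
for ($h = 0; $h -lt 24; $h++) {
    for ($s = 0; $s -lt 4; $s++) {
        if ($stored.RawSchedule[0, $h, $s]) { $openSlots++ }
    }
}
"Sunday open 15-minute slots: $openSlots (expected 40)"
```

The schedule only takes effect if the intersite transport's "Ignore schedules" option is left off, so check that in the IP transport properties as well.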



You need to ensure that DC2 is the schema master for contoso.com.

To complete this task, sign in to the required computer or computers.

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Seize operations master roles
You cannot use AD DS snap-ins to seize operations master roles. Instead, you must use either the ntdsutil.exe command-line tool or Windows PowerShell to seize roles.

To seize or transfer the FSMO roles by using the Ntdsutil utility, follow these steps:

Step 1: Sign in to a member computer, in our case DC2, that has the AD RSAT tools installed, or a DC that is located in the forest where FSMO roles are being transferred.

Step 2: Select Start > Run, type ntdsutil in the Open box, and then select OK.

Step 3: Type roles, and then press Enter.
Note:
To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press Enter.

Step 4: Type connections, and then press Enter.

Step 5: Type connect to server <servername>, and then press Enter.

Step 6: At the server connections prompt, type q, and then press Enter.

Step 7: To seize the role: Type seize <role>, and then press Enter.
In our case we type: seize schema master.

Step 8: At the fsmo maintenance prompt, type q, and then press Enter to gain access to the ntdsutil prompt. Type q, and then press Enter to quit the Ntdsutil utility.


Reference:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds
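The same role move in PowerShell, as an added example that is not part of the original page: it transfers the schema master to DC2 while the current holder is reachable and falls back to a seize (the -Force equivalent of ntdsutil's seize) only if the transfer fails. It assumes the account is a member of Schema Admins and that DC2's FQDN is DC2.contoso.com.

```powershell
# Added example: make DC2 the schema master, preferring a transfer over a seize.
Import-Module ActiveDirectory

$target = 'DC2'
$targetFqdn = 'DC2.contoso.com'   # assumption

$forest = Get-ADForest
"Current schema master: $($forest.SchemaMaster)"

if ($forest.SchemaMaster -ne $targetFqdn) {
    try {
        # Transfer: both DCs agree on the handoff, so no stale owner is left behind.
        Move-ADDirectoryServerOperationMasterRole -Identity $target `
            -OperationMasterRole SchemaMaster -Confirm:$false -ErrorAction Stop
        'Role transferred.'
    } catch {
        # Seize only when the current holder is permanently unavailable. A seized
        # holder must be demoted or rebuilt, never simply brought back online.
        Move-ADDirectoryServerOperationMasterRole -Identity $target `
            -OperationMasterRole SchemaMaster -Force -Confirm:$false
        'Role seized.'
    }
}

# Verify from two angles: the forest object and the schema partition itself.
(Get-ADForest).SchemaMaster
$schemaNc = (Get-ADRootDSE).schemaNamingContext
(Get-ADObject -Identity $schemaNc -Properties fSMORoleOwner).fSMORoleOwner
```

The fSMORoleOwner value is the NTDS Settings DN of the holder, so it should end with CN=DC2,CN=Servers,... once the move has replicated.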





