Final Prep

The document covers various PowerShell cmdlets for remote management, Windows Admin Center compatibility, and Windows Server editions suitable for small businesses. It also discusses Active Directory concepts, DHCP configurations, DNS functionalities, and storage management options, including Storage Spaces and Data Deduplication. Additionally, it addresses user permissions, Group Policy Objects, and the importance of proper server configurations in a Windows environment.

Uploaded by

x7vk5vdfw

Question 1

What cmdlet can be run on a remote Windows computer to allow PowerShell
remote management?

Enable-PSSession

Enable-PSRemoting

Enable-PSSessionConfiguration

Explanation

The Enable-PSRemoting cmdlet will allow PowerShell remote management.
PowerShell remote management is enabled by default on Windows Server
2012 and newer, but not on client computers.

Question 2

True or False: The Windows Admin Center is supported on Internet Explorer
11.

True

False

Explanation

The Windows Admin Center is not supported on Internet Explorer and will
return an error if you try to launch it.

Question 1

You are the administrator of a small company of 50 users. Most of your
business applications are cloud based. You're going to set up two Windows
Servers, one as a domain controller and one as a file and print server. Which
edition of Windows Server will best suit your needs?

Standard

Essentials

Hyper-V

Datacenter

Explanation

The Standard edition is the best choice because its license allows two VMs to
run and you need two servers. The Essentials edition does not allow that
many users and Datacenter would be expensive for only two servers. Hyper-V
is free but you would have to pay for two server licenses for the VMs that
run on it.

Question 2

Which tool can help you inventory your organization’s IT infrastructure?

Microsoft Deployment Toolkit

Microsoft Assessment and Planning Toolkit

Explanation

The Microsoft Assessment and Planning Toolkit is an agentless solution
accelerator that analyzes the inventory of an organization’s server
infrastructure, performs an assessment, and then creates reports that you
can use for upgrade and migration plans. The Microsoft Deployment Toolkit
is used for deploying standardized images.

Question 1

Which of the following roles or role services can run on Server Core? Select
two.

SMTP server

Web Server IIS

Remote Desktop Gateway

Active Directory Certificate Services

Explanation

You can install certain roles on Server Core while some roles are not
available because Server Core does not have the code base required for
those roles.

Question 1

What tool is commonly used for the initial configuration of Server Core?

Windows Admin Center

Windows PowerShell

Sconfig

Server Manager

Explanation

Sconfig is the best tool for the initial configuration of Server Core. It allows
for IP address assignment, setting computer name, and domain membership.

Question 2

You have Windows Server Standard edition installed and it has DNS and
DHCP and Hyper-V installed. How many VMs can you run in Hyper-V before
you need to buy a license?

One

Two

Unlimited

None

Explanation

You can run one VM before you must buy a license because you are using
this host server for more than just a Hyper-V host.

Question 3

True or False: You must install an SSL certificate to use the Windows Admin
Center.

True

False

Explanation

True, a self-generated one is included, but it is only valid for 60 days.

Question 4

You want the helpdesk group to only be able to add and remove users from
security groups. How should you accomplish this?

Add the helpdesk group to the Account Operators group

Add the helpdesk group to the Server Operators group

Use the Delegation of Control Wizard to assign the task

Add the helpdesk group to the Domain Admins group

Explanation

Use the Delegation of Control Wizard to assign the task. Although Account
Operators and Domain Admins would work, they would give too many
administrative rights to the helpdesk group.

MODULE 02

What is the Active Directory Domain Services (AD DS) schema?

The AD DS schema is the component that defines all the object classes and
attributes that AD DS uses to store data.

Is the Computers container an organizational unit (OU)?

No, it is an object of the Container class.

What's a domain controller?

A domain controller is a server that stores a copy of the Active Directory
Domain Services (AD DS) directory database (Ntds.dit) and a copy of the
SYSVOL folder. All domain controllers except read-only domain controllers
(RODCs) store a read/write copy of both Ntds.dit and the SYSVOL folder.

What would you use to synchronize user details to Microsoft Azure Active
Directory (Azure AD) from Active Directory Domain Services (AD DS)?

You would use Azure AD Connect to synchronize user details to Azure AD
from AD DS.

Which version of Azure AD supports Azure AD Join + mobile device
management (MDM) autoenrollment?

Both Azure AD Premium P1 and P2 editions support this feature.

If you linked a Group Policy Object (GPO) to the domain object in your Active
Directory Domain Services (AD DS), what are the different ways to prevent
this policy from applying to all users in the domain?

There are several possible approaches, which include:

You could unlink the GPO from the domain. You could use Security Group
filtering to target the GPO settings to a specific group. You could also use
Block Inheritance on child OUs.

What are the default domain GPOs called?

The two default GPOs are called Default Domain Policy and Default Domain
Controllers Policy.

In general, what are the three categories of certification authority (CA)
hierarchies?

The three categories of CA hierarchies include CA hierarchies with a policy
CA, CA hierarchies with cross-certification trust, and CAs with a two-tier
hierarchy.

What is certificate revocation?

Revocation is the process in which you disable the validity of one or more
certificates. By initiating the revocation process, you publish a certificate
thumbprint in the corresponding certificate revocation list (CRL). This
indicates that a specific certificate is no longer valid.

What are the two reasons to create organizational units (OUs) in a domain?

The first reason is because you want to group users and computers, for
example, by geography or department. The second reason is that you might
want to delegate administration on the OU or configure the objects in an OU
by using Group Policy Objects (GPOs).

If the domain controller that holds the primary domain controller (PDC)
Emulator operations master role is going to be offline for an extended period,
what should you do?

You should transfer the operations master role to another server in the same
domain ahead of the planned outage.

True or false? Azure Active Directory (Azure AD) is hierarchical

False. Azure AD has a flat structure.

If you have a new version of Microsoft Office to deploy in your on-premises
environment, and you want to configure settings with GPOs, what would you
do?

You could download and install the latest .admx files for Office. If you install
these into the Central Store, you could configure the new Office settings in
one location.

What is a certificate template?

Certificate templates define how you can request or use a certificate, such as
for file encryption or email signing.

MODULE 03

Question 1

If you configure a DHCP scope with a lease length of four days, when will
computers attempt to renew the lease for the first time?

1 day

2 days

3 days

3.5 days

Explanation

Two (2) days is the correct answer. If you configure a DHCP scope with a
lease length of four days, computers will attempt to renew the lease for the
first time after two days.

Question 2

Which permissions are required to authorize a DHCP server in a multiple
domain AD DS forest?

Member of "Enterprise Admins" group


Member of "Domain Admins" group

Member of local "Administrators" group on the DHCP server

Member of "DHCP Administrators"

Explanation

Member of "Enterprise Admins" group is the correct answer. In an Active
Directory Domain Services (AD DS) forest with multiple domains, you need
permissions in all domains to authorize DHCP servers in all the domains. The
"Enterprise Admins" group has permissions to authorize DHCP servers in all
the domains in an AD DS forest.

Question 1

Which type of resource record is used only for IPv6 addresses?

PTR record

TXT record

AAAA record

CNAME record

Explanation

The correct answer is AAAA record. An AAAA record is a host record that
resolves a name to an IPv6 address. IPv4 uses an A record.

Question 2

Which DNS functionality should you use to direct DNS queries for a single
domain to a partner organization through firewalls?

Forwarder

Stub zone

Root hints

Conditional forwarder

Explanation

The correct answer is conditional forwarder. Partner organizations commonly
use a conditional forwarder because it defines settings for a single domain.
Also, you can configure specific IP addresses for communication, which
simplifies firewall configuration.

Question 1

Which of the following are valid options for storing IP Address Management
(IPAM) data? (Choose two.)

Windows Internal Database

JET database

Access database

Microsoft SQL Server database

Explanation

Windows Internal Database and Microsoft SQL Server database are the
correct answers.

Question 2

Which IPAM security groups can manage IP address blocks and IP address
inventory? (Choose two.)

IPAM DHCP Administrator

IPAM ASM Administrator

IPAM MSM Administrator

IPAM Administrator

Explanation

IPAM ASM Administrator and IPAM Administrator are the correct answers.

Question 1

Which network infrastructure service in Windows Server allows you to
monitor and manage IP address ranges for the entire organization?

Domain Name System (DNS)


NPS

IP Address Management (IPAM)

Remote access services

Explanation

IPAM is the correct answer. IPAM is used to centrally monitor and manage
DNS, DHCP, and IP address ranges.

Question 2

Which of the following are true about DHCP Failover? (Select two.)

IP address ranges must split 80:20 between servers.

A failover relationship can have up to four partners.

A failover relationship can have only two partners.

Load balance mode configures one server as primary to service all
requests.

The necessary firewall rules are configured automatically when the
DHCP role is installed.

Explanation

The correct answers are "A failover relationship can have only two partners"
and "The necessary firewall rules are configured automatically when the
DHCP role is installed."

Question 3

Which of the following options are required when configuring a DHCP
reservation? (Select three.)

MAC address

Description

IP address

Reservation name

Computer name

Explanation

The correct answers are MAC address, IP address, and reservation name.

Question 4

Which type of DNS zone automatically replicates to all domain controllers in
a domain that have the DNS role installed?

Primary

Secondary

Stub

Active Directory-integrated

Explanation

Active Directory-integrated is the correct answer. Active Directory-integrated
zones are stored in Active Directory Domain Services (AD DS) and are
replicated to domain controllers that have the DNS role installed.

Question 5

Which service running on domain controllers creates the SRV records used by
clients to locate the domain controller?

Netlogon

DNS client

Workstation

DHCP Client

Explanation

Netlogon is the correct answer. When the Netlogon service starts, it
dynamically registers the SRV records in DNS.

Question 6

Which feature of DNS can you use to resolve a host record to different IP
addresses depending on user location?

DNSSEC

Stub zone

Conditional forwarder

DNS policies

Explanation

DNS policies is the correct answer. When you create a DNS policy, you can
specify conditions that control how a DNS server responds to a request. This
includes alternate host records based on the client IP address.

Question 7

How do you create the Group Policy Objects (GPOs) used to configure a
server that is managed by IPAM?

Run the Install-WindowsFeature cmdlet

Run the Invoke-IpamGpoProvisioning cmdlet

Select Group Policy provisioning in the configuration wizard

Run the New-GPO cmdlet

Explanation

Run the Invoke-IpamGpoProvisioning cmdlet is the correct answer. When you
run this cmdlet, you specify the prefix to use for the GPO names. The GPOs
are created and linked to the root of the domain.

MODULE 04

Question 1

What are the two disk types in Windows 10 Disk Management?

The two types of disks are basic and dynamic.

Question 2

What file system do you currently use on your file server and will you
continue to use it?

Answers could vary. A common answer is NT File System (NTFS), because
NTFS should be the basis for any file system used on a Windows Server
operating system. If you use FAT32 or Extended FAT (exFAT), you should be
able to support your decision, because these file systems don't support
security access control lists (ACLs) on files and folders.

Question 3

If permissions on a file are inherited from a folder, can you modify them on a
file?

No, you can't modify inherited permissions. You can modify them on the
folder where they were set explicitly, and then your modified permissions will
be inherited by the file. Conversely, you can disable inheritance on a file,
select or convert inherited permissions to explicit permissions, and then
modify explicit permissions on it.

Question 4

Can you set permissions only on files in NTFS volumes?

No. You can set permissions on folders and entire volumes, including the root
folder. Permissions that you set on folders or volumes are inherited to all
content on that volume or in that folder, by default. You can set permissions
on NTFS volumes and on Resilient File System (ReFS) volumes.

Question 1

Can any user connect to any shared folder?

No. Only users with the appropriate permissions can connect to shared
folders. You configure permissions on shared folders when you share a folder,
and you can modify permissions.

Question 2

What could be a reason that a user can't open files on a share?

There can be many reasons why a user can't open files on a share, including
network connectivity issues, authentication problems, and issues with share
and file permissions.

Question 3

What is the main difference between sharing a folder by using "Network File
and Folder Sharing" and by using the "Advanced Sharing" option?

If you share a folder by using "Network File and Folder Sharing", you can set
share and file permissions in a single step. If you share a folder by using the
"Advanced Sharing" option, you can set only share folder permissions. You
can't modify file permissions by using the "Advanced Sharing" option in a
single step.

Question 4

What could be a reason that a user doesn't have the "Always available
offline" option when they right-click or access the context menu for a file in
the share, but when they right-click or access the context menu for a file in
another share, the "Always available offline" option is available?

The most probable reason for such behavior is that the share doesn't allow
offline files, and it has been configured with the "No files or Programs from
the shared folder are available offline" option.

Question 1

What are the advantages of using Storage Spaces compared to using system
area networks (SANs) or a network access server (NAS)?

Storage Spaces provides an inexpensive way to manage storage on servers.
With Storage Spaces, you don't need to buy specialized storage or network
devices. You can attach almost any kind of disk to a server and manage all
the disks on your server as a block. You can provide redundancy by
configuring mirroring or parity on the disks. Storage Spaces also are easy to
expand by adding more disks. By using Storage Spaces tiering, you can also
optimize the use of fast and slow disks in your storage space.

Question 2

What are the disadvantages of using Storage Spaces compared to using
SANs or NAS?

Most SAN and NAS devices provide many of the same features as Storage
Spaces. These storage devices also provide redundancy, data tiering, and
easier capacity expansion. Additionally, they improve performance by
removing all the storage-related calculations from the server and performing
these tasks on dedicated hardware devices. This means that NAS and SAN
devices (SAN devices in particular), are likely to provide better performance
than using Storage Spaces.

Question 1

Can you configure data deduplication on a boot volume?

No, you can't configure data deduplication on a boot volume. You can
configure data deduplication only on volumes that aren't system or boot
volumes.

Question 2

Can I change the Data Deduplication settings for my selected usage type?

Yes. Although Data Deduplication provides reasonable defaults for
recommended workloads, you might still want to tweak Data Deduplication
settings to get the most out of your storage. Additionally, other workloads
will require some tweaking as well, to ensure that Data Deduplication
doesn't interfere with the workload.

Question 3

Is Data Deduplication allowed on Resilient File System (ReFS)–formatted
drives?

With Windows Server 2016, Data Deduplication wasn't available for ReFS
and was only available for the NTFS file system. Now, with Windows Server
2019, Data Deduplication is available for both ReFS and NTFS file systems.

Question 1

What are the required components of an Internet Small Computer System
Interface (iSCSI) solution? Select all that apply.

IP network

iSCSI targets

iSCSI initiators

iSCSI qualified name

Domain Name System (DNS)

Explanation

If you access the iSCSI target through IP addresses, DNS isn't a required part
of an iSCSI solution. iSCSI has its own name service, *internet Storage Name
Service (iSNS)*. DNS is required only if you want to use fully qualified
domain names (FQDN) to access your iSCSI storage.

Question 2

You can use Server Manager to configure both the iSCSI Target Server and
the iSCSI initiator.

True

False

Explanation

You can configure the iSCSI Target Server by using Server Manager and
Windows PowerShell. However, you can't configure the iSCSI initiator by
using Server Manager; you can only configure the iSCSI initiator through its
own interface, or through Windows PowerShell.

Question 1

What kinds of Distributed File System (DFS) namespaces are there and how
do you ensure their availability?

There are two kinds of DFS Namespaces: Standalone, and domain-based. For
standalone DFS namespaces, you ensure the availability of a standalone DFS
root by creating it on the cluster storage of a clustered file server by using
the Cluster Administrator snap-in. For domain-based DFS namespaces, you
ensure the availability of domain-based DFS roots by creating multiple root
targets on non-clustered file servers or on the local storage of the nodes of
server clusters. (Domain-based DFS roots can't be created on cluster
storage.) All root targets must belong to the same domain. To create root
targets, use the DFS snap-in or the Dfsutil.exe command-line tool.

Question 2

Is DFS Replication compatible with Data Deduplication?

Yes, DFS Replication can replicate folders on volumes that use Data
Deduplication in Windows Server.

Question 3

Can you use the Volume Shadow Copy Service (VSS) with DFS Replication?

Yes. DFS Replication is supported on VSS volumes, and you can restore
previous snapshots successfully with the previous version's client.

Question 4

Is DFS Replication cluster aware?

Yes, DFS Replication is cluster aware. DFS Replication in Windows Server
2008 R2 through Windows Server 2019 includes the ability to add a failover
cluster as a member of a replication group.

Question 1

You attach five 2-terabyte (TB) disks to your Windows Server 2012 computer.
You want to simplify the process of managing the disks. In addition, you want
to ensure that if one disk fails, the failed disk’s data isn't lost. What feature
can you implement to accomplish these goals?

You can use Storage Spaces to create a storage pool of all five disks, and
then create a virtual disk with parity or mirroring to make it highly available.

Question 2

Your manager has asked you to consider using Data Deduplication within
your storage architecture. In what scenarios are the Data Deduplication role
service particularly useful?

You should consider using deduplication for file shares, software deployment
shares, and VHD and VHDX file libraries. For file shares, include group
content publication or sharing, user home folders, and profile redirection for
accessing offline files. With the release to manufacturing (RTM) version of
Windows Server 2012, you could save approximately 30 to 50 percent of
your system’s disk space. With the Cluster Shared Volume (CSV) support in
Windows Server 2012 R2, the disk savings can increase up to 90 percent in
certain scenarios. Software deployment shares include software binaries,
images, and updates. You might be able to save approximately 70 to 80
percent of your disk space. VHD and VHDX file libraries include VHD and
VHDX file storage for provisioning to hypervisors. You might be able to save
disk space of approximately 80 to 95 percent.

Question 3

Can you use both local and shared storage with Storage Spaces Direct?

No. Storage Spaces Direct can use only local storage. A standard storage
space can use shared storage.

MODULE 05

Question 1

What is the correct term for the virtualization layer that is inserted into the
boot process of the host machine that controls access to the physical
hardware?

A software layer known as the **hypervisor** is inserted into the boot
process. The hypervisor is responsible for controlling access to the physical
hardware.

Question 2

Name four methods for managing Hyper-V virtual machines.

Four methods include Hyper-V Manager, Windows PowerShell, PowerShell
Direct, and Windows Admin Center.

Question 3

What is the PowerShell command for enabling nested virtualization?

Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true

Question 1

You need to create a virtual machine (VM) that supports Secure boot. Which
generation would you choose when you create the VM?

You need to select generation 2, which is needed to support Secure boot.


Question 2

Which virtual hard disk (VHD) type only uses the amount of space that needs
to be allocated and grows in size as more space is necessary?

Dynamically expanding VHD.

Question 3

Which Hyper-V virtual switch allows communication between the VMs on a
host computer and also between the VMs and the host itself only?

The Internal network switch

Question 4

You need to preserve the state and configuration of a VM at a set time
period. What can you do?

You can create a checkpoint to preserve the state and configuration of a VM
at a set time period.

Question 1

Describe three main benefits of running protected virtual machines (VMs) in
a guarded fabric.

Benefits include securing an authorized Hyper-V host, verification that a host
is in a healthy state, and providing a secure method to release keys to
healthy hosts to allow for unlocking and starting a protected VM.

Question 2

Which component in a guarded fabric is used to enforce security and
manage the keys to start protected VMs?

The Host Guardian Service.

Question 3

Describe three types of VMs that can be run in a guarded fabric.

A shielded VM, an encryption-supported VM, and a normal VM.


Question 4

Which tool is used to prepare and encrypt a VM template disk?

The Shielded Template Disk Creation Wizard, which is part of the Shielded
VM Tools available from the Remote Administration Tools feature.

Question 1

Describe the primary difference between a container and a virtual machine.

A container shares the kernel with the host operating system and other
containers. A virtual machine is totally isolated and has its own kernel and
user mode.

Question 2

Which container management provider is supported with Windows?

Docker containers are fully supported by the latest releases of the Windows
operating system.

Question 3

Which container base image is used primarily to support .NET core APIs and
is good to use if you want to have a very small base image starting point?

The Nano Server container base image is the smallest image and has
support for the .NET Core APIs.

Question 4

What can you use to help automate container image creation and
management?

A Dockerfile, which contains instructions on how to create a new container,
is used to automate these tasks.

Question 1

Describe three tasks that a typical container orchestrator performs.

Tasks may include scheduling, affinity/anti-affinity, health monitoring,
failover, scaling, networking, service discovery, and coordinated application
upgrades.

Question 2

Describe the primary components of a Kubernetes cluster.


A Kubernetes cluster contains at least one Master/Control plane and one or
more Linux or Windows-based worker nodes.

Question 3

Which Microsoft cloud-based service can be used to provide a hosted
Kubernetes environment?

The Azure Kubernetes Service (AKS).

Question 1

Which of the following are requirements for installing the Hyper-V server role
in Windows Server? Choose two.

A 32-bit processor

Minimum 32 GB of memory

A 64-bit processor

BitLocker enabled

Intel VT or AMD-V enabled

Explanation

To install the Hyper-V server role, you need a 64-bit processor with
second-level address translation (SLAT). You also need to enable Intel VT or
AMD-V. You also must have a processor with VM Monitor Mode extensions and
must enable Hardware-enforced Data Execution Prevention (DEP).

Question 2

You plan to enable nested virtualization on a Hyper-V host. What do you need
to do to ensure that network traffic of nested VMs can reach an external
network?

Enable BitLocker

Enable MAC address spoofing

Enable Device Guard

Configure a switch with the Internal Network type

Configure a switch with the Private Network type


Explanation

To enable network packets to be routed through two virtual switches, you
must enable MAC address spoofing on the physical Hyper-V host.

Question 3

Which of the following are true for considerations when implementing a Host
Guardian service? Choose two.

A new Active Directory forest is created dedicated to the Host Guardian
service.

The Host Guardian service must be installed on a server containing the
Linux operating system.

The Host Guardian service must be installed in a virtual machine.

The Host Guardian service uses certificates for signing and encryption
tasks.

The Host Guardian service must be installed in the same domain as the
Hyper-V guarded hosts.

Explanation

The Host Guardian Service (HGS) can be run on physical or virtual machines.
The HGS can run on Windows Server 2019 or Windows Server 2016 Standard
or Datacenter editions. HGS sets up the server in a new, dedicated AD DS
forest to ensure that sensitive key information is as secure as possible.
The Hyper-V guarded hosts are installed in the standard AD DS
environment.

Question 4

Which of the following are requirements for creating a shielded template
disk? Choose two.

A generation 2 virtual machine

A basic disk

A generation 1 virtual machine

A dynamic disk

Must be generalized

Explanation

When creating a shielded template disk, the disk must be Basic and cannot
be dynamic because BitLocker does not support dynamic disks. The
operating system also needs to be generalized, which can be done using
sysprep.exe.

Question 5

You download a container base image. When you attempt to create and run a
container using the base image, you get an error message that relates to
incompatibility with the host machine. What should you do?

Download a new container base image that matches the version of the
operating system installed on the host machine.

Run the container using the --isolation=process switch.

Update the version of Docker installed on the host machine.

Install a self-signed authentication certificate on the host machine.

Use BitLocker to encrypt the Operating system drive of the host
machine.

Explanation

The Windows host operating system version needs to match the container
operating system version. To run a container based on a newer Windows
build, you need to ensure that an equivalent operating system version is
installed on the host. Note that if your host server contains a newer
operating system version, you can use Hyper-V isolation mode to run an
older version of Windows containers.

Question 6

Which of the following can be used as worker nodes in a Kubernetes cluster?
Choose two.

Nano Server

Windows Server 2019


MacOS

Linux

Explanation

Windows Server 2019 and Linux are both supported as worker nodes in a
Kubernetes cluster.

MODULE 06

Question 1

What component provides block-level replication for any type of data in
complete volumes?

Storage Replica

Cluster Shared Volume (CSV) Replica

Cluster set

Quorum

Explanation

Storage Replica is the correct answer. Storage Replica provides block-level
replication for any type of data in complete volumes. This allows disaster
recovery in stretch cluster, cluster-to-cluster, or server-to-server situations.

Question 2

Which term is defined as the majority of voting nodes in an active cluster
membership plus a witness vote?

Failover voting

CSV

Cluster set

Quorum

Explanation

Quorum is the correct answer. A quorum is the majority of voting nodes in an
active cluster membership plus a witness vote. In effect, each cluster node is
an element that can cast one vote to determine whether the cluster
continues to run. In case an even number of nodes exists, another element,
referred to as a "witness," is assigned to the cluster. The witness element
can be a disk, a file share, or a Microsoft Azure Cloud Witness. Each voting
element contains a copy of the cluster configuration, and the Cluster service
works to always keep all the copies synced.

Question 3

What quorum configuration is a best practice for Windows Server 2019
failover clusters?

Dynamic quorum mode and dynamic witness provide the highest level of
scalability for a cluster in most standard configurations.

Question 1

Does Windows Server 2019 require all nodes to be in the same domain?

Yes

No

Explanation

No is the correct answer. Windows Server 2019 doesn't require all nodes to
be in the same domain; however, we recommend having all nodes in the
same domain.

Question 2

Can a node that runs Windows Server 2016 and one that runs Windows
Server 2019 both run in the same cluster?

Yes

No

Explanation

Yes is the correct answer. A node that runs Windows Server 2016 and one
that runs Windows Server 2019 both can run in the same cluster. This is part
of the Cluster Operating System Rolling Upgrade feature that's new in
Windows Server 2016. It's a best practice to move toward having the cluster
run the same operating system and not run in mixed mode for an extended
period.

Question 3

You must install what feature on every server that you want to add as a
failover cluster node?

Cluster set

Failback Clustering

Hyper-V

Failover Clustering

Explanation

Failover Clustering is the correct answer. You must install the Failover
Clustering feature on every server that you want to add as a failover cluster
node.

Question 4

When running the Validate a Configuration Wizard, what does the yellow
yield symbol indicate?

The failover cluster needs to fail back to the original node.


The wizard is waiting for a file to download.

The failover cluster creation is in progress.

The failover cluster that's being tested isn't in alignment with Microsoft
best practices.

Explanation

When running the Validate a Configuration Wizard, the yellow yield symbol
indicates that the aspect of the proposed failover cluster that's being tested
isn't in alignment with Microsoft best practices. Investigate this aspect to
make sure that the configuration of the cluster is acceptable for the
environment of the cluster, for the requirements of the cluster, and for the
roles that the cluster hosts.

Question 1

Which type of witness uses a basic format and doesn't keep a copy of the
cluster database?

USB witness

Failback witness

File share witness

Microsoft Azure Cloud Witness

Explanation

Microsoft Azure Cloud Witness is the correct answer. An Azure Cloud Witness
builds on the foundation of the file share witness. An Azure Cloud Witness
uses the same basic format as the file share witness regarding its arbitration
logic, and it doesn't keep a copy of the cluster database.

Question 2

What technology enables replication of volumes between servers or clusters
for disaster recovery?

File share witness

Cluster set

Cluster Shared Volume (CSV)

Storage Replica

Explanation

Storage Replica is the correct answer. Storage Replica is Windows Server
technology that enables replication of volumes between servers or clusters
for disaster recovery. With it, you can also create stretch failover clusters
that span two sites, with all nodes staying in sync.

Question 3

What added features does enabling site-aware clustering in a stretch cluster
provide?

Your answers might vary, but they might include:

Question 1

Which feature would you use to configure a failover cluster when you use
Hyper-V host servers?

Site-aware clustering

Client clustering

Live clustering

Host clustering

Explanation

Host clustering is the correct answer. By using host clustering, you can
configure a failover cluster when you use the Hyper-V host servers. When
you configure host clustering for Hyper-V, you configure the virtual machines
(VMs) as a highly available resource. You implement failover clustering
protection at the host server–level. This means that the guest operating
system and applications that run within the VM don't have to be
cluster-aware. However, the VM is still highly available.

Question 2

Which feature can you use to transparently move running VMs from one
Hyper-V host to another without perceived downtime?

Site-aware cluster

Storage migration

Cluster set

Live Migration

Explanation

Live Migration is the correct answer. You can use Live Migration, a Hyper-V
feature in Windows Server, to transparently move running VMs from one
Hyper-V host to another without perceived downtime.

Question 1

What term describes a loosely coupled grouping of multiple failover clusters?

Cluster set

Failback Clustering

Hyper-V

Failover Clustering

Explanation

Cluster set is the correct answer. A cluster set is a loosely coupled grouping
of multiple failover clusters; it enables virtual machine (VM) fluidity across
member clusters within the set and a unified storage namespace across the
set.

Question 2

When running the Validate a Configuration Wizard, what does the red "X"
indicator mean?

The failover cluster needs to fail back to the original node.

You can't use the part of the failover cluster that failed.

Failover cluster creation is in progress.

The failover cluster that's being tested isn't in alignment with Microsoft
best practices.

Explanation

When running the Validate a Configuration Wizard, when a failover cluster
receives a red "X" (fail) in one of the tests, it means that you can't use the
part of the failover cluster that failed in a Windows Server failover cluster.
Additionally, when a test fails, all other tests don't run, and you must resolve
the issue before you install the failover cluster.

Question 3

What component provides a consistent, distributed namespace that
clustered roles can use to access shared storage from all nodes?

Storage Replica

Cluster Shared Volume (CSV)

Cluster set

Quorum

Explanation

Cluster Shared Volume (CSV) is the correct answer. Failover clusters provide
CSV functionality that provides a consistent, distributed namespace that
clustered roles can use to access shared storage from all nodes. With the
Failover Clustering feature, users experience a minimum of disruptions in
service.

Question 4

Which type of witness is ideal when shared storage isn't available or when
the cluster spans geographical locations?

USB witness

Failback witness

File share witness

Microsoft Azure Cloud Witness

Explanation

File share witness is the correct answer. A file share witness is ideal when
shared storage isn't available or when the cluster spans geographical
locations. This option doesn't store a copy of the cluster database.

Question 5

What technology provides high availability where each site has a separate
storage system with replication among the sites?

Stretch cluster

Cluster set

CSV

Storage Replica

Explanation

Stretch cluster is the correct answer. A stretch cluster provides high
availability where each site has a separate storage system with replication
among the sites.

Question 6

Which feature provides high availability for applications or services running
on the VM that don't have to be compatible with failover clustering?

Site-aware clustering

Client clustering

Live clustering

Host clustering

Explanation

Host clustering is the correct answer. Host clustering provides high
availability for applications or services running in the VM that don't have to
be compatible with failover clustering; additionally, they don't have to be
aware that the VM is clustered. Because the failover is at the VM-level, there
are no dependencies on the software that's installed in the VM.

Question 7

Which feature distributes IP traffic to multiple instances of a TCP/IP service?

Site-aware cluster

Storage migration

Network Load Balancing (NLB)

Live Migration

Explanation

Network Load Balancing (NLB) is the correct answer. NLB distributes IP traffic
to multiple instances of a TCP/IP service.

Module 08

Question 1

What's the difference between a planned failover and a failover?

You can perform a planned failover when both Hyper-V hosts—at the primary
site and at the recovery site—are available. A planned failover is performed
without any data loss. When this isn't possible, for example if the primary
site is no longer available because of a disaster, you can perform failover,
which means unplanned failover. After failover, you'll be able to use a
replicated virtual machine (VM), but changes that were performed at the
primary site and weren't yet replicated will be lost.

Question 2

Can you use Hyper-V Replica to replicate only VMs that have integration
services installed?

No. You can use Hyper-V Replica to replicate any VM regardless of whether it
has integration services installed. However, some features such as Failover
TCP/IP settings are applied to a replicated VM only if it has integration
services installed.

Question 1

Can you use Microsoft Azure Site Recovery to manage virtual machine (VM)
replication between two Hyper-V hosts?

No. You can't use Site Recovery to manage replication between two Hyper-V
hosts. You can use Site Recovery to manage VM replication from a Hyper-V
host to Azure or between two clouds that Microsoft System Center Virtual
Machine Manager manages. If you want to manage VM replication between
two Hyper-V hosts, you should use Hyper-V Manager.

Question 2

Is Site Recovery used only as a disaster recovery solution?

No. Although administrators often use Site Recovery as a disaster recovery
solution, you can also use it in several other scenarios, such as migrating
workloads to Azure, cloud bursting, DevTest, and analytics and reporting.

Question 1

How can you monitor virtual machine (VM) replication health by using
Windows PowerShell?

At a Windows PowerShell command prompt, you can run the
Get-VMReplication and Measure-VMReplication cmdlets.

Question 2

What's the difference between planned failover and failover?

You can perform planned failover when both the Hyper-V hosts at the
primary site and the recovery site are available and planned failover is
performed without any data loss. When this isn't possible—for example, if
the primary site is no longer available because of a disaster—you can
perform failover, which means unplanned failover. After failover, you'll be
able to use a replicated VM, but changes at the primary site that weren't yet
replicated will be lost.

Question 3

Is Azure Site Recovery used only as a disaster recovery solution?


No. You can use it to manage the failover of VMs and Microsoft System
Center Virtual Machine Manager (VMM) clouds, to coordinate and monitor
asynchronous replication, to continually monitor service availability, to test
the recovery, and to manage virtual network mappings between sites.

Question 4

Can you use Azure Backup to back up VMs?

Yes. It's possible to back up both on-premises and Azure VMs by using
Backup.

MODULE 08

Which security setting should not be enabled when configuring
administrative user accounts?

Logon Hours

Account is sensitive and cannot be delegated

This account supports Kerberos AES (Advanced Encryption Standard)
256-bit encryption

Do not require Kerberos preauthentication

Explanation

"Do not require Kerberos preauthentication" is the correct answer. Kerberos
preauthentication reduces the risk of replay attacks. Therefore, you should
not enable this option. All other answers are valid ways to configure
additional security for administrative user accounts.

Question 2

Which feature allows you to configure TGT (Ticket-granting tickets) lifetime
and access-control conditions for a user?

Protected Users group

Authentication policies

Authentication policy silos

NTLM blocking

Explanation

"Authentication policies" is the correct answer. Authentication policies allow
you to configure TGT lifetime and access-control conditions for a user,
service, or computer account. The AD DS (Active Directory) security group
Protected Users helps you protect highly privileged user accounts against
compromise. Authentication policy silos allow administrators to assign
authentication policies to user, computer, and service accounts. NTLM
blocking prevents the use of the NTLM authentication protocol, which is less
secure than the Kerberos authentication protocol.

Question 3

Which is not a valid way to enable Windows Defender Credential Guard on a
server?

Group policy

Adding server role

Updating the registry

Using a Windows PowerShell script

Explanation

"Adding server role" is the correct answer. You cannot enable Windows
Defender Credential Guard through a server role. However, you can enable
Windows Defender Credential Guard by using a Group Policy object, by
updating the registry on the server, or by running the Hypervisor-Protected
Code Integrity and Windows Defender Credential Guard hardware readiness
tool, which is a Windows PowerShell script.

Question 4

What are two types of problematic user accounts you should check for
regularly?

Users with passwords that do not expire

Users that have not signed in recently

Users with complex passwords

Users with few administrative permissions

Explanation

Users with passwords that do not expire or who have not signed in for an
extended period of time are both problematic accounts that you should
identify and remediate on a regular schedule. Passwords that do not expire
are considered insecure, and you should disable user accounts that
are not being used to limit a potential avenue of attack. Complex passwords
are not considered insecure, and limiting user permissions to only those
needed (the principle of least privilege) is considered a best practice.

Question 1

Which of these is a capability of LAPS (Local Administrator Password
Solution)?

Verify the local administrator password is the same on all managed
servers.

Store local administrator passwords in Microsoft Exchange.

Prevent local administrator passwords from expiring.


Ensure that local administrator passwords are unique on each
managed server.

Explanation

"Ensure local administrator passwords are unique on each managed server"
is the correct answer. LAPS doesn't verify the local administrator password is
the same on all managed servers, but it does make sure they are unique.
LAPS doesn't store local administrator passwords in Exchange; it stores them
in AD DS. Finally, LAPS doesn't prevent local administrator passwords from
expiring, but it does set an expiration date and automatically changes the
password before that date.

Question 2

When configuring a PAW (Privileged Access Workstation), which of these
should you not do?

Ensure that only authorized users can sign in to the PAW. Standard user
accounts should not be able to sign in.

Enable Windows Defender Credential Guard to help protect against
credential theft.

Ensure the PAW can access the internet.

Limit physical access to the PAW.

Explanation

"Ensure the PAW can access the internet" is the correct answer. You should
not enable PAWs to access the internet, because it's a significant source of
cyberattacks. All the other options are valid ways to secure PAWs.

Question 3

Which options are valid ways to secure a domain controller? Select all that
apply.

Ensure that domain controllers run the most recent version of the
Windows Server operating system and have current security updates.

Deploy domain controllers by using the "Server Core" installation
option.

Configure RDP (Remote Desktop Protocol) through Group Policy to limit
RDP connections to domain controllers, so they can occur only from PAWs.

Configure the perimeter firewall to block outbound connections to the
internet from domain controllers.

Explanation

All of these are valid options for securing domain controllers. In addition, you
should keep physically deployed domain controllers in dedicated, secure
racks that are separate from other servers. You should run virtualized
domain controllers either on separate virtualization hosts or as a shielded
virtual machine on a guarded fabric. You should also review CIS (Center for
Internet Security) benchmarks for Windows Server operating systems for
security guidance specific to domain controllers and use Device Guard to
control the execution of scripts and executables on the domain controller.

Question 4

What CIS hardening level maps to the security configuration baselines
included in the SCT (Microsoft Security Compliance Toolkit)?

Level 0

Level 1

Level 2

None

Explanation

"Level 1" is the correct answer. The security baselines included in the SCT
align closely to CIS Level 1 benchmark hardening guidelines.

Question 1

What security benefit does JEA (Just Enough Administration) provide?

Enables RBAC functionality for Windows PowerShell remoting

Ensures only privileged user accounts can connect remote servers

Allows remote users to perform all the same actions as a local
administrator

Prevents remote users from running any scripts on a remote server

Explanation

"RBAC functionality for Windows PowerShell remoting" is the correct answer.
JEA provides Windows Server and Windows client operating systems with
RBAC functionality built on Windows PowerShell remoting. It also allows user
accounts that are not privileged to connect to JEA endpoints and perform
administrative tasks. While JEA gives a user local administrator privileges on
a remote server, JEA endpoints limit users only to specific activities defined
by JEA. JEA endpoints can be configured to allow remote users to run some
scripts, provided they run them from within Windows PowerShell.

Question 2

What file allows you to define which commands are available from a JEA
endpoint?

Role capability file

Session configuration file

Endpoint configuration file

Session capability file

Explanation

"Role capability file" is the correct answer. Role capability files help you
specify what can be done in a Windows PowerShell session. Session
configuration files are used to register a JEA endpoint, and there are no
Endpoint configuration files or Session capability files in JEA.

Question 3

When connected to a remote Windows PowerShell session with the prefix
DNSOps, which of the following commands would provide the available
cmdlets?

Get-DNSOpsCommand

Get-Command -Noun DNSOps

Get-Command -Name DNSOps

List-Command -Name DNSOps

Explanation

"Get-DNSOpsCommand" is the correct answer. The following command will
add the prefix DNSOps to the commands available in a remote PowerShell
session: Import-PSSession -Session MySessionObject -Prefix 'DNSOps'.
"Get-Command -Noun DNSOps" would retrieve any cmdlets that have the noun
DNSOps in their name. "Get-Command -Name DNSOps" would retrieve a
cmdlet named DNSOps, which would be a non-standard cmdlet name, and
"List-Command" is not a valid PowerShell command.

Question 1

What SMB (Server Message Block) version is enabled in Windows Server
2019 by default?

SMB 3.1.1.c

SMB 3.2.2.c

SMB 1.0

SMB 1.1.2

Explanation

"SMB 3.1.1.c" is the correct answer. Windows Server 2019 supports SMB 3.x
and SMB 2.x, but SMB 2.x is not listed. The default server configuration for
Windows Server 2019 does not install support for SMB 1.x, but it is available.

Question 2

Which cmdlet would you use to create a new, encrypted SMB file share?

New-SmbShare -Name <sharename> -Path <pathname> -EncryptData $true

Set-SmbShare -Name <sharename> -EncryptData $true

Set-SmbServerConfiguration -EncryptData $true

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Explanation

"New-SmbShare -Name <sharename> -Path <pathname> -EncryptData $true"
is the correct answer. "Set-SmbShare -Name <sharename> -EncryptData $true"
encrypts an existing SMB share. "Set-SmbServerConfiguration -EncryptData
$true" encrypts all existing SMB shares on a server.
"Set-SmbServerConfiguration -EnableSMB1Protocol $false" disables
SMB 1.x support if it was previously enabled.

Question 1

What are the options for a WSUS (Windows Server Update Services)
database? Choose two:

Windows Internal Database (WID)

SQL Server

MariaDB

MySQL

Explanation

"Windows Internal Database (WID)" and "SQL Server" are both correct
answers. MySQL and MariaDB are not valid database options for the WSUS
database.

Question 2

Which is not a valid WSUS server deployment option?

Single WSUS server

Multiple WSUS servers

Disconnected WSUS servers

Autonomous WSUS servers

Explanation

"Autonomous WSUS servers" is the correct answer. "Autonomous WSUS
servers" is not a valid deployment option. Downstream WSUS servers can be
deployed in "Autonomous mode". The remaining options are all valid options
for deploying WSUS servers.

Question 3

Which are steps in the update management process? Choose three.

Assess

Identify

Classify

Deploy

Explanation

"Assess", "Identify", and "Deploy" are the correct answers. The update
management process includes the following steps: Assess, Identify, Evaluate
and Plan, and Deploy. Classify is not a step in the update management
process. However, during the Assess phase you will decide what
classification of updates you want to deploy.

Question 4

Azure Update Management is part of what Azure service?

Azure Automation

Azure Sentinel

Azure Monitor

Azure AD DS (Active Directory)

Explanation

"Azure Automation" is the correct answer. Update Management is a free
service within Azure Automation that helps you manage operating system
updates for both Windows and Linux machines, both in the cloud and
on-premises. Update Management is not included with the other services listed:

Question 1

What should an organization do before it institutes NTLM blocking?

Audit NTLM usage

Configure the Restrict NTLM: NTLM Authentication Group Policy

Enable Kerberos authentication

Explanation

Prior to blocking NTLM, you should ensure that existing applications are no
longer using the protocol. You can audit NTLM traffic by enabling policies in
the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
node. After you perform the audit and
determine there are no existing applications that use the protocol, you will
configure the Restrict NTLM: NTLM Authentication Group Policy to enable
NTLM blocking. Kerberos authentication is already enabled in Windows
Server.

Question 2

Which Windows PowerShell cmdlet do you use to configure a specific OU so
that computers within that OU can use LAPS (Local Administrator Password
Solution)?

Disable-ADAccount

Update-AdmPwdADSchema

Get-AdmPwdPassword

Set-AdmPwdComputerSelfPermission

Explanation

You use the Set-AdmPwdComputerSelfPermission cmdlet to configure a
specific OU so that computers within that OU can use LAPS. The
Get-AdmPwdPassword cmdlet retrieves a local administrator password assigned
to a computer. The Update-AdmPwdADSchema cmdlet updates the AD DS
(Active Directory) schema in preparation for using LAPS. The
Disable-ADAccount cmdlet disables user accounts in AD DS.

Question 3

Which SMB (Server Message Block) version is negotiated by Windows Server
2019 when communicating with Windows Server 2012 R2?

SMB 1.0

SMB 2.0

SMB 3.02

SMB 3.1.1

Explanation

When communicating with a Windows Server 2012 R2 server, Windows
Server 2019 (and Windows Server 2016) negotiate using SMB 3.02. Windows
Server 2019 uses SMB 3.1.1 when communicating with Windows Server
2016 or later. Windows Server 2019 uses SMB 2.0 for communicating with
operating systems prior to Windows 8. After disabling SMB 1.0, as
recommended in this course, Windows Server 2019 will not use it to
communicate with any device.

MODULE 11

Question 1

If you wanted to observe the performance of the processor in your computer
over a period, which tool would you use?

Although Task Manager and Resource Monitor provide performance
detail, you can't observe data for a long period. Performance Monitor
data collector sets would be better.

Question 2

Which port does Windows Admin Center typically use?

TCP port 6516.

Question 1

What's the purpose of creating a baseline?

You can use a baseline to compare current performance with historic
performance data.

Question 2

To use Windows Admin Center to measure server performance, you need
to measure disk performance. What must you do?

You must enable disk metrics to collect data about disk performance.

Question 1

What group memberships must you change to establish an event
subscription?

You must add the computer account of the collector computer to the local
Event Log Readers group on each of the source computers.

Question 2

On which computer must you run the wecutil qc command when
establishing an event subscription?

You run that command on the collector computer to enable the Wecsvc
service.

Question 1

What significant counters should you monitor in Performance Monitor?

You should monitor Processor\% Processor Time, System\Processor
Queue Length, Memory\Pages/sec, Physical Disk\% Disk Time, and
Physical Disk\Avg. Disk Queue Length.

Question 2

Why is it important to monitor server performance periodically?

By monitoring server performance, you can perform capacity planning,
identify and remove performance bottlenecks, and assist with server
troubleshooting.

Question 3

Why should you use performance alerts?

By using alerts, you can react more quickly to emerging performance-related
problems, perhaps before they impinge on users' productivity.
