Microsoft AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam Dumps and Practice Test Questions Set 10 Q 181-200


Question 181

You have a Windows Server 2022 domain controller named DC1. You need to ensure that all user account password changes are logged for security auditing purposes. Which audit policy should you configure?

A) Audit Account Management

B) Audit Directory Service Access

C) Audit Logon Events

D) Audit Object Access

Answer: A

Explanation:

To track password changes in Active Directory, you need to configure the appropriate audit policy that captures account modification events. The Audit Account Management policy is specifically designed to log events related to user account modifications, including password changes, account creation, deletion, and other account management activities. When this policy is enabled, Event ID 4724 is generated whenever a password reset occurs, and Event ID 4723 is logged when a user changes their own password. This makes A the correct answer for monitoring password changes.

B is incorrect because Audit Directory Service Access is used to track access to Active Directory objects and their properties. While this policy can log directory service changes, it requires additional configuration of SACLs (System Access Control Lists) on specific AD objects and generates more granular events. It’s primarily used for tracking who accesses or modifies specific directory attributes rather than general account management operations like password changes.

C is incorrect because Audit Logon Events tracks authentication attempts, both successful and failed, including interactive logons, network logons, and service logons. This policy helps monitor who is accessing systems and when, but it does not capture password modification events. It’s useful for detecting unauthorized access attempts but not for tracking account changes.

D is incorrect because Audit Object Access is used to monitor access to files, folders, registry keys, and other securable objects in the file system. This policy requires configuring SACLs on the specific objects you want to audit and is not related to Active Directory account management activities like password changes.
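The following PowerShell is an added example, not part of the original question set: it enables the subcategory behind Audit Account Management on the DC and then pulls the 4723/4724 events the explanation mentions, showing who changed or reset whose password. The 24-hour look-back window is an assumption.

```powershell
# Added example: enable the subcategory behind "Audit Account Management" and
# review the password-change events it produces. Run elevated on DC1.
# Assumption: a 24-hour look-back window, executed locally on the DC.

# "User Account Management" is the advanced-audit subcategory that emits 4723/4724.
# Auditing failure as well as success also records denied change attempts.
auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable

# Confirm the effective setting before relying on the log.
auditpol.exe /get /subcategory:"User Account Management"

function Get-PasswordChangeEvents {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24)
    )

    # 4723 = a user attempted to change their own password
    # 4724 = an account attempted to reset another account's password
    $filter = @{
        LogName   = 'Security'
        Id        = 4723, 4724
        StartTime = $Since
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The useful fields live in EventData; pull them out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            Action      = if ($_.Id -eq 4724) { 'Reset' } else { 'Change' }
            Outcome     = if ($_.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
            Actor       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Target      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        }
    }
}

# Resets (4724) are the events where Actor and Target differ; resets outside a
# change window or against privileged accounts deserve a second look.
Get-PasswordChangeEvents |
    Where-Object { $_.Action -eq 'Reset' } |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, Outcome, Actor, Target -AutoSize
```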

Question 182

You manage a hybrid Active Directory environment with Azure AD Connect. Users report that password changes made on-premises are not synchronizing to Azure AD. Which Azure AD Connect feature should you verify is enabled?

A) Password hash synchronization

B) Password writeback

C) Seamless Single Sign-On

D) Device writeback

Answer: A

Explanation:

In a hybrid Active Directory environment using Azure AD Connect, password synchronization from on-premises to Azure AD is handled by the Password Hash Synchronization feature. This feature captures password changes from the on-premises Active Directory and synchronizes the password hashes to Azure AD, typically within minutes of the change. When users change their passwords on-premises, this feature ensures that the same credentials work for cloud services. This makes A the correct answer for ensuring on-premises password changes synchronize to Azure AD.

B is incorrect because Password Writeback works in the opposite direction—it allows password changes made in Azure AD (such as self-service password reset) to be written back to the on-premises Active Directory. This feature is part of Azure AD Premium and enables cloud-initiated password changes to synchronize down to on-premises, not the scenario described in the question where on-premises changes need to flow to the cloud.

C is incorrect because Seamless Single Sign-On (SSO) is a feature that automatically signs users in when they are on their corporate devices connected to the corporate network. It eliminates the need for users to type in their passwords to sign in to Azure AD, but it doesn’t handle password synchronization between on-premises and cloud environments.

D is incorrect because Device Writeback is a feature that enables device information from Azure AD to be written back to on-premises Active Directory for conditional access scenarios. This feature is used for device-based access control and has no relationship to password synchronization between environments.

Question 183

You have a Windows Server 2022 file server with multiple shared folders. You need to implement a solution that automatically classifies files based on their content and applies appropriate permissions. Which Windows Server feature should you use?

A) File Server Resource Manager (FSRM)

B) Distributed File System (DFS)

C) Storage Replica

D) Data Deduplication

Answer: A

Explanation:

File Server Resource Manager (FSRM) is the appropriate Windows Server feature for automatically classifying files based on their content and applying management policies. FSRM includes File Classification Infrastructure (FCI), which can scan files, identify content based on patterns or properties, and automatically apply classification properties to files. These classifications can then be used to trigger file management tasks, apply encryption, set permissions, or generate reports. This automated classification capability makes A the correct answer for content-based file classification and permission application.

B is incorrect because Distributed File System (DFS) is designed for organizing shared folders across multiple servers into a logical namespace and providing redundancy through DFS Replication. While DFS improves file availability and provides location transparency, it doesn’t include content analysis or automatic classification capabilities. DFS focuses on file distribution and access rather than content-based management.

C is incorrect because Storage Replica is a disaster recovery and replication technology that enables synchronous or asynchronous replication of volumes between servers or clusters. This feature is used for creating redundant copies of data for business continuity purposes and doesn’t provide any file classification or content analysis functionality.

D is incorrect because Data Deduplication is a storage optimization technology that eliminates redundant data blocks to reduce storage consumption. While it analyzes file content to identify duplicate blocks, this analysis is solely for space savings and doesn’t classify files or apply permissions based on content types or sensitivity.

Question 184

You are configuring Windows Admin Center to manage multiple Windows Server 2022 servers. You need to ensure that all communications between Windows Admin Center and managed servers are encrypted. Which port should you configure for HTTPS communication?

A) 443

B) 5985

C) 5986

D) 3389

Answer: C

Explanation:

Windows Admin Center uses Windows PowerShell remoting over WinRM (Windows Remote Management) to communicate with managed servers. When secure, encrypted communication is required, WinRM over HTTPS uses port 5986 by default. This port provides SSL/TLS encryption for all management traffic between Windows Admin Center and the target servers, ensuring that administrative commands and data transmission are protected from eavesdropping or tampering. This makes C the correct answer for encrypted Windows Admin Center communications.

A is incorrect because, although port 443 is the standard HTTPS port used by browsers and most web applications, and the Windows Admin Center gateway itself may listen on port 443 for user browser connections, the backend communication from the gateway to managed Windows Servers uses WinRM over HTTPS on port 5986, not standard HTTPS on port 443.

B is incorrect because port 5985 is the default port for WinRM over HTTP (unencrypted). While this port can be used for Windows Admin Center communication in trusted network environments, it does not provide encryption. The question specifically requires encrypted communications, which necessitates using the HTTPS variant rather than the HTTP version.

D is incorrect because port 3389 is the default port for Remote Desktop Protocol (RDP), which is used for interactive desktop sessions. While RDP connections can be encrypted, this protocol and port are not used by Windows Admin Center for server management. Windows Admin Center relies on WinRM for its remote management capabilities.
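As an added example (not from the original question set), the PowerShell below creates the WinRM HTTPS listener on a managed server and then verifies port 5986 from the gateway. It assumes a server-authentication certificate for the host's FQDN is already in LocalMachine\My and that the server is SRV1.contoso.com (placeholder name).

```powershell
# Added example: put WinRM on HTTPS (TCP 5986) on a managed server and verify it
# from the Windows Admin Center gateway. Assumptions: a server-authentication
# certificate whose subject matches the host FQDN is installed in LocalMachine\My,
# and the managed server is SRV1.contoso.com (placeholder).

# --- On the managed server (run elevated) ---
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Pick a valid server-auth certificate issued to this host; stop if there is none
# rather than silently staying on the unencrypted HTTP listener.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "CN=$fqdn*" -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication'
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid server-authentication certificate for $fqdn" }

# Create the HTTPS listener bound to that certificate; WinRM uses 5986 by default.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
         -HostName $fqdn -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null

# Open 5986 on the domain profile only; 5985 (HTTP) stays closed at the host firewall.
New-NetFirewallRule -DisplayName 'WinRM over HTTPS (5986)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain | Out-Null

# Show what is listening: expect an HTTPS entry on 5986 with the thumbprint above.
winrm.cmd enumerate winrm/config/listener

# --- From the gateway ---
# TCP reachability of 5986, then a WS-Man identify over TLS. Test-WSMan fails when
# the certificate does not chain to a trusted CA or does not match the name used.
Test-NetConnection -ComputerName SRV1.contoso.com -Port 5986
Test-WSMan -ComputerName SRV1.contoso.com -UseSSL
```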

Question 185

You have a Windows Server 2022 Hyper-V host with multiple virtual machines. You need to ensure that a specific VM can access physical GPU resources for graphics-intensive applications. Which feature should you configure?

A) Discrete Device Assignment (DDA)

B) RemoteFX vGPU

C) Enhanced Session Mode

D) Virtual Machine Queue (VMQ)

Answer: A

Explanation:

Discrete Device Assignment (DDA) is the technology in Windows Server 2022 Hyper-V that allows you to assign physical PCIe devices, including GPUs, directly to virtual machines. DDA provides the VM with direct, exclusive access to the physical hardware, bypassing the Hyper-V virtualization layer for that device. This results in near-native performance for graphics-intensive applications, making it ideal for scenarios requiring GPU acceleration such as CAD applications, video rendering, or machine learning workloads. This makes A the correct answer for providing physical GPU access to VMs.

B is incorrect because RemoteFX vGPU was a virtualization technology that allowed multiple VMs to share a physical GPU, but it has been deprecated and removed from Windows Server 2022. Microsoft discontinued RemoteFX due to security vulnerabilities and now recommends Discrete Device Assignment as the replacement technology for GPU virtualization scenarios.

C is incorrect because Enhanced Session Mode is a Hyper-V feature that improves the user experience when connecting to VMs through VMConnect by enabling clipboard sharing, drive redirection, and better display resolution handling. While it enhances the remote desktop experience, it doesn’t provide direct access to physical GPU hardware for graphics-intensive applications.

D is incorrect because Virtual Machine Queue (VMQ) is a network optimization technology that improves network throughput by allowing network adapters to deliver packets directly to VMs, reducing CPU overhead for network processing. VMQ is related to network performance optimization and has no connection to GPU resources or graphics processing capabilities.

Question 186

You need to implement a storage solution on Windows Server 2022 that provides fault tolerance and can survive the loss of two disks simultaneously. The solution should optimize storage efficiency. Which Storage Spaces configuration should you use?

A) Three-way mirror

B) Two-way mirror

C) Simple space

D) Parity space

Answer: A

Explanation:

Storage Spaces in Windows Server 2022 offers several resiliency types for protecting data against disk failures. A three-way mirror maintains three complete copies of your data across different physical disks, which means the system can tolerate the simultaneous failure of two disks while maintaining data availability and integrity. Each piece of data is written to three separate locations, ensuring redundancy and high performance for both reads and writes. This makes A the correct answer for surviving two simultaneous disk failures while maintaining data protection.

B is incorrect because a two-way mirror maintains only two copies of data across different physical disks. While this provides redundancy and can survive a single disk failure with no data loss, it cannot tolerate two simultaneous disk failures. If two disks fail in a two-way mirror configuration, data loss will occur, making it insufficient for the requirement specified in the question.

C is incorrect because a simple space provides no fault tolerance or redundancy whatsoever. Data is striped across available disks for maximum capacity utilization and performance, but there’s no data protection. If any single disk fails in a simple space configuration, all data in that storage space is lost, making it completely unsuitable for scenarios requiring fault tolerance.

D is incorrect because while parity spaces provide fault tolerance through distributed parity information similar to RAID 5 or RAID 6, a single-parity space can only survive one disk failure. Dual-parity spaces can survive two disk failures but require significantly more disks and have lower write performance compared to three-way mirrors, and the question specifically asks about optimizing efficiency alongside fault tolerance.

Question 187

You are configuring Active Directory Certificate Services (AD CS) on Windows Server 2022. You need to ensure that the certificate revocation list (CRL) is accessible to clients over HTTP. Which AD CS component should you configure?

A) CRL Distribution Point (CDP)

B) Authority Information Access (AIA)

C) Online Responder

D) Network Device Enrollment Service (NDES)

Answer: A

Explanation:

The CRL Distribution Point (CDP) is the AD CS component that specifies where certificate revocation lists are published and how clients can retrieve them. When configuring a Certificate Authority, you must configure CDP locations to include HTTP URLs so that clients can download and verify current CRLs to check if certificates have been revoked. The CDP extension is included in every issued certificate, pointing clients to the location where they can retrieve the CRL for revocation checking. This makes A the correct answer for making CRLs accessible over HTTP.

B is incorrect because Authority Information Access (AIA) extension points to the location of the issuing CA’s certificate, not the CRL. The AIA helps clients build a complete certificate chain by providing access to parent CA certificates. While both CDP and AIA are important certificate extensions published via HTTP, AIA specifically handles CA certificate retrieval rather than revocation information.

C is incorrect because an Online Responder provides real-time certificate status information using the Online Certificate Status Protocol (OCSP) rather than distributing CRLs. While OCSP is an alternative to CRL-based revocation checking and can be more efficient, the question specifically asks about making the CRL accessible, not implementing OCSP-based revocation checking.

D is incorrect because Network Device Enrollment Service (NDES) is an AD CS role service that implements the Simple Certificate Enrollment Protocol (SCEP), allowing network devices like routers and mobile devices to obtain certificates. NDES handles certificate enrollment for non-domain devices and has no relationship to CRL distribution or revocation checking functionality.
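The PowerShell below is an added example (not from the original question set) that adds an HTTP CDP entry to the CA, republishes the CRL and checks the result. It assumes the ADCSAdministration module on the CA server, a placeholder web host pki.contoso.com that serves the CertEnroll folder, and a placeholder CA name CONTOSO-CA.

```powershell
# Added example: publish the CRL to an HTTP location and have issued certificates
# point at it through the CDP extension. Assumptions: run on the CA server;
# pki.contoso.com is a placeholder web server that serves the CertEnroll folder
# over plain HTTP (CRLs are signed, so HTTP is the standard transport);
# CONTOSO-CA is a placeholder CA common name used only for the final check.
Import-Module ADCSAdministration

# Tokens the CA expands: <CaName> = CA common name, <CRLNameSuffix> = key-index
# suffix added after CA renewals, <DeltaCRLAllowed> = "+" for delta CRLs.
$httpCdp = 'http://pki.contoso.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl'

# Replace the default http://<ServerDNSName> entry so clients are not sent to a
# host name that may not be reachable from outside the domain.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -like 'http://*' -and $_.Uri -ne $httpCdp } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

# -AddToCertificateCdp puts the URL in the CDP extension of every new certificate;
# -AddToFreshestCrl advertises the delta CRL location inside the base CRL.
Add-CACrlDistributionPoint -Uri $httpCdp -AddToCertificateCdp -AddToFreshestCrl -Force

# AIA is the other extension (answer B): it points at the CA certificate, not the CRL.
Add-CAAuthorityInformationAccess -AddToCertificateAia -Force `
    -Uri 'http://pki.contoso.com/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt'

# Extension changes apply after a service restart; then publish a fresh CRL so the
# file exists at the new location before any certificate references it.
Restart-Service CertSvc
certutil.exe -crl

# Verification: the CRL must be downloadable over HTTP and still within its validity.
$crlUrl  = $httpCdp -replace '<CaName>', 'CONTOSO-CA' -replace '<CRLNameSuffix>', '' -replace '<DeltaCRLAllowed>', ''
$crlFile = Join-Path $env:TEMP 'ca.crl'
Invoke-WebRequest -Uri $crlUrl -OutFile $crlFile -UseBasicParsing
certutil.exe -dump $crlFile | Select-String -Pattern 'NextUpdate', 'CRL Number'
```

Certificates issued before the change keep their old CDP URL, so leave the previous location reachable until they have expired or been reissued.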

Question 188

You have a Windows Server 2022 domain controller. You need to configure the server to forward security event logs to a central log collection server. Which feature should you implement?

A) Event Subscriptions

B) Event Viewer

C) Performance Monitor

D) Task Scheduler

Answer: A

Explanation:

Event Subscriptions, also known as Windows Event Forwarding (WEF), is the built-in Windows feature designed to collect events from multiple computers and forward them to a central collector server. This feature allows you to configure source-initiated or collector-initiated subscriptions to gather security logs and other event types from domain controllers and other servers into a centralized location for analysis, compliance, and monitoring. Event Subscriptions uses the Windows Remote Management (WinRM) protocol and can filter events based on specific criteria before forwarding. This makes A the correct answer for centralized log forwarding.

B is incorrect because Event Viewer is a Microsoft Management Console (MMC) snap-in used to view and analyze event logs on local or remote computers. While Event Viewer allows you to manually connect to remote computers to view their logs, it doesn’t provide automated forwarding or centralized collection capabilities. It’s a viewing and analysis tool rather than a log forwarding solution.

C is incorrect because Performance Monitor is a tool used to collect and analyze performance data such as CPU usage, memory consumption, disk I/O, and network statistics. While Performance Monitor can collect data from multiple computers using Data Collector Sets, it focuses on performance metrics rather than event log forwarding and doesn’t handle security event logs.

D is incorrect because Task Scheduler is used to automate the execution of scripts and programs based on triggers such as time, system events, or user logon. While you could theoretically create custom scripts using Task Scheduler to export and transfer logs, this would be a manual workaround rather than the built-in, supported solution for event log forwarding.
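As an added example (not part of the original question set), the PowerShell below sets up a source-initiated Event Subscription that forwards the account-management events from every domain controller to a collector. The collector name WEC1.contoso.com is a placeholder, and the source side is assumed to be configured through the Group Policy setting named in the comments.

```powershell
# Added example: source-initiated Windows Event Forwarding subscription that collects
# account-management events (including 4723/4724) from all domain controllers into the
# collector's ForwardedEvents log. Assumptions: collector is WEC1.contoso.com
# (placeholder); sources are pointed at it via Group Policy as noted below.

# --- On the collector (elevated) ---
# Configure and start the Windows Event Collector service.
wecutil.exe qc /q

$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>DC-AccountManagement</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Account management events from domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <!-- 4720 created, 4722 enabled, 4723 password change, 4724 password reset,
             4725 disabled, 4726 deleted, 4738 changed, 4740 locked out -->
        <Select Path="Security">*[System[(EventID=4720 or EventID=4722 or EventID=4723 or EventID=4724 or EventID=4725 or EventID=4726 or EventID=4738 or EventID=4740)]]</Select>
      </Query>
    </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers/>
  <!-- SDDL: only members of Domain Controllers (well-known SID string DD) may forward. -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
</Subscription>
'@

$path = Join-Path $env:TEMP 'dc-account-mgmt.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8
wecutil.exe cs $path

# --- On each source DC (normally via GPO) ---
# Computer Configuration > Policies > Administrative Templates > Windows Components >
# Event Forwarding > Configure target Subscription Manager:
#   Server=http://WEC1.contoso.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
# (HTTP here is Kerberos-authenticated and message-encrypted by WinRM.)
# The forwarder runs as NETWORK SERVICE, which cannot read the Security log by default.
# Append a read ACE for it (NS) to the channel's default SDDL; this is the step most
# often missed when a subscription shows active sources but no events arrive.
wevtutil.exe sl Security /ca:"O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;NS)"

# --- Verification on the collector ---
# Lists each source computer with its last heartbeat for the subscription.
wecutil.exe gr DC-AccountManagement
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
    Select-Object TimeCreated, MachineName, Id, Message
```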

Question 189

You are implementing Windows Server Update Services (WSUS) on Windows Server 2022. You need to configure WSUS to automatically approve critical and security updates for production servers. Which WSUS feature should you configure?

A) Automatic Approvals

B) Synchronization Schedule

C) Computer Groups

D) Update Classifications

Answer: A

Explanation:

Automatic Approvals in WSUS is the feature that allows administrators to create rules that automatically approve specific types of updates for designated computer groups. You can configure automatic approval rules based on update classification (such as Critical Updates or Security Updates), product categories, and target computer groups. When new updates matching the criteria are synchronized to the WSUS server, they are automatically approved for installation on the specified computers without manual intervention. This makes A the correct answer for automatically approving critical and security updates for production servers.

B is incorrect because Synchronization Schedule determines when the WSUS server connects to Microsoft Update (or an upstream WSUS server) to download new update metadata and files. While synchronization is necessary to obtain updates, it doesn’t handle the approval process. Synchronization simply retrieves available updates; administrators must still approve them (manually or automatically) before client computers can install them.

C is incorrect because Computer Groups are organizational containers in WSUS used to logically group computers for targeted update deployment. While computer groups are essential for organizing your infrastructure and are used in conjunction with automatic approval rules, creating computer groups alone doesn’t enable automatic approval. They provide the targeting mechanism but not the approval automation itself.

D is incorrect because Update Classifications are categories that define the type of updates, such as Critical Updates, Security Updates, Definition Updates, Feature Packs, and Service Packs. While you select update classifications during WSUS configuration and in automatic approval rules, classifications themselves don’t provide the automation—they’re simply criteria used by the Automatic Approvals feature to determine which updates to approve.

Question 190

You have a Windows Server 2022 server running the DHCP role. You need to configure the DHCP server to assign specific IP addresses to devices based on their MAC addresses. Which DHCP feature should you configure?

A) Reservations

B) Exclusions

C) Scope Options

D) Policies

Answer: A

Explanation:

DHCP Reservations allow you to map specific IP addresses to devices based on their MAC (Media Access Control) addresses. When you create a reservation, you associate a particular IP address within your DHCP scope with a client’s unique MAC address. Whenever that device requests an IP address from the DHCP server, it will always receive the same reserved IP address. This is useful for servers, printers, network devices, or any equipment that needs a consistent IP address while still being managed through DHCP. This makes A the correct answer for assigning specific IP addresses based on MAC addresses.

B is incorrect because Exclusions define ranges of IP addresses within a DHCP scope that should not be assigned to any clients. Exclusions are typically used to prevent the DHCP server from assigning addresses that are already statically configured on other devices or reserved for specific purposes. While exclusions control which addresses aren’t distributed, they don’t provide the ability to assign specific addresses to particular devices.

C is incorrect because Scope Options configure additional network parameters that the DHCP server provides to clients along with IP addresses, such as default gateway, DNS servers, domain name, WINS servers, and other network configuration settings. Scope options apply to all clients receiving addresses from that scope and don’t provide device-specific IP address assignment based on MAC addresses.

D is incorrect because DHCP Policies allow you to create conditional rules for assigning IP addresses and options based on criteria such as vendor class, user class, MAC address prefix, or client identifier. While policies provide flexibility and can be used for more complex scenarios, they’re typically used for assigning addresses from different ranges or applying different options rather than guaranteeing a specific single IP address to a device like reservations do.

Question 191

You manage a Windows Server 2022 failover cluster. You need to ensure that cluster nodes can communicate even if the primary network fails. Which feature should you configure?

A) Network redundancy with multiple networks

B) Network Load Balancing

C) NIC Teaming

D) Virtual Machine Queue

Answer: A

Explanation:

In Windows Server failover clustering, configuring network redundancy with multiple networks is the proper approach to ensure continuous cluster communication if the primary network fails. Failover clusters support multiple networks for different types of traffic, including cluster heartbeat communication, client access, and live migration. By configuring multiple networks and properly setting their roles and priorities, you ensure that if one network path fails, cluster nodes can maintain communication through alternative network paths. The cluster automatically detects network failures and redirects traffic to available networks. This makes A the correct answer for maintaining cluster communication during network failures.

B is incorrect because Network Load Balancing (NLB) is a separate Windows Server feature used to distribute incoming network traffic across multiple servers for applications like web servers. NLB provides high availability and scalability for stateless applications but is not related to cluster node communication or failover cluster infrastructure. NLB and failover clustering serve different purposes and cannot be used together on the same network adapters.

C is incorrect because NIC Teaming combines multiple physical network adapters into a single logical adapter for bandwidth aggregation and failover at the individual server level. While NIC teaming provides redundancy for a single server’s network connection, it doesn’t address the failover cluster requirement for multiple distinct networks that the cluster service can manage independently. Cluster network redundancy operates at a different level than NIC teaming.

D is incorrect because Virtual Machine Queue (VMQ) is a network adapter hardware feature that improves network performance for virtual machines by allowing network adapters to use direct memory access (DMA) to transfer network traffic directly to virtual machines. VMQ is a performance optimization technology and has no relationship to network redundancy or cluster communication reliability.

Question 192

You are configuring Azure Arc-enabled servers to manage on-premises Windows Server 2022 machines. You need to ensure that servers can send monitoring data and receive management commands from Azure. Which component must be installed on each server?

A) Connected Machine agent

B) Log Analytics agent

C) Azure AD Connect

D) Azure File Sync agent

Answer: A

Explanation:

The Connected Machine agent is the essential component required to onboard on-premises or multi-cloud servers to Azure Arc. This agent establishes a secure connection between the physical or virtual server and Azure, enabling Azure management capabilities for servers outside of Azure. Once installed, the agent registers the server as an Azure Arc-enabled server resource in Azure, allowing you to use Azure services like Azure Policy, Azure Monitor, Azure Update Management, and other Azure management tools. This makes A the correct answer for enabling Azure Arc functionality on servers.

B is incorrect because while the Log Analytics agent (also called Microsoft Monitoring Agent or MMA) can be used to collect monitoring data and send it to Azure Monitor or Log Analytics workspaces, it is not the core component required for Azure Arc enablement. The Log Analytics agent is often deployed after the Connected Machine agent is installed, as a separate monitoring solution, but it doesn’t provide the fundamental Azure Arc connectivity and management capabilities.

C is incorrect because Azure AD Connect is used to synchronize on-premises Active Directory identities with Azure Active Directory for hybrid identity scenarios. It handles user, group, and device synchronization between on-premises AD and Azure AD, enabling single sign-on and unified identity management. Azure AD Connect is unrelated to server management through Azure Arc and serves a completely different purpose.

D is incorrect because Azure File Sync agent is specifically designed to synchronize on-premises Windows Server file servers with Azure Files, enabling cloud tiering and multi-site file sharing scenarios. While this agent connects on-premises servers to Azure for file synchronization purposes, it doesn’t provide the broader management capabilities or infrastructure required for Azure Arc-enabled servers.

Question 193

You have a Windows Server 2022 file server with Distributed File System (DFS) Replication configured. You need to view a report showing files that have conflicts between replicated folders. Which tool should you use?

A) DFS Management console

B) File Server Resource Manager

C) Event Viewer

D) Performance Monitor

Answer: A

Explanation:

The DFS Management console is the primary administrative tool for managing and monitoring Distributed File System Namespaces and DFS Replication. This console provides comprehensive reporting capabilities specifically designed for DFS Replication, including the ability to generate health reports, propagation reports, and conflict and deleted reports. The conflict report shows files that have replication conflicts, which occur when the same file is modified on multiple servers before replication can occur. The DFS Management console provides detailed information about these conflicts and their resolution. This makes A the correct answer for viewing DFS replication conflict reports.

B is incorrect because File Server Resource Manager (FSRM) is designed for quota management, file screening, storage reports, and file classification on file servers. While FSRM generates various storage-related reports such as duplicate files, large files, and file screening audits, it doesn’t have visibility into DFS Replication status or conflicts. FSRM operates at the file system level without awareness of replication topology.

C is incorrect because while Event Viewer logs DFS Replication events and errors in the DFS Replication event log, it doesn’t provide consolidated reports showing all conflicted files across the replication topology. Event Viewer shows individual events as they occur but requires manual analysis to identify patterns. The DFS Management console provides purpose-built reporting that aggregates and presents conflict information more effectively.

D is incorrect because Performance Monitor collects and displays real-time or historical performance metrics such as CPU usage, memory consumption, disk activity, and network throughput. While DFS Replication has performance counters that can be monitored, Performance Monitor doesn’t provide file-level conflict reports or information about which specific files have replication conflicts.

Question 194

You are implementing Just Enough Administration (JEA) on Windows Server 2022. You need to create a configuration that allows help desk staff to restart specific services but prevents them from accessing other administrative functions. What should you create?

A) Role capability file and session configuration file

B) Group Policy Object

C) Security group and NTFS permissions

D) Restricted Groups policy

Answer: A

Explanation:

Just Enough Administration (JEA) is implemented through two key components: role capability files and session configuration files. Role capability files (.psrc) define what commands, functions, and scripts specific users or groups can execute within a JEA endpoint. Session configuration files (.pssc) define who can connect to the JEA endpoint and which role capabilities they receive. Together, these files create a restricted PowerShell environment where help desk staff can perform only the specific tasks defined in their role capabilities, such as restarting designated services, without gaining broader administrative access. This makes A the correct answer for implementing granular administrative delegation through JEA.

B is incorrect because while Group Policy Objects (GPOs) can configure many Windows settings and security policies across an Active Directory environment, they don’t provide the granular, command-level access control that JEA offers. GPOs might be used to deploy JEA configurations or restrict PowerShell in general ways, but they cannot create the fine-grained, task-specific administrative delegations that JEA role capabilities provide.

C is incorrect because security groups combined with NTFS permissions control access to files, folders, and other file system resources. While security groups are used to determine who can connect to JEA endpoints, NTFS permissions alone cannot restrict which PowerShell commands users can execute. This traditional approach doesn’t provide the administrative task delegation that JEA delivers through its role-based access model.

D is incorrect because Restricted Groups policy is a Group Policy feature used to control the membership of security-sensitive groups like Administrators, Backup Operators, or other privileged groups. While this helps manage who belongs to powerful groups, it doesn’t provide task-specific delegation or limit what actions those group members can perform. Restricted Groups is about group membership management, not granular command-level access control.
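The PowerShell below is an added example (not from the original question set) of exactly the two files the answer describes: a role capability that exposes Restart-Service for two named services only, and a session configuration that maps a help-desk group to it. The group CONTOSO\HelpDesk, the module name HelpDeskJEA, the service names and the transcript path are assumptions.

```powershell
# Added example: a JEA endpoint that lets help-desk staff restart only the Print
# Spooler and Windows Time services. Assumptions: help-desk AD group is CONTOSO\HelpDesk
# (placeholder), module name HelpDeskJEA, transcripts written to C:\JEATranscripts.
# Role capability files are found by name, so they must sit in a RoleCapabilities
# folder inside a module on the PSModulePath.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpDeskJEA'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'HelpDeskJEA.psd1') -ModuleVersion '1.0.0'

# 1. Role capability (.psrc): WHAT the role may do.
#    Restart-Service is exposed with -Name restricted to two values; the JEA proxy
#    rejects any other parameter or service name before the real cmdlet runs.
$rcParams = @{
    Path           = Join-Path $rcDir 'ServiceRestart.psrc'
    Description    = 'Restart Spooler and W32Time only'
    VisibleCmdlets = @(
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } },
        @{ Name = 'Get-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
    )
}
New-PSRoleCapabilityFile @rcParams

# 2. Session configuration (.pssc): WHO may connect and as what identity.
#    RestrictedRemoteServer strips the session down to a few core cmdlets plus the
#    role's capabilities; the virtual account is a local admin inside the session
#    only, so help-desk users never hold admin credentials on the host themselves.
$sccPath = Join-Path $env:TEMP 'HelpDesk.pssc'
New-PSSessionConfigurationFile -Path $sccPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'ServiceRestart' } }

# Validate before registering; a malformed file registers an endpoint nobody can use.
if (-not (Test-PSSessionConfigurationFile -Path $sccPath)) { throw 'Invalid .pssc file' }

# 3. Register the endpoint. Users connect with Enter-PSSession -ConfigurationName HelpDesk.
Register-PSSessionConfiguration -Name 'HelpDesk' -Path $sccPath -Force | Out-Null

# 4. Check the result from a HelpDesk member's context: only the allowed commands are
#    listed, Spooler restarts, and Restart-Service -Name WinRM fails validation.
$s = New-PSSession -ComputerName localhost -ConfigurationName 'HelpDesk'
Invoke-Command -Session $s { Get-Command -CommandType Cmdlet, Function | Select-Object -ExpandProperty Name }
Invoke-Command -Session $s { Restart-Service -Name Spooler; Get-Service -Name Spooler }
Remove-PSSession $s
```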

Question 195

You have a Windows Server 2022 web server running IIS. You need to configure the server to automatically redirect HTTP traffic to HTTPS. Which IIS feature should you configure?

A) URL Rewrite

B) Request Filtering

C) IP and Domain Restrictions

D) Authentication

Answer: A

Explanation:

URL Rewrite is an IIS extension that provides rule-based URL manipulation capabilities, including the ability to redirect traffic based on various conditions. To redirect HTTP traffic to HTTPS, you create a URL Rewrite rule that matches incoming HTTP requests and redirects them to the HTTPS equivalent using a 301 (permanent) or 302 (temporary) redirect response. This rule automatically intercepts HTTP requests on port 80 and redirects clients to port 443 using HTTPS, ensuring all traffic uses encrypted connections. This makes A the correct answer for implementing HTTP to HTTPS redirection in IIS.

B is incorrect because Request Filtering is a security feature in IIS that blocks potentially malicious requests based on criteria such as URL length, query string length, specific file extensions, or HTTP verbs. Request Filtering helps protect web applications from various attacks by rejecting requests that don’t meet security requirements, but it doesn’t provide redirection capabilities. It blocks or allows requests rather than redirecting them to different URLs or protocols.

C is incorrect because IP and Domain Restrictions is an IIS security feature that controls which clients can access web content based on their IP addresses or domain names. This feature allows you to create allow lists or deny lists to restrict access from specific sources, enhancing security by limiting who can reach your web applications. However, it doesn’t handle protocol redirection from HTTP to HTTPS.

D is incorrect because Authentication features in IIS determine how users prove their identity when accessing web content, including options like Anonymous Authentication, Windows Authentication, Forms Authentication, and others. While authentication is important for security and can be combined with HTTPS requirements, the authentication settings themselves don’t redirect HTTP traffic to HTTPS; they only verify user credentials.

Question 196

You manage a Windows Server 2022 environment with multiple servers. You need to implement a solution that automatically deploys security baselines and configuration settings to all servers. Which tool should you use?

A) Group Policy

B) Windows Admin Center

C) Server Manager

D) PowerShell Direct

Answer: A

Explanation:

Group Policy is the native Active Directory feature for centrally managing and enforcing configuration settings, security policies, and administrative templates across domain-joined computers and servers. Group Policy Objects (GPOs) can deploy security baselines such as those published by Microsoft (shipped in the Security Compliance Toolkit as GPO backups that are imported with the Group Policy Management Console or Import-GPO) or by CIS (Center for Internet Security), configure security settings, install software, manage Windows features, and enforce compliance requirements. GPOs apply to the computers in their scope at startup and on the background refresh cycle (by default every 90 minutes with a random offset of up to 30 minutes on member servers), so drift is corrected without an administrator touching each server. This makes A the correct answer for automated, organization-wide security baseline deployment.
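The import, link and verification steps from the explanation above, as an added PowerShell example that is not code from the original page. The backup folder C:\Baselines\Windows Server 2022\GPOs, the GPO backup name (which follows the Security Compliance Toolkit naming pattern but should be checked against the downloaded toolkit), the OU, and the server SRV1 are assumptions.

```powershell
# Added example (not from the original page). Imports a Security Compliance Toolkit
# baseline GPO backup, links it to a server OU, forces a refresh on one server and
# confirms the GPO applied and that one representative setting landed. Folder,
# backup name, OU and computer name are assumptions.
Import-Module GroupPolicy

$BackupPath  = 'C:\Baselines\Windows Server 2022\GPOs'
$BaselineGpo = 'MSFT Windows Server 2022 - Member Server'   # assumed; verify against the toolkit's backup names
$TargetOu    = 'OU=Servers,DC=contoso,DC=com'

# 1. Import the backup into a GPO of the same name, creating it if necessary.
$gpo = Import-GPO -BackupGpoName $BaselineGpo -Path $BackupPath -TargetName $BaselineGpo -CreateIfNeeded

# 2. Link it to the OU. Enforced so that a child OU's Block Inheritance cannot drop the baseline.
New-GPLink -Name $gpo.DisplayName -Target $TargetOu -LinkEnabled Yes -Enforced Yes | Out-Null

# 3. Verify on a target: the GPO must appear in the computer's resultant set of policy,
#    and a setting the baseline enforces ('Microsoft network server: Digitally sign
#    communications (always)') must be present in the registry.
function Test-BaselineApplied {
    param([string]$ComputerName, [string]$GpoName)
    $rsopFile = Join-Path $env:TEMP "$ComputerName-rsop.xml"
    Get-GPResultantSetOfPolicy -Computer $ComputerName -ReportType Xml -Path $rsopFile | Out-Null
    $rsop    = [xml](Get-Content -Path $rsopFile)
    $applied = @($rsop.Rsop.ComputerResults.GPO | Where-Object { $_.Name -eq $GpoName }).Count -gt 0
    $signing = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters').RequireSecuritySignature
    }
    [pscustomobject]@{
        Computer           = $ComputerName
        GpoInRsop          = $applied
        SmbSigningRequired = ($signing -eq 1)
    }
}

Invoke-GPUpdate -Computer 'SRV1' -Force -RandomDelayInMinutes 0
Test-BaselineApplied -ComputerName 'SRV1' -GpoName $BaselineGpo
```

Checking a setting on the box, not just the GPO link, is what catches the common failures: a WMI filter or security filtering that excludes the server, a conflicting GPO with higher precedence, or a local setting that the baseline does not actually cover.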

B is incorrect because Windows Admin Center is a browser-based management tool that provides a centralized interface for managing Windows Servers, including monitoring, configuration, and troubleshooting. While Windows Admin Center can manage individual servers or clusters and provides useful administrative functions, it is an interactive console rather than a policy engine: it does not continuously enforce a configuration on every server in scope the way Group Policy does.

C is incorrect because Server Manager is a management console built into Windows Server for managing local and remote servers, installing roles and features, and monitoring server status. While Server Manager can configure individual servers or small groups of servers, it doesn’t provide automated, continuous policy enforcement or baseline deployment capabilities. It’s primarily an interactive management tool rather than an automated configuration management system.

D is incorrect because PowerShell Direct is a feature that allows you to run PowerShell commands inside Hyper-V virtual machines from the host without network connectivity. It’s useful for configuring VMs when network isn’t available or for secure VM management, but it’s specifically for Hyper-V VM scenarios and doesn’t provide organization-wide automated configuration management or security baseline deployment capabilities.

Question 197

You have a Windows Server 2022 DNS server. You need to configure the DNS server to forward queries for external domains to your ISP’s DNS servers while handling internal domain queries locally. Which DNS feature should you configure?

A) Conditional forwarders

B) Zone transfers

C) Root hints

D) Stub zones

Answer: A

Explanation:

Forwarders tell a DNS server where to send queries it cannot answer from its own zones instead of resolving them itself from the root. Conditional forwarders do this per domain name: queries for a named domain go to the servers you list for it, while the server-level forwarders setting catches every other non-authoritative query. In this scenario you point the server-level forwarders (or, for specific external domains, conditional forwarders) at your ISP's DNS servers, while the server continues to answer authoritatively for its internal zones, which are never forwarded. Among the options listed, conditional forwarders is the only forwarding mechanism, which makes A the intended answer. Two practical points: a conditional forwarder for a domain takes precedence over the server-level forwarders for that domain, and when forwarders are configured the server will still fall back to root hints if they fail unless you disable that behaviour.
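The configuration described above, plus a check that each kind of name resolves by the path you expect, as an added PowerShell example that is not code from the original page. The ISP resolver and partner DNS addresses (taken from the documentation ranges), the zone names and the test names are assumptions.

```powershell
# Added example (not from the original page). Configures server-level forwarders for
# all non-local names, a conditional forwarder for one partner domain, and then shows
# which path each test name takes. Addresses and zone names are assumptions.
Import-Module DnsServer

$IspForwarders = '203.0.113.53', '203.0.113.54'   # assumed ISP resolvers
$PartnerZone   = 'partner.example'                # assumed partner domain
$PartnerDns    = '198.51.100.53'                  # assumed partner DNS server

# 1. Everything this server is not authoritative for goes to the ISP resolvers.
#    UseRootHint $false stops the server from quietly switching to full recursion
#    against the root when the ISP resolvers are down: fail closed, visibly.
Set-DnsServerForwarder -IPAddress $IspForwarders -UseRootHint $false -Timeout 3

# 2. A conditional forwarder applies to one domain only and wins over the
#    server-level forwarders for that domain.
Add-DnsServerConditionalForwarderZone -Name $PartnerZone -MasterServers $PartnerDns -ReplicationScope Forest

# 3. Show the resulting configuration.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout
Get-DnsServerZone -Name $PartnerZone | Select-Object ZoneName, ZoneType, MasterServers

# 4. For each name: does it resolve, and which path does this server use for it?
function Test-ResolutionPath {
    param([string]$Name)
    $answer = Resolve-DnsName -Name $Name -Server '127.0.0.1' -Type A -ErrorAction SilentlyContinue
    # Longest matching zone suffix decides the path (a zone for partner.example
    # must beat a hypothetical zone for example).
    $zone = Get-DnsServerZone |
        Where-Object { $Name -eq $_.ZoneName -or $Name -like "*.$($_.ZoneName)" } |
        Sort-Object { $_.ZoneName.Length } -Descending |
        Select-Object -First 1
    $path = if (-not $zone) { 'server-level forwarders' }
            elseif ($zone.ZoneType -eq 'Forwarder') { "conditional forwarder -> $($zone.MasterServers -join ', ')" }
            else { "local zone $($zone.ZoneName)" }
    [pscustomobject]@{ Name = $Name; Resolved = [bool]$answer; Path = $path }
}

'dc1.corp.contoso.com', 'www.partner.example', 'www.microsoft.com' |
    ForEach-Object { Test-ResolutionPath -Name $_ }
```

If the internal zone name is also registered publicly (split-brain DNS), make sure the internal zone exists on every internal resolver; a server without it will forward those queries to the ISP and hand back public addresses for internal hosts.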

B is incorrect because zone transfers are the mechanism by which DNS zone data is replicated between DNS servers, typically from primary to secondary zones. Zone transfers ensure that multiple DNS servers have consistent copies of zone information for redundancy and load distribution. While zone transfers are important for DNS infrastructure, they don’t handle query forwarding or determine where DNS queries are sent for resolution.

C is incorrect because root hints are a list of DNS servers that host the root zone of the DNS namespace (the “.” zone). Root hints are used when a DNS server needs to perform recursive resolution by starting at the root servers and working down through the DNS hierarchy. While root hints enable your DNS server to resolve external queries independently, they don’t provide the optimized forwarding to ISP DNS servers as specified in the question.

D is incorrect because stub zones contain only the necessary resource records to identify the authoritative DNS servers for a specific zone (SOA, NS, and glue A records). Stub zones help maintain delegation information and ensure proper resolution paths, but they don’t forward queries to external DNS servers. Stub zones are used for maintaining zone delegation information rather than query forwarding.

Question 198

You are configuring Storage Spaces Direct on Windows Server 2022. You need to ensure that the storage pool uses the fastest available storage tier for frequently accessed data. Which Storage Spaces Direct feature should you enable?

A) Storage tiering

B) Storage Replica

C) Data Deduplication

D) Storage QoS

Answer: A

Explanation:

Storage tiering in Storage Spaces Direct places data on two tiers of the same pool: a Performance tier (mirror resiliency on the faster media, typically SSD) that absorbs writes and serves hot data, and a Capacity tier (parity resiliency on slower, larger HDDs) for colder data. On a ReFS volume that spans both tiers, new writes land in the Performance tier and ReFS rotates colder data into the Capacity tier in the background, so the actively used data benefits from fast storage while cost-effective capacity holds the rest. Note that tiers are distinct from the Storage Spaces Direct cache: the fastest drive class in each node (for example NVMe in front of SSD, or SSD in front of HDD) is claimed automatically as a read/write cache when the cluster is enabled, and is not something you configure per volume. This makes A the correct answer for leveraging fast storage tiers for frequently accessed data.
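A volume that spans both tiers, created and inspected from a cluster node, as an added PowerShell example that is not code from the original page. The pool name pattern S2D*, the tier names Performance and Capacity (the names Storage Spaces Direct creates on an SSD-plus-HDD pool; list them first on your own cluster), the volume name and the sizes are assumptions.

```powershell
# Added example (not from the original page). Lists the tiers Storage Spaces Direct
# created, builds a mirror-accelerated parity volume across the Performance and
# Capacity tiers, and then confirms the tier and cache layout. Pool, tier, volume
# names and sizes are assumptions; run on a node of an existing S2D cluster.
Import-Module Storage

$Pool = Get-StoragePool -FriendlyName 'S2D*'

# 1. Which tiers exist, on what media, with what resiliency? Use these names below.
Get-StorageTier -StoragePool $Pool |
    Select-Object FriendlyName, MediaType, ResiliencySettingName, NumberOfDataCopies, PhysicalDiskRedundancy

# 2. Multi-resilient volume: 1 TB of three-way mirror on SSD for hot data and writes,
#    9 TB of parity on HDD for cold data. ReFS rotates data between them in the background.
New-Volume -StoragePoolFriendlyName $Pool.FriendlyName `
           -FriendlyName 'Volume1' `
           -FileSystem CSVFS_ReFS `
           -StorageTierFriendlyNames Performance, Capacity `
           -StorageTierSizes 1TB, 9TB

# 3. Check: the virtual disk should report both tiers with the requested sizes.
Get-VirtualDisk -FriendlyName 'Volume1' | Get-StorageTier |
    Select-Object FriendlyName, MediaType, ResiliencySettingName, Size

# 4. Check: drives with Usage 'Journal' are the automatically claimed cache devices;
#    they are not part of any tier. If none show up, the fastest drive class is being
#    used as capacity and the cache is not in play.
Get-PhysicalDisk | Group-Object MediaType, Usage | Select-Object Name, Count
```

Size the Performance tier so the working set fits; once it fills, rotation into the parity tier becomes the bottleneck and write latency rises even though the volume still reports free space.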

B is incorrect because Storage Replica is a disaster recovery and replication technology that synchronously or asynchronously replicates volumes between servers, clusters, or sites. While Storage Replica is important for data protection and business continuity, it replicates data for redundancy purposes and doesn’t optimize data placement based on access frequency or move data between storage tiers for performance enhancement.

C is incorrect because Data Deduplication is a storage optimization technology that eliminates redundant data blocks to reduce storage capacity requirements. Deduplication saves space by storing only unique data blocks and using pointers for duplicates, but it doesn’t move data between storage tiers based on access patterns. While deduplication can improve storage efficiency, it doesn’t address performance optimization through tiering.

D is incorrect because Storage Quality of Service (QoS) allows administrators to define minimum and maximum IOPS limits for virtual machine virtual hard disks to ensure fair resource allocation and prevent storage performance monopolization. Storage QoS manages performance through bandwidth allocation and throttling but doesn’t move data between different storage tiers. It controls access to storage rather than optimizing data placement.

Question 199

You have a Windows Server 2022 domain controller. You need to configure the server to prevent users from logging on during specific maintenance windows. Which Active Directory feature should you configure?

A) Logon Hours

B) Account Lockout Policy

C) Password Policy

D) Kerberos Policy

Answer: A

Explanation:

Logon Hours is an Active Directory user account property that specifies the days and times a user is permitted to log on. It is stored in the logonHours attribute as a 168-bit mask (21 bytes), one bit per hour of the week starting at Sunday 00:00, and the bits are evaluated in UTC; the Active Directory Users and Computers grid translates them into the administrator's local time zone, which is the usual source of off-by-one-day surprises. By clearing the bits for a maintenance window, off-hours, or any other period, you cause the domain controller to refuse new authentications from that account during that time. Logon hours alone do not end sessions that already exist; the policies Network security: Force logoff when logon hours expire and Microsoft network server: Disconnect clients when logon hours expire add that behaviour for SMB sessions. This makes A the correct answer for preventing user logons during specific maintenance windows.
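Building the bitmask described above, applying it to every user in an OU and reading it back, as an added PowerShell example that is not code from the original page. The OU, the window (Sunday 02:00 to 06:00 UTC) and the account jdoe are assumptions; the bit layout (Sunday 00:00 first, UTC, least-significant bit first within each byte) is the documented layout of the attribute and is what the decode function at the end lets you confirm against the ADUC dialog.

```powershell
# Added example (not from the original page). Builds a logonHours mask that blocks a
# weekly maintenance window, applies it to the users in an assumed OU, and decodes it
# back for verification. Bit 0 of byte 0 is Sunday 00:00-01:00 UTC; bits run
# chronologically, least-significant bit first within each byte.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    # Returns byte[21] with every hour allowed except the given blocks.
    # Each block: @{ Day = 0..6 (0 = Sunday); Start = hour; End = hour (exclusive) }, all UTC.
    param([hashtable[]]$BlockedUtc)
    $mask = [byte[]]::new(21)
    for ($i = 0; $i -lt 21; $i++) { $mask[$i] = 0xFF }          # allow everything first
    foreach ($b in $BlockedUtc) {
        for ($h = $b.Start; $h -lt $b.End; $h++) {
            $bit  = ($b.Day * 24) + $h                           # 0..167
            $byte = [math]::Floor($bit / 8)
            $mask[$byte] = ($mask[$byte] -band (-bnot (1 -shl ($bit % 8)))) -band 0xFF
        }
    }
    return $mask
}

function Get-BlockedHours {
    # Decodes a logonHours mask into 'Day HH:00 UTC' lines for the hours that are denied.
    param([byte[]]$Mask)
    $days = 'Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'
    0..167 |
        Where-Object { -not ($Mask[[math]::Floor($_ / 8)] -band (1 -shl ($_ % 8))) } |
        ForEach-Object { '{0} {1:D2}:00 UTC' -f $days[[math]::Floor($_ / 24)], ($_ % 24) }
}

# Maintenance window: Sunday 02:00-06:00 UTC (assumed). Convert from local time
# before calling this; the attribute does not know your time zone.
$mask = New-LogonHoursMask -BlockedUtc @( @{ Day = 0; Start = 2; End = 6 } )

# Apply to every user in the OU (assumed OU).
Get-ADUser -SearchBase 'OU=Staff,DC=contoso,DC=com' -Filter * | Set-ADUser -LogonHours $mask

# Read one account back and list exactly which hours are now denied.
$u = Get-ADUser -Identity 'jdoe' -Properties logonHours      # assumed account in the OU
Get-BlockedHours -Mask $u.logonHours
# Expected: Sun 02:00 UTC, Sun 03:00 UTC, Sun 04:00 UTC, Sun 05:00 UTC
```

Leave a documented break-glass account out of the loop, and remember that computer accounts and service accounts are unaffected: this restricts interactive and network logons by the listed users, not scheduled tasks or services that run under other identities.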

B is incorrect because Account Lockout Policy controls what happens when users enter incorrect passwords multiple times. This policy defines the account lockout threshold (number of failed logon attempts), account lockout duration (how long accounts remain locked), and the reset counter time. Account lockout is a security measure to prevent brute-force password attacks and has no relationship to scheduled maintenance windows or time-based access restrictions.

C is incorrect because Password Policy defines requirements for user passwords, including minimum length, complexity requirements, password history, minimum and maximum password age, and reversible encryption settings. Password policies enforce strong authentication credentials but don’t control when users can log on to the network. These policies focus on password strength and lifecycle rather than access scheduling.

D is incorrect because Kerberos Policy controls settings related to the Kerberos authentication protocol, including maximum lifetime for user tickets, service tickets, and ticket renewal periods. While Kerberos handles authentication in Active Directory domains, the Kerberos policy settings don’t provide time-based access control or the ability to restrict logons during specific periods. Kerberos policies manage ticket lifetime and authentication behavior, not logon scheduling.

Question 200

You manage a Windows Server 2022 environment with Network Policy Server (NPS). You need to configure the NPS server to authenticate wireless clients using certificates. Which authentication method should you configure?

A) EAP-TLS

B) PAP

C) CHAP

D) MS-CHAP v2

Answer: A

Explanation:

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) is the strongest of the listed methods and the standard choice for certificate-based 802.1X wireless authentication. The client and the NPS server each present a certificate inside a TLS handshake, so authentication is mutual and no password is transmitted or derivable from the exchange. In NPS, EAP-TLS is the network policy EAP type named Microsoft: Smart Card or other certificate; the server certificate must carry the Server Authentication purpose and chain to a CA the clients trust, and each client needs a certificate with the Client Authentication purpose issued by a CA that NPS trusts (for domain-joined devices, usually auto-enrolled from an enterprise CA). This makes A the correct answer for certificate-based wireless client authentication.
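The certificate requirements described above turned into a check on the NPS server, followed by registration of the wireless controller as a RADIUS client and a look at the decisions NPS has logged, as an added PowerShell example that is not code from the original page. The RADIUS client name WLC01, its address, and the placeholder shared secret are assumptions; the network policy that selects the EAP type is still created in the NPS console.

```powershell
# Added example (not from the original page). Checks which certificates in the
# machine store NPS can use for EAP-TLS, registers an assumed wireless controller
# as a RADIUS client, and summarises recent NPS decisions from the Security log.
Import-Module NPS

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-EapTlsServerCertificate {
    # Server Authentication EKU, a private key, a non-empty subject, a chain that
    # builds, and some remaining lifetime: the things that make EAP-TLS fail
    # silently on the client when they are missing.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert    = $_
        $ekus    = @($cert.EnhancedKeyUsageList | ForEach-Object ObjectId)
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $hasEku  = $ekus -contains $ServerAuthEku
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            ServerAuthEku = $hasEku
            HasPrivateKey = $cert.HasPrivateKey
            ChainBuilds   = $chainOk
            Usable        = $hasEku -and $cert.HasPrivateKey -and $chainOk -and
                            ($cert.Subject -ne '') -and ($cert.NotAfter -gt (Get-Date).AddDays(30))
        }
    }
}
Test-EapTlsServerCertificate | Format-Table -AutoSize

# Register the wireless controller as a RADIUS client (name, address and secret are
# assumptions; use a long random secret, it is the only thing protecting RADIUS traffic).
New-NpsRadiusClient -Name 'WLC01' -Address '10.0.0.10' -SharedSecret 'ReplaceWithLongRandomSecret' | Out-Null

# NPS logs every decision to the Security log: 6272 = access granted, 6273 = access
# denied. ReasonCode and EAPType show why a certificate-based attempt was rejected.
function Get-NpsDecision {
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                User    = $d['SubjectUserName']
                EapType = $d['EAPType']
                Reason  = $d['ReasonCode']
            }
        }
}
Get-NpsDecision | Format-Table -AutoSize
```

Forward 6273 events to your SIEM: a burst of denials with the same EAPType and ReasonCode after a CA or template change is the quickest signal that client certificates are no longer acceptable to NPS.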

B is incorrect because PAP (Password Authentication Protocol) is an outdated, insecure authentication method that transmits usernames and passwords in clear text without encryption. PAP is the least secure authentication protocol and should never be used in modern networks, especially for wireless authentication. It doesn’t support certificate-based authentication and provides no protection against eavesdropping or credential theft.

C is incorrect because CHAP (Challenge Handshake Authentication Protocol) is a password-based authentication protocol that uses a challenge-response mechanism with one-way hashing to avoid sending passwords in clear text. While CHAP is more secure than PAP, it still relies on shared secrets (passwords) rather than certificates and is considered outdated for wireless authentication. CHAP doesn’t provide the mutual authentication and strong security that certificate-based methods offer.

D is incorrect because MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol version 2) is a Microsoft-enhanced version of CHAP that provides mutual authentication using password-based credentials. It is commonly used with PEAP (Protected EAP) for wireless authentication, but it relies on username and password rather than certificates. On its own, MS-CHAP v2 is also cryptographically weak: its DES-based challenge-response can be recovered offline from a captured exchange, so it must only be used inside a PEAP tunnel, and clients must validate the server certificate or an attacker can capture the exchange with a rogue access point. For certificate-based authentication, EAP-TLS is the appropriate choice.
