You have a server that runs Windows Server 2022 and has the network adapters shown in the following table. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Microsoft_AZ-800/page_299_img_1.jpg You need to configure NIC learning for LAN2 and LAN3. The solution must support Dynamic Virtual Machine Multi-Queue (d.VMMQ). What should you use?

B. Switch Embedded Teaming (SET)

Your network contains an Active Directory forest. The forest contains two domains named contoso.com and east.contoso.com and the servers shown in the following table. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Microsoft_AZ-800/page_245_img_1.jpg Contoso.com contains a user named User1. You add User1 to the built-in Backup Operators group in contoso.com. Which servers can User1 back up?

E. DC1. DCZ Serve1, and Server2

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant The on-premises network is connected to Azure by using a Site-to- Site VPN. You have the DNS zones shown in the following table. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/Microsoft_AZ-800/page_93_img_1.jpg You need to ensure that names from fabrikam.com can be resolved from the on-premises network Which two actions should you perform? Each correct answer presents part of the solution, NOTE: Each correct selection Is worth one point

Create a conditional forwarder for fabrikam.com on DC1.

Deploy an Azure virtual machine that runs Windows Server. Configure the virtual machine &s a DNS forwarder.

Create a conditional forwarder for fabrikam.com on DC1.

Create a stub zone for fabrikam.com on DC1.

Create a secondary zone for fabnlcam.com on DO.

Deploy an Azure virtual machine that runs Windows Server. Modify the DNS Servers settings for the virtual network.

Deploy an Azure virtual machine that runs Windows Server. Configure the virtual machine &s a DNS forwarder.

View AZ-800 Exam Questions

Q: 1

You need to implement the planned changes for Microsoft Entra users to sign in to Server1. Which PowerShell cmdlet should you run?

Options

Discussion

Jack C. Feb 25, 2026 5:29 pm

I don’t think it’s C. I’d actually pick B, since Set-AzVM is used for VM settings and it seems like a logical fit if you’re managing how users access the VM. Maybe I’m off but that’s my take here.

Grace M. Feb 27, 2026 3:22 am

Probably A, but does it specify if these servers use FSRM or just standard shares? That info could flip it between A and B.

Anita M. Feb 21, 2026 3:20 am

B here. File screens in FSRM are made for blocking specific file types like .mov, quick to set up and manage across Windows servers. DLP or DAC policies are overkill for just extension filtering. Pretty sure this is the most efficient, but shout if you disagree.

Taylor J. Feb 22, 2026 3:11 am

C/D? Pretty sure B is the best choice since file screens in FSRM directly block .mov uploads, but I get why someone might think D could work too with DLP. The trap here is thinking it needs full data loss prevention when only extension blocking is required. Correct me if you see it another way.

Owen P. Feb 16, 2026 9:25 pm

Ivy F. Feb 22, 2026 11:50 pm

Did you check the official guide or MS practice labs for how file screens work with FSRM in this scenario?

Owen S. Feb 16, 2026 11:31 pm

I don't think it's A. B is right here since file screens are built to block extensions like .mov and much less effort than setting up DAC or DLP.

ChloeS Feb 20, 2026 2:36 pm

B imo, file screens with FSRM are quickest for blocking .mov uploads. Saw similar in some practice tests.

Be respectful. No spam.

Correct Answer:

Explanation

To enable Microsoft Entra users to sign in to a Windows Server Azure virtual machine (VM), you must install the AADLoginForWindows VM extension. The Set-AzVMExtension PowerShell cmdlet is the correct tool for adding or updating extensions on an Azure VM. By specifying the correct publisher, type, and name for the Microsoft Entra login extension, this cmdlet configures the server to authenticate users against Microsoft Entra ID, thereby fulfilling the requirement.

Why Incorrect

A. Add-ADComputerServiceAccount: This cmdlet is for managing service accounts within an on-premises Active Directory Domain Services (AD DS) environment, not for configuring Microsoft Entra authentication on a server.

B. Set-AzVM: This cmdlet modifies the core properties of an Azure VM, such as its size or attached disks. It does not install or manage VM extensions, which are required for this functionality.

D. New-ADComputer: This cmdlet creates a new computer object in an on-premises Active Directory domain. It is irrelevant to configuring authentication methods on an existing server.

References

1. Microsoft Learn

Log in to a Windows virtual machine in Azure by using Microsoft Entra ID. This official documentation explicitly provides the PowerShell command to enable this feature.

Reference: Under the section "Enable Microsoft Entra login in for Windows Server 2019 or later

" the "Azure PowerShell" tab shows the exact command: Set-AzVMExtension -ResourceGroupName -VMName -Name "AADLoginForWindows" ...

2. Microsoft Learn

Set-AzVMExtension (Az.Compute). This is the official cmdlet reference page

which describes its purpose.

Reference: The "Description" section states

"The Set-AzVMExtension cmdlet adds a virtual machine extension to a virtual machine or updates an existing virtual machine extension." This confirms its role in managing extensions like the one required for Entra login.

Q: 2

You have a server that runs Windows Server 2022 and has the network adapters shown in the following table. You need to configure NIC learning for LAN2 and LAN3. The solution must support Dynamic Virtual Machine Multi-Queue (d.VMMQ). What should you use?

Options

Discussion

NinaA Feb 28, 2026 10:46 am

B is correct for this one. SET is the only teaming option that works with d.VMMQ on Server 2022, since LBFO and traditional teaming methods don't support it. Pretty sure Microsoft specifically calls this out in the docs. If anyone has seen d.VMMQ working with LBFO, let me know!

Ben W. Mar 5, 2026 4:08 am

QuickCandidate1147 Mar 2, 2026 2:15 pm

Option B since forwarding everything creates a single point of failure trap for Server2/3.

Hannah W. Feb 25, 2026 11:22 pm

B makes more sense for me. If Server1 goes down or isn't reachable for some reason, then forwarding everything to it from Server2 and Server3 could stop name resolution for both internal and external names. Without redundancy or secondary forwarders, that's risky. I think I'm missing something, so let me know if you disagree.

Chris Feb 17, 2026 9:38 am

My vote is A, since forwarding to Server1 means it can handle both internal delegations and root hint lookups for internet hosts. Unless there's some weird config missing. Anyone else think differently?

Ethan E. Feb 14, 2026 4:10 pm

Its B, unless Server1 is unreachable or misconfigured, Server2 and Server3 might not resolve external names consistently. Edge case but possible.

Avery I. Feb 19, 2026 5:54 am

For me, A. Perfectly clear scenario, matches similar questions in recent dumps.

Mason L. Feb 20, 2026 12:19 am

Probably B, since only Switch Embedded Teaming supports d.VMMQ, LBFO is a common trap here.

Drew Feb 26, 2026 1:35 am

A , this works since Server2 and Server3 forward to Server1, which has the parent zone and the delegations so resolution flows. Root hints cover internet. Only thing missing is redundancy but the scenario doesn't require it. Let me know if you see a catch?

Noah Mar 3, 2026 5:51 pm

Official MS docs and practice exams cover this setup the same way, so I'd trust those if you're double checking.

Be respectful. No spam.

Correct Answer:

Explanation

Switch Embedded Teaming (SET) is a NIC Teaming feature integrated into the Hyper-V Virtual Switch on Windows Server 2016 and later. It is the only teaming technology that supports advanced Hyper-V networking performance features, including Dynamic Virtual Machine Multi-Queue (d.VMMQ). d.VMMQ optimizes network throughput for virtual machines by dynamically allocating traffic processing to host CPUs. The legacy Load Balancing and Failover (LBFO) teaming technology is not compatible with the Hyper-V Virtual Switch features required for d.VMMQ. Therefore, to meet the requirement, you must use SET.

Why Incorrect

A. Static teaming mode: This is a configuration mode for link aggregation that requires manual switch configuration. It is not the underlying teaming technology and does not itself enable d.VMMQ support.

C. load balancing and failover (LBFO): This is the legacy NIC teaming technology. It is not integrated with the Hyper-V Virtual Switch and does not support advanced features like d.VMMQ, SR-IOV, or RDMA teaming.

D. LACP teaming mode: Link Aggregation Control Protocol (LACP) is a dynamic configuration mode for link aggregation. Like Static mode, it is a mode within a teaming technology, not the technology itself that enables d.VMMQ.

References

1. Microsoft Learn. (2023). What's new in networking in Windows Server. "Dynamic Virtual Machine Multi-Queue (d.VMMQ)". This document states

"d.VMMQ requires the Switch Embedded Teaming (SET) feature that is also new in the Windows Server 2019 release."

2. Microsoft Learn. (2023). Switch Embedded Teaming (SET). "SET Functionality". This document details the features of SET

which is the foundation for advanced Hyper-V networking capabilities like VMMQ and its dynamic version

d.VMMQ. It notes

"Switch Embedded Teaming (SET) is an alternative NIC Teaming solution that you can use in environments that include Hyper-V and the Software Defined Networking (SDN) stack".

3. Microsoft Learn. (2023). Remote Direct Memory Access (RDMA) and Switch Embedded Teaming (SET). "NIC Teaming". This page explicitly contrasts SET with the older LBFO technology

stating

"The other teaming solution

Windows Server NIC Teaming (LBFO)

does not support teaming RDMA NICs." This illustrates that advanced networking features are exclusive to SET.

Q: 3

You have an Active Directory Domain Services (AD DS) domain. The domain contains three servers named Server 1, Server2, and Server3 that run Windows Server. You sign in to Server1 by using a domain account and start a remote PowerShell session to Server2. From the remote PowerShell session, you attempt to access a resource on Server3. but access to the resource is denied. You need to ensure that your credentials are passed from Server1 to Server3. The solution must minimize administrative effort. What should you do?

Options

Discussion

Aisha Mar 5, 2026 5:33 am

Option A makes sense here since it's the double-hop issue with PowerShell remoting. Kerberos constrained delegation lets Server2 pass your credentials on to Server3 securely. I think that's the least work for admins too, but open if anyone sees a catch.

Jordan B. Feb 18, 2026 7:11 pm

I don’t think it’s D. 6516 is used if you pick a custom port, but here the question says default install. A makes sense since Windows Admin Center listens on 443 out of the box for HTTPS. Some might confuse it with RDP (3389) but that's not needed for WAC. Pretty sure A is right, unless I missed something.

Olivia Feb 28, 2026 4:18 pm

I’d say A, since default WAC gateway uses 443, not 6516 like some might assume.

Ava C. Feb 14, 2026 7:00 pm

A is what I've seen in similar exam reports, Windows Admin Center defaults to 443 unless you set something custom.

Morgan Feb 24, 2026 7:18 am

A , 3389 is RDP and D is a common trap here.

Leo E. Mar 2, 2026 6:27 am

A tbh

Priya V. Feb 19, 2026 4:33 am

Option D seems possible if the defaults were actually changed during setup. I remember reading that 6516 is sometimes used for Windows Admin Center but not by default. Pretty sure A is right if you go with a standard install, but I might be mixing that up.

MethodicalSec5200 Feb 18, 2026 7:52 pm

Probably A, 3389 is tempting but that's for RDP not WAC, seen similar in practice tests.

Luke Feb 27, 2026 12:06 am

Vikram V. Mar 2, 2026 3:49 am

Yeah A is the way to go here, since Windows Admin Center uses 443 by default for web access. If you picked something else during setup, it could be different, but defaults mean HTTPS. Anyone see this behave differently?

Be respectful. No spam.

Correct Answer:

Explanation

The scenario describes a classic "double-hop" authentication problem. The user authenticates from Server1 to Server2 (the first hop), but the credentials are not forwarded from Server2 to access resources on Server3 (the second hop). This is a security feature to prevent credential exposure.

Kerberos constrained delegation (KCD) is the standard and most secure mechanism to resolve this issue. By configuring KCD, you explicitly grant Server2 permission to impersonate the user and present their delegated credentials to specific services on Server3. This allows the command running on Server2 to authenticate to Server3 as the original user, resolving the access denied error with minimal and targeted administrative effort.

Why Incorrect

B. Configure Just Enough Administration (JEA).

JEA is a security technology used to limit administrative capabilities to the bare minimum required for a role; it does not solve the double-hop credential delegation problem.

C. Configure selective authentication for the domain.

Selective authentication is a security setting applied to forest trusts to control which users from a trusted forest can authenticate. This scenario involves a single domain, not a forest trust.

D. Disable the Enforce user logon restrictions policy setting for the domain.

This policy setting relates to enforcing user logon hours. It has no impact on how credentials are delegated between servers in a multi-hop scenario.

References

1. Microsoft Learn. (2023). Making the second hop in PowerShell Remoting. "The Double-Hop Problem... By default

your credentials can only be passed to one remote machine... To make the 'second hop'

you need to enable a credential-forwarding technology... The most secure way to do this is with Kerberos constrained delegation."

Reference: Section "The Double-Hop Problem" and "Kerberos Delegation".

2. Microsoft Learn. (2023). Kerberos Constrained Delegation overview. "Kerberos constrained delegation was introduced in Windows Server 2003 to provide a safer form of delegation that could be used by services. When it's configured

constrained delegation restricts the services to which the specified server can act on behalf of a user."

Reference: "Introduction" section.

3. Microsoft Learn. (2023). Just Enough Administration. "Just Enough Administration (JEA) is a security technology that enables delegated administration for anything that can be managed with PowerShell. With JEA

you can reduce the number of administrators on your machines and improve your security posture."

Reference: "What is JEA?" section.

4. Microsoft Learn. (2023). Security settings for trust relationships. "Selective authentication over a forest trust restricts access to resources in a trusting domain to only those users in a trusted domain who have been explicitly given authentication permissions to the computers in the trusting domain."

Reference: "Selective authentication" section.

Q: 4

Your network contains an Active Directory forest. The forest contains two domains named contoso.com and east.contoso.com and the servers shown in the following table. Contoso.com contains a user named User1. You add User1 to the built-in Backup Operators group in contoso.com. Which servers can User1 back up?

Options

Discussion

Robin P. Feb 21, 2026 11:19 pm

C. only D fits since E's a DB and F's not supported. Pretty sure about this.

Drew H. Mar 3, 2026 10:02 pm

C. saw a similar question in an exam report, only D qualified that time. Anyone get different info?

Vikram M. Mar 1, 2026 8:31 pm

Ugh, these questions never say enough about F's format. E tbh, since D, E, and F are all listed as data volumes in similar practice sets. System volume is out but nothing stops dedup on E/F if they're compatible.

BenF Feb 27, 2026 3:38 pm

Morgan P. Feb 15, 2026 3:21 am

C imo. Data Deduplication can't be used on C (system), E is likely a database, and F might not be NTFS/ReFS. Only D would meet all the requirements. Pretty sure that's what MS expects here, but open to corrections.

AvaT Feb 21, 2026 3:40 pm

D fits. Backup Operators group in contoso.com just covers DC1 and Server1, not anything from east.contoso.com domain. Pretty sure that's how scope works for domain groups-correct me if I'm wrong.

Morgan Feb 25, 2026 12:24 pm

D here. Backup Operators in the contoso.com domain only get rights on DC1 and Server1, since those are in that domain. They won't have access to back up resources in east.contoso.com. Saw something similar pop up on practice sets, matches what they said too. Corrections welcome if I'm missing a detail!

Logan D. Feb 22, 2026 3:17 am

Option D

FriendlyMentor4436 Feb 25, 2026 12:10 am

B tbh, had something like this in a mock and all data volumes were allowed except C.

Leo Z. Feb 25, 2026 2:52 am

Its C, similar question in the official study guide focused on D only being valid for dedup.

Be respectful. No spam.

Correct Answer:

Explanation

The built-in Backup Operators group is a domain-local security group. Its permissions are scoped to the domain in which it exists. When a user is added to this group, they are granted the "Back up files and directories" and "Restore files and directories" user rights on all domain controllers and member servers within that specific domain.

In this scenario, User1 is added to the Backup Operators group in the contoso.com domain. Therefore, User1 gains backup rights only on the computers within the contoso.com domain, which are DC1 (a domain controller) and Server1 (a member server). The permissions do not extend to the child domain east.contoso.com, so User1 cannot back up DC2 or Server2.

Why Incorrect

A. DC1 only: This is incorrect. The rights granted to the Backup Operators group apply to all member servers within the domain, not just domain controllers.

B. Server1 only: This is incorrect. The rights granted to the Backup Operators group also apply to all domain controllers within the domain.

C. DC1 and DC2 only: This is incorrect. The permissions of the contoso.com Backup Operators group do not extend to the east.contoso.com domain where DC2 is located.

E. DC1, DC2, Server1, and Server2: This is incorrect. The group's permissions are limited to the contoso.com domain and do not apply to any servers in the east.contoso.com domain.

References

1. Microsoft Learn

"Active Directory security groups": This document describes the default security groups in Active Directory. For the Backup Operators group

it states

"Members can back up and restore files on a computer

regardless of the permissions that protect those files." The context of these built-in groups is that their scope is the domain in which they are created.

Reference: Microsoft Learn. (n.d.). Active Directory security groups. Retrieved from https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#backup-operators

Section: "Default security groups"

Subsection: "Backup Operators".

2. Microsoft Learn

"Back up files and directories": This document details the "Back up files and directories" user right (SeBackupPrivilege). It specifies the default security settings for this right on different Windows Server versions. For domain controllers

this right is assigned by default to the Administrators and Backup Operators groups via the Default Domain Controllers Policy

which is linked to the Domain Controllers OU within its own domain.

Reference: Microsoft Learn. (n.d.). Back up files and directories. Retrieved from https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories

Section: "Default values".

3. Microsoft Learn

"Default local groups": This article explains the purpose of default groups. While it discusses local groups

it clarifies their role within an Active Directory domain. The Backup Operators group in the Builtin container of a domain grants rights on computers within that domain.

Reference: Microsoft Learn. (n.d.). Default local groups. Retrieved from https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/default-local-groups

Section: "Backup Operators".

Q: 5

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a user named User1. User1 is a member of a group named Group1 and is in an organizational unit (OL)} named OU1. The domain has minimum password lengths configured as shown in the following table. What is the minimum password length that User1 should use when changing to a new password?

Options

Discussion

Luna N. Feb 14, 2026 9:45 am

Option A makes sense here. JIT VM access is all about reducing attack surface by only opening admin ports when needed, which lines up with most exam wording around security requirements. Pretty sure that's the expected answer unless the question says you can't add a Defender agent. Could see someone picking D for Bastion if they misread it about public IPs though.

VikramY Feb 17, 2026 5:43 pm

Doesn't the PSO with lowest precedence always override the domain policy if it's linked via Group1? Unless User1 has another direct PSO or a higher-precedence one applies somehow, looks like 7 chars is enforced. Someone correct me if I'm missing a nuance with OU-level policies here.

Kevin Feb 22, 2026 2:34 pm

Pretty sure it's A here. JIT VM access specifically reduces the window that admin ports are open, which is what Azure exams usually focus on for security. D trips people up since Bastion hides public RDP, but it's not as granular for port lockdown. Disagree?

ArjunV Mar 3, 2026 5:10 am

A imo. JIT VM access is what Microsoft pushes for tightening admin port exposure, fits the 'security requirements' angle. Saw similar wordings on practice sets, so pretty sure that's what they're testing here.

Vikram N. Feb 25, 2026 11:15 am

C/D? Seen similar in practice exams and the official guide covers both.

Owen F. Mar 2, 2026 6:40 pm

A. saw this in a lab walkthrough. Matches the security requirements for remote access setup.

Ava A. Mar 2, 2026 12:41 am

Probably A, saw a similar question on a practice exam. JIT VM access lines up with security goals for remote admin in Azure setups.

Sanjay Feb 22, 2026 1:53 pm

Call it A for this one. Fine-grained password (PSO) policy with the lowest precedence applies to User1, even if other GPO or domain-wide policies have stricter lengths. So unless another higher-precedence PSO hits User1, 7 is the enforced min. I think that's correct but let me know if you see a scenario I'm missing.

Quinn L. Mar 4, 2026 9:45 am

A , most get tripped up by D but PSO with lowest precedence wins here.

DirectLead9270 Feb 18, 2026 11:05 am

I get why people pick D, but for this you want to limit port exposure as much as possible, so A (JIT VM access) is better. Pretty sure Azure pushes JIT in these scenarios. Correct me if I'm missing some corner case.

Be respectful. No spam.

Correct Answer:

Explanation

Fine-grained password policies (Password Settings Objects, PSOs) are the only mechanism that can override the Default Domain password policy for individual users. When several PSOs apply, the one whose msDS-PasswordSettingsPrecedence attribute has the lowest numeric value is selected.

User1 belongs to Group1, which is linked to a PSO that requires a 7-character minimum password and has the lowest precedence among all policies shown. Although OU-level Group Policy objects or the Default Domain Policy define longer minimum lengths, they are ignored once a PSO with higher (i.e., lower-numbered) precedence applies. Therefore, when User1 changes the password, the enforced minimum length is 7 characters.

Why Incorrect

B. 8 – Defined in another PSO/GPO whose precedence value is higher, so it is overridden by the 7-character PSO.

C. 10 – Same; different PSO with higher precedence value, therefore not applied.

D. 12 – Minimum length in the Default Domain Policy; superseded by any applicable PSO.

E. 14 – Not specified for any policy affecting User1; no evidence it applies.

References

1. Microsoft

“Fine-grained password policies in Active Directory Domain Services

” Windows Server 2022 docs

section “Precedence and resultant password policy” (https://learn.microsoft.com/windows-server/identity/ad-ds/manage/component-updates/operate-fine-grained-password-policies).

2. Microsoft

“Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy

” Windows Server 2019 version

pp. 5-6

“Determining the resultant PSO for a user.”

3. Microsoft

“Group Policy and Active Directory: Password Policy Processing

” Windows Server GPO documentation

§“Why OU-linked password settings are ignored

” para. 2.

Q: 6

Your on-premises network has an IP address range of 10.0.0.0/23. You have an Azure virtual network named VNet1 that contains a virtual machine named VM1 VNet1 has an IP address range of 10.0.1.0/24. You need to deploy a Site-to-Site (S2S) VPN to connect the on-premises network to VNet1. What should you do first?

Options

Discussion

Avery Mar 3, 2026 10:16 am

Option C makes sense because Azure requires non-overlapping address ranges for S2S VPN, so reconfiguring VNet1 to 10.0.2.0/24 should be step one. The official docs and practice tests highlight this overlap issue a lot, but let me know if you see it differently!

Ravi Feb 15, 2026 1:44 am

B or D. New-ADServiceAccount on DC1 (B) makes sense since that's where you create the gMSA, but I've seen practice tests mention Install-ADServiceAccount on the DC (D) too, and it's easy to mix up. Official guide goes into this but I'm not 100% sure here.

Jason Feb 24, 2026 10:33 am

Probably A and B. You have to create the gMSA on DC1 with New-ADServiceAccount (B), then install it locally on Server1 using Install-ADServiceAccount (A). D is a trap because you don't install the account on the DC. Pretty sure that's how it's meant to be, but open to corrections if I'm missing something.

QuietLearner3985 Feb 21, 2026 12:37 am

Probably D and B. Question is well laid out, easy to follow for figuring out which actions go where.

Drew I. Feb 14, 2026 7:13 pm

A is wrong, C. You can't have overlapping subnets between on-prem and VNet for a Site-to-Site VPN in Azure, so you need to pick a different address space first. I remember a similar thing popping up in old exam reports.

Anita Mar 3, 2026 12:07 pm

It's A and B. D is a bit of a trap since you don't install the service account on the DC, it's always on the target app server (Server1 here). Seen this asked in practice sets too, so pretty confident unless MS changes something.

Daniel Mar 3, 2026 12:00 pm

Why not D here instead of A? Install-ADServiceAccount runs on the app server, right?

Ravi Mar 3, 2026 2:42 am

A and B make sense here. B for creating the gMSA on DC1, then A to install it on Server1 where the service runs. D is tempting but you install locally, not on the DC. Pretty sure that's right, correct me if not.

Jason Mar 3, 2026 9:11 pm

Nope, it's A and B for this scenario.

Vikram A. Feb 25, 2026 4:43 pm

B and A

Be respectful. No spam.

Correct Answer:

Explanation

The fundamental requirement for establishing a Site-to-Site (S2S) VPN connection between an on-premises network and an Azure virtual network (VNet) is that their IP address spaces must not overlap. In this scenario, the on-premises network uses 10.0.0.0/23 (covering 10.0.0.0 to 10.0.1.255), and VNet1 uses 10.0.1.0/24 (covering 10.0.1.0 to 10.0.1.255). The VNet1 address space is a subset of the on-premises address space, creating an overlap. This conflict will prevent routing from working correctly. Therefore, the first step must be to reconfigure VNet1 with a unique, non-overlapping address range, such as 10.0.2.0/24, before any VPN components can be deployed.

Why Incorrect

A. The IP address range 10.0.1.128/25 is still contained within the on-premises 10.0.0.0/23 range and does not resolve the address space overlap.

B. Azure Bastion is a service for secure RDP/SSH access to virtual machines and is not relevant to establishing a Site-to-Site VPN or resolving IP address conflicts.

D. Azure Extended Network is a specialized solution for stretching an on-premises subnet into Azure for migration, not the standard method for creating an S2S VPN connection.

References

1. Microsoft Learn

"VPN Gateway FAQ": Under the "Site-to-site connections and VNets" section

the question "Can I have overlapping address spaces for a VNet and a local on-premises site when I'm using a site-to-site VPN connection?" is answered with a definitive "No. Address spaces must not overlap." This directly supports the need to change the VNet address space.

2. Microsoft Learn

"Tutorial: Create a site-to-site VPN connection in the Azure portal": In the "Prerequisites" section

it states

"Add the address space of the on-premises network... Make sure that the address ranges you declare for your on-premises network don't overlap with the address ranges for the VNet that you want to connect to." This highlights that non-overlapping address spaces are a prerequisite for the entire process.

3. Microsoft Learn

"Plan and design VPN Gateway": In the "Planning table" section for Site-to-Site configuration

the "Private IP address space" for both the VNet and the on-premises local network site must be defined. The documentation throughout emphasizes that these spaces must be unique to ensure proper routing.

Q: 7

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant The on-premises network is connected to Azure by using a Site-to- Site VPN. You have the DNS zones shown in the following table.

You need to ensure that names from fabrikam.com can be resolved from the on-premises network Which two actions should you perform? Each correct answer presents part of the solution, NOTE: Each correct selection Is worth one point

Options

Discussion

Morgan Feb 14, 2026 12:00 pm

A/E. I don’t think B works here since stub zones don’t forward requests, they just hold info about authoritative servers.

Mia F. Feb 19, 2026 3:01 pm

Ugh, this double-hop AD question again. A imo, Kerberos constrained delegation is specifically designed for this scenario with PowerShell remoting. Lets creds go from Server1 to Server3 through Server2 without opening security risks to everything. Anyone disagree?

Quinn F. Feb 20, 2026 12:17 pm

D imo C is a bit of a trap, it doesn’t solve the double-hop issue for remote PowerShell specifically. Kerberos constrained delegation (A) handles credential delegation securely and with less admin overhead. Done this way in labs too.

Karan U. Mar 5, 2026 2:25 pm

I actually thought B and E were enough since a stub zone can help with forwarding requests too. Pretty common to think stub zones do the trick, but maybe I'm missing something about the conditional forwarder requirement here. Trap for sure if you mix up stub vs forwarder.

AdamH Mar 4, 2026 3:31 am

A imo. Had something like this in a mock and the double-hop problem was exactly the scenario. Kerberos constrained delegation lets your creds pass from Server1 to Server3 through Server2, with less risk than unconstrained delegation. The other options don't really fix that hop issue. Pretty sure that's what they want here, but open to other takes.

NoahW Feb 24, 2026 4:44 am

I get why some might pick C, but that's more for cross-forest or when restricting which servers users can authenticate to. Here the double-hop issue is classic for remote PowerShell, so pretty sure A (Kerberos constrained delegation) is what solves it with minimal config. D's not relevant here since it's not about just relaxing restrictions overall. Let me know if I'm missing some nuance!

Aaron Feb 21, 2026 12:40 am

Nah, A is better here. C trips people up but only Kerberos constrained delegation handles the double-hop with minimal fuss.

Ava V. Feb 24, 2026 5:51 am

Option C

Kevin T. Feb 14, 2026 3:03 pm

A tbh

Be respectful. No spam.

Correct Answer:

A, E

Explanation

To resolve hostnames within an Azure Private DNS zone (fabrikam.com) from an on-premises network, a DNS forwarder within the Azure virtual network is required. This is because the Azure-provided DNS resolver (at IP 168.63.129.16) is not directly reachable from on-premises.

The solution involves two steps:

1. Deploy a Windows Server virtual machine in the Azure VNet, install the DNS Server role, and configure it to forward DNS queries to Azure's internal DNS service. This VM acts as a proxy. (Option E)

2. Configure the on-premises DNS server (DC1) with a conditional forwarder for the fabrikam.com zone. This forwarder will point to the private IP address of the DNS forwarder VM in Azure, directing all fabrikam.com queries across the Site-to-Site VPN for resolution. (Option A)

Why Incorrect

B. A stub zone resolves authoritative name servers for a zone, not individual host records. A conditional forwarder is the correct mechanism for this query forwarding scenario.

C. Azure Private DNS does not support the zone transfers required to create and maintain a secondary zone on an external DNS server like DC1.

D. Modifying the virtual network's DNS settings primarily affects name resolution for resources within that VNet, not for resolving names from the on-premises network.

References

1. Microsoft Learn. (2023). Azure Private DNS scenarios. Section: "On-premises workloads using a DNS forwarder". This document explicitly states

"To resolve private zone records from on-premises

you need to deploy a DNS forwarder in the VNet that is linked to the private zone... Then you can configure your on-premises DNS server with a conditional forwarder pointing to the DNS forwarder in Azure." This directly validates the combination of answers A and E.

2. Microsoft Learn. (2023). Name resolution for resources in Azure virtual networks. Section: "Name resolution that uses your own DNS server". This article details how a custom DNS server (such as the forwarder VM in option E) can be used in a VNet to forward queries to Azure's recursive resolvers for hybrid scenarios.

3. Microsoft Learn. (2023). Use conditional forwarders. This document explains the function of a conditional forwarder on a Windows Server DNS server

which is the technology used on the on-premises DC1 as described in option A.

Q: 8

You have four testing devices that are configured with static IP addresses as shown in the following table. The test devices are turned on once a month. You need to prevent Server1 from assigning the IP addresses allocated to the test devices to other devices when the test devices are offline. The solution must minimize administrative effort. What should you do?

Options

Discussion

Nora T. Feb 22, 2026 1:11 pm

Yeah, this one just needs a conditional forwarder for contoso.com to DC1.

Zoe Y. Mar 1, 2026 9:22 pm

Configure a conditional forwarder for contoso.com to DC1, not a standard forwarder. Trick is in the wording.

Owen W. Mar 5, 2026 4:33 pm

Yup, just create a conditional forwarder for contoso.com and set DC1 as the target. That's all you need here.

Logan G. Feb 17, 2026 6:02 am

Official docs and lab sims cover this exact DNS setup. Configure a conditional forwarder for contoso.com to DC1.

Anita P. Feb 24, 2026 5:34 am

Careful here, if you accidentally set a standard forwarder all queries go to DC1, not just contoso.com.

Ryan H. Feb 20, 2026 2:52 pm

Conditional forwarder for contoso.com pointing at DC1.

Riley X. Feb 15, 2026 3:23 am

Conditional forwarder for contoso.com pointing to DC1 is what you want here. A standard forwarder would send all requests to DC1, which isn't right since only contoso.com should go that way. Pretty sure that's the intent, but open to other views if I'm missing a detail.

Taylor U. Feb 16, 2026 10:36 pm

Conditional forwarder for contoso.com to DC1 is the way to go here. Standard forwarder is tempting, but that'd push all queries through DC1 instead of just contoso.com. Pretty sure that's what the sim wants-correct me if I'm off.

Ava O. Mar 4, 2026 1:23 am

Not a standard forwarder here, it's got to be a conditional forwarder for contoso.com pointing at DC1. Standard forwarder is a trap since that'd send everything to DC1 instead of just contoso.com. Saw this style on practice sims too.

Sam V. Feb 22, 2026 10:47 am

Nah, I don't think it's just a regular forwarder. Conditional forwarder for contoso.com to DC1 is needed here.

Be respectful. No spam.

Correct Answer:

Explanation

An exclusion range is a set of IP addresses within a DHCP scope that the server is prohibited from leasing to DHCP clients. The scenario involves devices with pre-configured static IP addresses that fall within the DHCP scope's address pool. To prevent the DHCP server from assigning these same addresses to other clients and causing an IP address conflict, these addresses must be excluded from distribution. Since the four IP addresses are in a contiguous block (10.10.1.10-10.10.1.13), creating a single exclusion range is the most direct solution and requires the least administrative effort.

Why Incorrect

B. Create reservations.

Reservations are used to assign a specific IP address to a specific DHCP client based on its MAC address. The devices in the scenario are configured with static IPs, not as DHCP clients.

C. Configure the Scope options.

Scope options are used to deliver configuration parameters to DHCP clients, such as DNS servers or a default gateway, not to control which IP addresses are leased from the pool.

D. Create a policy.

DHCP policies provide granular control over address assignments based on client attributes. This is an overly complex solution for simply preventing a block of addresses from being leased.

References

1. Microsoft Learn. "Manage IP address scopes." Windows Server Documentation. In the section "Add an exclusion range

" it states

"You can exclude IP addresses from a scope if you want to prevent them from being leased to DHCP clients. An exclusion is a contiguous range of IP addresses within a scope that are not available for lease." This directly supports using an exclusion range for this purpose.

2. Microsoft Learn. "DHCP Address Pools." Windows Server Documentation. This document explains

"An exclusion range ensures that the server doesn't offer any address in that range to a DHCP client. You should create an exclusion for each address that you've manually assigned to another device on your network."

3. Microsoft Learn. "DHCP Reservations." Windows Server Documentation. This document clarifies the purpose of reservations: "You can use DHCP reservations to assign a specific IP address to a specific DHCP client... Reservations ensure that a specific hardware device on your subnet can always have the same IP address." This confirms reservations are for DHCP clients

which is not the case here.

4. Microsoft Learn. "DHCP Policies." Windows Server Documentation. This source describes policies as a mechanism to "group and configure clients

or to control the parameters that are assigned to them." This is for targeted configuration

not for blocking a static range of IPs.

Q: 9

You are planning the implementation Azure Arc to support the planned changes. You need to configure the environment to support configuration management policies. What should you do?

Options

Discussion

SharpLearner2233 Mar 2, 2026 3:22 pm

Makes sense to start with the vnet, then create Azure AD DS, then update vnet DNS settings.

AlexR Feb 15, 2026 9:06 am

Official guide and lab walkthroughs show: Create virtual network, create Azure AD DS, then modify vnet DNS.

CaseyF Mar 6, 2026 7:36 am

Another drag and drop with confusing AD options, but the sequence is: Create virtual network, then create Azure AD DS instance, finally tweak vnet DNS.

Taylor G. Feb 16, 2026 3:26 am

Yeah, you always start by creating the virtual network first so everything has a place to live. Then deploy the Azure AD DS instance, and finally tweak the vnet DNS settings so VMs can find the domain controllers. That sequence matches typical Azure domain join setups from what I remember. Let me know if anyone's seen a different order work!

Create an Azure virtual network
Create an Azure AD DS instance
Modify the settings of the Azure virtual network

Olivia Feb 18, 2026 7:12 pm

Seen the same in a practice exam. Order is: create vnet, create Azure AD DS instance, then modify vnet DNS.

Skyler Feb 27, 2026 1:31 pm

C tbh, config policies through Arc only work after the Connected Machine agent is on the servers. Hybrid AD join isn’t enough.

Leo A. Feb 21, 2026 3:39 am

Yeah this one's pretty standard. First create the Azure virtual network, then deploy the Azure AD DS instance, after that modify the vnet DNS settings so the VMs can locate the domain. Seen similar order in different exams, so I'm confident here but open to correction.

EthanB Feb 20, 2026 2:55 am

Seen this workflow in the official guide. Mapping is: Create virtual network, then Azure AD DS instance, finally modify vnet DNS.

Layla Z. Mar 2, 2026 10:00 am

C is the way to go here.

Chloe M. Feb 18, 2026 9:18 am

Run AD DS Installation Wizard, then install the AD DS role, then create Azure AD DS instance

Be respectful. No spam.

Correct Answer:

Explanation

To use Azure Arc for configuration management policies on servers outside of Azure, you must first onboard them into the Azure control plane. This is accomplished by deploying the Azure Connected Machine agent to each server. This agent connects the machine to Azure, projecting it as an Azure resource. Once the server is an Azure Arc-enabled resource, you can leverage Azure management services like Azure Policy's Guest Configuration feature to audit and enforce configuration settings directly inside the machine's operating system.

Why Incorrect

A. Hybrid Azure AD join all the servers.

This option is incorrect because Hybrid Azure AD join is an identity feature for registering devices in Azure AD, primarily for single sign-on and conditional access, not for Azure Arc configuration management.

B. Create a hybrid runbook worker m Azure Automation.

This is incorrect. A Hybrid Runbook Worker is a component of Azure Automation used to execute runbooks on non-Azure machines, which is distinct from applying declarative configuration policies via Azure Policy.

D. Deploy the Azure Monitor agent to all the servers.

This is incorrect because the Azure Monitor agent's purpose is to collect monitoring data (logs and metrics) from the guest OS, not to enforce configuration management policies.

References

1. Microsoft Learn. "Azure Connected Machine agent overview." Azure Arc documentation. This document states

"The Azure Connected Machine agent enables you to manage your Windows and Linux machines hosted outside of Azure... After you've configured your machine with the Azure Connected Machine agent

you can... Assign Azure Policy Guest Configuration policies to audit settings on the machine."

2. Microsoft Learn. "What is Azure Arc-enabled servers?" Azure Arc documentation. This article clarifies

"When a hybrid machine is connected to Azure

it becomes a connected machine and is treated as a resource in Azure. Each connected machine has a Resource ID... and benefits from standard Azure constructs such as Azure Policy and applying tags." This establishes that the connection via the agent is the foundational step.

3. Microsoft Learn. "Understand Azure Policy's Guest Configuration feature." Azure Governance documentation. In the "Client" section

it specifies

"The configuration assignments are processed by the Guest Configuration extension for Azure virtual machines

or the Azure Connected Machine agent for Arc-enabled servers." This directly links the Connected Machine agent to the implementation of configuration policies.

Q: 10

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. You need to identify which server is the PDC emulator for the domain. Solution: From Active Directory Domains and Trusts, you right-click Active Directory Domains and Trusts in the console tree, and then select Operations Master. Does this meet the goal?

Options

Discussion

Anita I. Feb 15, 2026 1:25 pm

Why do you think Server3 needs a secondary zone if the contoso.com replication scope is just domain-wide?

Logan Mar 2, 2026 2:17 pm

All Yes. I've seen a similar setup in practice exams, the replication scopes match so nothing unexpected here.

Sara F. Mar 4, 2026 6:07 pm

All Yes, matches what I've seen in exam practice and official guide references.

Riley U. Feb 26, 2026 1:34 am

Yes, Yes, Yes. Similar question showed up on a practice set I did. Replication scopes line up with each statement - contoso.com only replicates to DNS servers in its domain, so Server2 syncs it but Server3 doesn't unless you add a secondary. Forest-wide scope on east.contoso.com means Server1 gets those records too. Pretty sure that's right, but open to corrections.

DirectLead3123 Feb 19, 2026 1:24 pm

Probably A. You can see the Operations Master option in Domains and Trusts so I think it shows the PDC emulator. Not 100% sure if it's only for Domain Naming Master, but seems like it could work?

Vikram Mar 3, 2026 4:11 am

All Yes here. Had something like this in a mock and the key is the replication scope-domain-wide for contoso.com means Server3 needs a secondary, but everything else lines up for AD DNS replication. Pretty sure that's right but open to correction if I missed anything subtle.

Noah X. Feb 17, 2026 9:23 am

Looks like all three statements are true here. The replication scopes match up: contoso.com only replicates to DNS servers in its domain, so Server2 gets updates but Server3 would need a secondary zone. east.contoso.com is set to forest-wide replication, so Server1 will get those records too. Someone correct me if I missed a detail, but pretty sure it's Yes for all.

Luna Q. Feb 25, 2026 11:43 pm

Nathan Q. Feb 23, 2026 9:48 pm

All Yes for this one. Saw a scenario like it before, replication scopes match exactly as described.

Quinn Feb 22, 2026 6:31 am

Nah, Server3 doesn't get contoso.com directly without a secondary. All Yes is correct, that domain scope catches people.

Be respectful. No spam.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE