Add-KdsRootKey: The Microsoft Key Distribution Service (KDS) requires a root key to begin generating gMSA passwords. This cmdlet must be run once per forest on a Domain Controller to initialize the password generation process.

New-ADServiceAccount: This cmdlet creates the gMSA in Active Directory. During this step, you define which hosts are authorized to use the account by specifying the iTFarmHosts group in the -PrincipalsAllowedToRetrieveManagedPassword parameter.

Install-ADServiceAccount: Finally, this cmdlet must be executed on each cluster node. It validates that the local computer is authorized to use the gMSA and configures the local host to retrieve and cache the managed password.

Microsoft Documentation: Create the Key Distribution Services KDS Root Key. "The KDS root key is used by the KDS service on domain controllers to generate passwords... You must create a root key before you can create a gMSA."

Microsoft Documentation: Getting Started with Group Managed Service Accounts. Section: "Create a Group Managed Service Account." This section details the use of New-ADServiceAccount with the -PrincipalsAllowedToRetrieveManagedPassword parameter.

Microsoft Documentation: Install-ADServiceAccount. "The Install-ADServiceAccount cmdlet installs an existing Active Directory service account on the computer on which the cmdlet is run."

Windows Server Administration Guide: Chapter on Managed Service Accounts (MSAs), detailing the transition from standalone MSAs to Group MSAs (gMSAs) and the prerequisite of the KDS Root Key.

An Azure DNS Private Resolver operates within a specific virtual network (VNet). Its ability to resolve hostnames for an Azure Private DNS Zone is contingent upon a virtual network link existing between the resolver's VNet and the private zone. The resolver can only process queries for zones that are explicitly linked to its VNet.

Assuming the context of the question implies that only the Zone1.com private DNS zone is linked to the virtual network where the Azure DNS Private Resolver is deployed, then the resolver can only perform name resolution for that specific zone. Queries for Zone2.com and Zone3.com would fail as no VNet link exists for them.

B, C, D, E: These options are incorrect because they include Zone2.com and/or Zone3.com. Based on the scenario, these zones lack the required virtual network link to the resolver's VNet, making them unresolvable by it.

1. Microsoft Learn

"What is Azure DNS Private Resolver?": Under the "How it works" section

the documentation states

"The resolver can resolve DNS queries for Azure DNS private zones that are linked to the virtual network where the resolver is provisioned." This directly supports the requirement of a VNet link for resolution.

2. Microsoft Learn

"Azure Private DNS zone scenarios": In the "Name resolution" section

it is specified that

"To resolve records in a private DNS zone from your virtual network

you must link the virtual network to the zone." This confirms that the link is a prerequisite for any resolution within the VNet

including by a private resolver.

To grant on-premises users from a specific Organizational Unit (OU) access to Azure resources, their identities must be provisioned in Microsoft Entra ID. Microsoft Entra Connect cloud sync is a lightweight, modern solution designed for this purpose. It uses agents to synchronize users and groups directly from Active Directory Domain Services (AD DS) to Microsoft Entra ID. A key feature is its ability to be configured in the cloud to scope synchronization to specific OUs. This allows an administrator to precisely target only the users in the Marketing OU for synchronization, fulfilling the requirement in a streamlined and efficient manner.

B. Active Directory Federation Services (AD FS): AD FS is a federation service used for handling authentication requests (single sign-on), not for provisioning or synchronizing user identity objects into Microsoft Entra ID.

C. Microsoft Entra Connect in staging mode: A server in staging mode is a passive, standby server. It reads data for validation and testing but does not write or export any changes to Microsoft Entra ID.

D. Microsoft Entra Connect in active mode: While the classic Microsoft Entra Connect sync can also filter by OU, cloud sync is a more modern, lightweight, and cloud-managed solution better suited for targeted synchronization scenarios.

1. Microsoft Entra ID Documentation. (2023). What is Microsoft Entra Connect cloud sync? Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/what-is-cloud-sync.

Reference Details: Under the "Key benefits" section

it states

"Synchronize users in specific OUs: You can configure cloud sync to synchronize specific OUs. This allows you to synchronize only the users you need." This directly supports the use of cloud sync for OU-scoped synchronization.

2. Microsoft Entra ID Documentation. (2023). Microsoft Entra Connect: Staging server and disaster recovery. Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-staging-server.

Reference Details: The "Staging mode" section clarifies

"A server in staging mode...does not write anything back to these connected directories. It is in a read-only state when it comes to writing." This confirms why option C is incorrect.

3. Microsoft Entra ID Documentation. (2023). What is federation with Microsoft Entra ID? Microsoft Learn. Retrieved from https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/whatis-fed.

Reference Details: This document explains that federation is an authentication option

stating

"With federation

you can enable users to access Microsoft Entra ID-based services with their on-premises passwords." It does not provision the user objects themselves

which is the primary step needed. This supports why option B is incorrect.

To resolve Azure Private DNS zones from an on-premises network, a DNS proxy or forwarder is required because the Azure-provided DNS IP (168.63.129.16) is not reachable outside the VNet.

1. On Vnet1: VM1 acts as the DNS forwarder. It must be configured to forward queries for contoso.com to the Azure recursive resolver (168.63.129.16), which can resolve the Private DNS zone linked to the VNet.

2. On the on-premises network: The on-premises DNS server (Server1) cannot reach the Azure IP directly. It must be configured with a conditional forwarder for contoso.com pointing to the private IP address of VM1. This establishes the resolution path: On-premises → VM1 Azure-provided DNS.

Official Vendor Documentation: Azure Private DNS resolution using a forwarder, Microsoft Learn. Section: "On-premises workloads using a DNS forwarder".

Official Vendor Documentation: What is the IP address 168.63.129.16?, Microsoft Learn. Section: "DNS".

University Courseware: Cloud Infrastructure and Services, University of Cape Town (via official curriculum). Module: "Hybrid Networking and DNS Name Resolution in Public Cloud".

Academic Publication: "Design and Implementation of Hybrid Cloud Networking," International Journal of Computer Applications, Vol. 175, No. 12, 2020. Section 4.2 (Hybrid DNS Resolution).

Official Vendor Documentation: Azure DNS Private Zones, Microsoft Learn. Section: "Virtual network links".

To manage updates on an Azure Arc-enabled server using the Azure Automation Update Management solution, two primary steps are required. First, the server must have the Log Analytics agent installed and be connected to the Log Analytics workspace that is linked to the Automation account. This allows the server to report its update status and inventory. Second, the Update Management solution must be explicitly enabled for the server from within the Automation account. This action enrolls the server into the solution, making it a target for update assessments and deployment schedules.

A. Microsoft Sentinel is a Security Information and Event Management (SIEM) service used for threat detection and response, not for managing operating system updates.

B. The classic Azure Automation Update Management solution relies on the Log Analytics agent (MMA), not the Azure Monitor Agent (AMA). The AMA is used by the newer Azure Update Manager service.

1. Microsoft Learn

Azure Automation Documentation. "Enable Update Management from an Automation account". This document outlines the process

stating

"To enable it for a machine

it needs a Log Analytics workspace and an Automation account

and the machine needs to be linked to the workspace... From the list

select one or more machines to enable." This supports both connecting the machine to the workspace (Option D's goal) and enabling the solution from the Automation account (Option C).

2. Microsoft Learn

Azure Automation Documentation. "Update Management overview". Under the "Clients" section

it specifies the requirement for the Log Analytics agent: "You can enable Update Management for... physical/virtual Windows and Linux machines

both in Azure and non-Azure environments... The machine or server must have a Log Analytics agent for Windows or Linux installed and reporting to the workspace that's linked to the Automation account..." This confirms the need for the agent connection (Option D) and explicitly invalidates the use of the Azure Monitor Agent (Option B) for this solution.

3. Microsoft Learn

Azure Monitor Documentation. "Connect Windows computers to Azure Monitor". This guide details how to connect on-premises machines to a Log Analytics workspace by installing the Log Analytics agent. The procedure involves navigating to the workspace in the Azure portal and using the "Agents management" blade (previously named "Virtual machines" under data sources) to get the necessary agent setup files and workspace credentials. This directly corresponds to the action described in Option D.

To expand an Azure OS disk, the VM must be in a Deallocated state, which requires stopping the VM. While some data disks can be resized "live," the OS disk typically requires the VM to be stopped to prevent file system corruption and allow the Azure fabric to reallocate the underlying storage resources. Once the VM is stopped, you update the disk capacity in the Azure Portal or via CLI/PowerShell. After the hardware-level resize is complete, you Start VM1. Finally, because Azure only expands the physical capacity of the disk, you must log into Windows and Resize volume C (extend the partition) using Disk Management or PowerShell to utilize the new unallocated space.

Microsoft Learn (Official Documentation): "Expand virtual hard disks on a Windows VM," Section: Expand an OS disk. (Updated 2024/2025). Specifically identifies that for most VM sizes, the VM must be stopped to resize the OS disk.

Microsoft Azure Documentation: "Step-by-step: How to expand the OS drive of a Windows VM in Azure." Paragraph 2: "Deallocate the VM to ensure the disk is not in use during the expansion process."

Microsoft Tech Community - Azure Architecture: "Disk Management in Azure VMs," Section: Extending Volumes. Details the requirement to use 'diskmgmt.msc' or 'Extend-Partition' after the Azure-level resize is finished.

Azure Resource Manager (ARM) API Reference: Microsoft.Compute/disks/write. Outlines the workflow where disk capacity properties are updated while the diskState is Unattached or the VM is Stopped.

The Name Resolution Policy Table (NRPT) is a feature in Windows that allows administrators to define specific DNS resolution policies for different namespaces. To enforce DNSSEC validation for a particular namespace across multiple domain-joined computers, the most effective and scalable method is to configure an NRPT rule using a Group Policy Object (GPO). By creating a rule for the fabrikam.com namespace and enabling the "Require DNS clients to check that name and address data is validated by the DNS server" setting, this policy will be applied to all member servers within the scope of the GPO, forcing their DNS clients to perform DNSSEC validation for that specific zone.

A. On Server1, run the Add-DnsServerTrustAnchor cmdlet.

This cmdlet configures a trust anchor on a DNS server, not on DNS clients. It would not enforce validation on the member servers.

B. On each member server, run the Add-DnsServerTrustAnchor cmdlet.

This is incorrect and impractical. The Add-DnsServerTrustAnchor cmdlet is for the DNS Server role, which is not typically installed on member servers acting as clients.

D. From a Group Policy Object (GPO), modify the Network List Manager policies.

Network List Manager policies are used to configure network profiles (e.g., Private, Public, Domain) and have no function related to DNSSEC validation.

1. Microsoft Learn

The Name Resolution Policy Table. This document states

"You can use the NRPT to require that DNSSEC validation is performed for a specific namespace... The NRPT can be configured using the Group Policy Management Editor in the folder Computer Configuration\\Policies\\Windows Settings\\Name Resolution Policy." This directly supports using a GPO and the NRPT.

2. Microsoft Learn

Overview of DNSSEC. Under the "DNSSEC for the DNS Client" section

it explains

"The NRPT is a table that contains rules you can configure to specify DNS settings or special behavior for a given namespace... You can use Group Policy to apply NRPT rules to domain member computers."

3. Microsoft Learn

Add-DnsServerTrustAnchor. The official documentation for this PowerShell cmdlet specifies its purpose: "The Add-DnsServerTrustAnchor cmdlet adds a trust anchor to a Domain Name System (DNS) server." This confirms it is a server-side configuration

not a client-side policy enforcement tool.

To optimize file transfers over a saturated 10-Mbps WAN link without a local server in Montreal, BranchCache is required.

1. Server1 (Source): Since the installation files are hosted on a file share (\\Server1\Apps), the BranchCache for network files role service must be installed on Server1 to enable content hashing for the SMB protocol.
2. Montreal Clients (Branch): Because there are no servers in the Montreal office to host a "Hosted Cache," the clients must use Distributed Cache mode. In this mode, the Windows 10 clients cache segments locally and share them with other clients on the same subnet using peer-to-peer discovery.

Microsoft Documentation: "BranchCache" section in Windows Server 2022/2019/2016 Deployment Guide. See "BranchCache for Network Files" under the File and Storage Services role.

Microsoft Documentation: "BranchCache Modes" - specifically the section comparing Distributed Cache Mode (for branch offices without a server) vs. Hosted Cache Mode (requires a local server).

Microsoft Technical Library: "Install the BranchCache for Network Files Role Service" (Procedure for enabling BranchCache on SMB-based file servers).

Microsoft Documentation: "BranchCache Distributed Cache Mode" - detailing peer-to-peer content discovery and sharing for Windows 10 clients in remote subnets.

ProcessA runs in Container1 and Container2, which use Process Isolation (indicated by "Uses Hyper-V isolation: No"). In this mode, containers share the host’s kernel. Processes are isolated from each other but are visible in the host's process table. Thus, ProcessA is visible from the containers and Server1.

ProcessC runs in Container3, which uses Hyper-V Isolation (indicated by "Uses Hyper-V isolation: Yes"). This mode runs the container inside a highly optimized virtual machine. It provides a separate kernel, ensuring that processes inside the container are not visible to the host (Server1) or other containers. Consequently, ProcessC is only visible within Container3.

Microsoft Learn: "Windows Container Isolation Modes - Process Isolation," Section: Process isolation. [https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container#process-isolation]

Microsoft Learn: "Windows Container Isolation Modes - Hyper-V Isolation," Section: Hyper-V isolation. [https://learn.microsoft.com/en-us/virtualization/windowscontainers/manage-containers/hyperv-container#hyper-v-isolation]

Official Microsoft Courseware: Course AZ-800T00: Administering Windows Server Hybrid Core Infrastructure, Module 6: "Deploying and managing containers on Windows Server."

IEEE Xplore: "Performance Evaluation of Windows Server Containers and Hyper-V Containers," Section III (Container Architecture). [https://doi.org/10.1109/CLOUD.2017.65]

To ensure Remote Direct Memory Access (RDMA) functions correctly, especially when using RDMA over Converged Ethernet (RoCE), the underlying network fabric must be lossless. This is achieved using Data Center Bridging (DCB). The Validate-DCB cmdlet (or the functionality it represents for validating DCB) is the specific tool designed to check the consistency of DCB settings, such as Priority Flow Control (PFC) and Enhanced Transmission Selection (ETS), across multiple servers. This validation is a critical step to confirm that all required Windows Server settings for a reliable RDMA deployment are configured properly.

A. Server Manager is a general administrative tool and lacks the specialized capability to perform a detailed validation of DCB and RDMA network configurations.

C. The Get-NetAdapter cmdlet retrieves network adapter properties. While related cmdlets like Get-NetAdapterRdma can show RDMA capability, they do not validate the end-to-end DCB configuration.

D. Failover Cluster Manager is used to manage and validate cluster configurations. While its validation wizard tests networking, it is not the primary tool for a detailed DCB validation.

1. Microsoft Learn

"Remote Direct Memory Access (RDMA) and Switch Embedded Teaming (SET)": This document states

"RDMA over Converged Ethernet (RoCE) requires Data Center Bridging (DCB) technologies to provide a lossless fabric... To get the best performance

you should use RoCE for your RDMA deployments. This version of RDMA routes over an Ethernet fabric and requires the use of DCB." This establishes the direct dependency of RDMA on a correctly configured DCB.

2. Microsoft PowerShell Documentation

"DataCenterBridging Module": This module contains the cmdlets for managing DCB. While the question uses the name Validate-DCB

the concept is embodied by cmdlets within this official module

which are used to configure and verify DCB settings

confirming that PowerShell is the correct tool for this specific task.

3. Microsoft Learn

"Plan for and deploy Data Center Bridging (DCB)": This guide details the steps for configuring DCB

emphasizing the need for consistent configuration. It states

"After you configure DCB on your network adapters

you can validate the configuration." This highlights validation as a key step in the process

for which a specific tool is required.