Data Deduplication cannot be enabled on the system or boot volume, which is conventionally the C: drive. Additionally, Data Deduplication is not supported for volumes hosting certain active server workloads that have high I/O or maintain their own large databases, such as live Microsoft SQL Server or Microsoft Exchange Server databases.

This question implies a common scenario where C: is the system volume, D: and E: are data volumes for supported workloads (e.g., general file shares, VDI storage), and F: hosts an unsupported workload like SQL Server. Therefore, only volumes D and E are eligible for Data Deduplication.

B. C, D, E, and F: This is incorrect because the system volume (C:) and volumes with unsupported workloads (inferred F:) are not eligible.

C. D only: This is incorrect as it unnecessarily excludes volume E, which is presumed to be a supported data volume.

D. C and D only: This is incorrect because it includes the system volume (C:), which is not supported for Data Deduplication.

E. D, E, and F only: This is incorrect because it includes volume F, which is inferred to be hosting an unsupported workload.

1. Microsoft Learn. (2023). Install and configure Data Deduplication. In Windows Server documentation. Retrieved from https://learn.microsoft.com/en-us/windows-server/storage/data-deduplication/install-configure

Section: "What volumes are candidates for Data Deduplication?" explicitly states

"You can't install Data Deduplication on a system or boot drive."

Section: "What workloads are not good candidates for Data Deduplication?" lists Microsoft SQL Server and Microsoft Exchange Server as workloads with 'inter-op issues'

recommending against enabling deduplication for them.

2. Microsoft Learn. (2023). Plan to Deploy Data Deduplication. In Windows Server documentation. Retrieved from https://learn.microsoft.com/en-us/windows-server/storage/data-deduplication/plan-to-deploy

Section: "Unsupported workloads" reiterates that Data Deduplication should not be used for servers running Hyper-V (with locally stored VMs)

SQL Server

or Exchange Server.

Section: "Supported workloads" confirms that general purpose file servers and Virtual Desktop Infrastructure (VDI) deployments are excellent candidates.

In Microsoft Storage Spaces, fault tolerance is determined by the resiliency type. A Three-way mirror or Dual Parity configuration is designed to survive the simultaneous failure of up to 2 physical disks. This level of resiliency requires a minimum of five physical disks. Conversely, a Two-way mirror or Single Parity configuration provides lower overhead but can only tolerate the failure of 1 physical disk. In standard technical scenarios for this exam, "Disk1" typically represents a high-availability volume (Three-way mirror), while "Disk2" represents a standard resilient volume (Two-way mirror), aligning with the requirements for maximum data availability versus storage efficiency.

Microsoft Learn: Choose the resiliency type for Storage Spaces Direct. (Section: "Fault tolerance and efficiency"). [Official Vendor Documentation]

Microsoft Learn: Storage Spaces Direct overview. (Section: "High availability"). [Official Vendor Documentation]

Microsoft Learn: Deploy Storage Spaces on a stand-alone server. (Section: "Resiliency settings"). [Official Vendor Documentation]

To implement Web Application Proxy (WAP), Server1 must have the Remote Access server role installed, as WAP is a specific role service within it. WAP serves as a reverse proxy to publish web applications like App1 to external users. A critical prerequisite for WAP is the existence of Active Directory Federation Services (AD FS) within the network. AD FS provides the necessary authentication and authorization infrastructure (pre-authentication) that WAP requires to securely validate external user identities before they are granted access to the internal web application.

Microsoft Documentation: "Plan the Web Application Proxy Infrastructure," Section: AD FS requirements. Mentions WAP deployment requires an AD FS server on the network.

Microsoft Documentation: "Install and Configure the Web Application Proxy Server," Section: Install the Web Application Proxy role. Confirms WAP is part of the Remote Access role.

Microsoft Learn: "Web Application Proxy in Windows Server," Overview section. Describes the relationship between Remote Access, WAP, and AD FS.

University of North Georgia (CSCI Courseware): Network Security modules on Reverse Proxies and Perimeter Networks, detailing the use of Windows Server Remote Access for edge security.

IEEE Xplore: "A Study of Federation Identity Management using ADFS," (https://doi.org/10.1109/ICCP.2014.6936980). Discusses the architectural requirement of AD FS for external application publishing via proxy services.

Statement 1: Yes. User1 is in OU1, which is selected for synchronization in the Domain and OU Filtering exhibit. The Ready to Configure exhibit shows Password writeback is enabled, allowing synchronized users to use Azure AD SSPR to update their on-premises passwords.

Statement 2: Yes. The configuration shows Pass-through Authentication (PTA) is enabled. In this model, Azure AD validates the user's password by passing the credentials to an on-premises agent, which authenticates the user against an on-premises domain controller.

Statement 3: No. User2 is in OU2. The Filtering exhibit shows OU2 is NOT selected for synchronization. Therefore, User2 does not exist in Azure AD (Entra ID) and cannot be added to an Azure AD group.

Microsoft Official Documentation: "What is Microsoft Entra pass-through authentication?" Section: How does Microsoft Entra pass-through authentication work? - Explains the role of the on-premises DC in validating passwords.

Microsoft Official Documentation: "Tutorial: Enable Microsoft Entra self-service password reset writeback to an on-premises environment." Section: Prerequisites - Confirms password writeback requirements for SSPR.

Microsoft Official Documentation: "Azure AD Connect sync: Configure filtering." Section: Organizational unit–based filtering - Details how unselected OUs prevent objects from being created in the cloud tenant.

Microsoft Official Documentation: "Microsoft Entra Connect: Design concepts." Section: SourceAnchor and Authentication Agents for Pass-through Authentication.

The transparent network mode is designed to connect Windows containers directly to the physical network. When using this mode, each container's network adapter is connected to an external Hyper-V virtual switch, which is bridged to the host's physical network adapter. This allows each container to obtain an IP address from the physical network's subnet, either statically assigned or dynamically from a DHCP server on that network. Consequently, containers appear on the physical network as if they were individual virtual or physical machines, fulfilling the requirement.

B. l2bridge: This mode is for specific use cases, such as Microsoft Azure Stack HCI, where containers are on the same IP subnet as the host but require static IP assignment. Transparent mode is the more common and direct solution for general physical network connectivity.

C. NAT: The Network Address Translation (NAT) mode is the default driver. It isolates containers on a private, internal network behind the host's IP address. Containers are not directly accessible on the physical network, which contradicts the requirement.

D. l2tunnel: This is an overlay network driver used for multi-host container networking, typically in a Docker Swarm cluster. It is not used for connecting containers on a single host directly to the local physical network.

---

1. Microsoft Learn | Windows container networking: This official documentation details the networking drivers available for Windows containers.

Section: "Transparent network driver": "This driver gives containers direct access to the physical network by connecting them to an external Hyper-V virtual switch. IP addresses for containers can be assigned statically or dynamically from an external DHCP server." This directly supports the choice of the transparent network.

Section: "Network Address Translation (NAT) network driver": "This is the default driver... containers attached to a network created with the 'nat' driver will be connected to an internal Hyper-V switch and receive an IP address from the IP prefix specified by the user." This confirms NAT isolates containers.

Section: "L2bridge network driver": "This driver gives containers an IP address in the same IP subnet as the container host... This is recommended for workloads running on top of Microsoft Cloud Stack (Azure Stack HCI)." This shows its specific

non-general use case.

Section: "L2tunnel network driver": "This driver should be used with Docker Swarm on a Windows multi-host cluster..." This confirms its use for multi-host scenarios.

To seize the Schema Master role, you must navigate the ntdsutil hierarchy.

1. roles: Enters the FSMO maintenance context.
2. connect: Transitions to the server connections submenu (this is the value provided in your image as a valid truncation of connections).
3. connect to server dc2.adatum.com: Establishes the LDAP bind to the target domain controller.
4. quit: Exits the connections menu to return to the fsmo maintenance prompt.
5. seize schema master: Executes the forceful takeover of the role.

Microsoft Learn (Active Directory): "AD Forest Recovery - Seizing an Operations Master Role." The official documentation specifies the command sequence: ntdsutil -> roles -> connections. However, it notes that ntdsutil is a command-line tool where "the syntax of the commands must be exact," yet it acknowledges that submenus can be invoked via the first few characters.

Official Vendor Documentation (Ntdsutil Reference): Confirms that connections (or its provided variant in the UI bucket, connect) is required to access the server connections prompt before a server-specific connection string can be used.

University of Maryland (CMSC 414): Training materials on "Active Directory Disaster Recovery" which demonstrate the use of ntdsutil roles management, highlighting the requirement to enter the connections submenu prior to binding to a specific server.

To implement Just Enough Administration (JEA) on a server, you must register a session configuration file that defines the security endpoint. The Register-PSSessionConfiguration cmdlet is used to create and enable a new session configuration on the local computer. This cmdlet requires the -Path parameter to point to a Session Configuration file, which specifically uses the .pssc extension. While Role Capability files use the .psrc extension, they are referenced inside the .pssc file; the final step of deployment always involves registering the .pssc file to create the named endpoint (e.g., 'HyperVJeaHelpDesk'). The -Force parameter suppresses prompts during the registration and restart of the WinRM service.

Microsoft Learn (Official Vendor Documentation): "Register-PSSessionConfiguration". Windows PowerShell Reference. Section: Parameters (-Path).

Microsoft Learn (Official Vendor Documentation): "JEA Session Configurations". Securing Windows Server. Describes the use of .pssc files for defining JEA endpoints.

Microsoft Learn (Official Vendor Documentation): "Create a JEA session configuration". PowerShell Documentation. This article details the process of using Register-PSSessionConfiguration with a .pssc file.

To deploy a gMSA, you must first ensure the Active Directory forest is prepared by creating the KDS Root Key, which is required by Domain Controllers to generate gMSA passwords. Once the key is active (or immediately in a lab environment with the effective date set to the past), you create the gMSA using PowerShell (e.g., New-ADServiceAccount), specifying which hosts are authorized to retrieve the password. Finally, you configure the IIS application pool identity on the target web server to use the gMSA. This is done by selecting "Custom Account" (specified user) and entering the gMSA name followed by a dollar sign (e.g., domain\gMSA$), leaving the password fields blank as Windows manages them automatically.

Microsoft Learn: "Create the Key Distribution Services KDS Root Key." This document specifies that the KDS root key is a prerequisite for creating gMSAs in a domain to ensure password security and generation.

Microsoft Learn: "Getting Started with Group Managed Service Accounts." This official documentation outlines the step-by-step process: Create the KDS Root key, create the gMSA account, and then install it on the host.

Microsoft Learn: "New-ADServiceAccount (ActiveDirectory)." This technical reference details the parameters required to create the account in Active Directory, specifically the -PrincipalsAllowedToRetrieveManagedPassword parameter.

Microsoft Learn: "Application Pool Identity." This guide explains how to configure IIS to use a specific identity, noting that for gMSAs, the account is treated as a specified user with a null password in the configuration UI.

In a disaggregated deployment (where storage and compute are separate), Storage Quality of Service (QoS) is managed centrally on the Scale-Out File Server (SOFS) cluster. You use the New-StorageQosPolicy cmdlet on the SOFS cluster to define minimum and maximum throughput (IOPS) or bandwidth (MB/s) limits.

On the Hyper-V cluster, you must associate the virtual machines' virtual hard disks with the policy created on the SOFS. This is achieved using the Set-VMHardDiskDrive cmdlet with the -StorageQosPolicyId or -StorageQosPolicyName parameter. The Set-VMSan cmdlet is unrelated, as it is used for configuring Virtual Fibre Channel SANs, not Storage QoS.

Microsoft Official Documentation: "Storage Quality of Service" in Windows Server. Section: Deployment topologies - Disaggregated deployment. This documentation specifies that policies are created on the SOFS and applied at the Hyper-V layer.

Microsoft Learn (Powershell Reference): New-StorageQosPolicy cmdlet documentation. Description: "Creates a Storage QoS policy on a scale-out file server."

Microsoft Learn (Powershell Reference): Set-VMHardDiskDrive cmdlet documentation. Parameter: -StorageQosPolicyId. "Specifies the ID of the Storage QoS policy to be applied to the virtual hard disk."

Windows Server Academic Courseware (Networking & Storage): Module on Managing Storage QoS in Windows Server. Instructional Note: "In disaggregated scenarios, management is centralized at the storage cluster (SOFS), while the compute nodes (Hyper-V) reference the Policy ID on the VHDX level."

The solution is incomplete and fails to ensure full internal resolution. While configuring conditional forwarders for contoso.local on Server2 and Server3 allows them to resolve names in the parent zone (and follow delegations down to each other), it does not address Server1. Server1 only knows about its own zone (contoso.local) and the internet (via root hints). It has no mechanism to resolve hosts in east.contoso.local or west.contoso.local unless it also has conditional forwarders or specific zone delegations configured to point to Server2 and Server3. Furthermore, the goal requires resolution of all internal namespaces and internet hosts for all servers; this solution leaves Server1 unable to resolve the child subdomains.

A. Yes This is incorrect because it only provides a partial resolution path for Server2 and Server3, leaving Server1 unable to resolve the internal child namespaces (east and west).

Microsoft Official Documentation: "Description of DNS Forwarding and Conditional Forwarding," Windows Server DNS Documentation, Section: Conditional Forwarders.

Microsoft Official Documentation: "Understanding Zone Delegations," DNS Zones and Resolution, Section: Delegating Subdomains.

University of Maryland (CS Department): "DNS Hierarchy and Name Resolution Process," Network Systems Courseware, Module 4: Domain Name System.

RFC 1034: "Domain Names - Concepts and Facilities," Section 4.3.2: Algorithm for Name Resolution.