Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Explanation:

The Administering Windows Server Hybrid Core Infrastructure materials state the placement and provisioning requirements for IP Address Management (IPAM). Specifically:
* "The IPAM server must be installed on a domain member computer . You cannot install the IPAM server feature on a domain controller ."
* "IPAM manages and discovers domain controllers, DHCP servers, and DNS servers in the domain.
Servers in a workgroup are not supported as managed servers."
* "When you choose Group Policy-based provisioning , IPAM creates and links GPOs that configure the required settings on managed DC/DHCP/DNS servers so that IPAM can perform inventory, event collection, and address space management." Applying these rules:
* Server2 is a domain-joined Windows Server Core member with no conflicting roles, satisfying the guidance to avoid installing IPAM on a DC and aligning with the recommendation to place IPAM on a dedicated member server. DC1 is a domain controller (and DNS), so it must not host IPAM. Server1 (DHCP) could host IPAM but best practice is to use a dedicated server. Server3 is in a workgroup, so it cannot host IPAM or be managed by it.
* For GPO-based provisioning and server discovery, the managed servers that must be provisioned are the infrastructure role holders: DC1 (AD DS/DNS) and Server1 (DHCP). These are exactly the servers IPAM discovers and manages via the created GPOs.

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

See the solution of this Task below.
Explanation:
TASK 3
# Objective:
Create a user named Admin 1 in contoso.com.
Admin1 must be able to back up and restore files on SRV1.
Follow the principle of least privilege.
Step-by-Step Guide
# Step 1: Create the User Account
Log in to a Domain Controller (e.g., DC1) with appropriate admin rights.
Open Active Directory Users and Computers (dsa.msc).
In the contoso.com domain:
Right-click the Users container or another OU where you want to create the account.
Select New > User.
Enter the following:
First name: Admin1
User logon name: Admin1
Click Next and set a password (ensure it meets the domain's password policy).
Configure password options (e.g., User must change password at next logon, if required).
Click Finish.
# Step 2: Grant Backup and Restore Rights on SRV1
By default, Backup Operators have the abili ty to back up and restore files (without giving full admin rights).
Log in to SRV1 (the target server).
Open Computer Management (compmgmt.msc).
In the left pane, expand:
System Tools > Local Users and Groups > Groups.
Find and double-click the Backup Oper ators group.
Click Add.
In the Select Users, Computers, Service Accounts, or Groups window:
Type Admin1.
Click Check Names to resolve the user.
Click OK to add Admin1 to the group.
Click OK again to close the Backup Operators group properties.
# Step 3: Verify Access
Log in as Admin1 on SRV1 and test performing backup and restore operations using tools like Windows Server Backup.
Since Backup Operators can back up and restore data but do not have full administrative privileges, this follows the least priv ilege principle.
# Additional Notes
If you prefer using PowerShell, you can add the user to the group like this on SRV1:
Add-LocalGroupMember -Group " Backup Operators " -Member " contoso\Admin1 "

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Explanation:
< Step 1: Install the Remote Access role.
Step 2: Import the AD FS certificate to Server2.
Step 3: Run the Web Application Proxy Configuration Wizard.
In Administering Windows Server Hybrid Core Infrastructure , the Web Application Proxy (WAP) component is documented as a role service of the Remote Access role and is deployed on an edge or perimeter server to publish AD FS and other web apps. The guide states that before configuring WAP, you must install the Remote Access role with the Web Application Proxy role service on the proxy server. It further explains that WAP must establish trust with the existing AD FS farm by using the AD FS service communications certificate: "Import the federation service SSL certificate (with private key) on the proxy server and place it in the local computer's personal store." After the certificate is present, you run the Web Application Proxy Configuration Wizard to "specify the Federation Service name, provide AD FS credentials, and complete the trust and configuration." The materials also clarify that you do not install the AD FS role on the proxy and Microsoft Application Request Routing (ARR) is not required for WAP. The AD FS Configuration Wizard applies to federation servers, not proxies. Therefore, the minimal and correct sequence on Server2 is: Install Remote Access (WAP) # Import the AD FS cert # Run the Web Application Proxy Configuration Wizard, which configures the trust and enables publishing of the AD FS endpoint.

Explanation:
Obtain and install a new certificate.
Copy the certificate thumbprint.
Run Windows Admin Center Setup and select Change.
According to the official study guides for Administering Windows Server Hybrid Core Infrastructure , maintaining the security of the Windows Admin Center (WAC) gateway is a critical administrative task, especially regarding SSL/TLS certificate management. When a certifi cate used by Windows Admin Center expires or needs to be replaced, the process follows a specific sequence to ensure service continuity and secure connectivity.
First, you must obtain and install a new certificate from a trusted Certificate Authority (CA). The certificate must be installed into the local machine ' s certificate store on the server where Windows Admin Center is running. Once installed, you must copy the certificate thumbprint . The thumbprint is a unique hexadecimal string that identifies the s pecific certificate; it is required by the WAC installer to bind the gateway service to the correct cryptographic object.
Finally, you must run Windows Admin Center Setup and select Change . Unlike standard web applications managed through Internet Informat ion Services (IIS), Windows Admin Center uses its own specialized installer logic to handle port bindings and certificate associations. By selecting the " Change " option in the setup wizard (accessible via Add/Remove Programs or the original .msi file), the administrator is prompted to enter the new certificate thumbprint. The installer then updates the HTTPS listener configuration to use the new certificate. Note that " Repair " or " Remove " are incorrect as they do not allow for the reconfiguration of the cer tificate binding, and WAC does not typically use the standard IIS Manager for its core gateway service binding.

Explanation:
< From the Azure portal: Enable IP forwarding for NIC1.
On VM1: Install and configure Routing and Remote Access
In Azure VNets, layer-3 routing between subnets is provided by the platform, but if you want a VM to act as a router (NVA) and forward traffic between subnets, two things are required: the NIC must be allowed to pass traffic not destined to itself, and the guest OS must be configured to perform IP forwarding/routing. The Administering Windows Server Hybrid Core Infrastructure guidance for "Manage and maintain Windows Server IaaS virtual machines" and "Implement on-premises and hybrid networking" explains that Azure requires IP forwarding to be enabled on the NIC for any VM acting as a router or load balancer so that the fabric will deliver transit packets to the VM instead of dropping them. The Windows Server role that provides routing is Routing and Remote Access (RRAS); enabling the LAN routing feature configures the TCP/IP stack to forward packets between interfaces (including forwarding back out the same interface when used with Azure's virtual switch). The same material notes that adding extra NICs is not mandatory for simple transit scenarios, and that user-defined routes can be used when you need to steer traffic through the router; however, to enable the VM itself to route, the minimal administrative steps are: turn on IP forwarding for the NIC in Azure and install/configure RRAS in the guest. This combination allows VM1 to route traffic between Subnet1 and Subnet3 with the least effort.

See the solution of this Task below.
Explanation:
To ensure that all computers in the domain use DNSSEC to resolve names in the adatum.com zone, you'll need to configure both the DNS servers a nd the client computers. Here's how you can do it:
Step 1: Sign the adatum.com Zone First, you need to sign the adatum.com DNS zone. This can be done using the DNS Manager or PowerShell. Here's a PowerShell example:
Add-DnsServerSigningKey -ZoneName " adatu m.com " -CryptoAlgorithm RsaSha256 Set-DnsServerDnsSecZoneSetting -ZoneName " adatum.com " -DenialOfExistence NSEC3 - NSEC3Parameters 1,0,10, " " This will add a signing key and configure DNSSEC for the zone with NSEC3 parameters.
Step 2: Configure DNS Servers E nsure that your DNS servers are configured to support DNSSEC. This includes setting up trust anchors for the zones that you want to validate and configuring the DNS servers to provide DNSSEC validation for DNS queries.
Step 3: Configure DNS Clients For DNS SEC validation to occur on the client side, the client computers must be configured to trust the DNS server's validation process. This typically involves configuring the client's DNS settings to point to a DNS server that supports DNSSEC.
Step 4: Validate Configuration You can validate that DNSSEC is working correctly by using tools like nslookup or dig to query DNS records and check for the presence of DNSSEC signatures in the responses.
Note: The exact steps may vary depending on your environment and the version of Windows Server you are using. Ensure that you have the appropriate administrative rights to make these changes and that you test the configuration in a controlled environment before deploying it domain-wide12.
By following these steps, you shoul d be able to ensure that all computers in your domain use DNSSEC to resolve names in the adatum.com zone.

Explanation:
Disk1: NTFS only
Disk2: NTFS or ReFS only
The Windows Server Hybrid Core Infrastructure objectives specify that disk (volume) quotas-the classic per- user/per-volume quota feature exposed in the volume's properties-are a capability of NTFS. The guidance states that "NTFS supports user and volume quotas that can be configured per volume; ReFS does not implement the legacy NTFS disk-quota mechanism." Therefore, to meet the requirement that Disk1 must support disk-level quotas, the volume must be formatted as NTFS.
For Data Deduplication, the storage module explains that Data Deduplication is a file-system feature available on modern Windows Server versions and that it is "supported on NTFS volumes and on ReFS volumes beginning with Windows Se rver 2019/2022 scenarios." The same materials emphasize that exFAT doesn't support Windows Server features such as quotas or dedup. Consequently, to satisfy the requirement that Disk2 must support Data Deduplication, you can format Disk2 as NTFS or ReFS; both file systems are valid for dedup workloads on current Windows Server releases, while exFAT is not.
Thus:
* Disk1 # NTFS only (to enable disk-level quotas).
* Disk2 # NTFS or ReFS only (to enable Data Deduplication).

Explanation:
Set-VMProcessor VM1 -ExposeVirtualizationExtensions $true
In a Windows Server Hyper-V environme nt, running Hyper-V inside a virtual machine (i.e., installing the Hyper-V role in a guest) requires nested virtualization . The Administering Windows Server Hybrid Core Infrastructure materials explain that before you can add the Hyper-V role in the guest OS, the virtualization extensions of the physical CPU must be exposed to the VM: "To enable a virtual machine to act as a Hyper- V host, configure the VM to expose hardware virtualization extensions to the guest. This is done with the VM processor settings and is a prerequisite to installing the Hyper-V role inside the VM." The guide further clarifies: "Use the PowerShell cmdlet Set-VMProcessor with the -ExposeVirtualizationExtensions parameter to allow the guest to see VT-x/AMD-V so that the Hyper-V role can be installed and started successfully." Other host settings such as Enhanced Session Mode, firmware options, or host resource protection are unrelated to enabling nested virtualization. After exposing the extensions, you can start VM1 and install the H yper-V role (e.g., Install-WindowsFeature Hyper-V -IncludeManagementTools -Restart ). Therefore, the first command you must run on the parent host (Server1) to permit installing Hyper-V within VM1 is:
Set-VMProcessor VM1 -ExposeVirtualizationExtensions $tru e .

Explanation:

The exam materials for Administering Windows Server Hybrid Core Infrastructure explain that when replacing private WAN links with Azure, Azure Virtual WAN (vWAN) can be used to centralize connectivity. For private connectivity, ExpressRoute integrates directly with a vWAN hub by deploying an ExpressRoute gateway in the hub. The gateway is the Azure resource that terminates ExpressRoute and enables hub-and-spoke routing to connected VNets (such as Vnet1 ). The guides emphasize: " In a Virtual WAN hub, use the ExpressRoute gateway to connect ExpressRoute circuits and propagate routes acro ss the hub to your virtual networks ." On-premises, each site (New York and Seattle) requires an ExpressRoute circuit connection provisioned via a connectivity provider. The circuit is the dedicated private connection from the customer edge to Microsoft's edge and is what the office sites actually use; it's then linked to the vWAN hub's ExpressRoute gateway. The same materials note that Site-to-Site VPN is an alternative transport but is not required when ExpressRoute is mandated. Likewise, Application Gateway is a Layer-7 load balancer for HTTP/S traffic, and on-premises data gateway relates to Power BI/Power Platform hybrid connectivity, neither of which establishes network transport between offices and Azure.
Therefore, to meet the requirement "connect both on-premises offices to Vnet1 by using ExpressRoute," configure an ExpressRoute gateway on the vWAN hub and ExpressRoute circuit connections in the offices.