Microsoft AZ-800 - Administering Windows Server Hybrid Core Infrastructure

One possible solution to configure SRV1 as a DNS server that can resolve names from the contoso.com domain by using DC1 and all other names by using the root hint servers is to use conditional forwarding. Conditional forwarding allows a DNS server to forward queries for a specific domain name to another DNS server, while using the normal forwarding or root hint servers for other queries. Here are the steps to configure conditional forwarding on SRV1:

On SRV1, open DNS Manager from the Administrative Tools menu or by typing dnsmgmt.msc in the Run box.

In the left pane, right-click on Conditional Forwarders and select New Conditional Forwarder.

In the New Conditional Forwarder dialog box, enter contoso.com as the DNS Domain name.

In the IP addresses of the master servers box, enter the IP address of DC1, which is the DNS server for the contoso.com domain. You can also click on Resolve to verify the name resolution of DC1.

Optionally, you can check the box Store this conditional forwarder in Active Directory, and replicate it as follows if you want to store and replicate the conditional forwarder in AD DS. You can also select the replication scope from the drop-down list.

Click OK to create the conditional forwarder.

Now, SRV1 will forward any queries for the contoso.com domain to DC1, and use the root hint servers for any other queries. You can test the name resolution by using the nslookup command on SRV1 or another computer that uses SRV1 as its DNS server. For example, you can run the following commands:

nslookup www.contoso.com

nslookup www.microsoft.com

The first command should return the IP address of www.contoso.com from DC1, and the second command should return the IP address of www.microsoft.com from a root hint server.

One possible solution to configure Hyper-V to ensure that running virtual machines can be moved between SRV1 and SRV2 without downtime is to use Live Migration. Live Migration is a feature of Hyper-V that allows you to move a running virtual machine from one host to another without any noticeable interruption of service. To set up Live Migration between SRV1 and SRV2, you need to perform the following steps:

On both SRV1 and SRV2, open Hyper-V Manager from the Administrative Tools menu or by typing virtmgmt.msc in the Run box.

In the left pane, right-click on the name of the server and select Hyper-V Settings.

In the Hyper-V Settings dialog box, select Live Migrations in the navigation pane.

Check the box Enable incoming and outgoing live migrations.

Under Authentication protocol, select the method that you want to use to authenticate the live migration traffic between the servers. You can choose either Kerberos or CredSSP. Kerberos does not require you to sign in to the source server before starting a live migration, but it requires you to configure constrained delegation on the domain controller. CredSSP does not require you to configure constrained delegation, but it requires you to sign in to the source server through a local console session, a Remote Desktop session, or a remote Windows PowerShell session. For more information on how to configure constrained delegation, see Configure constrained delegation.

Under Performance options, select the option that best suits your network configuration and performance requirements. You can choose either TCP/IP or Compression or SMB. TCP/IP uses a single TCP connection for the live migration traffic. Compression uses multiple TCP connections and compresses the live migration traffic to reduce the migration time and network bandwidth usage. SMB uses the Server Message Block (SMB) 3.0 protocol and can leverage SMB features such as SMB Multichannel and SMB Direct. For more information on how to choose the best performance option, see Choose a live migration performance option.

Under Advanced Features, you can optionally enable the Use any available network for live migration option, which allows Hyper-V to use any available network adapter on the source and destination servers for live migration. If you do not enable this option, you need to specify one or more network adapters to be used for live migration by clicking on the Add button and selecting the network adapter from the list. You can also change the order of preference by using the Move Up and Move Down buttons.

Click OK to apply the settings.

Now, you have configured Hyper-V to enable live migration between SRV1 and SRV2. You can use Hyper-V Manager or Windows PowerShell to initiate a live migration of a running virtual machine from one server to another.

One possible solution to ensure that you can manage DC1 by using Windows Admin Center on SRV1 is to install Windows Admin Center on SRV1 and add DC1 as a managed server. Windows Admin Center is a web-based management tool that allows you to manage servers, clusters, Windows PCs, and Azure virtual machines (VMs) from a single interface. Here are the steps to install Windows Admin Center on SRV1 and add DC1 as a managed server:

On SRV1, open a web browser and go to the folder named \dc1.contoso.com\install. Download the Windows Admin Center installer file (WindowsAdminCenter.msi) and save it to a local folder, such as C:\Temp.

Run the Windows Admin Center installer file and follow the installation wizard. You can choose to install Windows Admin Center as a desktop app or as a service. For more information on how to install Windows Admin Center, see Install Windows Admin Center.

After the installation is complete, launch Windows Admin Center from the Start menu or the desktop shortcut. If you installed Windows Admin Center as a service, you can access it from a web browser by using the URL https://localhost:6516 or https:// :6516, where is the name or IP address of SRV1.

On the Windows Admin Center dashboard, click Add to add a new connection. Select Server as the connection type and enter the name or IP address of DC1 in the Server name field. Optionally, you can specify the display name, description, and tags for the connection. Click Submit to add DC1 as a managed server.

On the Windows Admin Center dashboard, you should see DC1 listed under the Servers section. Click on DC1 to open the server overview page. From here, you can manage various aspects of DC1, such as roles and features, certificates, devices, events, files, firewall, processes, registry, services, and more. For more information on how to use Windows Admin Center to manage servers, see Manage servers with Windows Admin Center.

Now, you can manage DC1 by using Windows Admin Center on SRV1. You can also add more servers or other types of connections to Windows Admin Center and manage them from the same interface

Objective:

Configure the DHCP server SRV1 to lease IP addresses only to computers with MAC addresses starting with AABB in a specific range.

Step-by-Step Guide

✅ Step 1: Open DHCP Management Console

Log in to SRV1 with Domain Admin or DHCP Admin privileges.

Open DHCP Manager:

Press Windows + R, type dhcpmgmt.msc, and press Enter.

✅ Step 2: Create a New DHCP Scope

In the DHCP console, expand SRV1.

Right-click IPv4 and select New Scope.

The New Scope Wizard opens.

✅ Step 3: Configure the Scope

Name:

Enter a name (e.g., MAC-Filtered Scope).

Click Next.

IP Address Range:

Start IP: 192.168.1.190

End IP: 192.168.1.200

Subnet mask: as appropriate (e.g., 255.255.255.0).

Click Next.

Add Exclusions:

None needed unless you want to reserve certain addresses.

Click Next.

Lease Duration:

Set as needed, default is usually fine.

Click Next.

Configure DHCP Options:

You can skip or configure as needed (gateway, DNS, etc.).

Click Next.

Activate Scope:

Click Yes to activate it.

✅ Step 4: Configure MAC Address Filtering (Allow List)

In the DHCP console, expand the scope you created.

Right-click Filters under the scope and choose New Filter.

Enter the MAC address pattern to match devices with MAC addresses starting with AABB:

MAC Address: AABB*

Description: e.g., Allow devices starting with AABB.

Click Add.

✅ Step 5: Enable Allow Filters

Right-click Filters under the scope and select Enable.

Ensure that only devices matching the AABB pattern will receive leases.

✅ Step 6: Test and Verify

Use a test client with a MAC address starting with AABB to ensure it receives an IP address in the 192.168.1.190–192.168.1.200 range.

Use ipconfig /renew on the client, or check the DHCP leases in the Address Leases section.

To configure the domain to support the creation of gMSAs, you need to perform the following steps:

On a domain controller or a computer that has the Remote Server Administration Tools (RSAT) installed, open PowerShell as an administrator and run the following command to install the Active Directory module:

Install-WindowsFeature -Name RSAT-AD-PowerShell

Run the following command to create a Key Distribution Service (KDS) root key, which is required for generating passwords for gMSAs. You only need to do this once per domain:

Add-KdsRootKey -EffectiveImmediately

Wait for at least 10 hours for the KDS root key to replicate to all domain controllers in the domain. Alternatively, you can use the -EffectiveTime parameter to specify a past date and time for the KDS root key, but this is not recommended for security reasons. For more information, see Add-KdsRootKey.

After the KDS root key is replicated, you can create and configure gMSAs using the New-ADServiceAccount and Set-ADServiceAccount cmdlets. For more information, see Create a gMSA and Configure a gMSA.

Step-by-Step Guide: Seizing/Transferring the Schema Master Role to DC2

✅ Step 1: Log in to DC2

Use an account that is a member of the Schema Admins, Enterprise Admins, and Domain Admins groups.

✅ Step 2: Register the Schema Snap-in

The Schema snap-in is not loaded by default.

Open Command Prompt as Administrator.

Type the following command to register the schema management DLL:

powershell

Copy

regsvr32 schmmgmt.dll

✅ Step 3: Open MMC (Microsoft Management Console)

Press Windows + R, type mmc, and hit Enter.

In MMC, go to File > Add/Remove Snap-in.

Select Active Directory Schema, then click Add > OK.

✅ Step 4: Connect to DC2

In the Active Directory Schema console, right-click Active Directory Schema and select Change Active Directory Domain Controller.

In the dialog box, select DC2 and click OK.

This will connect the console to DC2.

✅ Step 5: Transfer the Schema Master Role

Right-click Active Directory Schema again and select Operations Master.

In the Change Schema Master dialog box, confirm that DC2 is shown as the target.

Click the Change button to transfer the Schema Master role to DC2.

Click Yes when prompted to confirm the transfer.

✅ Step 6: Verify the Transfer

In the same dialog box, ensure that DC2 is now listed as the Schema Master.

Optionally, run the following command in PowerShell to verify:

netdom query fsmo

The Schema Master should now be DC2.

TASK 6

👉 Objective:

Enable nested virtualization for a VM (VM1) on SRV1.

Step-by-Step Guide: Enable Nested Virtualization

✅ Step 1: Verify Requirements

Nested virtualization requires:

SRV1 to have a processor that supports Intel VT-x or AMD-V.

Hyper-V role installed on SRV1.

VM1 must be turned off.

✅ Step 2: Open PowerShell on SRV1

Log in to SRV1 with an account that has administrative privileges.

Open PowerShell as Administrator.

✅ Step 3: Enable Nested Virtualization

Run the following command:

Set-VMProcessor -VMName "VM1" -ExposeVirtualizationExtensions $true

✅ Step 4: Verify Nested Virtualization

To confirm the change, run:

Get-VMProcessor -VMName "VM1" | Format-List ExposeVirtualizationExtensions

✅ The output should show:

ExposeVirtualizationExtensions : True

✅ Step 5: Configure Network Adapter (Optional for Nested VMs)

Nested virtualization requires MAC address spoofing for the VM network adapter.

Run:

Set-VMNetworkAdapter -VMName "VM1" -MacAddressSpoofing On

✅ Step 6: Start the VM

Use PowerShell:

Start-VM -Name "VM1"

Or start the VM in Hyper-V Manager.

Additional Notes

Nested virtualization allows you to run Hyper-V within a VM.

Useful for lab/test environments (e.g., running nested Hyper-V hosts in a VM).

To create a GPO named GPO1 that only applies to a group named MemberServers, you can follow these steps:

On a domain controller or a computer that has the Remote Server Administration Tools (RSAT) installed, open Group Policy Management from the Administrative Tools menu or by typing gpmc.msc in the Run box.

In the left pane, expand your domain and right-click on Group Policy Objects. Select New to create a new GPO.

In the New GPO dialog box, enter GPO1 as the Name of the new GPO and click OK. You can also optionally select a source GPO to copy the settings from.

Right-click on the new GPO and select Edit to open the Group Policy Management Editor. Here, you can configure the settings that you want to apply to the group under the Computer Configuration and User Configuration nodes. For more information on how to edit a GPO, see Edit a Group Policy Object.

Close the Group Policy Management Editor and return to the Group Policy Management console. Right-click on the new GPO and select Scope. Here, you can specify the scope of management for the GPO, such as the links, security filtering, and WMI filtering.

Under the Security Filtering section, click on Authenticated Users and then click on Remove. This will remove the default permission granted to all authenticated users and computers to apply the GPO.

Click on Add and then type the name of the group that you want to apply the GPO to, such as MemberServers. Click OK to add the group to the security filter. You can also click on Advanced to browse the list of groups available in the domain.

Optionally, you can also configure the WMI Filtering section to further filter the GPO based on the Windows Management Instrumentation (WMI) queries. For more information on how to use WMI filtering, see Filter the scope of a GPO by using WMI filters.

To link the GPO to an organizational unit (OU) or a domain, right-click on the OU or the domain in the left pane and select Link an Existing GPO. Select the GPO that you created, such as GPO1, and click OK. You can also change the order of preference by using the Move Up and Move Down buttons.

Wait for the changes to replicate to other domain controllers. You can also force the update of the GPO by using the gpupdate /force command on the domain controller or the client computers. For more information on how to update a GPO, see Update a Group Policy Object.

Now, you have created a GPO named GPO1 that only applies to a group named MemberServers. You can verify the GPO application by using the gpresult /r command on a member server and checking the Applied Group Policy Objects entry. You can also use the Group Policy Results wizard in the Group Policy Management console to generate a report of the GPO application for a specific computer or user. For more information on how to use the Group Policy Results wizard, see Use the Group Policy Results Wizard.

To ensure that all computers in the domain use DNSSEC to resolve names in the adatum.com zone, you’ll need to configure both the DNS servers and the client computers. Here’s how you can do it:

Step 1: Sign the adatum.com Zone First, you need to sign the adatum.com DNS zone. This can be done using the DNS Manager or PowerShell. Here’s a PowerShell example:

Add-DnsServerSigningKey -ZoneName "adatum.com" -CryptoAlgorithm RsaSha256

Set-DnsServerDnsSecZoneSetting -ZoneName "adatum.com" -DenialOfExistence NSEC3 -NSEC3Parameters 1,0,10,""

This will add a signing key and configure DNSSEC for the zone with NSEC3 parameters.

Step 2: Configure DNS Servers Ensure that your DNS servers are configured to support DNSSEC. This includes setting up trust anchors for the zones that you want to validate and configuring the DNS servers to provide DNSSEC validation for DNS queries.

Step 3: Configure DNS Clients For DNSSEC validation to occur on the client side, the client computers must be configured to trust the DNS server’s validation process. This typically involves configuring the client’s DNS settings to point to a DNS server that supports DNSSEC.

Step 4: Validate Configuration You can validate that DNSSEC is working correctly by using tools like nslookup or dig to query DNS records and check for the presence of DNSSEC signatures in the responses.

Note: The exact steps may vary depending on your environment and the version of Windows Server you are using. Ensure that you have the appropriate administrative rights to make these changes and that you test the configuration in a controlled environment before deploying it domain-wide12.

By following these steps, you should be able to ensure that all computers in your domain use DNSSEC to resolve names in the adatum.com zone.

Objective:

Create a read-only copy of the DNS zone contoso.com on SRV2.

Step-by-Step Guide: Using a Secondary Zone

✅ Step 1: Log in to SRV2

Log in to SRV2 (where you want to host the secondary zone) using an account with local administrative privileges.

✅ Step 2: Open DNS Manager

Press Windows + R, type dnsmgmt.msc, and press Enter.

✅ Step 3: Create a Secondary Zone

In the DNS Manager, expand the server node for SRV2.

Right-click Forward Lookup Zones and select New Zone.

The New Zone Wizard opens.

✅ Step 4: Configure the Secondary Zone

Zone Type:

Select Secondary zone and click Next.

Zone Name:

Type contoso.com and click Next.

Master DNS Servers:

Enter the IP address of the master DNS server that hosts the primary zone (e.g., SRV1’s IP).

Click Next.

Finish:

Review the settings and click Finish.

✅ Step 5: Allow Zone Transfers on the Primary Server

On SRV1 (or the DNS server hosting the primary zone):

Open DNS Manager.

Right-click the contoso.com zone and select Properties.

Go to the Zone Transfers tab.

Check Allow zone transfers.

Specify SRV2’s IP address (or allow to any server if needed).

✅ Step 6: Verify Zone Replication

On SRV2, refresh the Forward Lookup Zones in DNS Manager.

The contoso.com zone should now appear as a Secondary zone.

Check the Zone Transfer status to ensure it successfully replicated.