AZ-600 : Configuring and Operating a Hybrid Cloud with Microsoft Azure Stack Hub : Part 03
-
DRAG DROP
You have an Azure Stack Hub integrated system that uses an Azure Active Directory (Azure AD) tenant named contoso.onmicrosoft.com as an identity provider.
You need to ensure that users from an Azure AD tenant named fabrikam.onmicrosoft.com can authenticate to the integrated system.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
-
DRAG DROP
You have an Azure Stack Hub integrated system that uses an Azure Active Directory (Azure AD) identity provider.
You have a group named AppGroup1.
You need to provide an application with the ability to access Azure Stack Hub resources by using AppGroup1.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
-
HOTSPOT
You have an Azure Stack Hub integrated system that uses an Azure Active Directory (Azure AD) tenant named fabrikam.com as an identity provider. The integrated system region name is region1, and the external domain name is fabrikam.com.
The integrated system has the following domains enabled for multitenancy:
– fabrikam.onmicrosoft.com
– contoso.onmicrosoft.com
– fabrikam.com
– contoso.com
You need to disable multitenancy for contoso.com.
How should you complete the PowerShell script? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
HOTSPOT
You have three Azure Stack Hub integrated systems that use the same Azure Active Directory (Azure AD) tenant named contoso.com as their identity provider. The integrated systems are deployed in Chicago, New York, and Seattle. The region name of each integrated system corresponds to the city in which the system is deployed.
When reviewing alerts in the integrated system in Chicago, you receive an alert indicating that the home directory requires an update.
From the Azurestack-tools-master/identity folder, you import the AzureStack.Identity.psm1 module.
How should you complete the command to update the home directory? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
You have an Azure Stack Hub integrated system.
You need to give a new operator access to the privileged endpoint (PEP) as soon as possible.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- Run the New-CloudAdminUser cmdlet.
- Run the New-AzureADUser cmdlet.
- Connect to the PEP.
- Connect to and unlock the PEP.
- Connect to the administrator management endpoint.
-
You have an Azure Stack Hub integrated system.
You are an operator, and you have read access to a user subscription named Fabrikam1.
Users in Fabrikam1 request help creating a custom role-based access control (RBAC) role based on an existing built-in Azure role.
You connect to the Azure subscription, create the respective role definition, and save the role definition as a JSON file.
Which three actions should you perform to create the custom role? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- Request owner access to the user subscription.
- Modify the custom role definition to include the target subscription ID as an AssignableScope, set the IsCustom field to true, and set Id to Null.
- Connect to the administrator management endpoint and run the New-AzureRmRoleDefinition cmdlet.
- Connect to the user management endpoint and run the New-AzureRmRoleDefinition cmdlet.
- Modify the custom role definition to include the target default provider subscription ID as an AssignableScope, set the IsCustom field to true, and set Id to Null.
-
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
A company named Northwind Traders has a main office and a datacenter. All development occurs at the main office.
Existing Environment
Identity Environment
The network contains an Active Directory forest named northwind.com. The forest and an Azure Active Directory (Azure AD) tenant named northwind.onmicrosoft.com are integrated by using Active Directory Federation Services (AD FS).
All Azure subscriptions use the northwind.onmicrosoft.com Azure AD tenant.
Northwind Traders uses an Enterprise Agreement (EA) subscription.
All operators are global administrators in northwind.onmicrosoft.com.
Azure Stack Hub Environment
Northwind Traders has the following five Azure Stack Hub integrated systems:
One integrated system that connects to an internet-facing network and has the following configurations:
– The region name is int1.
– The operators do not have access to the user subscriptions.
– The integrated system is used for customer and partner applications.
– The partners and customers of Northwind Traders use guest user accounts to access various user resources.
Two integrated systems that connect to a private network, are accessed only from inside the company, and have the following configurations:
– The integrated systems are dedicated to research and development.
– One integrated system has a region name of priv1, and the other has a region name of priv2.
– The integrated systems are used for various data rendering, AI workloads, inference, and data visualization.
Two integrated systems that are dedicated to application development and have the following configurations:
– The integrated systems are disconnected from the Internet. The workloads in the user subscriptions have Internet access.
– One integrated system has a region name of dev1, and the other has a region name of dev2.
– Both regions are used only by developers at Northwind Traders.
The external domain name of all the integrated systems is northwind.com. All the integrated systems have Azure App Service and the Azure Kubernetes Service (AKS) engine deployed.
The computer of the operator in each region has all the prerequisite software installed for managing Azure Stack Hub.
Current Problems
You identify the following issues in the current environment:
– The priv2 region recently experienced a catastrophic failure.
– The developers report high chargeback costs for the dev1 region.
– The int1 region runs a high number of Windows virtual machines that use pay-as-you-use images.
– The Northwind Traders partners and customers report that use of the guest user accounts is too complex.
– Users in the priv1 region recently deployed NCas_v4 virtual machines for various AI workloads. The users discover that the virtual machines do not use GPUs.
Requirements
Planned Changes
Northwind Traders plans to implement the following changes:
– Remove all guest user accounts.
– Change the DNS forwarder of the priv1 region.
– Change the billing model and registration name of the int1 region.
– After the catastrophic failure, restore the priv2 region to its original state.
– Provide each partner with its own dedicated user subscription that will use its own dedicated Azure AD tenant.
Technical Requirements
Northwind Traders identifies the following technical requirements:
– Minimize hardware and software costs.
– Standardize all datacenter workloads on Azure Stack Hub.
– In the priv1 region, implement a disaster recovery plan for App Service.
– Whenever possible, implement solutions by using the minimum amount of administrative effort.
– In the dev2 region, update the AKS Base Ubuntu image to the latest version in Azure Stack Hub Marketplace.
– Whenever possible, implement solutions by using built-in tools, features, and services without acquiring additional third-party tools.
– For the users’ virtual machines and the associated resources in the dev1 and dev2 regions, implement a business continuity and disaster recovery plan that includes an automated failback process.
– If changes to the Azure Stack Hub infrastructure cause workload downtime outside of planned maintenance windows, notify all users in the region where the downtime occurred and schedule a maintenance window.
-
You need to recommend a business continuity and disaster recovery plan for the dev1 and dev2 regions that meets the technical requirements.
Which two recommendations should you make? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- Implement the Infrastructure Backup Service
- Use an Azure Marketplace backup tool in each region to protect the virtual machines that run in the other region
- Implement Azure Site Recovery
- Use Infrastructure as Code (IaC) by using Azure Resource Manager templates
-
You need to resolve the performance issue reported by the users in the priv1 region.
What should you do?
- Redeploy the virtual machines to a new Azure Stack Hub node
- Install the NVIDIA drivers on the virtual machines
- Install the AMD drivers on the virtual machines
- Add an additional scale unit node
-
You need to change the DNS forwarder of the priv1 region.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- Run the Register-CustomDnsServer cmdlet
- Run the Add-DnsServerForwarder cmdlet
- Run the Set-AzsDnsForwarder cmdlet
- Connect to the administrator management endpoint of the priv1 region
- Connect to the privileged endpoint (PEP) of the priv1 region
-
The priv2 region is redeployed according to the planned changes.
You need to restore App Service.
Which three components should you restore? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- the App Service roles and services
- the file server share content
- the infrastructure backup
- the worker role virtual machine
- the App Service databases
- the default domain certificate
-
DRAG DROP
You schedule a planned maintenance window.
You need to perform an Azure Stack Hub update in the dev1 region. The solution must meet the technical requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
-
-
Case study
Overview
Litware Inc. is a renewable energy company. Litware has a business partner named Fabrikam, Ltd. that develops custom software for Litware.
Litware has a main office in Boston and a research department in Chicago. Each location has a datacenter. Fabrikam has an office in Boston.
Existing Environment
Network Environment
The Litware offices and the Fabrikam office connect by using a private circuit. Each office connects directly to the Internet.
Identity Environment
The Litware network contains an Active Directory forest named litwareinc.com. The forest and an Azure Active Directory (Azure AD) tenant named litwareinc.com are integrated by using Active Directory Federation Services (AD FS). Litware has an enterprise certification authority (CA).
The Azure subscriptions of Litware are associated with the litwareinc.com Azure AD tenant.
Fabrikam also has an Azure AD tenant.
Azure Stack Hub Environment
Litware has the following two Azure Stack Hub integrated systems:
A fully operational integrated system in Boston that connects to the Internet and has the following configurations:
– Is managed by using an administrator management endpoint of:
https://adminportal.eastus.litwareinc.com
– Has an Azure App Service deployment that has two dedicated, large web workers
– Currently uses version 2005 of Azure Stack Hub and does NOT have any hotfixes installed
A newly delivered integrated system in Chicago that is disconnected from the Internet and will be managed by using an administrator management endpoint of: https://adminportal.northcentralus.litwareinc.com
Datacenter Environment
The Chicago datacenter of Litware contains the infrastructure shown in the following table.
Current Problems
During heavy usage, requests to App Service in Boston fail despite low utilization of the web workers.
Requirements
Planned Changes
Litware plans to implement the following changes:
– Deploy an Event Hubs resource provider to the integrated system in Boston.
– Make Azure Functions available to Azure Stack Hub users in Boston.
– Prepare the integrated system in Chicago to be production-ready.
Technical Requirements
Litware identifies the following technical requirements:
– Implement an infrastructure to support Azure Functions on the integrated system in Boston.
– Provision the certificates required to deploy the Event Hubs resource provider to the integrated system in Boston.
– Configure an identity provider for the integrated system in Chicago.
– Locate the IP address of the privileged endpoint (PEP) of the integrated system in Chicago.
– Ensure that only operators have control over the creation of subscriptions on the integrated system in Chicago.
– Provision a certificate to provide access to the Azure Resource Manager endpoint of the integrated system in Chicago.
– Identify which PowerShell setting on CLIENT1 and CLIENT2 must be modified to register the integrated system in Chicago.
– Implement a management app that will use Azure Resource Manager to inventory the resources of the integrated system in Chicago.
Security and Compliance Requirements
Litware has the following security and compliance requirements:
– All infrastructure software must run the latest version, including hotfixes.
– Litware must have control over certificate revocations.
Business Requirements
Litware wants to ensure that the users at Fabrikam have secure access to the workloads on the integrated system in Boston.
Updates and Hotfixes
The current hotfixes and updates available for Azure Stack Hub are:
– 2005
– 2005 hotfix 1
– 2005 hotfix 2
– 2005 hotfix 3
– 2008
– 2008 hotfix 1
– 2008 hotfix 2
– 2011 (latest version)
-
You need to identify the PEP information for the integrated system in Chicago. The solution must meet the technical requirements.
What should you use?
- the DNS zone of litwareinc.com
- the Get-AzsRegistrationToken cmdlet
- Properties on the Region management blade of the administrator portal
- the DNS zone of northcentralus.litwareinc.com
-
HOTSPOT
You need to implement the App Service infrastructure to address the current issues and support the planned changes for Azure Functions in Boston.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
-
DRAG DROP
You have an Azure Stack Hub integrated system that has syslog forwarding configured.
You need to remove syslog forwarding and the associated certificate.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
-
DRAG DROP
You have an Azure Stack Hub integrated system that is disconnected from the Internet.
You need to collect diagnostic logs, but do not have access to an SMB share.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
-
HOTSPOT
You have an Azure Stack Hub integrated system that has 10 user subscriptions. Each subscription contains approximately 50 virtual machines.
You are planning a backup and restore strategy for the integrated system.
You need to identify which type of backup to use to back up specific resources.
What should you identify for each resource? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
-
You have an Azure Stack Hub integrated system.
You perform infrastructure backups twice daily.
User workloads are protected by using Azure Site Recovery.
The architect of the user workloads is planning a business continuity disaster recovery (BCDR) strategy.
You need to recommend to the architect which resources to include in the BCDR strategy.
Which two resources should you recommend? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- Azure Key Vault secrets
- plans, quotas, and offers
- role-based access control (RBAC) permissions and roles
- user subscriptions
- Azure Resource Manager templates for resources used by Azure Stack Hub virtual machines
- Azure Site Recovery workloads
-
You have an Azure Stack Hub integrated system that was recently moved to a new datacenter and powered on.
You need to verify whether the infrastructure components are fully operational.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- Run the Start-AzureStack cmdlet
- Run the Test-AzureStack cmdlet
- Connect to the privileged endpoint (PEP)
- Connect to the administrator portal
- Run the Get-AzureStackStampInformation cmdlet
-
You and a Microsoft Support Engineer are troubleshooting an Azure Stack Hub integrated system.
The security team at your company requires an audit trail whenever management actions are performed on the integrated system.
You unlock the privileged endpoint (PEP) and perform several troubleshooting tasks that resolve the issue.
Which cmdlet should you run next?
- Invoke-AzureStackOnDemandLog
- Close-PrivilegedEndpoint
- Get-AzureStackLog
- Exit-PSSession
-
DRAG DROP
You have an Azure Stack Hub integrated system.
You need to ensure that you can recover managed and unmanaged disks that are deleted from user subscriptions.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
-
DRAG DROP
You have an Azure Stack Hub integrated system that is disconnected from the Internet.
During an update, an error occurs that prevents you from accessing the administrator portal.
While troubleshooting the issue, a Microsoft Support Engineer requests that you collect and send the relevant logs.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
-
HOTSPOT
You start the update of an Azure Stack Hub integrated system. The Update run details are shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
-
You have an Azure Stack Hub integrated system.
A scale unit node has a hardware failure.
You replace the physical server based on the field replacement unit (FRU) documentation of the OEM hardware vendor.
You need to reintroduce the node to the scale unit.
Which PowerShell cmdlet should you run?
- Enable-AzsScaleUnitNode
- Repair-AzsScaleUnitNode
- Start-AzsScaleUnitNode
- Restart-AzsInfrastructureRole
- Add-AzsScaleUnitNode
-
Which three components are required to configure an Azure Stack Hub infrastructure backup? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
- an SMB file share in the trusted network perimeter
- credentials that have write access to storage
- an Azure Blob storage account
- an encryption certificate
- an SMB file share in Azure
-
HOTSPOT
You have an Azure Stack Hub integrated system that has 10 user subscriptions. Each subscription contains 30 storage accounts. Deleted storage accounts are purged automatically after seven days.
One of the user subscriptions has 10 storage accounts that are no longer used. The storage accounts contain a large amount of data.
You need to delete the unused storage accounts. The solution must increase the amount of available disk space in the integrated system as soon as possible.
Which two actions should you perform in the administrator portal and the user portal? To answer, drag the appropriate actions to the correct portals. Each action may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.