| Question.31 You have an Azure subscription that contains a resource group named RG26. RG26 is set to the West Europe location and is used to create temporary resources for a project. RG26 contains the resources shown in the following table.  SQLDB01 is backed up to RGV1. When the project is complete, you attempt to delete RG26 from the Azure portal. The deletion fails. You need to delete RG26. What should you do first? (A) Delete VM1 (B) Stop VM1 (C) Stop the backup of SQLDB01 (D) Delete sa001 |
31. Click here to View Answer
Answer is (C) Stop the backup of SQLDB01
When you delete a resource group, all resources in the resource group are also deleted but the Resource group has recovery service vault with active backup. You can’t delete recovery service vault with dependencies. So, First you have to stop the backup. Then you have to delete the backup in recovery service vault , but backup goes into soft deleted status. The soft deleted items will be permanently deleted only after 14 days of delete operation Only after permanent deletion, you can delete the recovery service vault or resource group RG26.
Here are the other possible dependencies for recovery service vault before it can be deleted., which could be used to twist the question.
• You can’t delete a vault that contains protected data sources (for example, IaaS VMs, SQL databases, Azure file shares).
• You can’t delete a vault that contains backup data. Once backup data is deleted, it will go into the soft deleted state.
• You can’t delete a vault that contains backup data in the soft deleted state.
• You can’t delete a vault that has registered storage accounts.
Reference:
https://docs.microsoft.com/en-us/azure/backup/backup-azure-delete-vault
| Question.32 You have an Azure Active Directory (Azure AD) tenant named contosocloud.onmicrosoft.com. Your company has a public DNS zone for contoso.com. You add contoso.com as a custom domain name to Azure AD. You need to ensure that Azure can verify the domain name. Which type of DNS record should you create? (A) MX (B) NSEC (C) PTR (D) RRSIG |
32. Click here to View Answer
Answer is (A) MX
To verify your custom domain name (example)
1. Sign in to the Azure portal using a Global administrator account for the directory.
2. Select Azure Active Directory, and then select Custom domain names.
3. On the Fabrikam – Custom domain names page, select the custom domain name, Contoso.
4. On the Contoso page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD. Use either the TXT or the MX record type.
Note:
There are several versions of this question in the exam. The question can have two correct answer:
1. MX
2. TXT
The question can also have other incorrect answer options, including the following:
1. SRV
2. NSEC3
Reference:
https://docs.microsoft.com/en-us/azure/dns/dns-web-sites-custom-domain
| Question.33 You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e. You need to create a custom RBAC role named CR1 that meets the following requirements: -Can be assigned only to the resource groups in Subscription1 -Prevents the management of the access permissions for the resource groups -Allows the viewing, creating, modifying, and deleting of resources within the resource groups What should you specify in the assignable scopes and the permission elements of the definition of CR1?  |
33. Click here to View Answer
First part is “/Subscription/subcription_id”.
There is nothing called “resourceGroups” only or “resourceGroups/*”. You can specify either a subscription, specific resource group, management group or specific resource. for example it should “/subcription/subcription_id/resourceGroups/resource_group_name”
Second is Microsoft.Authorization/*
Reference:
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/role-based-access-control/role-definitions.md#role-definition-structure
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources
| Question.34 You have an app named App1 that runs on an Azure web app named webapp1. The developers at your company upload an update of App1 to a Git repository named Git1. Webapp1 has the deployment slots shown in the following table.  You need to ensure that the App1 update is tested before the update is made available to users. Which two actions should you perform? Each correct answer presents part of the solution. (A) Swap the slots (B) Deploy the App1 update to webapp1-test, and then test the update (C) Stop webapp1-prod (D) Deploy the App1 update to webapp1-prod, and then test the update (E) Stop webapp1-test |
34. Click here to View Answer
Answer are (A) & (D)
Swap the slots
Deploy the App1 update to webapp1-prod, and then test the update
Reference:
https://docs.microsoft.com/en-us/azure/app-service/deploy-staging-slots
| Question.35 You have Azure virtual machines that run Windows Server 2019 and are configured as shown in the following table.  You create a private Azure DNS zone named adatum.com. You configure the adatum.com zone to allow auto registration from VNET1. Which A records will be added to the adatum.com zone for each virtual machine?  |
35. Click here to View Answer
Box 1: Private IP addresses only.
Box 2: Private IP addresses only.
The virtual machines are registered (added) to the private zone as A records pointing to their private IP addresses.
Since both VM1 & VM2 are in same Vnet1 and the Vnet1 is liked under adatum.com domain (Private DNS Zone->Setting->virtual network links).
Reference:
https://docs.microsoft.com/en-us/azure/dns/private-dns-overview https://docs.microsoft.com/en-us/azure/dns/private-dns-scenarios
| Question.36 You have the Azure virtual networks shown in the following table.  To which virtual networks can you establish a peering connection from VNet1? (A) VNet2 andVNet3 only (B) VNet2 only (C) VNet3 and VNet4 only (D) VNet2, VNet3, and VNet4 |
36. Click here to View Answer
Answer is (C) VNet3 and VNet4 only
VNet1 10.11.0.0/16 = 10.11.0.1 – 10.11.255.255 (overlap VNet2)
VNet2 10.11.0.0/17 = 10.11.0.1 – 10.11.127.254 (overlap VNet1)
VNet3 10.10.0.0/22 = 10.10.0.1 – 10.10.3.254 (no overlap)
VNet4 192.168.16.0/22 = 192.168.16.1 – 192.168.19.254 (no overlap)
Possible peerings are:
VNet1 -> Vnet3
VNet1 -> Vnet4
If a virtual network has address ranges that overlap with another virtual network or on-premises network, the two networks can’t be connected.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/tutorial-connect-virtual-networks-portal