AZ-800 Question #71: Real Exam Question with Answer & Explanation

Question

You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant. The on-premises network is connected to Azure by using a Site-to-Site VPN. You have the DNS zones shown in the following table. You need to ensure that names from fabrikam.com can be resolved from the on-premises network. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Options

• ACreate a conditional forwarder for fabrikam.com on DC1.
• BCreate a stub zone for fabrikam.comonDC1.
• CCreate a secondary zone for fabrikam.com on DC1.
• DDeploy an Azure virtual machine that runs Windows Server.
• EDeploy an Azure virtual machine the runs Windows Server.

Explanation

{"question_number": 1, "question_summary": "Resolve fabrikam.com names from on-premises network with Site-to-Site VPN to Azure", "correct_answer": "A, E", "explanation": "Two steps are needed to resolve Azure-hosted DNS names from on-premises. First (E), deploy an Azure VM running Windows Server to act as a DNS server inside the Azure VNet - this VM can resolve fabrikam.com because it is within the Azure network where that private DNS zone is accessible. Second (A), create a conditional forwarder on DC1 (the on-premises DNS server) pointing fabrikam.com queries to that Azure DNS VM's private IP. When an on-premises client queries fabrikam.com, DC1 forwards the request over the Site-to-Site VPN to the Azure DNS VM, which returns the correct answer. A stub zone (B) only stores NS records and cannot resolve names without a forwarder. A secondary zone (C) requires zone transfer from a primary, which is complex and unnecessary here. Option D is a duplicate of E (same text, minor typo difference) and is not the intended answer.", "generated_by": "claude-sonnet", "llm_judge_score": 4}

No community discussion yet for this question.