
Microsoft AZ-720 Practice Test - Questions Answers, Page 2


HOTSPOT

You need to troubleshoot and resolve the reverse VPN connectivity issues.

What should you do? To answer, select the appropriate option in the answer area.

NOTE: Each correct selection is worth one point.


Question 11
Correct answer: Question 11

Explanation:

BOX1: Review the output of the route print command on the client computer.

A Windows VPN connection is a point-to-site connection that allows a client computer to connect to an Azure virtual network gateway using IKEv2 or SSTP protocols [1]. To troubleshoot Windows VPN connectivity issues, you need to check the configuration and status of the VPN client on the client computer.

One of the common problems that can cause Windows VPN connectivity issues is incorrect routing configuration on the client computer [1]. The client computer needs to have a route that directs the traffic destined for the target subnet in Azure to the VPN interface. If the route is missing or incorrect, the traffic will not reach the Azure virtual network gateway. To check the routing configuration on the client computer, you can use the route print command in a command prompt window. This command displays the routing table of the client computer, which shows the destination network, the gateway address, and the interface for each route [2]. You can compare the output of this command with the expected routes for your VPN connection. For example, if your target subnet in Azure is 10.0.0.0/24 and your VPN interface has an IP address of 172.16.0.1, you should see a route like this in the output of route print:

Destination Network | Gateway Address | Interface
10.0.0.0/24 | On-link | 172.16.0.1

This route means that any traffic destined for 10.0.0.0/24 will be sent directly to the VPN interface (On-link) with an IP address of 172.16.0.1. If you do not see this route or see a different gateway address or interface, you need to correct the routing configuration on the client computer. You can use the route add command to add a new route or use the route change command to modify an existing route [2].
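
Added example (not part of the original explanation): a Python sketch of the routing check described above. It parses the IPv4 "Active Routes" table from route print output and picks the route a destination would use (most specific prefix, then lowest metric). The sample output is constructed, the 192.168.1.x addresses are assumptions, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of the IPv4 section of `route print` output, using the
# addresses from the explanation above (not captured from a real machine).
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
         10.0.0.0    255.255.255.0         On-link        172.16.0.1     26
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
===========================================================================
Persistent Routes:
  None
"""


def parse_active_routes(text):
    """Return (network, gateway, interface, metric) tuples from Active Routes."""
    routes, in_table = [], False
    for line in text.splitlines():
        if line.strip().startswith("Active Routes:"):
            in_table = True
        elif in_table and line.startswith("="):
            break  # end of the Active Routes table
        elif in_table:
            fields = line.split()
            if len(fields) == 5 and fields[4].isdigit():  # skips header row
                dest, mask, gateway, iface, metric = fields
                net = ipaddress.ip_network(f"{dest}/{mask}")
                routes.append((net, gateway, iface, int(metric)))
    return routes


def select_route(routes, destination):
    """Choose the most specific matching route, then the lowest metric."""
    addr = ipaddress.ip_address(destination)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def check_vpn_route(text, target_subnet, vpn_interface_ip):
    """Return (ok, route); ok is True when the subnet leaves via the VPN interface."""
    probe = next(ipaddress.ip_network(target_subnet).hosts())
    route = select_route(parse_active_routes(text), str(probe))
    ok = route is not None and route[2] == vpn_interface_ip
    return ok, route


if __name__ == "__main__":
    print(check_vpn_route(SAMPLE_ROUTE_PRINT, "10.0.0.0/24", "172.16.0.1"))
```

When the 10.0.0.0 entry is absent, the same lookup falls through to the default route on the local adapter, which is the failure case the explanation describes.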


BOX 2: Download the VPN client package and install it on the client computer

A Windows VPN connection is a point-to-site connection that allows a client computer to connect to an Azure virtual network gateway using IKEv2 or SSTP protocols [1]. To establish a Windows VPN connection, you need to install a VPN client package on the client computer that contains the configuration files and certificates required for the connection [1].

One of the common problems that can cause Windows VPN connectivity issues is a missing or outdated VPN client package on the client computer [1]. The VPN client package may be missing if it was not installed properly or was deleted accidentally. The VPN client package may be outdated if the Azure virtual network gateway configuration has changed since the package was downloaded. To resolve this problem, you need to download the latest VPN client package from the Azure portal and install it on the client computer [1]. To download the VPN client package, follow these steps:

Go to the Azure portal and select your virtual network gateway.

On the Overview page, click Point-to-site configuration.

On the Point-to-site configuration page, click Download VPN client.

Select the appropriate version of Windows for your client computer and click Download.

Extract the contents of the downloaded ZIP file to a folder on your client computer.

Run the executable file in the folder to install the VPN client package.

HOTSPOT

You need to troubleshoot the issues with the SharePoint workload in VNet2.

What should you do? To answer, select the appropriate option in the answer area.

NOTE: Each correct selection is worth one point.


Question 12
Correct answer: Question 12

Explanation:

Box 1 = Use IP flow verify.

IP flow verify is a feature of Azure Network Watcher that checks if a packet is allowed or denied to or from a virtual machine. It can help diagnose connectivity issues caused by network security groups, user-defined routes, or Azure Virtual Network Manager rules [1]. IP flow verify can also return the name of the rule that denied the packet, which can be useful for troubleshooting [2].

Connection troubleshoot is another feature of Azure Network Watcher that helps reduce the time to diagnose and resolve network connectivity issues. However, it can only test TCP or ICMP connections from certain Azure resources, such as virtual machines, Azure Bastion instances, or application gateways [3]. Connection troubleshoot can also detect issues such as high VM CPU utilization, DNS resolution failures, or inability to open a socket at the specified source port [3].

In this scenario, you need to collect the required logs for the SharePoint workload in VNet2. Since you are not testing a specific TCP or ICMP connection, but rather checking if packets are allowed or denied by any network configuration, IP flow verify is more suitable than connection troubleshoot. You can use IP flow verify to check the direction, protocol, local IP, remote IP, local port, and remote port of the packets and see which rule is blocking them [1][2]. To use IP flow verify, you need to enable a network watcher in the same region as the virtual machines you want to troubleshoot. Then you can use the Azure portal, PowerShell, or Azure CLI to run IP flow verify and get the results [2][4].


Box 2 = Use Traffic analytics

To troubleshoot issues related to the SharePoint workload in VNet2, we can use Traffic Analytics. It is a network monitoring solution that uses Network Watcher to analyze and report on traffic flows in your Azure virtual network. With Traffic Analytics, you can see information about the traffic flow patterns and security concerns detected across Azure subscriptions using network security group (NSG) flow logs.

IP Flow Verify is used to verify if packets are flowing as expected between two endpoints within an Azure virtual network or between a public IP address and an endpoint inside an Azure virtual network. But it doesn't provide visibility into overall traffic patterns or identify potential security threats. Connection Troubleshoot can be used when you have connectivity problems while interacting with a specific instance of a resource type being served out from Microsoft datacenters over the Internet, but it may not apply when troubleshooting SharePoint workload issues that do not necessarily correspond to Internet routing or connectivity problems.

HOTSPOT

You need to troubleshoot and resolve the public DNS lookup issues.

What should you do? To answer, select the appropriate option in the answer area.

NOTE: Each correct selection is worth one point.


Question 13
Correct answer: Question 13

Explanation:

BOX 1: Run the command: nslookup -type=a www.contoso.com 8.8.8.8

nslookup is a command-line tool that queries DNS servers for information about domain names and IP addresses. It can be used to troubleshoot DNS issues and verify DNS configurations [1]. The -type option specifies the type of DNS record to query. The -type=a option queries for A records, which map domain names to IPv4 addresses [1]. The www.contoso.com argument specifies the domain name to query. The 8.8.8.8 argument specifies the DNS server to use for the query, which is a public DNS server provided by Google [2]. By running this command, you can verify if the Azure Public DNS zone is configured according to the requirements by checking if the A record for www.contoso.com matches the expected IPv4 address. If the A record is missing or incorrect, you can use the Azure portal, PowerShell, or Azure CLI to create or update it in your DNS zone [3].

BOX 2: Create NS records

NS (Name Server) records are used to delegate a domain or subdomain name to a set of authoritative DNS servers, which can provide information about that domain. In this scenario, there appears to be an issue with resolving the domain in question via public DNS lookup, since it is only resolving locally on one server and not across all networks. By creating NS records for the domain, authoritative name servers will be identified and designated as responsible for providing accurate information about the specific zone. This will ensure your domain is properly distributed across different network zones and help users globally reach your website without any delays or connectivity problems.

Alternatively, an SRV (Service locator) record is used when you have multiple servers offering similar services, such as email or SIP, but want to use a weighting system indicating greater trustworthiness or proximity of datacenters within the provider's DNS infrastructure. An SOA (Start of Authority) record indicates who is in control of the DNS zone and provides other related information, such as the serial number and default TTL values. Therefore, option A. Create NS records would be the best solution for resolving public DNS lookup issues in this scenario.

Reference:

- "NS record," Microsoft Docs, accessed March 27, 2023. [Online]. Available: https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/create-a-dns-record-fordomain-access#ns-record
- "SRV record," Cloudflare Help Center, accessed March 27, 2023. [Online]. Available: https://support.cloudflare.com/hc/en-us/articles/216672888-SRV-Record-Setup
- "SOA record," DigitalOcean Product Documentation, accessed March 27, 2023. [Online]. Available: https://www.digitalocean.com/community/tutorials/how-to-manage-dns-using-the-digitaloceancontrol-panel#start-of-authority-record

You need to resolve the issue with Admin1.

What should you do?

A. Configure Azure AD Connect filtering to include the Admins organizational unit.
B. Reset the Azure AD Connect service account password in AD DS.
C. Enable security inheritance in Active Directory Domain Services (AD DS).
D. Start a full import in Azure AD Connect.

Suggested answer: C

Explanation:

The error 8344 insufficient access rights to perform the operation indicates that the Azure AD Connect service account does not have the required permissions to synchronize the Admin1 account.

This could be because the Admin1 account is in an organizational unit (OU) that has security inheritance disabled, which prevents the service account from inheriting the necessary permissions from the parent OU. To resolve this issue, you should enable security inheritance in AD DS for the OU that contains the Admin1 account. This will allow the service account to synchronize the Admin1 account to Azure AD. Alternatively, you could also grant the service account explicit permissions on the Admin1 account, but this would be more tedious and less scalable than enabling security inheritance.

HOTSPOT

You need to resolve the connectivity issues for VM1 to Contoso Suites.

What parameters should you configure for each peering connection? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 15
Correct answer: Question 15

Explanation:

Connection: VNet1-VNet4 Parameters are: AllowGatewayTransit: Enabled

Connection: VNet4-VNet1 Parameters are: UseRemoteGateways: Enabled

To resolve the connectivity issues for VM1 to Contoso Suites, you need to configure the peering connections between VNet1 and VNet4 correctly. The peering connection from VNet1 to VNet4 should have the AllowGatewayTransit parameter enabled, which allows VNet1 to use the virtual network gateway in VNet4 as a transit point for traffic. The peering connection from VNet4 to VNet1 should have the UseRemoteGateways parameter enabled, which allows VNet4 to use the remote gateway in VNet1 for traffic destined to Contoso Suites. The IP Allocation parameter should be set to Dynamic for both peering connections, which allows Azure to assign IP addresses from the address space of the peered virtual network. The ServiceEndpoint parameter should be set to None for both peering connections, as there is no need to enable service endpoints for this scenario.

You need to troubleshoot the issue reported by Blue Yonder Airlines.

Which diagnostic log should you review?

A. RouteDiagnosticLog
B. GatewayDiagnosticLog
C. TunnelDiagnosticLog
D. IKEDiagnosticLog

Suggested answer: D

Explanation:

To troubleshoot the issue reported by Blue Yonder Airlines, you need to review the IKEDiagnosticLog, which contains information about the Internet Key Exchange (IKE) protocol that is used to establish IPsec VPN connections. The IKEDiagnosticLog can help you identify the cause of the VPN disconnections and IPsec failure-to-connect errors, such as mismatched authentication parameters, incorrect pre-shared keys, or network connectivity issues. You can enable and download the IKEDiagnosticLog from the Azure portal or by using PowerShell commands.

HOTSPOT

You need to troubleshoot the issues related to VM3.

How should you complete the web link? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.


Question 17
Correct answer: Question 17

You need to troubleshoot the issue with SRV2.

Which PowerShell cmdlet should you run?

A. Confirm-MsolDomain
B. Get-MsolDomainFederationSettings
C. Get-MsolDomainVerificationDns
D. Get-MsolServicePrincipalCredential
E. Get-Mousers

Suggested answer: D

Explanation:

To troubleshoot the issue with SRV2, you need to run the Get-MsolServicePrincipalCredential PowerShell cmdlet, which returns the credentials that are associated with a service principal in Azure AD. The service principal is an identity that represents an application or a service that interacts with Azure AD. In this case, the service principal is used by the NPS extension for Azure AD MFA to communicate with Azure AD and perform MFA requests. The credentials of the service principal include a certificate and a key that are used to authenticate the service principal to Azure AD. If the credentials are expired or invalid, the MFA requests will fail with a security token error. To resolve this issue, you need to renew the credentials of the service principal by using the New-MsolServicePrincipalCredential cmdlet.

You need to resolve the issue with VM10.

What should you do?

A. In the NSG10 inbound security rule that has a priority of 100, change the destination to ASG10.
B. In NSG10, remove the inbound security rule that has a priority of 100.
C. In the NSG10 inbound security rule that has a priority of 100, change the protocol to Any.
D. Add an outbound security rule to NSG1 that allows outbound traffic from ASG1 to ASG10. Configure the rule to use a priority of 100.

Suggested answer: B

Explanation:

To resolve the issue with VM10, you need to remove the inbound security rule that has a priority of 100 in NSG10, which is blocking ICMP traffic from ASG1 to ASG10. The rule has a source of Any, a destination of VirtualNetwork, a protocol of ICMP, and an action of Deny. This means that any ICMP traffic from outside the VNet4 address space will be denied by NSG10, which is attached to subnet4.

This prevents VM1 from pinging VM10 by using ICMP, as VM1 is in VNet1 and not in VNet4. By removing this rule, you can allow ICMP traffic from ASG1 to ASG10, as there is no other rule in NSG10 that explicitly denies it. Alternatively, you could also modify the rule to change the source to VirtualNetwork or the action to Allow, but removing the rule is simpler and more effective.

HOTSPOT

You need to troubleshoot issues that scheduling agents report accessing Alpine Ski House resources.

Which tool and port should you test? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.


Question 20
Correct answer: Question 20

Explanation:

Tool: B. psping

Port: B. 443

To troubleshoot the issues that scheduling agents report accessing Alpine Ski House resources, you need to test the network latency by using the psping tool and the port 443. The psping tool is a command-line utility that can measure network performance and connectivity by sending TCP or UDP packets to a target host and reporting the round-trip time (RTT) and other statistics. The port 443 is the default port for HTTPS, which is the protocol used by Alpine Ski House to secure their web traffic. By using the psping tool with the port 443, you can test the latency of the HTTPS connection from VM3 to Alpine Ski House and compare it with the expected latency. If the latency is higher than expected, it could indicate a network issue that affects the performance of accessing Alpine Ski House resources.

Total 119 questions