Correct Answer: B

Explanation: Windows Server 2025 represents a major philosophical shift to a "secure-by-default" model. A key example is that Credential Guard, which mitigates Pass-the-Hash attacks, is enabled by default on hardware that supports Virtualization-Based Security (VBS). In contrast, on Windows Server 2019, Credential Guard was an optional feature that an administrator had to manually enable post-installation.

Correct Answer: C

Explanation: SMB over QUIC, a feature for providing secure, encrypted file access over the internet without a VPN, was previously an exclusive feature of the niche Windows Server 2022 Datacenter: Azure Edition. Microsoft has "democratized" this feature in Windows Server 2025, making it available in the mainstream Standard and Datacenter editions, which is a major enhancement for hybrid and remote work scenarios.

Correct Answer: B

Explanation: The new Windows Server 2025 functional levels enable a monumental change: optional support for a 32k database page size for `ntds.dit`. This is a huge increase from the 8k page size that has been a hard-coded limitation since Windows 2000. This new page size allows for much larger objects and significantly more values in multi-valued attributes (like a user's `memberOf` list), addressing key scalability challenges in very large enterprises.

Correct Answer: C

Explanation: Hotpatching, now available for on-premises Server 2025 via Azure Arc, follows a quarterly cycle. A reboot-required cumulative update (a "baseline") is installed once per quarter. For the next two months, security updates are delivered as reboot-less hotpatches. This model changes the operational cadence from a potential reboot every month to a planned reboot only four times a year, significantly improving uptime for critical systems.

Correct Answer: C

Explanation: The SMB authentication rate limiter is a new security feature in Server 2025 designed to combat brute-force attacks. By default, it introduces a two-second delay between each failed NTLM authentication attempt. This small delay is unnoticeable to a legitimate user who mistypes a password, but it dramatically slows down automated tools that attempt thousands of passwords per second, making such attacks impractical and ineffective against a Server 2025 machine.

Correct Answer: B

Explanation: Windows LAPS in Server 2025 introduces **Passphrase Generation**, which creates easier-to-read and type passwords (e.g., `EatYummyCaramelCandy`) for better usability. It also adds **Image Rollback Detection**, a security feature that detects when a machine's state has been reverted, which would cause the password stored in AD to be out of sync. When a rollback is detected, LAPS automatically rotates the password to restore administrative access.

Correct Answer: C

Explanation: As part of its "secure-by-default" posture, Windows Server 2025 now enforces encryption for all LDAP client connections and uses the modern TLS 1.3 protocol by default for secure communications. This protects sensitive directory lookups from eavesdropping on the network and ensures the use of a strong, modern cryptographic standard.

Correct Answer: B

Explanation: According to the LSDOU order of processing, the OU policy would normally override the Domain policy. However, the "Enforced" (or "No Override") setting is specifically designed to prevent this. When a GPO is enforced, its settings take precedence over any conflicting settings from GPOs linked at lower levels of the AD hierarchy, ensuring critical policies are applied universally.

Correct Answer: B

Explanation: A CNAME (Canonical Name) record is the best choice. It creates an alias, pointing `webapp.corp.local` to the actual server hostname `srv-app-01.corp.local`. If the application is moved to a new server in the future, you only need to update the A record for `srv-app-01` (or change the CNAME to point to a new server name). All services pointing to the `webapp` alias will automatically resolve to the new location without needing their own DNS records updated, simplifying management.

Correct Answer: C

Explanation: A Dev Drive is a specialized volume in Server 2025 formatted with the Resilient File System (ReFS). Its key performance feature is Block Cloning. Instead of physically copying data blocks when a file is duplicated, ReFS performs a fast metadata operation that points the new file's metadata to the same underlying data blocks on the disk. This makes the copy operation nearly instantaneous, regardless of the file size. This is a massive time-saver for developer workloads.

Correct Answer: B

Explanation: The game-changing feature of GPU Partitioning is its support for high-availability. VMs using DDA were "locked" to a specific host and could not be part of a failover cluster or be live-migrated. GPU-P resolves this limitation, allowing VMs with shared GPU resources to be seamlessly moved between cluster nodes without downtime. This makes it possible to build highly available solutions for mission-critical AI/ML and VDI workloads.

Correct Answer: B

Explanation: This one-liner demonstrates correct PowerShell pipeline usage. `Get-Process` retrieves all processes. `Sort-Object CPU -Descending` is the critical step that orders the processes from highest to lowest CPU usage. Finally, `Select-Object -First 3` filters the sorted list to show only the top three, displaying their name and CPU value for a clean report.

Correct Answer: C

Explanation: The new OSConfig module is the modern tool for declarative configuration and compliance in Server 2025, especially for servers managed by Azure Arc. The `Set-OSConfigDesiredConfiguration -Scenario SecurityBaselineWS2025MemberServer` command applies the built-in baseline. The OSConfig engine then continuously monitors for and automatically remediates configuration drift, making it a powerful tool for maintaining a hardened security posture.

Correct Answer: B

Explanation: SMB over QUIC is a killer feature for the modern hybrid workplace. It directly addresses the business problem of providing secure and easy file access to remote users. This eliminates the cost, complexity, and performance bottlenecks of a traditional VPN, providing a clear ROI in terms of reduced administrative overhead and improved user productivity. It's a tangible benefit that directly impacts the business's bottom line and operational efficiency.

Correct Answer: C

Explanation: The SMTP Server feature, along with other legacy components like WordPad, has been completely removed in Windows Server 2025. It is not deprecated or disabled; it is gone. Any migration plan for a server relying on this feature must include a project to reconfigure the application to use a modern mail relay, such as a Microsoft 365 connector or a third-party service. Failure to account for this will result in application failure.

Correct Answer: B

Explanation: The client will typically accept the first offer it receives. Its next step is to broadcast a DHCPREQUEST packet. This broadcast is crucial because it serves two purposes: it formally requests the IP address from the chosen server, and it implicitly informs the other DHCP server that its offer was not accepted. The unchosen server then returns its offered IP address to its available pool.

Correct Answer: C

Explanation: A "seizure" is a forced transfer used only when the original FSMO role holder is permanently offline and cannot be recovered. A graceful transfer is impossible because the original DC cannot be contacted. The correct action is to connect to a healthy DC and use the `Move-ADDirectoryServerOperationMasterRole -Force` PowerShell cmdlet or the `ntdsutil` command-line tool to seize the PDC Emulator role, restoring its critical functions (time sync, password changes, account lockouts) to the domain.

Correct Answer: D

Explanation: DTrace is the correct tool for this scenario. It's a powerful command-line utility, new in Server 2025, that provides dynamic, real-time tracing of system operations. Unlike PerfMon or ResMon, which provide high-level metrics, DTrace can trace individual system calls, file system operations, and CPU scheduler events. This allows an administrator to pinpoint the exact source of a performance bottleneck (e.g., slow disk I/O, CPU contention, or inefficient process interactions) without needing to restart services or modify the application code.

Correct Answer: C

Explanation: The DNS resolution process is hierarchical. The Root servers don't know the IP for `www.example.com`, but they know who is responsible for the `.com` domain. Therefore, the resolver's next step is to query a `.com` TLD server, which will then point the resolver to the authoritative name servers for `example.com`.

Correct Answer: C

Explanation: The KCC's behavior is optimized for the network conditions of each scenario. For **intrasite** replication (within a fast LAN), it automatically creates a bidirectional ring topology, ensuring each DC has at least two replication partners for redundancy. For **intersite** replication (across a slower WAN), it relies on manually defined site links and their associated costs and schedules. The KCC on a designated bridgehead server in each site then creates the connection objects based on these site links to control replication traffic efficiently.

Correct Answer: B

Explanation: While all options are important hardening steps, the most critical initial action for a public-facing server is to minimize its attack surface from the network. Configuring the Windows Firewall with a default-deny inbound policy and then creating explicit "allow" rules only for necessary traffic (e.g., TCP 443 for HTTPS) provides the most significant and immediate risk reduction. This prevents attackers from even attempting to connect to and exploit other services that might be running on the server, such as RDP or SMB.

Correct Answer: B

Explanation: Before attempting a major operation like an OS upgrade on a domain controller, it is absolutely essential to verify that the Active Directory environment is healthy. Running `DCDIAG` and `repadmin` will identify any underlying replication, DNS, or configuration issues. Attempting to upgrade a DC that is already in an error state is a recipe for disaster and can lead to a failed upgrade or a corrupted directory. All other steps are good practices, but starting with a known-healthy environment is the most critical prerequisite.

Correct Answer: C

Explanation: The database page size capability is stored as a new attribute on each domain controller's NTDS Settings object in the Configuration partition of Active Directory. The correct way to query this is by using the generic `Get-ADObject` cmdlet to find objects of the `nTDSDSA` class and request the `msDS-JetDBPageSize` property. A value of 32768 indicates a 32k-capable DC, while 8192 indicates a legacy 8k DC.

Correct Answer: C

Explanation: The default inclusion of Azure Arc is a strategic move to make the Azure portal the central hub for managing all servers, regardless of their location. It extends Azure's management capabilities (like Azure Policy, Monitor, and Defender for Cloud) to on-premises and multi-cloud servers, creating a single, unified plane of glass for inventory, governance, and security across a hybrid environment.

Correct Answer: D

Explanation: WinGet is the native Windows Package Manager included by default in Server 2025. It provides a command-line interface (`winget.exe`) for discovering, installing, and upgrading applications from curated repositories. This brings a modern, scriptable package management experience to Windows, similar to what has long been available on Linux, greatly simplifying software deployment and automation.

Correct Answer: B

Explanation: A major enhancement in Windows Server 2025 is that the ReFS file system now includes native support for both deduplication and compression. Previously, these storage-saving features were exclusive to the NTFS file system. This allows administrators to benefit from the resilience and performance features of ReFS (like Block Cloning) while also significantly reducing the storage footprint of their data, which is especially valuable for virtualized environments and large file repositories.

Correct Answer: A

Explanation: A key performance enhancement unlocked by the Server 2025 forest functional level is NUMA (Non-Uniform Memory Access) awareness for Active Directory. Previously, the core AD process (LSASS.exe) was limited to using CPUs within a single processor group, effectively capping it at 64 logical processors. With NUMA support, LSASS can now span multiple processor groups, allowing it to take full advantage of all available CPU cores on high-end, multi-socket servers for improved performance and scalability.