Microsoft Updated AZ-720 Exam Questions and Answers by natalie

BOX1: Review the output of the route print command on the client computer.

A Windows VPN connection is a point-to-site connection that allows a client computer to connect to an Azure virtual network gateway using IKEv2 or SSTP protocols1. To troubleshoot Windows VPN connectivity issues, you need to check the configuration and status of the VPN client on the client computer.

One of the common problems that can cause Windows VPN connectivity issues is incorrect routing configuration on the client computer1. The client computer needs to have a route that directs the traffic destined for the target subnet in Azure to the VPN interface. If the route is missing or incorrect, the traffic will not reach the Azure virtual network gateway.

To check the routing configuration on the client computer, you can use the route print command in a command prompt window. This command displays the routing table of the client computer, which shows the destination network, the gateway address, and the interface for each route2. You can compare the output of this command with the expected routes for your VPN connection.

For example, if your target subnet in Azure is 10.0.0.0/24 and your VPN interface has an IP address of 172.16.0.1, you should see a route like this in the output of route print:

Destination Network | Gateway Address | Interface 10.0.0.0/24 | On-link | 172.16.0.1

This route means that any traffic destined for 10.0.0.0/24 will be sent directly to the VPN interface (On-link) with an IP address of 172.16.0.1.

If you do not see this route or see a different gateway address or interface, you need to correct the routing configuration on the client computer. You can use the route add command to add a new route or use the route change command to modify an existing route2.

Box 2: Download the VPN client package and install it on the client computer

A Windows VPN connection is a point-to-site connection that allows a client computer to connect to an Azure virtual network gateway using IKEv2 or SSTP protocols1. To establish a Windows VPN connection, you need to install a VPN client package on the client computer that contains the configuration files and certificates required for the connection1.

One of the common problems that can cause Windows VPN connectivity issues is missing or outdated VPN client package on the client computer1. The VPN client package may be missing if it was not installed properly or deleted accidentally. The VPN client package may be outdated if the Azure virtual network gateway configuration has changed since the package was downloaded.

To resolve this problem, you need to download the latest VPN client package from the Azure portal and install it on the client computer1. To download the VPN client package, follow these steps:

• Go to the Azure portal and select your virtual network gateway.
• On the Overview page, click Point-to-site configuration.
• On the Point-to-site configuration page, click Download VPN client.
• Select the appropriate version of Windows for your client computer and click Download.
• Extract the contents of the downloaded ZIP file to a folder on your client computer.
• Run the executable file in the folder to install the VPN client package.

To troubleshoot the issue with SRV2, you need to run the Get-MsolServicePrincipalCredential PowerShell cmdlet, which returns the credentials that are associated with a service principal in Azure AD. The service principal is an identity that represents an application or a service that interacts with Azure AD. In this case, the service principal is used by the NPS extension for Azure AD MFA to communicate with Azure AD and perform MFA requests. The credentials of the service principal include a certificate and a key that are used to authenticate the service principal to Azure AD. If the credentials are expired or invalid, the MFA requests will fail with a security token error. To resolve this issue, you need to renew the credentials of the service principal by using the New-MsolServicePrincipalCredential cmdlet.

The error 8344 insufficient access rights to perform the operation indicates that the Azure AD Connect service account does not have the required permissions to synchronize the Admin1 account. This could be because the Admin1 account is in an organizational unit (OU) that has security inheritance disabled, which prevents the service account from inheriting the necessary permissions from the parent OU. To resolve this issue, you should enable security inheritance in AD DS for the OU that contains the Admin1 account. This will allow the service account to synchronize the Admin1 account to Azure AD. Alternatively, you could also grant the service account explicit permissions on the Admin1 account, but this would be more tedious and less scalable than enabling security inheritance.

• Connection: VNet1-VNet4 Parameters are: AllowGatewayTransit: Enabled

• Connection: VNet4-VNet1 Parameters are: UseRemoteGateways: Enabled

To resolve the connectivity issues for VM1 to Contoso Suites, you need to configure the peering connections between VNet1 and VNet4 correctly. The peering connection from VNet1 to VNet4 should have the AllowGatewayTransit parameter enabled, which allows VNet1 to use the virtual network gateway in VNet4 as a transit point for traffic. The peering connection from VNet4 to VNet1 should have the UseRemoteGateways parameter enabled, which allows VNet4 to use the remote gateway in VNet1 for traffic destined to Contoso Suites. The IP Allocation parameter should be set to Dynamic for both peering connections, which allows Azure to assign IP addresses from the address space of the peered virtual network. The ServiceEndpoint parameter should be set to None for both peering connections, as there is no need to enable service endpoints for this scenario.