AZ-800: Windows Server Hybrid Administrator Practice Exam

Validates administering Windows Server core/identity/compute/storage workloads in on-prem and hybrid environments.

Practice 543 exam-style AZ-800 questions with full answer explanations, then take timed mock exams that score like the real thing.

Practice questions: 543
Questions on the real exam: 50
Passing score: 700
Exam length: 120 min

What the AZ-800 exam covers

Free AZ-800 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 543.

  1. Question 1: Manage Windows Servers in a Hybrid Environment

    Which role provides centralized identity, authentication, and group policy in a Windows Server environment?

    • A. IIS
    • B. DHCP Server
    • C. Print Server
    • D. Active Directory Domain Services (AD DS) (Correct)
    ✓ Correct answer: D

    AD DS is the directory service that stores all user, computer, and group objects in a hierarchical forest and domain structure, and it is the authority that authenticates logons through Kerberos and NTLM. Because every domain-joined machine queries domain controllers for security tokens, AD DS becomes the single point at which identity and access decisions are enforced. Group Policy is delivered through AD DS, letting administrators push configuration and security settings to thousands of accounts and machines from one place. In hybrid deployments this same directory is synchronized to Microsoft Entra ID, so AD DS remains the on-premises root of trust.

    Why the other options are wrong
    • A. IIS is the Internet Information Services web server that handles HTTP and HTTPS application requests, so it hosts websites and has no role in directory authentication or Group Policy.
    • B. DHCP Server only leases IP addresses and network options to clients; it neither stores identities nor authenticates users.
    • C. Print Server manages shared printers and print queues and cannot authenticate accounts or distribute policy.
  2. Question 2: Manage Virtual Machines and Containers

    Which role automatically assigns IP configuration to network clients?

    • A. IIS
    • B. Hyper-V
    • C. DHCP Server (Correct)
    • D. AD DS
    ✓ Correct answer: C

    The DHCP Server role hands out IP addresses, subnet masks, default gateways, DNS servers, and other options to clients from defined scopes, removing the need for manual static configuration. When a client boots it broadcasts a discovery request, and the DHCP server offers and then commits a lease for a defined duration. Centralizing addressing this way prevents conflicts, simplifies subnet changes, and lets administrators push options such as DNS suffixes uniformly. It is the standard Windows Server role for dynamic address management.

    Why the other options are wrong
    • A. IIS is a web server that serves HTTP and HTTPS content and cannot lease IP addresses.
    • B. Hyper-V is the hypervisor that runs virtual machines; it provides virtual switches but does not itself assign client IP configuration.
    • D. AD DS provides directory and authentication services and does not distribute IP addressing to clients.
  3. Question 3: Manage Storage and File Services

    Which Azure Files tier minimizes cost for large, infrequently accessed file shares synced via Azure File Sync, accepting higher per-transaction charges?

    • A. Hot tier with provisioned IOPS
    • B. Ultra Disk tier
    • C. Cool (or Cold) access tier (Correct)
    • D. Premium SSD tier
    ✓ Correct answer: C

    The Cool or Cold tier is optimized for large infrequently accessed file shares, offering the lowest storage cost per gigabyte at the expense of higher per-transaction fees. For scenarios where data is accessed occasionally and cost is the primary driver, this tier provides significant cost savings compared to Hot tier storage. Azure File Sync is designed to work seamlessly with cool-tiered shares, automatically managing data movement between on-premises and cloud based on access patterns.

    Why the other options are wrong
    • A. Hot tier with provisioned IOPS is incorrect because it offers premium performance at significantly higher cost, making it unsuitable for infrequently accessed workloads.
    • B. Ultra Disk tier is incorrect because it provides the highest performance and cost, designed for extreme I/O requirements rather than cost-optimization for infrequently accessed shares.
    • D. Premium SSD tier is incorrect because it offers high performance at premium pricing and is not intended for cost-optimized, infrequently accessed file shares.
  4. Question 4: Manage Windows Servers in a Hybrid Environment

    You must onboard 200 on-prem Windows Servers to Azure Arc with consistent configuration and minimal manual effort. Which approach is the recommended best practice?

    • A. Re-image each server as an Azure VM
    • B. Generate a service principal and run the Arc onboarding script at scale (via Group Policy, Configuration Manager, or a deployment tool) (Correct)
    • C. Manually run the interactive Connect-AzConnectedMachine wizard on each server
    • D. Install the Azure VM Agent on each physical server
    ✓ Correct answer: B

    Azure Arc enables hybrid server management by extending Azure control plane capabilities to on-premises and multi-cloud environments. The recommended approach for onboarding at scale involves creating a service principal with appropriate permissions and deploying the Arc agent script through existing infrastructure automation tools. This method eliminates the need for re-imaging, avoids per-server manual intervention, and leverages enterprise deployment patterns like Group Policy or Configuration Manager.

    Why the other options are wrong
    • A. Re-image each server as an Azure VM is incorrect because Azure VMs require different management overhead and defeat the purpose of Arc, which is to manage on-premises servers without converting them.
    • C. Manually run the interactive Connect-AzConnectedMachine wizard on each server is incorrect because manual execution on 200 servers introduces operational inefficiency and human error, and does not meet the "minimal manual effort" requirement.
    • D. Install the Azure VM Agent on each physical server is incorrect because the Azure VM Agent is for Azure VMs only; Arc uses the Arc Connected Machine Agent instead.
  5. Question 5: Manage Identity and Access

    After adding a new attribute by extending the AD schema, replication of the schema change is slow to propagate. Which DC must process the schema modification, and why is caution warranted?

    • A. The PDC Emulator, because it owns the schema partition
    • B. The Schema Master, because schema changes are forest-wide and irreversible (deactivated, not deleted) (Correct)
    • C. The Infrastructure Master, because it tracks attribute references
    • D. Any RODC, because it can write schema changes locally
    ✓ Correct answer: B

    Schema modifications can only be made on the single Schema Master FSMO role holder for the entire forest, which then replicates the change to every domain controller. The caution is that the schema is forest-wide and effectively permanent: once an attribute or class is added it can be deactivated but never truly deleted, so mistakes cannot simply be removed. Slow propagation is expected because the change must replicate across the whole forest. Understanding both facts prevents rushed or unrecoverable schema edits.

    Why the other options are wrong
    • A. The PDC Emulator does not own the schema partition; it handles time, password, and account-lockout functions, so it does not process schema changes.
    • C. The Infrastructure Master tracks cross-domain object references, not schema modifications, so it is not where schema changes are made.
    • D. An RODC is read-only and cannot write schema changes locally; it only receives replicated changes.
  6. Question 6: Manage Virtual Machines and Containers

    Which Hyper-V log channel in Event Viewer records VM start/stop, live migration, and worker process errors?

    • A. The Setup log
    • B. Applications and Services Logs \ Microsoft \ Windows \ Hyper-V-* channels (Correct)
    • C. The DNS Server log
    • D. The Forwarded Events log only
    ✓ Correct answer: B

    The Hyper-V event log channels are located in Applications and Services Logs under Microsoft \ Windows \ Hyper-V-* in Event Viewer. These dedicated Hyper-V channels include critical operational events such as VM start/stop actions, live migration success/failure, worker process errors, and other hypervisor-level activities. Monitoring these channels is essential for troubleshooting Hyper-V issues and maintaining visibility into virtualization infrastructure operations.

    Why the other options are wrong
    • A. The Setup log is incorrect because it records Windows installation and configuration changes, not Hyper-V operations.
    • C. The DNS Server log is incorrect because it logs DNS server activities, not Hyper-V events.
    • D. The Forwarded Events log only is incorrect because it is a destination for forwarded events from other computers, not the primary Hyper-V event location.
  7. Question 7: Manage Windows Servers in a Hybrid Environment

    Users in one OU complain a mapped-drive GPO no longer applies, yet a security-settings GPO linked higher still works. gpresult shows the drive-map GPO is 'Denied (Security)'. What is the most likely fix?

    • A. Restart the DHCP service
    • B. Grant the affected users/computers Read and Apply Group Policy permission on that GPO (or correct a security-filtering removal of Authenticated Users) (Correct)
    • C. Re-create the DNS reverse lookup zone
    • D. Convert the OU to a security group
    ✓ Correct answer: B

    A gpresult status of 'Denied (Security)' means the account fails the GPO's security filtering: to apply, a principal needs both Read and Apply Group Policy permissions on the GPO. This commonly breaks after Authenticated Users is removed from a GPO during security-filtering changes, which also affects the computer-side permission the GPO now requires for processing. Restoring Authenticated Users (or explicitly granting the target users and computers Read plus Apply Group Policy) re-enables application of the drive-map GPO. The higher-linked GPO still works because its filtering was never altered.

    Why the other options are wrong
    • A. Restarting the DHCP service affects IP leasing and has no influence on Group Policy security filtering or application.
    • C. Re-creating the DNS reverse lookup zone changes name-to-IP reverse resolution and does not fix a 'Denied (Security)' GPO filtering problem.
    • D. Converting the OU to a security group is not possible and would not address the missing Read and Apply Group Policy permission causing the denial.
  8. Question 8: Manage Windows Servers in a Hybrid Environment

    Which Azure capability lets you collect security and event logs from Arc-enabled servers into Microsoft Sentinel for threat detection?

    • A. NIC teaming
    • B. Azure Monitor Agent (data collection rules) feeding Microsoft Sentinel (Correct)
    • C. DHCP failover
    • D. DNS round-robin
    ✓ Correct answer: B

    Microsoft Azure provides the Azure Monitor Agent and data collection rules as the mechanism to collect security and event logs from Arc-enabled servers and ingest them into Microsoft Sentinel for centralized threat detection and analysis. The Azure Monitor Agent is installed on Arc-enabled servers and uses data collection rules to define which event logs and performance data to collect. These logs flow into Microsoft Sentinel, which provides Security Information and Event Management (SIEM) capabilities including threat detection, investigation tools, and automated response playbooks. This approach provides unified visibility across hybrid and multi-cloud environments, allowing organizations to detect threats consistently whether they occur on on-premises servers or cloud resources. The integration supports rich analytical queries and threat intelligence correlation.

    Why the other options are wrong
    • A. NIC teaming is incorrect because it bonds multiple network adapters for redundancy and load balancing, not for collecting security logs.
    • C. DHCP failover is incorrect because it provides DHCP service redundancy, not log collection or threat detection.
    • D. DNS round-robin is incorrect because it distributes DNS queries across multiple servers, not related to security log collection.
  9. Question 9: Manage Identity and Access (Select all that apply)

    A consultant is reviewing the password policies configuration at Contoso Ltd. Which two actions should be performed to optimize the implementation? (Choose two.)

    • A. Azure AD Connect configuration
    • B. managed service accounts (Correct)
    • C. hybrid identity
    • D. Disable password policies monitoring
    • E. certificate services (Correct)
    ✓ Correct answer: B, E

    Optimizing password policies requires implementing managed service accounts and integrating certificate services. Managed service accounts provide automatic password management for service accounts, eliminating the need for manual password changes and reducing security risks associated with hardcoded credentials. Certificate services enables PKI capabilities that can be used to secure services and authentication mechanisms within the Active Directory infrastructure. Together, managed service accounts and certificate services provide a comprehensive approach to credential management and secure authentication that reduces operational overhead while improving security.

    Why the other options are wrong
    • A. Azure AD Connect configuration is incorrect because Azure AD Connect is for hybrid identity synchronization, not for optimizing on-premises password policies.
    • C. Hybrid identity is incorrect because hybrid identity is a broader architecture pattern, not a specific action for password policy optimization.
    • D. Disable password policies monitoring is incorrect because disabling monitoring eliminates visibility into password policy compliance and security violations.
  10. Question 10: Manage Virtual Machines and Containers (Select all that apply)

    A consultant is reviewing the container storage configuration at Tailwind Traders. Which two actions should be performed to optimize the implementation? (Choose two.)

    • A. storage migration (Correct)
    • B. VM resource controls (Correct)
    • C. container orchestration
    • D. Disable container storage monitoring
    • E. VM generation 1 vs 2
    ✓ Correct answer: A, B

    Container storage implementation requires careful attention to storage migration capabilities to move container data between storage systems without service interruption. VM resource controls ensure that container storage operations don't exceed allocated CPU, memory, or network resources, maintaining overall system stability. Optimizing both components together enables efficient container storage solutions that can scale and evolve without impacting other workloads.

    Why the other options are wrong
    • C. Container orchestration is incorrect because orchestration manages container deployment and scheduling, not storage migration.
    • D. Disable container storage monitoring is incorrect because monitoring provides essential insights into storage performance and capacity usage.
    • E. VM generation 1 vs 2 is incorrect because VM generation choice doesn't directly address container storage optimization.

AZ-800 practice exam FAQ

How many questions are in the AZ-800 practice exam on CertGrid?

CertGrid has 543 practice questions for AZ-800: Windows Server Hybrid Administrator, covering 5 exam domains. The real AZ-800 exam has about 50 questions.

What is the passing score for AZ-800?

The AZ-800 exam passing score is 700, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official AZ-800 exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of AZ-800: Windows Server Hybrid Administrator, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice AZ-800 for free?

Yes. You can start practicing AZ-800: Windows Server Hybrid Administrator for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.