AZ-801: Configuring Windows Server Hybrid Advanced Services Practice Exam

What the AZ-801 exam covers

• Secure Windows Server124 questions
• Implement and Manage Windows Server High Availability99 questions
• Implement Disaster Recovery104 questions
• Migrate Servers and Workloads106 questions
• Monitor and Troubleshoot Windows Server107 questions

Free AZ-801 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 540.

1. Question 1Secure Windows Server

   Which feature protects credentials by isolating LSA secrets using virtualization-based security?

   • AIIS
   • BCredential GuardCorrect
   • CDHCP
   • DDNS round-robin
   ✓ Correct answer: B

   Credential Guard uses virtualization-based security (VBS) to run a trustlet inside an isolated Hyper-V container, moving the secrets normally held by the Local Security Authority into memory that the running operating system cannot read. Because the derived credentials such as NTLM hashes and Kerberos ticket-granting tickets never sit in the standard LSASS process space, tools that scrape LSASS cannot harvest them. This directly defeats pass-the-hash and pass-the-ticket lateral movement even on a host where an attacker has already gained code execution. It is the purpose-built answer for protecting cached secrets, which the other choices have no mechanism to do.

   Why the other options are wrong

   • AIIS is a web server role for hosting HTTP applications and has no relationship to secret isolation or the Local Security Authority.
   • CDHCP automatically leases IP addresses to clients and operates entirely at the network configuration layer, so it offers no credential protection.
   • DDNS round-robin distributes client requests across multiple address records for crude load balancing and does nothing to secure or isolate credentials.
2. Question 2Migrate Servers and WorkloadsSelect all that apply

   Which TWO are valid migration approaches to Azure? (Choose TWO)

   • AReplatform to managed services where appropriateCorrect
   • BLift-and-shift (rehost) VMs with Azure MigrateCorrect
   • CDeleting servers and hoping
   • DEmailing VHDs to Microsoft
   ✓ Correct answer: A, B

   These two approaches represent valid and widely-used migration strategies to Azure. Lift-and-shift (rehosting) moves VMs as-is to Azure with minimal modifications, providing fast migration with lower risk but potentially retaining legacy architecture. Replatforming involves modernizing applications to use Azure managed services (databases, container platforms, etc.), which reduces operational burden and improves scalability. Organizations often use both approaches for different workloads, choosing based on application architecture and business requirements.

   Why the other options are wrong

   • CDeleting servers and hoping is incorrect because this approach destroys the original workloads without establishing them in Azure and creates unacceptable business disruption.
   • DEmailing VHDs to Microsoft is incorrect because this is not a supported migration method and describes an inefficient and insecure approach to data transfer.
3. Question 3Implement and Manage Windows Server High Availability

   You need to balance stateless web traffic across several Azure VMs at low cost within a region. Which service is the most cost-effective fit?

   • AA DHCP failover relationship
   • BA second domain controller
   • CAzure Front Door for purely intra-region L4 traffic
   • DAzure Load Balancer (Standard, Layer 4)Correct
   ✓ Correct answer: D

   Azure Load Balancer is a Layer 4 (transport) service that distributes stateless traffic across regional Azure VMs at minimal cost—it charges per GB of data processed rather than per connection or rule, making it the most economical choice for simple traffic balancing. Load Balancer operates at the TCP/UDP level and is optimized for high-throughput scenarios, requiring minimal configuration or ongoing management. For intra-region workloads without the need for Layer 7 content routing or multi-region failover, Load Balancer provides best-in-class price-to-performance.

   Why the other options are wrong

   • AA DHCP failover relationship is incorrect because DHCP manages IP assignment, not load balancing.
   • BA second domain controller is incorrect because domain controllers provide authentication, not traffic balancing.
   • CAzure Front Door for purely intra-region L4 traffic is incorrect because Front Door is a global Layer 7 service designed for multi-region routing, making it overkill and more expensive for regional intra-region traffic.
4. Question 4Secure Windows Server

   You are designing a tiered administration model. Where should Tier 0 assets such as domain controllers be administered from to best limit credential exposure?

   • ADedicated Privileged Access Workstations (PAWs) used only for Tier 0 tasksCorrect
   • BInternet-facing jump servers with cached domain credentials
   • CAny domain-joined user workstation with RDP enabled
   • DPersonal laptops with local admin rights
   ✓ Correct answer: A

   In a tiered administration model, Tier 0 assets such as domain controllers must be managed only from hardened, single-purpose Privileged Access Workstations. PAWs isolate privileged credentials from everyday activities like email and web browsing, ensuring domain controller administration never occurs from a system that could be compromised by malware or lateral movement, which directly limits credential exposure.

   Why the other options are wrong

   • BInternet-facing jump servers with cached domain credentials are incorrect because internet exposure makes them prime attack targets and caching domain credentials on them leaves high-value secrets recoverable by an attacker.
   • CAny domain-joined user workstation with RDP enabled is incorrect because ordinary user workstations are routinely exposed to lower-tier threats and malware, making them unsafe for Tier 0 administration.
   • DPersonal laptops with local admin rights are incorrect because personal, unmanaged devices fall outside organizational control and lack the hardening, monitoring, and isolation required for Tier 0 work.
5. Question 5Implement Disaster Recovery

   Azure Site Recovery is protecting a VM. What is the maximum number of recovery points retained when application-consistent snapshots are taken, and what is the gotcha with frequency?

   • AASR retains only a single recovery point at all times
   • BRecovery points are retained for a maximum of 1 hour
   • CApp-consistent snapshot frequency can be as low as 1 hour, and crash-consistent recovery points are generated every 5 minutes with retention up to 15 daysCorrect
   • DApp-consistent snapshots are taken every 30 seconds automatically
   ✓ Correct answer: C

   Azure Site Recovery generates crash-consistent recovery points automatically every 5 minutes, capturing the disk state as it would look after an unexpected crash, and these can be retained for up to 15 days. Application-consistent recovery points require a VSS snapshot that briefly quiesces application I/O, so they can be taken no more frequently than once per hour to avoid excessive performance overhead.

   Why the other options are wrong

   • AASR retaining only a single recovery point at all times is incorrect because ASR keeps multiple recovery points across the configured retention window, not just one.
   • BRecovery points being retained for a maximum of 1 hour is incorrect because the retention window extends up to 15 days, far beyond an hour.
   • DApp-consistent snapshots being taken every 30 seconds automatically is incorrect because app-consistent snapshots are user-scheduled and cannot occur more often than once per hour due to the VSS quiescing overhead.
6. Question 6Implement Disaster Recovery

   Which Azure Site Recovery indicator tells you how far behind the replica is and whether you can meet your RPO?

   • AThe DNS zone serial number
   • BThe DHCP lease duration
   • CThe replication health and RPO/latest recovery point in the Replicated items bladeCorrect
   • DThe NSG flow log count
   ✓ Correct answer: C

   Azure Site Recovery provides continuous monitoring of replication health for each protected VM in the Replicated items blade. The RPO (Recovery Point Objective) indicator shows how far behind the replica is compared to the source, displaying the age of the latest recovery point available for failover. By tracking RPO and replication health status, organizations can determine whether they are meeting their RPO targets and can take corrective action if replication lag exceeds acceptable thresholds.

   Why the other options are wrong

   • AThe DNS zone serial number is incorrect because it tracks DNS record changes, not replication lag.
   • BThe DHCP lease duration is incorrect because it controls IP address assignment duration, not replication status.
   • DThe NSG flow log count is incorrect because it monitors network traffic flows, not Site Recovery replication.
7. Question 7Secure Windows Server

   After applying Windows Defender Application Control (WDAC) in enforced mode, a critical line-of-business app stops launching because an unsigned DLL is blocked. You must restore the app quickly while keeping enforcement. What should you do?

   • AOpen all inbound firewall ports
   • BSwitch the entire policy to disabled mode permanently
   • CAdd a WDAC rule that allows the specific file by hash or publisher and redeploy the policyCorrect
   • DUninstall Defender from the server
   ✓ Correct answer: C

   Windows Defender Application Control (WDAC) in enforced mode blocks any code that is not explicitly allowed. When a critical line-of-business application fails because of an unsigned DLL, the proper response is to create a new WDAC rule that allows that specific file (by hash, certificate, or publisher) and then redeploy the updated policy. This maintains WDAC enforcement while allowing the necessary application to run. You can target the rule to specific paths or publishers to minimize the blast radius of the allowance.

   Why the other options are wrong

   • AOpen all inbound firewall ports is incorrect because it does not address the WDAC block, only network access.
   • BSwitch the entire policy to disabled mode permanently is incorrect because disabling WDAC removes all application control protections.
   • DUninstall Defender from the server is incorrect because Defender provides critical security protections beyond WDAC.
8. Question 8Implement and Manage Windows Server High AvailabilitySelect all that apply

   Which TWO are valid uses of Live Migration in a Hyper-V failover cluster? (Choose TWO)

   • ARebalance VM load across cluster nodesCorrect
   • BEncrypt the VM's virtual disk at rest
   • CAssign DHCP scopes to guests
   • DMove a running VM to another host before patching with no downtimeCorrect
   ✓ Correct answer: A, D

   Live Migration allows running VMs to move between cluster nodes without stopping. This enables load balancing by moving VMs to less-busy nodes, and it enables seamless maintenance by migrating VMs away from a node before applying patches, eliminating downtime from maintenance activities.

   Why the other options are wrong

   • BEncrypt the VM's virtual disk at rest is incorrect because Live Migration transfers a running VM's memory and state, not disk encryption.
   • CAssign DHCP scopes to guests is incorrect because Live Migration moves VMs between hosts, not DHCP configuration.
9. Question 9Implement and Manage Windows Server High AvailabilitySelect all that apply

   A consultant is reviewing the cluster migration configuration at Tailwind Traders. Which two actions should be performed to optimize the implementation? (Choose two.)

   • ADisable cluster migration monitoring
   • Bcluster shared volumesCorrect
   • CAlways On availability groupsCorrect
   • DSQL Server FCI
   • Ecluster health monitoring
   ✓ Correct answer: B, C

   When optimizing cluster migration configuration, ensuring proper shared storage and database availability is critical. Cluster shared volumes should be configured to provide the shared storage layer that enables efficient cluster migration for virtual machines and services. Always On availability groups should be configured for databases running in the cluster, as they provide an alternative or complementary high-availability mechanism that works alongside cluster migration for comprehensive data protection and failover capabilities.

   Why the other options are wrong

   • ADisable cluster migration monitoring is incorrect because monitoring is essential for cluster health and should not be disabled; it helps identify and prevent migration issues. Cluster shared volumes by itself is a component that needs proper configuration, not something to disable.
   • DSQL Server FCI is incorrect as it represents a different clustering approach; Always On availability groups is the recommended technology for modern SQL Server deployments.
   • ECluster health monitoring is incorrect as it should be enabled to monitor cluster operations, not disabled for optimization.
10. Question 10Implement Disaster RecoverySelect all that apply

    An administrator at Woodgrove Bank is planning to use test failover. Which two of the following are requirements or features of this solution? (Choose two.)

    • AAzure Site Recovery for Hyper-VCorrect
    • Bfailover test
    • Crecovery point objectivesCorrect
    • Dbackup schedule design
    • Erecovery time objectives
    ✓ Correct answer: A, C

    A test failover validates a disaster recovery plan by spinning up protected workloads in an isolated environment without disrupting production. Azure Site Recovery for Hyper-V is the orchestration platform that enables this, replicating Hyper-V VMs and providing the test failover capability against an isolated network. Recovery point objectives define how current the failed-over copy will be, which is exactly what a test verifies by confirming the available recovery points meet the target. Both tie directly to performing and evaluating a test failover.

    Why the other options are wrong

    • BFailover test is a scrambled, non-existent label and does not name any real feature.
    • DBackup schedule design governs how often backups run and is a separate planning task from validating a replication failover.
    • ERecovery time objectives measure restore duration, whereas a test failover primarily validates orchestration and the currency of recovery points.

AZ-801 practice exam FAQ