AZ-800: Windows Server Hybrid Administrator Study Guide
AZ-800 (Windows Server Hybrid Administrator) validates your ability to administer core Windows Server identity, compute, storage, and networking workloads across on-premises and hybrid (Azure-connected) environments. It targets administrators who manage AD DS, Hyper-V, file services, and on-prem servers projected into Azure via Azure Arc, Azure File Sync, and Entra Connect. The exam is 120 minutes with a passing score of 700 on a 1000-point scale.
Domain 1: Manage Windows Servers in a Hybrid Environment
- AD DS is the directory service storing all user, computer, and group objects in a forest/domain hierarchy and authenticates logons via Kerberos and NTLM; domain controllers issue the security tokens every domain-joined machine relies on.
- Microsoft Entra Connect (formerly Azure AD Connect) is the sync engine that replicates on-prem AD DS users, groups, and contacts to Microsoft Entra ID, enabling hybrid identity with options like Password Hash Sync, Pass-through Authentication, and federation.
- Install-ADDSForest creates a new forest and Install-ADDSDomainController promotes a server into an existing domain; Install-WindowsFeature AD-Domain-Services -IncludeManagementTools installs the role and tools first.
- A Read-Only Domain Controller (RODC) holds a read-only copy of the directory, caches only permitted credentials via the Password Replication Policy, and is designed for branch or low-physical-security locations.
- A Group Managed Service Account (gMSA) has its password automatically generated and rotated (default 30 days) by AD DS; it requires a KDS root key (Add-KdsRootKey) and supports multiple servers sharing one identity.
- Group Policy Objects (GPOs) link to sites, domains, or OUs and apply settings in LSDOU order (Local, Site, Domain, OU) with the last-applied winning unless blocked or enforced; OUs are the targetable containers for delegation and GPO scope.
- Server Core is the GUI-less installation option with a smaller attack surface and footprint, managed via PowerShell, Windows Admin Center, or remote MMC; Windows Server now offers no in-place GUI add-back from Core to Desktop Experience.
- Windows Admin Center is the modern browser-based console for managing local and remote servers, clusters, and Hyper-V without RDP or traditional MMC snap-ins.
- PowerShell Remoting uses WinRM (HTTP 5985 / HTTPS 5986); Enter-PSSession opens an interactive one-to-one session while Invoke-Command runs commands or scripts against many machines (one-to-many fan-out).
- Azure Arc projects on-prem and multi-cloud servers as Azure resources via the Connected Machine agent, enabling Azure Policy, Inventory, Update Manager, Machine Configuration, and Monitor governance from the portal.
- FSMO roles (Schema Master, Domain Naming Master, RID Master, PDC Emulator, Infrastructure Master) can be transferred gracefully with Move-ADDirectoryServerOperationMasterRole or seized when a DC is permanently offline.
- Patching options include WSUS (on-prem, approval-driven) and Azure Update Manager, which patches Arc-enabled and Azure VMs centrally without a WSUS infrastructure.
- Cost optimization in Azure uses Azure Reservations (1- or 3-year committed VM capacity for big discounts), right-sizing to smaller SKUs from Azure Advisor data, auto-shutdown schedules to deallocate VMs, and keeping standby VMs in the stopped-deallocated state so they incur no compute charge.
- Data Collection Rules (DCRs) define what telemetry the Azure Monitor Agent collects from machines and where it is sent, replacing the legacy Log Analytics agent for performance and event data.
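The PowerShell Remoting fan-out and Server Core detection described above, as an added example (not code from the study guide). The OU path, host names and an HTTPS WinRM listener on the targets are assumptions.

```powershell
# Added example (not from the study guide): fan out one inventory script over
# PowerShell Remoting to every server object in an OU. The OU path and the
# presence of an HTTPS (5986) WinRM listener on the targets are assumptions.
Import-Module ActiveDirectory

$ou = 'OU=Servers,DC=corp,DC=example'          # assumed OU
$targets = (Get-ADComputer -SearchBase $ou -Filter 'OperatingSystem -like "Windows Server*"').DNSHostName

# Runs on each target. InstallationType is 'Server Core' on Core installs.
$inventory = {
    $os  = Get-CimInstance Win32_OperatingSystem
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        OSVersion     = $os.Version
        ServerCore    = ($ver.InstallationType -eq 'Server Core')
        LastBoot      = $os.LastBootUpTime
        PendingReboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    }
}

# One-to-many fan-out. -UseSSL selects the HTTPS listener (5986) so traffic is
# TLS-protected; failures are collected in $failed instead of aborting the run.
$results = Invoke-Command -ComputerName $targets -ScriptBlock $inventory -UseSSL `
    -ThrottleLimit 32 -ErrorAction SilentlyContinue -ErrorVariable failed

$results | Sort-Object Computer |
    Format-Table Computer, OSVersion, ServerCore, LastBoot, PendingReboot -AutoSize
foreach ($e in $failed) { Write-Warning $e.Exception.Message }

# One-to-one interactive follow-up on a single host:
# Enter-PSSession -ComputerName $targets[0] -UseSSL
```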
Domain 2: Manage Identity and Access
- Active Directory Certificate Services (AD CS) provides an on-prem PKI; certificate templates plus autoenrollment driven by Group Policy let clients and servers obtain and renew certificates automatically.
- AD trust types differ by scope: a forest trust links two entire forests (transitive across all domains), while an external trust is a non-transitive link to a single domain in another forest, typically for legacy or selective access.
- New-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true creates an OU with deletion protection enabled, which sets a Deny on delete that must be cleared before the OU can be removed.
- New-ADServiceAccount with -PrincipalsAllowedToRetrieveManagedPassword specifies which computers (or a security group) can pull a gMSA password; Install-ADServiceAccount then installs it on each host.
- Universal Group Membership Caching (UGMC) is enabled per site to let a non-global-catalog DC cache universal group memberships, allowing logons at branch sites without a local global catalog.
- AD Sites and Subnets steer clients to the nearest DC; site links control replication using a configurable schedule, interval, and cost, and replication between sites can be compressed to save bandwidth.
- For a branch office, define an AD site, associate its subnets, and place a local DC (or RODC) in that site so authentication stays local and inter-site replication is scheduled.
- Group Policy Preferences differ from policy settings: preferences set a value the user can later change (not enforced) and support item-level targeting to scope application by criteria like OS, group, or IP range.
- GPO performance best practices: minimize the number of linked GPOs, avoid heavy WMI filters and logon scripts, and use loopback processing or item-level targeting only where genuinely needed.
- Get-ADDomain | Select-Object PDCEmulator identifies the PDC Emulator FSMO role holder, which is also the default time source and the authority for password changes and account lockouts.
- The DHCP Server role must be authorized in AD (Add-DhcpServerInDC) before it will lease addresses on a domain network; this prevents rogue DHCP servers.
- Add-DhcpServerv4Scope defines a lease range (start, end, subnet mask); scope options deliver gateway, DNS, and other settings, and DHCP relies on conflict detection and reservations for fixed-address devices.
- To decommission a global catalog while keeping logons working at a site, enable UGMC for that site and then remove the global catalog role from the DC.
- Azure Arc with Machine Configuration (formerly Guest Configuration) audits and enforces in-guest settings on hybrid servers, complementing Azure Policy for compliance reporting.
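The protected-OU and gMSA items above (KDS root key, New-ADServiceAccount with -PrincipalsAllowedToRetrieveManagedPassword, Install-ADServiceAccount) as one added example; this is not code from the study guide, and the OU, group, host and DNS names are assumptions.

```powershell
# Added example (not from the study guide): create a deletion-protected OU and
# a gMSA that only members of one host group may retrieve. The OU, group, host
# and DNS names are assumptions.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Protected OU: a Deny on Delete/Delete Subtree that must be cleared before removal
$ou = New-ADOrganizationalUnit -Name 'ServiceAccounts' -Path $domainDn `
          -ProtectedFromAccidentalDeletion $true -PassThru

# KDS root key: one per forest, created once. Without a back-dated -EffectiveTime
# it becomes usable after ~10 hours, giving every DC time to replicate it; the
# back-dating below is a single-DC lab shortcut only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
}

# Least privilege: only members of this group can retrieve the managed password.
$hostGroup = New-ADGroup -Name 'gMSA-WebApp-Hosts' -GroupScope Global `
                 -Path $ou.DistinguishedName -PassThru
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer 'WEB01'), (Get-ADComputer 'WEB02')

# Password is generated by AD DS and rotated every 30 days (the default, set explicitly).
New-ADServiceAccount -Name 'svc-webapp' -DNSHostName 'svc-webapp.corp.example' `
    -Path $ou.DistinguishedName `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128,AES256

# On each host, after a reboot so the new group membership is in its token:
#   Install-ADServiceAccount -Identity 'svc-webapp'
#   Test-ADServiceAccount -Identity 'svc-webapp'    # True when the host can retrieve the password
```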
Domain 3: Manage Storage and File Services
- Storage Spaces Direct (S2D) pools local disks across cluster nodes into software-defined storage for hyper-converged infrastructure; it requires Failover Clustering and a minimum of 2 nodes (enough for a two-way mirror), while a three-way mirror needs 3 or more nodes.
- Resiliency choices: a two-way mirror tolerates one disk/node failure, a three-way mirror tolerates two, single parity is space-efficient but slower for writes, and mirror-accelerated parity (on ReFS) combines a fast mirror tier with an efficient parity tier.
- ReFS (Resilient File System) offers integrity streams, automatic repair on mirror spaces, and block cloning; it is preferred for Hyper-V and S2D, but NTFS remains required for the boot volume and for features ReFS lacks (such as compression and quotas).
- Data Deduplication breaks files into variable-size chunks and stores each unique chunk once; choose the correct usage type (Default for general file servers, Hyper-V for VDI/virtualization, Backup for backup targets) and schedule optimization during off-peak hours.
- DFS Namespaces (DFS-N) present a single logical UNC path mapping to multiple targets, while DFS Replication (DFS-R) keeps folder contents synchronized between servers for availability and branch scenarios using multi-master replication.
- Storage Replica provides block-level volume replication: synchronous mode guarantees zero data loss between sites within latency limits, asynchronous mode tolerates higher latency for longer distances, and it requires a dedicated, SSD-backed log volume at each end.
- Failover Clustering for the File Server role plus a quorum witness (cloud witness or file-share witness) keeps the cluster running when a node fails; use a Scale-Out File Server with SMB Continuous Availability for application data like Hyper-V and SQL.
- Azure File Sync registers a Windows Server endpoint with a Storage Sync Service (Register-AzStorageSyncServer); cloud tiering keeps hot files local and tiers cold files to Azure, governed by volume free-space and date policies.
- SMB Direct uses RDMA-capable NICs to move data with very low CPU overhead and latency, ideal for S2D and live migration traffic; SMB Multichannel aggregates multiple NICs for bandwidth and failover.
- File Server Resource Manager (FSRM) enforces hard or soft quotas on folders, applies file screens to block file types, and generates storage reports and file classification.
- New-SmbShare creates a share with permission parameters such as -ChangeAccess, -ReadAccess, and -FullAccess; effective access is the most restrictive combination of share and NTFS permissions.
- Storage provisioning cmdlets follow a sequence: New-StoragePool creates the pool from physical disks, then New-VirtualDisk creates a resilient virtual disk, then a partition/volume is created on top.
- An iSCSI Target Server presents block storage to initiators; New-IscsiVirtualDisk creates a VHDX-backed LUN that is then mapped to an iSCSI target for use by clustered or remote hosts.
- For archival or rarely accessed data in Azure Files/Blob, the Cool and Cold (and Archive) access tiers lower storage cost at the expense of higher access/retrieval cost and minimum retention periods.
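The provisioning sequence above (New-StoragePool, New-VirtualDisk, partition/volume) carried through to a ReFS volume and a New-SmbShare with share and NTFS permissions, as an added example that is not from the study guide. Disk selection, drive letter, share and group names are assumptions.

```powershell
# Added example (not from the study guide): pool -> mirrored virtual disk ->
# ReFS volume -> SMB share with encryption and matching NTFS ACLs. The drive
# letter, share name and CORP\ group names are assumptions.
$disks = Get-PhysicalDisk -CanPool $true
New-StoragePool -FriendlyName 'Pool1' -StorageSubSystemFriendlyName 'Windows Storage*' `
    -PhysicalDisks $disks

# Two-way mirror: survives one disk failure at 2x capacity cost. Thin provisioning
# presents more capacity than is allocated; Fixed would reserve it up front.
New-VirtualDisk -StoragePoolFriendlyName 'Pool1' -FriendlyName 'Data1' `
    -ResiliencySettingName Mirror -NumberOfDataCopies 2 `
    -ProvisioningType Thin -Size 2TB

# Initialize, partition and format as ReFS; integrity streams let ReFS repair
# corrupt data from the other mirror copy.
Get-VirtualDisk -FriendlyName 'Data1' | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter 'D' -UseMaximumSize |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Data' -SetIntegrityStreams $true -Confirm:$false

# Share: no Everyone entry, SMB encryption enforced per share, access-based enumeration.
New-Item -Path 'D:\Finance' -ItemType Directory | Out-Null
New-SmbShare -Name 'Finance$' -Path 'D:\Finance' `
    -FullAccess 'CORP\FileAdmins' -ChangeAccess 'CORP\Finance-RW' -ReadAccess 'CORP\Finance-RO' `
    -EncryptData $true -FolderEnumerationMode AccessBased

# NTFS mirrors the share grants; effective access is the more restrictive of the two.
$acl = Get-Acl 'D:\Finance'
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
$grants = @(
    @('CORP\FileAdmins', 'FullControl'),
    @('CORP\Finance-RW', 'Modify'),
    @('CORP\Finance-RO', 'ReadAndExecute'),
    @('NT AUTHORITY\SYSTEM', 'FullControl')
)
foreach ($pair in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $pair[0], $pair[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path 'D:\Finance' -AclObject $acl

Get-SmbShareAccess -Name 'Finance$'   # verify the share-level ACL
```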
Domain 4: Manage Virtual Machines and Containers
- Generation 2 Hyper-V VMs use UEFI firmware with Secure Boot, support GPT system disks larger than the 2 TB BIOS/MBR limit, and use synthetic devices; the generation cannot be changed after a VM is created.
- Hyper-V Live Migration moves a running VM between hosts with no downtime by transferring memory and state; enable compression or SMB Direct (RDMA) on a dedicated migration network to speed transfers, and use Shared Nothing Live Migration when there is no shared storage.
- Dynamic Memory assigns RAM on demand using startup, minimum, maximum, and buffer values (Set-VMMemory -DynamicMemoryEnabled $true); it lets you overcommit memory while right-sizing virtual processors to actual workload.
- Dynamically expanding VHDX grows as data is written (thin), while fixed VHDX preallocates full size for predictable performance; differencing disks chain to a parent for scenarios like VDI base images.
- Checkpoints capture VM state and disk for rollback (Checkpoint-VM); production checkpoints use VSS for application consistency and are recommended over standard (saved-state) checkpoints for server workloads.
- Hyper-V virtual switch types: external connects VMs to the physical network via a host NIC, internal connects VMs to each other and the host only, and private connects VMs to each other with no host or physical access.
- Discrete Device Assignment (DDA) passes a physical PCIe device (such as a GPU or NVMe) directly through to a single VM for near-native performance, at the cost of that VM's live migration and high availability.
- Container isolation models: process-isolated (Windows Server) containers share the host kernel for low overhead and fast startup, while Hyper-V-isolated containers run in a lightweight VM for a stronger security boundary and looser coupling to the host kernel version.
- Build small container images using a minimal base such as Nano Server (or Server Core when full APIs are needed) and multi-stage Dockerfiles to drop build-time dependencies from the final image.
- Shielded VMs use a virtual TPM (vTPM) and BitLocker encryption and run only on attested hosts validated by the Host Guardian Service (HGS), protecting VM data from compromised or malicious fabric administrators.
- Hybrid connectivity to Azure uses Site-to-Site VPN (encrypted IPsec tunnel over the internet) for lower cost, or Azure ExpressRoute for a private, dedicated, higher-bandwidth, lower-latency circuit that bypasses the public internet.
- Remote Access via Routing and Remote Access (RRAS) provides VPN, routing, and NAT services; Always On VPN is the modern domain-aware client VPN replacement for DirectAccess.
- Azure Spot Virtual Machines offer deep discounts on unused capacity but can be evicted when Azure needs the resources, making them suitable for interruptible, fault-tolerant batch workloads only.
- Right-sizing VMs uses Azure Advisor and Azure Monitor utilization metrics (CPU, memory, network); enable Premium SSD or Ultra Disk with host caching to meet IOPS/throughput targets, and use vRSS to spread network processing across vCPUs.
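The Generation 2, Dynamic Memory, virtual switch and production checkpoint items above combined into one build script, as an added example that is not from the study guide. The VM name, NIC name, paths and sizes are assumptions.

```powershell
# Added example (not from the study guide): build a Generation 2 VM with Secure
# Boot, dynamic memory, an external switch and a production checkpoint. Names,
# the physical NIC and paths are assumptions.
$vmName = 'APP01'
$vhd    = "C:\VMs\$vmName\$vmName.vhdx"
New-Item -ItemType Directory -Force -Path (Split-Path $vhd) | Out-Null

# External switch binds to a physical NIC and (here) shares it with the host;
# -SwitchType Internal / Private would create the other two switch types.
if (-not (Get-VMSwitch -Name 'External' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'External' -NetAdapterName 'Ethernet' -AllowManagementOS $true
}

# Dynamically expanding disk: thin, grows on write; GPT + UEFI allows > 2 TB later.
New-VHD -Path $vhd -SizeBytes 127GB -Dynamic | Out-Null

# Generation cannot be changed afterwards, so choose 2 (UEFI, Secure Boot, synthetic devices).
New-VM -Name $vmName -Generation 2 -MemoryStartupBytes 2GB -VHDPath $vhd -SwitchName 'External' | Out-Null

# Dynamic Memory: startup 2 GB, floor 1 GB, ceiling 8 GB, 20% buffer.
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $true -MinimumBytes 1GB `
    -StartupBytes 2GB -MaximumBytes 8GB -Buffer 20
Set-VMProcessor -VMName $vmName -Count 2

# Secure Boot with the Windows template; a vTPM enables BitLocker inside the guest.
Set-VMFirmware -VMName $vmName -EnableSecureBoot On -SecureBootTemplate 'MicrosoftWindows'
Set-VMKeyProtector -VMName $vmName -NewLocalKeyProtector   # local guardian; HGS-backed for Shielded VMs
Enable-VMTPM -VMName $vmName

# Production checkpoints use VSS in the guest; ProductionOnly refuses to fall back to saved-state.
Set-VM -Name $vmName -CheckpointType ProductionOnly
Checkpoint-VM -Name $vmName -SnapshotName 'Post-build baseline'

Get-VM $vmName | Select-Object Name, Generation, DynamicMemoryEnabled, State
```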
Domain 5: Storage and File Services
- SMB runs over TCP port 445 and underpins UNC paths; modern SMB 3.x adds encryption, signing, Multichannel, and SMB Direct (RDMA), and SMB encryption can be enforced per share for data-in-transit protection.
- Azure File Sync with cloud tiering centralizes the master copy in Azure Files while caching hot data locally; the correct deployment sequence is deploy the Storage Sync Service, install the agent, register the server, create a sync group, then add server endpoints and enable tiering.
- Cloud tiering behavior is governed by the volume free-space policy (target percentage of free space to maintain) and an optional date policy (tier files not accessed within N days); recalled files stream back on access.
- Storage Migration Service (SMS), driven from Windows Admin Center, inventories source servers, transfers data and configuration, and can cut over identity (name and IP) so clients keep using the same path after migration.
- Storage Replica in synchronous mode provides zero-RPO disaster recovery between sites; Test-SRTopology validates prerequisites and New-SRPartnership establishes replication, both requiring a dedicated log volume.
- Azure Data Box is an offline, shipped appliance for transferring very large datasets to Azure when network transfer would be too slow or costly; AzCopy is the command-line tool for online copies to/from Azure storage.
- Robocopy is the preferred Windows file-copy tool for on-prem migrations because it preserves NTFS permissions, timestamps, and attributes and supports restartable, multithreaded, mirror-mode copies.
- Azure Files supports identity-based authentication (Microsoft Entra Kerberos or on-prem AD DS) so users access shares with their domain identity and NTFS-style ACLs instead of the storage account key.
- Soft delete for Azure file shares retains deleted shares and files for a configurable retention period, protecting against accidental deletion before permanent removal.
- Large file shares raise the capacity of an Azure Files share to 100 TiB (versus the 5 TiB default) and increase per-share IOPS/throughput; the feature must be enabled on standard storage accounts and is available for LRS/ZRS redundancy only.
- NTFS permission precedence: an explicit Deny overrides an Allow, so resolve unintended denial by removing the user from the denied group or using targeted permissions rather than broad Deny entries.
- Storage Spaces Direct requires a minimum of two nodes and uses two-way or three-way mirror resiliency so data copies survive node loss; thin provisioning lets virtual disks present more capacity than is physically allocated.
- Choose the right file-services technology per scenario: DFS-N/DFS-R for namespace and multi-master branch sync, Storage Replica for block-level DR, Azure File Sync for cloud tiering, and Failover Clustering for highly available shares.
- A cluster quorum witness (cloud witness backed by an Azure storage account, or a file-share witness) provides the deciding vote so a two-node cluster maintains quorum and stays online when one node is down.
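The Azure File Sync deployment order above (Storage Sync Service, agent, register server, sync group, server endpoint with tiering) with the Az.StorageSync cmdlets, as an added example that is not from the study guide. Resource names, region, share and paths are assumptions, and the agent is assumed to be installed already.

```powershell
# Added example (not from the study guide): the Azure File Sync deployment
# order with Az.StorageSync cmdlets. Resource names, region, share and paths
# are assumptions; the agent MSI must already be installed on the server.
Connect-AzAccount
$rg  = 'rg-filesync'
$sss = 'sss-corp'
$sa  = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stcorpfiles'   # existing account and share assumed

# 1. Storage Sync Service (the sync hub)
New-AzStorageSyncService -ResourceGroupName $rg -Name $sss -Location 'westeurope'

# 2-3. Agent is installed; register this server (run on the server itself)
$server = Register-AzStorageSyncServer -ResourceGroupName $rg -StorageSyncServiceName $sss

# 4. Sync group plus cloud endpoint (the Azure file share holding the master copy)
New-AzStorageSyncGroup -ResourceGroupName $rg -StorageSyncServiceName $sss -Name 'sg-data'
New-AzStorageSyncCloudEndpoint -ResourceGroupName $rg -StorageSyncServiceName $sss `
    -SyncGroupName 'sg-data' -Name 'cep-data' `
    -StorageAccountResourceId $sa.Id -AzureFileShareName 'data'

# 5. Server endpoint with cloud tiering: keep 20% of the volume free and tier
#    files not accessed for 60 days. The path must be on a non-system volume.
New-AzStorageSyncServerEndpoint -ResourceGroupName $rg -StorageSyncServiceName $sss `
    -SyncGroupName 'sg-data' -Name 'sep-fs01' `
    -ServerResourceId $server.ResourceId -ServerLocalPath 'D:\Data' `
    -CloudTiering -VolumeFreeSpacePercent 20 -TierFilesOlderThanDays 60

# Verify the tiering policy that was applied
Get-AzStorageSyncServerEndpoint -ResourceGroupName $rg -StorageSyncServiceName $sss -SyncGroupName 'sg-data' |
    Select-Object Name, ServerLocalPath, CloudTiering, VolumeFreeSpacePercent, TierFilesOlderThanDays
```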
AZ-800 exam tips
- Expect heavy use of PowerShell cmdlet identification: memorize the verb-noun and key parameters for AD DS (Install-ADDSForest, New-ADServiceAccount), Hyper-V (New-VM, Set-VMMemory, Checkpoint-VM), storage (New-StoragePool, Enable-DedupVolume, New-SRPartnership), and DHCP/DNS cmdlets.
- When a question gives a hybrid scenario, map the requirement to the right Azure service: Azure Arc for governing on-prem servers, Entra Connect for identity sync, Azure File Sync for tiered file storage, and Azure Update Manager for patching across environments.
- Watch for drag-and-drop 'correct sequence' items (Azure File Sync setup, Storage Replica, storage pool creation) and case-study questions; read the constraints (cost, no downtime, branch security) carefully because they dictate the single best answer.
- Distinguish look-alike features under pressure: mirror vs parity vs mirror-accelerated parity, Gen 1 vs Gen 2 VMs, process- vs Hyper-V-isolated containers, external vs internal vs private switches, and forest vs external trusts.
- Remember default behaviors and precedence rules the exam loves: explicit Deny beats Allow, GPO LSDOU processing order, gMSA 30-day password rotation, the PDC Emulator as time/lockout authority, and stopped-deallocated VMs incurring no compute cost.
Study guide FAQ
How is AZ-800 different from AZ-801?
AZ-800 covers core hybrid administration: identity (AD DS, Entra Connect), compute (Hyper-V, containers), storage and file services, and managing servers via Azure Arc and Windows Admin Center. AZ-801 builds on it with secure, high-availability, disaster-recovery, migration, and monitoring/troubleshooting topics. Passing both earns the Windows Server Hybrid Administrator Associate certification.
How much Azure and PowerShell knowledge do I really need?
A lot of both. The exam is explicitly hybrid, so you must know Azure Arc, Azure File Sync, Entra Connect, Azure VM cost controls, and Azure Update Manager alongside on-prem skills. PowerShell is tested directly through cmdlet recognition and parameter usage, so hands-on practice with AD DS, Hyper-V, and storage cmdlets is essential.
What format are the questions and how is it scored?
You get a mix of multiple choice, multiple response, drag-and-drop ordering, build-list, and one or more case studies with several linked questions. The exam runs 120 minutes and you need 700 out of 1000 to pass; the score is scaled, not a simple percentage of questions correct.
Should I build a lab to prepare?
Yes. Stand up a small Hyper-V lab with a domain controller, a member/file server, and a client, then practice promoting DCs, creating GPOs and gMSAs, building Storage Spaces and DFS, and configuring Hyper-V networking. Add a free or trial Azure subscription to onboard a server with Azure Arc and set up Azure File Sync, which mirrors the hybrid tasks the exam emphasizes.