AZ-801: Configuring Windows Server Hybrid Advanced Services Study Guide
AZ-801 (Configuring Windows Server Hybrid Advanced Services) validates your ability to secure Windows Server workloads, keep them highly available, protect them with disaster recovery, migrate them, and monitor them across on-premises and Azure hybrid environments. It targets Windows Server administrators who manage hybrid infrastructure and integrate it with Azure services such as Azure Arc, Azure Monitor, Azure Backup, and Azure Site Recovery. Passing requires a score of 700; the exam runs 120 minutes.
Domain 1: Secure Windows Server
- Credential Guard uses virtualization-based security (VBS) to isolate LSA secrets in a Hyper-V-backed trustlet, so derived credentials like NTLM hashes and Kerberos TGTs cannot be read by the running OS, defeating pass-the-hash and pass-the-ticket attacks.
- BitLocker provides full-volume AES encryption for data at rest, binding the key to a TPM, startup key, or recovery password so the disk is unreadable if stolen or decommissioned.
- Reduce attack surface by installing Server Core (no GUI), removing unused roles and features, keeping Windows Defender Firewall on with a default-deny inbound stance, and applying security baselines plus timely patching.
- Microsoft Defender for Servers (part of Defender for Cloud) adds EDR, threat intelligence, and continuous monitoring to Windows Server and onboards machines including Azure Arc-connected servers.
- Just Enough Administration (JEA) constrains PowerShell remoting via role-based session configurations that expose only the specific cmdlets and functions an operator needs, enforcing least privilege after a session connects (ideal for jump/RDP servers).
- Just-in-time (JIT) administration and Microsoft Entra Privileged Identity Management (PIM) grant elevated access only for a limited, time-bound window and require approval, reducing standing privilege.
- Windows Defender Application Control (WDAC) in enforced mode with a managed allowlist blocks all code not on the allowlist; Attack Surface Reduction (ASR) rules further block common malware-exploited behaviors.
- SMB signing protects against tampering and man-in-the-middle, and SMB encryption protects data confidentiality in transit over the SMB protocol.
- Use a tiered administration model and privileged access workstations (PAWs) so admin credentials are never exposed on lower-trust machines, and require MFA for all admin accounts.
- Windows LAPS (Local Administrator Password Solution) sets a unique, automatically rotated local administrator password per machine, eliminating shared local admin credentials.
- The Security Compliance Toolkit (SCT) provides Microsoft security baselines as GPO backups, plus the Policy Analyzer and LGPO tools to compare and apply hardened configurations.
- At low-trust branch sites, deploy Read-Only Domain Controllers (RODCs) and Server Core DCs to limit credential exposure and shrink the patch and attack surface.
- Extended Security Updates (ESU) deliver critical and important security patches for out-of-support Windows Server, and ESU is provided at no additional cost for eligible workloads running in Azure.
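The JEA bullet above describes role-based session configurations. The following is an added example (not from the original guide or from Microsoft) that builds one such endpoint; the module, role, endpoint, group, and user names are hypothetical.

```powershell
# Added example. Hypothetical names: module ContosoJEA, role DnsOperator,
# endpoint JEA-DnsOps, group CONTOSO\DnsOperators, user CONTOSO\alice.
# Run elevated on the server that will host the JEA endpoint.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ContosoJEA'
New-Item -ItemType Directory -Path "$module\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$module\ContosoJEA.psd1"

# Role capability: the only commands this role can see inside the session.
$role = @{
    Path           = "$module\RoleCapabilities\DnsOperator.psrc"
    VisibleCmdlets = @(
        'Get-Service',
        # Restart-Service is allowed, but only with -Name DNS.
        @{ Name = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } },
        # Event log reads are limited to the DNS Server log.
        @{ Name = 'Get-WinEvent'
           Parameters = @{ Name = 'LogName'; ValidateSet = 'DNS Server' },
                        @{ Name = 'MaxEvents' } }
    )
}
New-PSRoleCapabilityFile @role

# Session configuration: maps the AD group to the role, runs commands as a
# temporary virtual account, and writes a transcript of every session.
$jeaRoot = 'C:\ProgramData\JEAConfiguration'
New-Item -ItemType Directory -Path "$jeaRoot\Transcripts" -Force | Out-Null
$session = @{
    Path                = "$jeaRoot\DnsOps.pssc"
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = "$jeaRoot\Transcripts"
    RoleDefinitions     = @{
        'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' }
    }
}
New-PSSessionConfigurationFile @session

# Validate the file before registering; registration restarts WinRM.
if (-not (Test-PSSessionConfigurationFile -Path $session.Path)) {
    throw 'Session configuration file failed validation.'
}
Register-PSSessionConfiguration -Name 'JEA-DnsOps' -Path $session.Path -Force

# Audit step: list exactly which commands a given user would receive.
Get-PSSessionCapability -ConfigurationName 'JEA-DnsOps' -Username 'CONTOSO\alice'
```

An operator then connects with `Enter-PSSession -ComputerName <server> -ConfigurationName JEA-DnsOps` and sees only the commands listed in the role capability file.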
Domain 2: Implement and Manage Windows Server High Availability
- Failover Clustering provides automatic failover of clustered roles between nodes by continuously monitoring node and resource health and restarting roles on a healthy node.
- A quorum witness (disk, file share, or cloud) provides a tie-breaking vote that prevents split-brain, ensuring only the partition that can reach the witness keeps the cluster online; a cloud witness uses an Azure storage account.
- Cluster-Aware Updating (CAU) patches cluster nodes in a coordinated rolling manner (draining roles from a node, patching it, returning it to service, then moving to the next) so the cluster stays available.
- Cluster Shared Volumes (CSV) let all cluster nodes simultaneously read and write the same volume, enabling Hyper-V VMs and Scale-Out File Server to share storage without per-role ownership handoffs.
- Storage Spaces Direct (S2D) pools local node disks into a software-defined storage cluster; enable it with Enable-ClusterStorageSpacesDirect and use RDMA-capable networking for east-west traffic.
- For S2D, pick a resiliency type appropriate to node count (three-way mirror for performance-sensitive volumes) and use NVMe/SSD as the built-in cache in front of capacity drives.
- Scale-Out File Server (SOFS) provides continuously available active-active file shares for application data such as Hyper-V VHDs and SQL databases.
- Live Migration moves a running VM between Hyper-V hosts with no downtime for maintenance; Move-ClusterVirtualMachineRole -Name VM1 -Node Node2 -MigrationType Live performs a clustered live migration.
- Storage Replica enables block-level synchronous or asynchronous replication, including stretch clusters that span two sites for site-level resilience.
- Network Load Balancing (NLB) distributes client traffic across identical stateless servers at Layer 4 using unicast or multicast; in Azure use Standard Azure Load Balancer (Layer 4).
- Hyper-V Dynamic Memory adjusts a VM's RAM between configured minimum and maximum values using a memory buffer, improving density without manual reconfiguration.
- Create a cluster with New-Cluster -Name Cluster1 -Node Node1,Node2 -StaticAddress 10.0.0.10, and configure a cloud witness with Set-ClusterQuorum -CloudWitness -AccountName 'mystorage' -AccessKey '<key>'.
- Use New-NetLbfoTeam -Name Team1 -TeamMembers 'NIC1','NIC2' -TeamingMode Lacp to create a NIC team (note: Switch Embedded Teaming/SET is preferred for Hyper-V hosts).
Domain 3: Implement Disaster Recovery
- Azure Site Recovery (ASR) continuously replicates on-premises and Azure VMs to a secondary Azure region and provides orchestrated failover for regional outages.
- RPO (Recovery Point Objective) defines maximum tolerable data loss and drives replication/backup frequency; RTO (Recovery Time Objective) defines maximum tolerable downtime and drives how fast systems must come back online.
- ASR recovery plans define ordered failover groups for multi-tier apps and can invoke Azure Automation runbooks and custom scripts so dependent components recover in the correct sequence.
- Run periodic ASR test failovers into an isolated network to validate that recovery works and meets RTO/RPO without impacting production replication.
- Hyper-V Replica asynchronously replicates a VM to a replica host; enable it with Enable-VMReplication -VMName VM1 -ReplicaServerName Replica1 -ReplicaServerPort 80 -AuthenticationType Kerberos.
- Hyper-V Replica failover is a two-step replica sequence: Start-VMFailover -VMName VM1 to bring up the replica, then Complete-VMFailover -VMName VM1 to finalize it.
- Azure Backup protects on-premises servers, VMs, files, and system state using the MARS agent, while Azure Backup Server (MABS) backs up application workloads to a Recovery Services vault.
- Incremental backups transfer and store only changed blocks after the initial full backup, reducing bandwidth and storage consumption.
- Protect backups from ransomware with immutable/locked vaults, soft delete (retains deleted data for a recovery window), and Multi-User Authorization (MUA) on the Recovery Services vault.
- Immutability enforces write-once, read-many: a committed recovery point cannot be modified or deleted before its retention lock expires, even by an administrator.
- Control cost by tuning the backup retention policy (daily/weekly/monthly/yearly points), using the archive tier for long-term recovery points, and LRS where geo-redundancy is not required.
- Reduce ASR cost by replicating only the disks/VMs needed for recovery, using a lower-cost target VM SKU, and resizing to the production SKU only at failover.
- Choose asynchronous replication or a longer backup interval when bandwidth and storage cost matter more than minimizing data loss; this is an explicit RPO-versus-cost trade-off.
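The Hyper-V Replica bullets above give the enable and failover cmdlets. The following added example (not from the original guide) places them in sequence and goes slightly beyond the bullets by including the replica-server authorization and a test failover; host names, the FQDN, and the storage path are hypothetical.

```powershell
# Added example. Hypothetical names: VM1, hosts HV-Primary and HV-Replica,
# primary FQDN hv-primary.contoso.com, replica storage D:\Replica.
$vm = 'VM1'; $primary = 'HV-Primary'; $replica = 'HV-Replica'

# Replica host: accept Kerberos replication on port 80, and only from the
# named primary server rather than from any server.
$recv = @{
    ComputerName                    = $replica
    ReplicationEnabled              = $true
    AllowedAuthenticationType       = 'Kerberos'
    KerberosAuthenticationPort      = 80
    ReplicationAllowedFromAnyServer = $false
}
Set-VMReplicationServer @recv
New-VMReplicationAuthorizationEntry -ComputerName $replica `
    -AllowedPrimaryServer 'hv-primary.contoso.com' `
    -ReplicaStorageLocation 'D:\Replica' -TrustGroup 'Default'

# Primary host: enable replication, send the initial copy, check health.
Enable-VMReplication -ComputerName $primary -VMName $vm `
    -ReplicaServerName $replica -ReplicaServerPort 80 -AuthenticationType Kerberos
Start-VMInitialReplication -ComputerName $primary -VMName $vm
Measure-VMReplication -ComputerName $primary -VMName $vm

function Test-ReplicaFailover {
    # Non-disruptive drill: creates a separate test VM on the replica host
    # while replication continues, then removes it.
    $testVm = Start-VMFailover -ComputerName $replica -VMName $vm -AsTest -Passthru
    Start-VM -VM $testVm
    # ... validate the workload inside the test VM here ...
    Stop-VMFailover -ComputerName $replica -VMName $vm
}

function Invoke-UnplannedFailover {
    # Primary is lost: fail over on the replica host, start the VM,
    # then commit the failover, which discards the other recovery points.
    Start-VMFailover    -ComputerName $replica -VMName $vm -Confirm:$false
    Start-VM            -ComputerName $replica -Name $vm
    Complete-VMFailover -ComputerName $replica -VMName $vm -Confirm:$false
}
```

Only run `Complete-VMFailover` after confirming the workload is healthy, because it removes the option to revert to a different recovery point.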
Domain 4: Migrate Servers and Workloads
- Azure Migrate is the central tool for discovery, dependency mapping, readiness assessment, sizing, cost estimation, and migration of on-premises servers and VMs to Azure.
- Storage Migration Service (SMS) migrates file shares, data, NTFS permissions, and SMB share configuration from a source server to a new server while preserving share names and access paths; complete it with Start-SmsCutover -Name 'Job1'.
- Common migration strategies include rehost (lift-and-shift VMs as-is with Azure Migrate) and replatform (modernize to Azure managed services where appropriate); choose per workload risk and modernization goals.
- Dependency analysis (agentless via the Azure Migrate appliance, or agent-based) maps server-to-server communication so interdependent workloads migrate together in the correct order and nothing breaks.
- Always test the migrated workload (connectivity, application function, performance) in an isolated environment before decommissioning the source server.
- Use Azure Migrate performance-based sizing with a comfort factor tuned to typical utilization, then right-size after migration rather than over-provisioning up front.
- Azure Hybrid Benefit lets you apply existing Windows Server (and SQL Server) licenses with Software Assurance to reduce Azure compute cost; Reserved Instances or savings plans add 1- or 3-year commitment discounts.
- Apply auto-shutdown / start-stop schedules to deallocate non-production VMs when not in use to cut compute cost.
- Migrate Active Directory FSMO roles with Move-ADDirectoryServerOperationMasterRole, transferring all five roles (PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster) to the target DC.
- Migrate DHCP with Export-DhcpServer -ComputerName OldDhcp -File C:\dhcp.xml -Leases on the source and Import-DhcpServer -ComputerName NewDhcp -File C:\dhcp.xml -Leases -BackupPath C:\dhcpbackup on the target.
- Before migrating a clustered File Server role to a new node, install prerequisites with Install-WindowsFeature -Name FS-FileServer,Failover-Clustering -IncludeManagementTools.
- Use robocopy \\Old\Data \\New\Data /MIR /COPYALL /ZB /R:3 /W:5 to mirror file data with all attributes/ACLs, restartable copy, and tuned retry/wait when moving shares manually.
- Azure Files (SMB) with optional Azure File Sync provides cloud file shares with on-premises caching, and DISM /Online /Cleanup-Image /RestoreHealth repairs a corrupted component store before or after migration.
Domain 5: Monitor and Troubleshoot Windows Server
- Azure Monitor with a Log Analytics workspace centralizes logs and metrics from Azure, Arc, and on-premises servers, and queries them with Kusto Query Language (KQL).
- The modern collection path uses the Azure Monitor Agent (AMA) driven by Data Collection Rules (DCRs); the legacy Log Analytics/MMA agent is deprecated.
- To monitor an Azure Arc-enabled server, create a DCR, associate it with the machine, and install the AzureMonitorWindowsAgent extension (e.g., New-AzConnectedMachineExtension -Name AMAAgent -ExtensionType AzureMonitorWindowsAgent -Publisher Microsoft.Azure.Monitor).
- VM insights builds on the Azure Monitor Agent and Log Analytics to give performance charts plus a dependency map of processes and connections for a VM.
- Azure Monitor alert rules fire when a metric crosses a threshold; route notifications through action groups, and use alert processing rules and smart groups to manage noise and routing.
- Performance Monitor (PerfMon) collects real-time and historical counters; create a Data Collector Set logging to a .blg file for sustained capture, and import a template with logman import -n MyCollector -xml C:\template.xml.
- Key disk-performance counters are Avg. Disk sec/Read, Avg. Disk sec/Write, and Current Disk Queue Length; high values indicate a storage bottleneck.
- For slow Azure disk I/O, review the disk SKU IOPS/throughput limits and consider Premium SSD or a higher tier, since per-disk and per-VM caps throttle throughput.
- Enable Accelerated Networking on a VM's NIC to use SR-IOV for lower latency, lower jitter, and reduced CPU utilization on network-heavy workloads.
- Export an event log for offline analysis with wevtutil epl System C:\Logs\System.evtx, and use Event Viewer plus Windows RE/safe mode for boot and crash diagnostics.
- Azure Update Manager provides unified, agentless update assessment and scheduled patching for Azure, Arc-enabled, and on-premises servers; WSUS remains the on-premises alternative.
- Control Log Analytics cost with DCRs that filter/transform data, table-level retention, and commitment (capacity reservation) tiers; query the Usage table to find which tables ingest the most GB.
- A typical KQL CPU query is: Perf | where ObjectName == 'Processor' and CounterName == '% Processor Time' and TimeGenerated > ago(1h) | summarize avg(CounterValue) by Computer.
AZ-801 exam tips
- Watch for the hybrid angle in every domain: the same task often has an on-premises tool and an Azure equivalent (WSUS vs Azure Update Manager, Log Analytics agent vs Azure Monitor Agent, file share witness vs cloud witness); pick the one that matches the stated environment and constraints.
- Know the exact PowerShell cmdlets and their key parameters cold; AZ-801 frequently shows command-completion or correct-command questions (New-Cluster, Set-ClusterQuorum, Enable-VMReplication, Start-SmsCutover, Move-ADDirectoryServerOperationMasterRole).
- For yes/no and case-study items, evaluate only whether the proposed solution fully meets the stated goal and constraints; do not assume unstated requirements, and remember a partially correct solution still answers 'No, this does not meet the goal.'
- Map every DR scenario back to RPO and RTO: synchronous vs asynchronous, replication frequency, and target VM sizing are almost always cost-versus-recovery trade-offs the question expects you to reason about.
- Prefer the least-privilege, smallest-attack-surface, Microsoft-recommended answer (Server Core, JEA, JIT/PIM, WDAC enforced, default-deny firewall) when multiple options technically work.
Study guide FAQ
How is AZ-801 different from AZ-800, and do I need both?
AZ-800 covers core hybrid administration (identity, networking, storage, compute, Hyper-V), while AZ-801 focuses on advanced services: security, high availability, disaster recovery, migration, and monitoring. You must pass both AZ-800 and AZ-801 to earn the Windows Server Hybrid Administrator Associate certification.
How much Azure knowledge does AZ-801 require versus on-premises Windows Server?
Substantial Azure knowledge is required because the exam is explicitly hybrid. Expect Azure Arc, Azure Monitor and Log Analytics, Azure Backup and Recovery Services vaults, Azure Site Recovery, Azure Migrate, Azure Update Manager, and Azure Hybrid Benefit alongside core Windows Server features like Failover Clustering, S2D, Hyper-V Replica, and Storage Migration Service.
What question formats should I expect?
A mix of multiple choice, multiple-response (select all that apply), drag-and-drop ordering, PowerShell command-completion, and case studies. Some series present a goal with several proposed solutions where each is answered independently as 'Yes, this meets the goal' or 'No, this does not meet the goal', and you cannot go back once you move past a yes/no series.
What are the highest-value areas to study given the domain weighting?
All five domains are fairly evenly weighted, so cover everything, but invest heavily in the exact tooling: which service or cmdlet solves each scenario. Master Failover Clustering and quorum/witness behavior, ASR recovery plans plus Hyper-V Replica failover steps, Azure Migrate assessment and dependency mapping, and the Azure Monitor Agent/DCR collection model with KQL basics.