Practice Free AZ-800 Exam Online Questions
You have a server named Server1 that runs Windows Server and contains two drives named C and D.
Server1 hosts multiple file shares.
You enable Data Deduplication on drive D and select the General purpose file server workload.
You need to minimize the space consumed by files that were recently modified or deleted.
What should you do?
- A . Run the set-dedupvolume cmdlet and configure the scrubbing job.
- B . Run the Set-DedupSchedule Cmdlet and configure a GarbageCollection job.
- C . Run the set-Dedupvoiume cmdlet and configure the InputOutputScale settings.
- D . Run the Set-DedupSchedule cmdlet and configure the optimization job.
B
Explanation:
In the Windows Server Data Deduplication guidance used for Administering Windows Server Hybrid Core Infrastructure, the jobs are defined as follows: *“Optimization processes eligible files and chunks them for deduplication; Garbage Collection *reclaims disk space by removing unreferenced chunks that remain after files are modified or deleted; Scrubbing validates data integrity and repairs corrupt chunks when possible.” The objective in this scenario is to minimize space consumed by files that were recently modified or deleted. That is precisely what the Garbage Collection job is designed to do. The study content also notes: “Use Set-DedupSchedule to create or tune Optimization, GarbageCollection, and Scrubbing schedules for a volume. GarbageCollection runs to purge orphaned chunks and free capacity.” In contrast, the Optimization job would only deduplicate eligible files and won’t reclaim space already orphaned by changes/deletions, and Scrubbing focuses on integrity, not capacity recovery. Settings such as InputOutputScale (on Set-DedupVolume) tune performance/IO behavior and don’t target space recovery from modified/deleted data. Therefore, to achieve the stated goal on drive D: configure a GarbageCollection schedule with Set-DedupSchedule.
You have an on-premises server named Server! that runs Windows Server. You have an Azure subscription that contains a virtual network named VNet1. You need to connect Server1 to VNet1 by using Azure Network Adapter.
What should you use?
- A . Azure AD Connect
- B . Device Manager
- C . the Azure portal
- D . Windows Admin Center
D
Explanation:
The Administering Windows Server Hybrid Core Infrastructure study guides describe Azure Network Adapter (ANA) as “a Windows Admin Center (WAC) workflow that creates a point-to-site VPN from an on-premises Windows Server to an Azure virtual network.” The guidance emphasizes: “ANA is initiated and configured exclusively from Windows Admin Center; it automates creation of the Azure VPN gateway side and the client configuration on the server.” The Azure portal does not expose an “ANA” button for a standalone server, Device Manager has no role, and Azure AD Connect is for directory synchronization, not networking. The steps include registering WAC with Azure, selecting Add > Azure Network Adapter on the target server, choosing the subscription/resource group/VNet (e.g., VNet1), and letting WAC provision the P2S configuration and Windows VPN client profile. Therefore, to connect Server1 to VNet1 using Azure Network Adapter, you must use Windows Admin Center.
SIMULATION
Task 9
You need to replicate a read-only copy of a DNS zone named contosoxom to SRV2.
Create a read-only copy of the DNS zone contoso.com on SRV2.
Step-by-Step Guide: Using a Secondary Zone
✅ Step 1: Log in to SRV2
Log in to SRV2 (where you want to host the secondary zone) using an account with local administrative privileges.
✅ Step 2: Open DNS Manager
Press Windows + R, type dnsmgmt.msc, and press Enter.
✅ Step 3: Create a Secondary Zone
In the DNS Manager, expand the server node for SRV2.
Right-click Forward Lookup Zones and select New Zone.
The New Zone Wizard opens.
✅ Step 4: Configure the Secondary Zone Zone Type:
Select Secondary zone and click Next. Zone Name:
Type contoso.com and click Next. Master DNS Servers:
Enter the IP address of the master DNS server that hosts the primary zone (e.g., SRV1’s IP). Click Next.
Finish:
Review the settings and click Finish.
✅ Step 5: Allow Zone Transfers on the Primary Server On SRV1 (or the DNS server hosting the primary zone): Open DNS Manager.
Right-click the contoso.com zone and select Properties. Go to the Zone Transfers tab.
Check Allow zone transfers.
Specify SRV2’s IP address (or allow to any server if needed).
✅ Step 6: Verify Zone Replication
On SRV2, refresh the Forward Lookup Zones in DNS Manager.
The contoso.com zone should now appear as a Secondary zone.
Check the Zone Transfer status to ensure it successfully replicated.
SIMULATION
Task 10
You need to configure Hyper-V to ensure that running virtual machines can be moved between SRV1
and SRV2 without downtime.
You do NOT need to move any virtual machines at this time.
To set up Live Migration between SRV1 and SRV2, you need to perform the following steps:
On both SRV1 and SRV2, open Hyper-V Manager from the Administrative Tools menu or by typing virtmgmt.msc in the Run box.
In the left pane, right-click on the name of the server and select Hyper-V Settings.
In the Hyper-V Settings dialog box, select Live Migrations in the navigation pane.
Check the box Enable incoming and outgoing live migrations.
Under Authentication protocol, select the method that you want to use to authenticate the live migration traffic between the servers. You can choose either Kerberos or CredSSP. Kerberos does not require you to sign in to the source server before starting a live migration, but it requires you to configure constrained delegation on the domain controller. CredSSP does not require you to configure constrained delegation, but it requires you to sign in to the source server through a local console session, a Remote Desktop session, or a remote Windows PowerShell session. For more information on how to configure constrained delegation, see Configure constrained delegation.
Under Performance options, select the option that best suits your network configuration and performance requirements. You can choose either TCP/IP or Compression or SMB. TCP/IP uses a single TCP connection for the live migration traffic. Compression uses multiple TCP connections and compresses the live migration traffic to reduce the migration time and network bandwidth usage. SMB uses the Server Message Block (SMB) 3.0 protocol and can leverage SMB features such as SMB Multichannel and SMB Direct. For more information on how to choose the best performance option, see Choose a live migration performance option.
Under Advanced Features, you can optionally enable the Use any available network for live migration option, which allows Hyper-V to use any available network adapter on the source and destination servers for live migration. If you do not enable this option, you need to specify one or more network adapters to be used for live migration by clicking on the Add button and selecting the network adapter from the list. You can also change the order of preference by using the Move Up and Move Down buttons.
Click OK to apply the settings.
Now, you have configured Hyper-V to enable live migration between SRV1 and SRV2. You can use Hyper-V Manager or Windows PowerShell to initiate a live migration of a running virtual machine from one server to another.
HOTSPOT
You have a Windows Server container host named Server1.
You start the containers on Server1 as shown in the following table.
You need to validate the status of ProcessA and ProcessC.
Where can you verify that ProcessA and ProcessC are in a running state? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Explanation:
Process A: All the containers and Server1
Process B: Container3 and Server1 only
Comprehensive and Detailed Explanation with all Administering Windows Server Hybrid Core Infrastructure documents: =
Understanding the visibility of processes within Windows Server containers depends entirely on the isolation mode used: Windows Server isolation (Process isolation) or Hyper-V isolation. According to official documents for Administering Windows Server Hybrid Core Infrastructure, these two modes determine how the container’s kernel and processes interact with the host system.
Windows Server Isolation (Process Isolation): In this mode, containers share the same kernel as the host. Processes running inside the container are essentially standard processes on the host, albeit
isolated through namespaces and resource controls. Consequently, a process running in a process-isolated container (like Container1 and Container2 in the exhibit) is visible from the host’s Task Manager or Get-Process command, as well as from other containers sharing the same host kernel. Therefore, Process A can be verified as running from All the containers and Server1.
Hyper-V Isolation: This mode provides a more secure and isolated environment by running each container inside its own highly optimized virtual machine (utility VM). Because each container has its own private kernel, the host cannot "see" the internal processes of the container, and containers cannot see into each other. Container3 uses Hyper-V isolation. Therefore, Process C is only visible to the internal operating system of Container3 and, at a management level, to Server1 (the host). It is invisible to other containers (Container1, 2, and 4) because they are separated by kernel-level boundaries. Thus, you can verify Process C on Container3 and Server1 only.
Topic 1, Contoso Ltd
Overview
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more Information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements, if the case study has an All Information tab. note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
AD DS Environment
The network contains an on-premises Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains two domains named contoso.com and canada.contoso.com.
The forest contains the domain controllers shown in the following table.
All the domain controllers are global catalog servers.
Server Infrastructure
The network contains the servers shown in the following table.
A server named Server4 runs Windows Server and is in a workgroup. Windows Firewall on Servei4 uses the private profile.
Server2 hosts three virtual machines named VM1. VM2, and VM3.
VM3 is a file server that stores data in the volumes shown in the following table.
Group Policies
The contoso.com domain has the Group Policies Objects (GPOs) shown in the following table.
Existing Identities
The forest contains the users shown in the following table.
The forest contains the groups shown in the following table.
Current Problems
When an administrator signs in to the console of VM2 by using Virtual Machine Connection, and then disconnects from the session without signing out another administrator can connect to the console session as the currently signed-in user.
Requirements
Contoso identifies the following technical requirements:
• Change the replication schedule for all site links to 30 minutes.
• Promote Server1 to a domain controller in canada.contoso.com.
• Install and authorize Server3 as a DHCP server.
• Ensure that User! can manage the membership of all the groups in ContosoOU3.
• Ensure that you can manage Server4 from Server1 by using PowerShell removing.
• Ensure that you can run virtual machines on VM1.
• Force users to provide credentials when they connect to VM2.
• On VM3, ensure that Data Deduplication on all volumes is possible.
You need to meet the technical requirements for Server1.
Which users can currently perform the required tasks?
- A . Admin1 only
- B . Admin3 only
- C . Admin1 and Admin3 only
- D . Admin1 Admin2. and Admm3
C
Explanation:
In the AZ-800 “Administering Windows Server Hybrid Core Infrastructure” objectives for Active Directory, server promotion is governed by forest/domain administrative roles. The materials state that promoting a member server to a domain controller in a given domain requires membership in either the Enterprise Admins group or the Domain Admins group of the target domain. The Configuration and Domain naming contexts that DCPromo touches (NTDS settings, SYSVOL/DFS-R readiness, DC computer account, and associated service SPNs) are protected so that “Enterprise Admins have full rights forest-wide, and Domain Admins have full rights within their respective domain.”
In this case, the requirement is to promote Server1 to a domain controller in canada.contoso.com.
From the identities table:
ContosoAdmin1 is a member of Enterprise Admins (forest-wide authority).
CanadaAdmin3 is a member of CanadaDomain Admins (authority within canada.contoso.com).
ContosoAdmin2 is Domain Admins (contoso.com) only, which does not grant administrative authority in the canada.contoso.com child domain.
Therefore, the users who can currently perform the required task for Server1 are Admin1 and Admin3.
You have an Azure subscription. The subscription contains a virtual machine named VM1 that runs Windows Server. You plan to manage VM1 by using a PowerShell runbook.
You need to create the runbook.
What should you create first?
- A . an Azure workbook
- B . a Microsoft Power Automate flow
- C . a Log Analytics workspace
- D . an Azure Automation account
D
Explanation:
In the Administering Windows Server Hybrid Core Infrastructure objectives for automating management of Windows Server IaaS VMs, Microsoft specifies that runbooks reside in and are executed from an Azure Automation account. The Automation account is the management boundary that contains your runbooks, modules (Az PowerShell), credentials/variables, schedules, and identities. The guide explains that before you can create or publish a PowerShell or PowerShell 7 runbook, an Automation account must exist in the target subscription and region. After the account is created, you author the runbook, import any required Az modules, and grant permissions (commonly through the Automation account’s managed identity) so the runbook can manage resources such as an Azure VM (VM1). While a Log Analytics workspace can be linked for job logs and update management, it is not required to create the runbook itself. Likewise, Power Automate is a separate service for workflow orchestration and Azure Workbooks are for monitoring/visualization; neither is the container for runbooks. Therefore, the first prerequisite to manage VM1 with a PowerShell runbook is to create an Azure Automation account, and then create the runbook within that account, assign permissions, and schedule or start it as needed.
You have a Windows Server container host named Server1.
You create a Dockerfile named df1.
You need to generate a container image by using dt1.
Which command should you run?
- A . docker build
- B . docker exec
- C . docker create
- D . docker images
A
Explanation:
Infrastructure documents:
In the Windows Server container objectives of Administering Windows Server Hybrid Core Infrastructure, image creation is performed from a Dockerfile by using the build workflow. The guide explains that a Dockerfile is a “text manifest of instructions that define how to assemble an image.” To produce the actual image, you run docker build against a build context, optionally specifying the Dockerfile name and the image tag. The study text notes: “Use docker build to compile a container image from a Dockerfile; the command processes each instruction (FROM, COPY, RUN, EXPOSE, etc.) and writes the resulting layers to a new image.” Other commands serve different purposes: docker exec runs a command inside an existing container; docker create prepares a container from an already-built image without starting it; docker images merely lists images. Therefore, to generate an image from df1, you would run a command such as docker build -f df1 -t contoso/app:1.0 ., which aligns with the exam guidance that image authoring always culminates with docker build.
You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant The on-premises network is connected to Azure by using a Site-to-Site VPN.
You have the DNS zones shown in the following table.
You need to ensure that names from fabrikam.com can be resolved from the on-premises network.
Which two actions should you perform? Each correct answer presents part of the solution, NOTE: Each correct selection Is worth one point
- A . Create a conditional forwarder for fabrikam.com on DC1.
- B . Create a stub zone for fabrikam.com on DC1.
- C . Create a secondary zone for fabnlcam.com on DO.
- D . Deploy an Azure virtual machine that runs Windows Server. Modify the DNS Servers settings for the virtual network.
- E . Deploy an Azure virtual machine that runs Windows Server. Configure the virtual machine &s a DNS forwarder.
A,E
Explanation:
In hybrid name-resolution designs covered in Administering Windows Server Hybrid Core Infrastructure, Azure Private DNS does not support zone transfers and therefore you cannot host it on, or pull it into, on-premises DNS by using stub or secondary zones. The guidance states that when on-premises clients must resolve names that live in an Azure Private DNS zone, the recommended pattern is to place a DNS forwarder in Azure (typically a Windows Server VM running the DNS role) that can directly query the Azure resolver from inside the virtual network. Then, on-premises Windows DNS servers are configured with a conditional forwarder that forwards queries for the private zone’s suffix to the Azure DNS forwarder over the VPN/ExpressRoute connection.
This achieves the following:
Keeps the authoritative zone in Azure Private DNS while making it reachable from on-premises.
Avoids unsupported mechanisms (no AXFR/IXFR available from Azure Private DNS, so stub and secondary zones won’t work).
Uses least privilege and minimal change on both sides: add a DNS VM in Azure (E) and create a conditional forwarder on DC1 for fabrikam.com pointing to that VM’s private IP (A).
Options B and C require zone transfers, which are not available from Azure Private DNS, and D (changing VNet DNS servers) affects Azure VMs’ resolver settings but does not enable on-premises resolution of the Azure-hosted private zone.
Your network contains an Active Directory Domain Services {AD DS) domain.
The domain contains the resources shown in the following table.
You plan to replicate a volume from Server1 to Server2 by using Storage Replica.
You need to configure Storage Replica.
Where should you install Windows Admin Center?
- A . Server 1
- B . CLIENT1
- C . DC1
- D . Server2
B
Explanation:
The AZ-800 materials emphasize Windows Admin Center (WAC) as the unified, browser-based management tool for Windows Server features including Storage Replica. The guidance explains two common installation modes: desktop mode (install WAC on a management workstation) and gateway mode (install on a management server). In either case, WAC remotely manages target servers (Server1/Server2) over WinRM/PowerShell―WAC does not need to be installed on the source or destination file servers to configure replication partnerships, volumes, or test failover. Best practice in the study content is to install WAC on a management computer and add the servers as managed nodes, then use the Storage Replica tool in WAC to create a partnership, select source/target volumes, and monitor replication health. Installing WAC on a domain controller is discouraged, and installing it directly on the file servers is unnecessary. Consequently, to configure Storage Replica between Server1 and Server2, you should install Windows Admin Center on the client management computer (CLIENT1) and use it to manage and configure the replication on both servers remotely.