Microsoft AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam Practice Test

Disk1 (three-way mirror): 2 disks; Disk2 (parity): 1 disk

\In the Administering Windows Server Hybrid Core Infrastructure materials on Storage Spaces resiliency, Microsoft describes how each resiliency type determines simultaneous disk-failure tolerance. The guide explains that mirror spaces keep multiple copies of data: “Two-way mirror writes two copies and can sustain a single disk failure; three-way mirror writes three copies and can sustain the loss of any two disks without data loss.” It also differentiates parity spaces , which stripe data with parity information: “Parity provides capacity efficiency comparable to RAID-5 and tolerates a single disk failure (use dual parity to withstand two failures).”

Applying these to SSPace1:

Disk1 uses a three-way mirror across eight physical disks. By definition, a three-way mirror survives two concurrent disk failures and remains online, satisfying the “always available” requirement.

Disk2 is configured as parity across twelve ph ysical disks. Standard parity (single parity) is equivalent to RAID-5 and survives one disk failure ; only dual parity would allow two, but the configuration provided specifies parity (not dual parity).

Therefore, the maximum simultaneous physical disk fail ures while maintaining availability are 2 for Disk1 and 1 for Disk2 .

The AZ-800 materials explain that enabling Microsoft Entra (Azure AD) sign-in to Windows Server running as an Azure VM is done by deploying the Azure AD Login for Windows VM extension. The study guide states that “for Azure VMs, Microsoft Entra sign-in is enabled by installing the AADLoginForWindows extension; once installed, Entra users and groups granted ‘Virtual Machine User/Login’ roles can sign in using Entra credentials.” The required operation is performed from Azure PowerShell with Set-AzVMExtension , providing the publisher Mic rosoft.Azure.ActiveDirectory , type AADLoginForWindows , and the target VM. Other options are not applicable: Set-AzVM changes VM properties but does not install extensions; New-ADComputer and Add-ADComputerServiceAccount are AD DS cmdlets unrelated to enabling Entra login on an Azure VM. Therefore, to meet the plan “Enable Microsoft Entra users to sign in to Server1,” you must run Set-AzVMExtension to install the AAD Login extension on Server1.

The Administering Windows Server Hybrid Core Infrastructure content notes that Microsoft Entra Connect cloud sync uses lightweight agents and supports synchronizing specific OUs from multiple forests into a single tenant. The guide highlights that cloud sync “is designed for multi-forest or cross-organization scenarios and allows scoping to selected OUs and groups,” enabling granular onboarding of just the identities you need. The requirement says “the users in the Marketing OU (in Fabrikam’s forest) must have access to storage1.” Granting access to Azure Files using Entra-based authorization requires that those users exist in the same Entra tenant. Cloud sync enables importing only the Fabrikam Marketing OU into A. Datum’s tenant without establishing full trust for all users. Azure AD Connect in active or staging mode would target the A. Datum forest and isn’t intended for selectively bringing in a separate partner forest OU; AD FS is a federation solution and does not create tenant objects for ACLs on Azure resources like Azure Files. Therefore, implement Microsoft Entra Connect cloud sync and scope it to the Marketing OU to meet the requirement.

To meet the requirement that VM3 be configured for per-folder quotas, the Windows Server file services module directs you to install File Server Resource Manager (FSRM). The course content explains: “FSRM provides quota management, file screening, and storage reporting. Quotas can be applied to volumes and to specific folders, enabling administrators to control the space consumed.” None of the other features listed deliver folder-level quota capability: Enhanced Storage and Windows Standards-Based Storage Management relate to storage management/SMI-S, and iSNS Server concerns iSCSI discovery services. Therefore, the first step is to install FSRM on VM3; after installation, you can create per-folder quota templates and assignments to enforce the desired limits.

According to the Administering Windows Server Hybrid Core Infrastructure (AZ-800) exam study materials, Azure DNS Private Resolver allows bidirectional name resolution between on-premises environments and Azure private DNS zones. The Private DNS Resolver consists of inbound endpoints (to resolve queries from on-premises to Azure) and outbound endpoints (to resolve queries from Azure to on-pr emises DNS servers). For name resolution to work, private DNS zones must be linked to the virtual network associated with the resolver’s hub network.

In this scenario, the planned configuration specifies:

A Private DNS Resolver named Private1 created in th e West US region and linked to VNet1 .

An inbound endpoint in SubnetB .

The requirement is to identify which private DNS zones will be available for name resolution through this resolver.

From the details given, only Zone1.com and Zone2.com are linked to VNe t1 , allowing them to participate in name resolution using the resolver. Zone3.com is not linked to VNet1 (either un linked or linked to another virtual network), and therefore it cannot be resolved through the DNS Resolver in VNet1.

As emphasized in Microso ft’s hybrid infrastructure documentation:

“Private DNS zones must be linked to the same virtual network that contains the Private DNS Resolver or to peered virtual networks for name resolution to succeed.”

Hence, only Zone1.com and Zone2.com are available for name resolution through the Private DNS Resolver.

✅ Correct Answer: C. Zone1.com and Zone2.com only

Comprehensive and Detailed Explanation with all Administering Windows Server Hybrid Core Infrastructure documents: =

In the Administering Windows Server Hybrid Core Infrastructure study materials, Automanage for Azure VMs is described as a service that “onboards supported Azure virtual machines into a curated set of best-practice services automatically.” The guide notes that Automanage supports Azure IaaS VMs running Windows Server (2012 R2 and later) and common Linux distributions (for example Ubuntu/RHEL), while unsupported operating systems such as Windows client SKUs or older Windows Server releases are excluded. The same content emphasizes that Automanage targets “only supported Azure VMs” and does not extend to machines that don’t meet OS prerequisites.

Given the scenario, Server1 (supported Linux server) and Server2 (supported Windows Server) meet Automanage prerequisites, whereas the remaining Azure VMs are not in the supported matrix (client OS or an older/unsupported server release). Therefore, enabling Automanage on Server1 and Server2 only satisfies the technical requirement to “use Azure Automanage on all supported Azure virtual machines.”

The exam materials state that Azure Automation runbooks can be authored in PowerShell and Python (along with Graphical and PowerShell Workflow where noted). The module on “Automate management in hybrid environments” specifies: “Runbooks support PowerShell for Windows-based automation and Python for cross-platform scenarios.” It further explains that these languages integrate with Automation Accounts, modules/packages, credentials, and managed identities to run tasks on Azure or hybrid resources through the Hybrid Runbook Worker. Languages such as Java, JavaScript, or Bicep are not runbook languages (Bicep is used for ARM template deployments, not runbook execution). Accordingly, Task1 can be implemented in PowerShell and Python.

In the Windows Server exam materials for Administering Windows Server Hybrid Core Infrastructure (AZ-800) , Microsoft documents that Data Deduplication is supported only on data volumes and specifically on NTFS-formatted volumes , and it cannot be enabled on the system or boot volume . The study text states: “Data Deduplication is applied at the volume level and supports NTFS data volumes. You cannot enable deduplication on the system or boot volume.” It further clarifies unsupported targets: “ReFS volumes and FAT/exFAT volumes are not supported for Data Deduplication in general-purpose server scenarios,” and emphasizes that deduplication is “not available for the operating s ystem volume.”

Applying these rules to VM3:

C: NTFS but it is the OS/system volume → not eligible .

D: NTFS data volume → eligible .

E: ReFS → not supported for general-purpose dedup in this context.

F: exFAT → not supported .

Therefore, the only volume on which you can enable Data Deduplication to meet the requirement is volume D .

No

Yes

Yes

In Administering Windows Server Hybrid Core Infrastructure , Microsoft states that the domain password policy for domain user accounts is determined by the GPO that wins at the domain root (commonly the Default Domain Policy ). GPOs linked to OUs do not change the domain password policy for user accounts in those OUs; they only affect local accounts on computers within those OUs unless Fine-Grained Password Policies (PSOs) are used and scoped to users/groups. The case shows Default Domain Policy in contoso.com sets Minimum password length = 10 . Therefore, both Admin1 (a domain user in Contoso\OU1) and User1 (in Contoso\OU3) fall under the 10-character minimum; the OU-linked GPO1 (14) does not override the domain password policy for their domain accounts → Admin1: No , User1: Yes .

For member servers and local accounts , the documentation explains that password policy settings in a GP O linked to the OU containing the computer apply to that computer’s local Security Accounts Manager (SAM) . In the scenario, Server1 resides in Member Servers and GPO2 linked to Member Servers specifies Minimum password length = 8 . Thus, when Admin1 creates a local account on Server1 , the enforced minimum is 8 characters → Yes . This approach follows least privilege and standard precedence: domain-level for domain accounts, OU-linked GPOs for local accounts, unless PSOs are explicitly defined.

In the Administering Windows Server Hybrid Core Infrastructure objectives for managing Hyper-V, enabling nested virtualization is the required step when you must “run virtual machines inside a virtual machine.” The referenced guidance states that Hyper-V on a VM is supported only when the host exposes hardware virtualization features to the guest. The prescriptive step is: “Turn off the VM and run Set-VMProcessor -VMName < V MName > -ExposeVirtualizationExtensions $true to enable nested virtualization.” The module further notes that this action “passes through Intel VT-x/AMD-V to the guest so the guest OS can install the Hyper-V role and create VMs.” It also clarifies that “the setting is applied on the parent host for the target VM and requires the VM to be powered off before the change is committed.”

Because the technical requirement says “Ensure that you can run virtual machines on VM1”, VM1 must be able to host Hyper-V while itself running as a VM on Server2. The first and essential cmdlet is therefore Set-VMProcessor with the -ExposeVirtualizationExtensions switch set to $true against VM1. Other optional settings (for example, MAC spoofing on the vNIC or static memory) may be configured later if needed, but exposing virtualization extensions is the enabling prerequisite that satisfies the requirement.

In the Administering Windows Server Hybrid Core Infrastructure materials under Hyper-V management, Microsoft specifies that Enhanced Sess ion Mode changes VMConnect from a raw console attach to a connection that uses Remote Desktop Protocol (RDP) to the guest. The guide states that Enhanced Session Mode “ uses RDP to establish the VMConnect session so the user must supply credentials for a lo gon to the guest operating system ,” and further that it “ prevents a second administrator from inheriting an already signed-in console session ” because the connection is treated as a new interactive sign-in. In contrast, the default basic console session “ attaches directly to the active console without prompting for credentials ,” which is exactly the current problem described for VM2.

The same objective area clarifies that other options do not meet the requirement: Guest Services integration only enables fi le copy and certain host-guest interactions; Credential Guard protects secrets inside Windows by isolating LSASS but does not affect Hyper-V console connection behavior ; Shielded VMs provide fabric-level protections and encryption but are not required mere ly to force credential prompts for VMConnect.

Therefore, to force users to provide credentials when they connect to VM2 and to eliminate inherited console sessions, you should enable Enhanced Session Mode on the Hyper-V host (and ensure the guest supports RDP).

n the Administering Windows Server Hybrid Core Infrastructure guidance for managing AD DS, Microsoft emphasizes using OU-level delegation to satisfy administrative needs while adhering to the principle of least privilege. The documentation explains that the Delegate Control wizard on an OU lets you grant a user or group only the specific permissions required for common tasks, including “Modify the membership of a group”. This grants the write permission to the member attribute on group objects contained in that OU, without giving broader account-management rights across the domain.

By contrast, placing a user in Account Operators or Server Operators provides elevated, domain-wide capabilities far beyond what is required. Account Operators can create, delete, and modify many account types across the domain (except for protected admin accounts), which violates least-privilege for a task that only needs to change group membership in one OU. Server Operators is unrelated to group membership and is intended for server administration tasks. Creating a delegation at the domain root would similarly be excessive because it applies broadly to all containers and OUs.

Therefore, to meet the requirement “Ensure that User1 can manage the membership of all the groups in Contoso\OU3,” you should delegate control on OU3 and assign the built-in task “Modify the membership of a group” to User1, achieving the minimal permissions necessary.

In Windows Server AD DS, group scope determines which groups/accounts can be members. The AZ-800 study materials summarize: “Domain Local groups can include accounts, Global groups, and Universal groups from any domain and Domain Local groups from the same domain only. Global groups can include accounts and other Global groups from the same domain only. Universal groups can include *accounts, Global groups, and Universal groups from any domain.” In addition, distribution vs. security does not change the scope membership rules; it only affects whether the group can be assigned permis sions.

Applying the rules: Group3 is a Domain Local security group in contoso.com . Therefore it can contain Universal (Group1), Global from any domain (Group2 in contoso.com and Group4/Group5 in canada.contoso.com), but cannot contain a Domain Local from a nother domain (Group6 in canada.contoso.com). Hence: Group1, Group2, Group4, and Group5 only .

Group5 is a Global distribution group in canada.contoso.com . A Global group can only contain accounts or Global groups from the same domain . From the list, only G roup4 (Global distribution, canada.contoso.com) fits. It cannot contain Group1 (Universal), Group2 (Global but different domain), or Group6 (Domain Local). Therefore: Group4 only .

 Create two additional sites named Site2 and Site3. Move DC2 to Site2 and DC3 to Site3.

 Create an additional site link that contains Site1 and Site2.

 Remove Site2 from DEFAULTIPSITELINK.

The Administering Windows Server Hybrid Core Infrastructure guidance for AD DS site design states that each physical location should be mapped to its own Active Directory site so that replication and logon traffic can be controlled and optimized per location. The documentation explains that when you deploy new sites, domain controllers must be moved into the corresponding site containers to ensure intrasite replication uses the local site topology and intersite replication follows site links. It also emphasizes that site links define replication cost, schedule, and frequency between sites; by creating separate site links for the pairs you want to manage, you can independently control replication schedules for those paths. The guides further note that new sites are placed in DEFAULTIPSITELINK by default, and that administrators can create additional site links and then remove a site from DEFAULTIPSITELINK to prevent it from inheriting the default schedule and cost—thereby isolating schedules per site pair. Finally, the KCC/ISTG automatically generate the required connection objects, so you generally should not create manual connection objects unless you have a specific exception. Following these principles: create Site2 and Site3 and move DCs, add a dedicated link (Site1–Site2) to set its own schedule, and remove Site2 from DEFAULTIPSITELINK so Site1–Site2 and Site1–Site3 replication can be controlled independently while minimizing replication interruptions.

In the Administering Windows Server Hybrid Core Infrastructure materials for managing hybrid servers with Azure Arc, Microsoft describes two primary, supported ways to deliver Desired State Configuration at scale: Azur e Automation State Configuration and Azure Policy Guest Configuration . For large fleets of Arc-enabled servers, the guidance emphasizes that Guest Configuration uses DSC resources and content that is packaged and then assigned by Azure Policy , removing the need to stand up or manage a pull server. The study content explains that Guest Configuration “ audits and (with remediation) configures the inside of machines using DSC resources ” and that you deliver it by creating or using a policy definition that refer ences your guest configuration package , so compliance and remediation happen through policy assignment. This approach is highlighted as the lowest-overhead method for Arc servers because policy assignments can be targeted to subscriptions, resource groups, or Arc-enabled machines , providing uniform roll-out and governance with minimal administration.

The same materials note that Automation State Configuration requires onboarding nodes to an Automation account and managing configurations there , which adds ex tra setup for non-Azure VMs. In contrast, with Arc + Guest Configuration, the DSC content is stored/referenced in the Azure Policy definition and enforced by the Guest Configuration extension , enabling you to apply and remediate configurations at scale wit h Azure Policy , which best meets the requirement to minimize administrative effort across 500 Arc-enabled Windows Server machines joined to the on-premises domain.

In Just Enough Administration (JEA), you restrict what remote users can do by publishing a PowerShell se ssion endpoint that references a session configuration file and one or more role capability files . The AZ-800 “Administering Windows Server Hybrid Core Infrastructure” materials explain that a JEA deployment follows this order: (1) create role capability f iles (.psrc) in a module’s RoleCapabilities folder to enumerate allowed cmdlets, functions, and parameters; (2) author a session configuration file (.pssc) —typically with New-PSSessionConfigurationFile —that maps users or groups to the role capabilities; an d (3) register the endpoint with Register-PSSessionConfiguration , supplying the .pssc path and a Name for the endpoint. Only after registration can helpdesk users connect to the constrained endpoint.

Critically, among the listed cmdlets, Register-PSSession Configuration is the one that accepts -Name and -Path to a .pssc file, which matches the prompt ( -Path .\hypervJeaConfig __ -Name ' hypervJeaHelpDesk ' -Force ). Enter-PSSession is for connecting to an already published endpoint, and New-PSSessionConfigurationFile creates the .pssc but does not publish it. Likewise, file types .ps1 (script), .psm1 (module), and .psrc (role capability) are not valid for the -Path parameter when registering an endpoint. Therefore, the correct completion is:

Register-PSSessionConfiguration -Path .\hypervJeaConfig.pssc -Name ' hypervJeaHelpDesk ' -Force .

The Administering Windows Server Hybrid Core Infrastructure materials for Azure File Sync explain that a cloud endpoint in a sync group must be an Azure file share and that “the storage account that contains the Azure file share must be in the same Azure region as the Storage Sync Service.” The guide also clarifies supported account types: “Azure File Sync supports Azure Files in general-purpose v2 (StorageV2) accounts for Standard performance and FileStorage ac counts for Premium performance; BlockBlobStorage accounts are not supported for Azure Files.” Additionally, only storage accounts that contain Azure file shares can be selected for cloud endpoints; blob containers (used by Block Blob) are not applicable to Azure File Sync.

Applying these requirements to the table:

storage1 (East US, StorageV2) → valid region and account kind, and it has share1 (an Azure file share) → eligible.

storage3 (East US, FileStorage) → valid region and supported Premium account kind, with share3 → eligible.

storage2 (East US, BlockBlobStorage) → Block Blob only, no Azure Files share → ineligible.

storage4 (Central US, StorageV2) → has a file share but is not in the same region as the Storage Sync Service (Synd in East US) → ineligible.

Therefore, when creating the sync group in Synd (East US), you can use storage1 and storage3, and the only valid cloud endpoints you can specify are share1 and share3.

In Windows Admin Center (WAC), “gateway access” is controlled by the Allowed groups list on the gateway. The AZ-800 materials explain that membership in the local Administrators group on the WAC gateway still permits sign-in unless you explicitly scope access to specific groups in the Allowed groups list . The guidance further states that to restrict who can sign in to the WAC gateway, you must populate Allowed groups with one or more security groups (for example, a domain group) and remove broad principals (like BUILTIN\Users). Until you add at least one explicit group, existing administrators can continue to authenticate, which is why “everyone” appears able to sign in after only removing BUILTIN\Users. By adding a dedicated security group to Allowed groups, only members of that group can authenticate to the gateway UI; non-members are denied. Settings such as Performance profile or Require manage-as sessions to re-authenticate affect performance and remote management prompts, not gateway sign-in. Proxy bypass lists control outbound connectivity, not access control. Therefore, to prevent unauthorized sign-ins, configure Allowed groups with a specific security group and manage membership there.

Infrastructure documents: =

In the Windows Server DNS guidance for hybrid core infrastructure, Microsoft specifies that forwarders send “all queries for names that the DNS server cannot resolve locally to a designated upstream server,” while conditional forwarders target “queries for a specific DNS domain to one or more authoritative DNS servers for that domain.” When a branch office DNS server must resolve a partner/remote domain hosted elsewhere in the organization and you cannot change the authoritative server, the recommended pattern is to configure a conditional forwarder on the branch server pointing to the remote authoritative server. For Internet name resolution, you configure a standard forwarder to the required recursive resolver IP.

Applied here: New York clients use Server2. To resolve contoso.com (hosted on Server1), create a conditional forwarder on Server2 for contoso.com that points to 10.1.1.1 (Server1). To meet the requirement to forward all other external lookups, configure a forwarder on Server2 to 131.107.100.200. This design avoids zone transfers or changes on Server1 and fulfills both name-resolution requirements with minimal administration.

Infrastructure documents: =

In the Windows Server container objectives of Administering Window s Server Hybrid Core Infrastructure , image creation is performed from a Dockerfile by using the build workflow. The guide explains that a Dockerfile is a “text manifest of instructions that define how to assemble an image.” To produce the actual image, you run docker build against a build context, optionally specifying the Dockerfile name and the image tag. The study text notes: “Use docker build to compile a container image from a Dockerfile; the command processes each instruction (FROM, COPY, RUN, EXPOSE, etc.) and writes the resulting layers to a new image.” Other commands serve different purposes: docker exec runs a command inside an existing container ; docker create prepares a container from an already-built image without starting it; docker images merely lists images. Therefore, to generate an image from df1, you would run a command such as docker build -f df1 -t contoso/app:1.0 . , which aligns with the exam guidance that image authoring always culminates with docker build .

 User1 can read the files in Share1. Yes

 User3 can delete files in Share1. No

 If User2 connects to \Server1.adatum.com from File Explorer, (Share1 will be visible). Yes

In Windows file sharing, effective access over SMB = the most restrictive result of Share permissions AND NTFS permissions . The AZ-800 materials emphasize that a user must have sufficient permission on both layers to perform an action. In Folder1, NTFS ACLs grant Group1 = Read , Group2 = Write , and no entry for Group3 . The share “Share1” grants Group1 = Change and Group3 = Full Control .

User1 (Group1) : Share permission “Change” would allow modify over SMB, but NTFS grants only Rea d . Because the effective permission is the lower of the two, User1 is effectively Read and therefore can read the files.

User3 (Group3) : Although the share grants Full Control , there is no NTFS entry for Group3 (inheritance is disabled), so NTFS denies acc ess. Without NTFS rights (e.g., Modify/Delete), delete is not possible .

User2 (Group2) : NTFS grants Write , but there is no share permission for Group2, so User2 cannot access content through the share. However, the share’s FolderEnumerationMode = Unrestricted (i.e., Access-Based Enumeration is off). As covered in the hybrid core guide, when ABE is disabled, users can see items even if they lack permissions. Thus, when User2 browses \Server1.adatum.com , Share1 is visible (opening it will result in A ccess Denied).

Therefore: Yes (User1 read), No (User3 delete), Yes (User2 sees Share1).

In the AZ-800 materials on “Manage and maintain Windows Server IaaS virtual machines,” the Serial Console requirement is called out clearly: the VM must have Boot diagnostics enabled so Azure can capture the console and provide an interactive text console during boot and runtime. The guidance explains that enabling Boot diagnostics (either managed or with a storage account) stores the console output and screen shots that the Serial Console relies on. Guest-level diagnostics or a managed identity are not prerequisites for Serial Console access.

Access control to the Serial Console is governed by Azure RBAC. The study guidance states that users must be granted either Virtual Machine Contributor (broad rights) or the minimal login roles; for secure, least-privilege access to a console session with administrative rights, assign Virtual Machine Administrator Login to the user. This role allows interactive sign-in to the VM (RDP/SSH/Serial Console) without granting configuration permissions on the VM.

Therefore, to let user1@contoso.com use the Serial Console while meeting least-privilege objectives, enable Boot diagnostics on the VM (here, with a custom storage account, which satisfies the boot diagnostics requirement) and assign the Virtual Machine Administrator Login role to User1.

The course content for Administering W indows Server Hybrid Core Infrastructure explains the effective permission model for SMB shares: “Access to a shared folder is the most restrictive result of the Share permissions and the NTFS permissions . Share permissions control access over the network, while NTFS permissions control access to the file system itself. The effective permission is the intersection—users must have permission in both places.” It also clarifies typical rights: “Read includes viewing and opening; Change/Modify includes creating , changing, and deleting ; Full Control adds the ability to change permissions and take ownership.”

Applying this: User1 is in Group1 . Share1 grants Group1 = Change , and NTFS on D:\Folder1 grants Group1 = Read . The intersection is Read , so User1 can read fi les. User3 is in Group3 . Share1 grants Group3 = Full Control , but NTFS has no entry for Group3 (and no broader Allow that would include it). Without NTFS Modify/Delete, User3 cannot delete .

Regarding visibility, the share was created with FolderEnumerationMode = Unrestricted . The training states: “With Unrestricted enumeration, the share (and items) are not hidden based on access; users may see the share even if they lack permissions, though access will be denied when opened. Access-Based e numeration hides items from users without permission.” Therefore, when User2 (member of Group2 ) browses \\Server1 , Share1 will be listed , though opening it would rely on permissions.

 A secondary DNS zone for contoso.com can be added to Server3. : Yes

 If you add a DNS record to contoso.com, the record will replicate to Server2. : Yes

 If you add a DNS record to east.contoso.com, the record will re plicate to Server1. : Yes

The replication and availability of DNS data in a Windows Server environment are dictated by the zone type and its replication scope. According to official documentation, Active Directory-integrated zones provide high availability and multi-master replication.

Secondary Zone Availability : A secondary zone is a read-only copy of a DNS zone hosted on another server (the master). Standard DNS protocol allows any DNS server, regardless of its role as a Domain Controller, to host a seco ndary zone for any reachable primary zone. Since Server3 is a member server, it can host a secondary zone for contoso.com to provide local name resolution.

Replication of contoso.com : The properties for the contoso.com zone on Server1 show the replication scope is set to " All DNS servers in this domain " . Since Server1 and Server2 are both domain controllers in the contoso.com domain, any record added to this zone will automatically replicate between them through the Active Directory replication process.

Rep lication of east.contoso.com : The properties for the east.contoso.com zone on Server3 show the replication scope is set to " All DNS servers in this forest " . In Active Directory, the forest-wide replication scope stores the DNS zone in the ForestDnsZones partition. This partition is replicated to every domain controller that runs the DNS Server service throughout the entire forest. Because Server1 is a domain controller within the same forest (contoso.com root), it will receive the replicated records from the east.contoso.com zone.

ProcessA : All the containers and Server1

ProcessB : Container3 and Server1 only

Comprehensive and Detailed Explanation with all Administering Windows Server Hybrid Core Infrastructure documents : =

Understand ing the visibility of processes within Windows Server containers depends entirely on the isolation mode used: Windows Server isolation (Process isolation) or Hyper-V isolation . According to official documents for Administering Windows Server Hybrid Core In frastructure, these two modes determine how the container ' s kernel and processes interact with the host system.

Windows Server Isolation (Process Isolation) : In this mode, containers share the same kernel as the host. Processes running inside the container are essentially standard processes on the host, albeit isolated through namespaces and resource controls. Consequently, a process running in a process-isolated container (like Container1 and Container2 in the exhibit) is visible from the host ' s Task Manag er or Get-Process command, as well as from other containers sharing the same host kernel. Therefore, ProcessA can be verified as running from All the containers and Server1 .

Hyper-V Isolation : This mode provides a more secure and isolated environment by ru nning each container inside its own highly optimized virtual machine (utility VM). Because each container has its own private kernel, the host cannot " see " the internal processes of the container, and containers cannot see into each other. Container3 uses Hyper-V isolation. Therefore, ProcessC is only visible to the internal operating system of Container3 and, at a management level, to Server1 (the host). It is invisible to other containers (Container1, 2, and 4) because they are separated by kernel-level boundaries. Thus, you can verify ProcessC on Container3 and Server1 only .

Within the Manage AD DS operations master roles (FSMO) section of the AZ-800 materials, Microsoft documents multiple supported me thods to identify role holders. The guidance states that the command-line utility NETDOM can enumerate all FSMO roles with: netdom query fsmo . The output lists the Schema Master , Domain Naming Master , RID Master , PDC Emulator , and Infrastructure Master , ea ch with the current role holder’s FQDN. The course notes emphasize that this method is fast, non-interactive, and does not require specific MMC snap-ins, making it suitable for both Server Core and remote administration scenarios. Because the command retur ns the PDC Emulator holder explicitly in its results, running netdom.exe query fsmo does meet the goal of identifying which server is the PDC Emulator for the domain. This aligns with best practices for quick verification of FSMO placement during operations such as time service verification, password update convergence checks, or when planning FSMO transfers and seizures.

The Administering Windows Server Hybrid Core Infrastructure materials explain that Azure AD Password Protection for on-premises AD uses two components : the DC agent and the proxy service . The DC agent is installed on every domain controller because it “ intercepts password set/change operations locally on the DC and evaluates them against the forbidden-password policy .” The guidance further states that to ensure consistent enforcement “ the DC agent should be deployed to all DCs in the forest, since password changes may occur on any DC .” The proxy service is installed on member servers (not necessarily DCs) and “ relays policy downloads and telemetry to Azure AD on behalf of DCs ,” which satisfies envi ronments where “ domain controllers must not directly contact Internet endpoints .” Finally, configuration of the global and custom banned password lists is performed in Azure AD , where administrators “ define tenant-wide custom banned terms; DCs obtain the p olicy via the proxy and cache it for local enforcement .”

Given Fabrikam’s requirement to prevent DCs from accessing the Internet, the proxy must run on non-DC servers ( VM1 and VM2 ). To guarantee enforcement wherever a password is changed, the DC agent must be on all domain controllers . The custom banned password list is configured in the Azure AD tenant and then distributed to on-premises DCs via the proxy.

Within the hybrid governance section of Administering Windows Server Hybrid Core Infrastructure, Microsoft specifies that Azure Arc–enabled servers are the mechanism to bring on-premises and multi-cloud servers under Azure control to apply Azure Policy (Guest Configuration) and Defender for Servers. The prerequisite is installing the Azure Connected Machine agent (Azure Arc agent) on each server: “To manage servers with Azure Policy and configuration management, install the Connected Machine agent to onboard them to Azure Arc; once connected, you can assign Azure Policy guest configuration and monitor compliance just like Azure VMs.” Hybrid Azure AD Join is unrelated to Azure Policy assignment; the Azure Monitor agent provides telemetry but does not onboard to Arc for policy governance; a hybrid runbook worker is for Automation runbooks, not for enforcing Azure Policy. Therefore, to “use Azure Policy to enforce configuration management policies on the servers in Azure and on-premises,” deploy the Azure Connected Machine agent to all servers to Arc-enable them and then assign the desired policies.

In Administering Windows Server Hybrid Core Infrastructure , Microsoft states that high availability for DHCP on Windows Server is achieved by using DHCP failover rather than the legacy split-scope (80/20) model. The guidan ce explains that DHCP failover “ synchronizes lease data between two DHCP servers and can be configured in Load Balance or Hot Standby mode on a per-scope basis,” and that you enable it on each DHCP scope to create a partner relationship that automatically replicates scope configuration and active leases. This meets the requirement to keep address assignment available if one DHCP server is down.

The same materials further note that DHCP broadcasts do not traverse routers; therefore, when the partner server i s reachable across a routed boundary (another site/subnet) , you must configure the router as a DHCP relay (IP helper) to forward DHCPDISCOVER messages to the remote DHCP server(s). The text emphasizes: “When clients and DHCP servers are on different subnet s, configure a relay agent on the router to forward requests to the DHCP server IP addresses.”

Applying this to Fabrikam: create DHCP failover between DHCP1 (Scope1) and DHCP2 (Scope2) ( E ) and configure the routers in New York and Seattle as DHCP relays th at forward to both DHCP servers ( B ). You do not use Failover Clustering for DHCP here, and you do not create extra 25% scopes; those are split-scope practices superseded by DHCP failover.

The exam content for Group Policy processing stresses User Group Policy loopback processing for session hosts (RDS/AVD): “In environments like Remote Desktop Session Host (or Azure Virtual Desktop), enable loopback processing on the OU that contains the session host computers so that user settings from that GPO apply when users log on to those computers, regardless of the user’s own OU.” The requirement states: “Apply GPO4 to the Azure Virtual Desktop session hosts. Ensure that Azure Virtual D esktop user sessions lock after being idle for 10 minutes. Users must be able to control the lockout time manually from their client computer.” The idle-lock is a user configuration setting that must apply when users sign in to the session hosts, not to their personal devices. Therefore, enable loopback processing (Merge/Replace) in GPO4, which is linked to the VirtualDesktops OU containing the session hosts. Using security filtering or Enforced cannot make user settings in GPO4 override the user’s own OU without loopback. Loopback ensures the AVD hosts impose the 10-minute lock for sessions, while leaving users free to set their own client device policies independently—fulfilling least-impact design.

In Azure File Sync architecture (covered in Admin istering Windows Server Hybrid Core Infrastructure under “Implement and manage storage solutions”), the fundamental design points are:

Sync group – “A sync group defines a sync topology. Each sync group contains exactly one cloud endpoint (an Azure file sh are) and one or more server endpoints.” A server endpoint is a folder on a registered Windows Server. A server can participate in multiple sync groups so long as the server endpoints are different paths.

Storage Sync Service – “The Storage Sync Service is the top-level resource that maintains server registrations and houses your sync groups.” A Windows Server registers to one Storage Sync Service at a time, and that service can contain many sync groups and many servers.

Applying these rules to the requirement:

You have three Azure file shares: newyorkfiles, seattlefiles, and companyfiles. Because each sync group maps to one cloud endpoint, you need one sync group per share ⇒ 3 sync groups.

FS1 must sync with newyorkfiles and companyfiles; FS2 must sync with seattlefiles and companyfiles. Since one Storage Sync Service can host multiple sync groups and multiple servers, and a server must be registered to a single service, the most efficient design is a single Storage Sync Service containing all three sync groups and both servers.

In the Administering Windows Server Hybrid Core Infrastructure materials (AZ-800), Microsoft explains that Group Managed Service Accounts (gMSAs) are designed for services running on multi ple servers and “provide automatic password management, simplified SPN management, and the ability to delegate the management to other administrators.” The guidance further states that before you can create any gMSA, “the domain must have a KDS root key so that the Key Distribution Service can generate and rotate strong, unique passwords for gMSAs on a schedule.” After the KDS root key is created, “use New-ADServiceAccount to create the gMSA and grant the computers (e.g., web servers) permission to retrieve the account password.” For IIS, the course notes specify that a gMSA can be used for app pools: “Configure the IIS application pool identity to a custom account and specify the gMSA name (ending with ‘$’) without a password; the password is managed automa tically by AD and rotates by policy (for example, every 30 days).”

Mapping these requirements to the scenario: Webapp1 runs on WEB1 and WEB2 and must use the same service account with an automatic 30-day password change . Therefore, the correct sequence is: create the KDS root key , create the gMSA , and then set the IIS application pool to run under that account. This fulfills the security requirement while allowing both web servers to share the same, automatically-rotated credentials.

In the Administering Windows Server Hybrid Core Infrastructure guidance for extending AD DS into Azure, Microsoft states that when you place a domain controller in an Azure virtual network you must run DNS on that domain controller and point the VNet to that DNS server: “Domain controllers in Azure IaaS should host the AD-integrated DNS zone, and the virtual network’s DNS server setting must reference those DC/DNS IPs so Azure VMs use AD DNS rat her than the Azure-provided resolver.” The materials also emphasize that Azure’s default DNS cannot host or manage AD DS zones, so custom DNS is required for domain-joined workloads. Therefore, to meet the requirement you (1) install the DNS Server role on DC3 so it can host the corp.fabrikam.com AD-integrated zone (F), and (2) configure the DNS Servers setting on Vnet1 to the IP of DC3 (and any additional DCs), ensuring all Azure VMs in Vnet1 resolve the domain via AD DNS (D). Creating a public Azure DNS zone or a Private DNS zone with the same AD name is not appropriate for AD-integrated name resolution. This design also supports the security requirement of preventing domain controllers from relying on Internet-facing resolvers.

The exam materials for Administering Windows Server Hybrid Core Infrastructure explain that when replacing private WAN links with Azure, Azure Virtual WAN (vWAN) can be used to centralize connectivity. For private connectivity, ExpressRoute integrates directly with a vWAN hub by deploying an ExpressRoute gateway in the hub. The gateway is the Azure resource that terminates ExpressRoute and enables hub-and-spoke routing to connected VNets (such as Vnet1 ). The guides emphasize: “ In a Virtual WAN hub, use the ExpressRoute gateway to connect ExpressRoute circuits and propagate routes acro ss the hub to your virtual networks .”

On-premises, each site (New York and Seattle) requires an ExpressRoute circuit connection provisioned via a connectivity provider. The circuit is the dedicated private connection from the customer edge to Microsoft’s edge and is what the office sites actually use; it’s then linked to the vWAN hub’s ExpressRoute gateway. The same materials note that Site-to-Site VPN is an alternative transport but is not required when ExpressRoute is mandated. Likewise, Application Gateway is a Layer-7 load balancer for HTTP/S traffic, and on-premises data gateway relates to Power BI/Power Platform hybrid connectivity, neither of which establishes network transport between offices and Azure.

Therefore, to meet the requirement “connect both on-premises offices to Vnet1 by using ExpressRoute,” configure an ExpressRoute gateway on the vWAN hub and ExpressRoute circuit connections in the offices.

In the Administering Windows Server Hybrid Core Infrastructure materials (hybrid security and IaaS management), Just-In-Time (JIT) VM access from Microsoft Defender for Cloud is the prescribed way to require approval-based, time-bound Remote Desktop access to Azure VMs. The guide explains that JIT “locks down inbound traffic to management ports (for example, TCP/3389) and opens them only on request, for a limited time and only from approved source IPs.” Administrators request access; upon approval, Defender for Cloud creates a temporary NSG rule that expires automatically—you specify the maximum allowed window (e.g., 2 hours) and the ports. This matches the requirement: “Ensure that server administ rators request approval before they can establish a Remote Desktop connection to an Azure virtual machine. If the request is approved, the connection must be established within two hours.” Alternatives don’t meet this: PIM governs Azure roles, not VM RDP port exposure; Azure Bastion provides secure RDP/SSH over TLS without public IPs but doesn’t provide approval/time-boxed gating; the Remote Desktop extension is for classic Cloud Services and not for policy-driven approval windows. JIT is the least-privilege, policy-enforced solution aligned with the exam’s hybrid security objectives.

The exam materials explain that to add a new domain controller to an existing AD DS forest in Azure, you deploy a Windows Server IaaS VM and then promote it: “To extend on-premises AD DS into Azure, provision a Windows Server VM in Azure and run AD DS to create an additional domain controll er for the existing domain.” Conversely, Azure Active Directory Domain Services (Azure AD DS) provides a managed domain that is separate from and not writable by your on-premises administrators —you “do not get domain admin rights or access to DCs” —so it cannot be used to add a DC (dc3.corp.fabrikam.com) to the existing corp.fabrikam.com forest. Azure AD Application Proxy and Azure AD administrative units are unrelated to deploying DCs. Therefore, the correct implementation is to deploy an Azure virtual machine in Vnet1, install AD DS/DNS, and promote it to become DC3 in the existing domain.

TASK 6

???? Objective:

Enable nested virtualization for a VM (VM1) on SRV1.

Step-by-Step Guide: Enable Nested Virtualization

✅ Step 1: Verify Requirements

Nested virtualization requires:

SRV1 to have a processor that supports Intel VT-x or AMD-V.

Hyper-V role installed on SRV1.

VM1 must be turned off.

✅ Step 2: Open PowerShell on SRV1

Log in to SRV 1 with an account that has administrative privileges.

Open PowerShell as Administrator.

✅ Step 3: Enable Nested Virtualization

Run the following command:

Set-VMProcessor -VMName " VM1 " -ExposeVirtualizationExtensions $true

✅ Step 4: Verify Nested Virtu alization

To confirm the change, run:

Get-VMProcessor -VMName " VM1 " | Format-List ExposeVirtualizationExtensions

✅ The output should show:

ExposeVirtualizationExtensions : True

✅ Step 5: Configure Network Adapter (Optional for Nested VMs)

Nested virtualization requires MAC address spoofing for the VM network adapter.

Run:

Set-VMNetworkAdapter -VMName " VM1 " -MacAddressSpoofing On

✅ Step 6: Start the VM

Use PowerShell:

Start-VM -Name " VM1 "

Or start the VM in Hyper-V Manager.

Additional Notes

Nested virtualization allows you to run Hyper-V within a VM.

Useful for lab/test environments (e.g., running nested Hyper-V hosts in a VM).

Modify the trust on : DC2

Modify the permissions for the : Computer object of SRV1

In an Active Directory Domain Services (AD DS) environment involving multiple forests and external trusts, managing granular access across domain boundaries is achieved through Selective Authentication . According to official documents for Administering Windows Server Hybrid Core Infrastructure, there are two primary authentication settings for a trust: Domain-wide authentication and Se lective authentication .

When you need to restrict users from a trusted forest (contoso.com) so they can only access specific resources in the trusting forest (adatum.com), you must configure the trust to use Selective Authentication . This configuration must be performed in the resource domain (the trusting domain). Based on the provided table, DC2 is the domain controller for adatum.com , which is where the shared resources (SRV1) reside. Therefore, you must modify the trust properties on DC2 to enable Selective Authentication for the incoming trust from contoso.com.

Once Selective Authentication is enabled, Windows does not automatically grant the " Authenticated Users " SID to the user ' s access token for resources in the local domain. Instead, administrators must explicitly grant the Allowed to Authenticate permission on the specific resource ' s computer object. In this scenario, since the requirement is to restrict access specifically to resources on SRV1 , you must modify the security permissions on the Comput er object of SRV1 in Active Directory Users and Computers. By granting the contoso.com users (or a group containing them) this permission, they can successfully authenticate against SRV1 while being blocked from all other servers in the adatum.com forest. This satisfies the requirement to prevent access to any other resources while maintaining the ability of adatum.com users to access contoso.com (as the 2-way trust remains intact).

To create an AD DS site named Site2 that is associated to an IP address range of 192.168.2.0 to 192.168.2.255, you can follow these steps:

On a domain controller or a computer that has the Remote Server Administration Tools (RSAT) installed, open Active Directory Sites and Services from the Administrative Tools menu or by typing dssite.msc in the Run box.

In the left pane, right-click on Sites and select New Site.

In the New Object - Site di alog box, enter Site2 as the Name of the new site. Select a site link to associate the new site with, such as DEFAULTIPSITELINK, and click OK. You can also create a new site link if you want to customize the replication frequency and schedule between the s ites. For more information on how to create a site link, see Create a Site Link.

In the left pane, right-click on Subnets and select New Subnet.

In the New Object - Subnet dialog box, enter 192.168.2.0/24 as the Prefix of the subnet. This notation represen ts the IP address range of 192.168.2.0 to 192.168.2.255 with a subnet mask of 255.255.255.0. Select Site2 as the Site object to associate the subnet with, and click OK.

Wait for the changes to replicate to other domain controllers. You can verify the site and subnet creation by checking the Sites and Subnets containers in Active Directory Sites and Services.

Now, you have created an AD DS site named Site2 that is associated to an IP address range of 192.168.2.0 to 192.168.2.255. You can add domain controlle rs to the new site and configure the site links and site link bridges to optimize the replication topology.

To collect the recommended Windows Performance Counters from SRV1 in a Log Analytics workspace, you can follow these steps:

Step 1: Access the Log Analytics Workspace Log in to the Azure portal and navigate to your Log Analytics workspace.

Step 2: Configure Performance Counters In the Log Analytics workspace, select Advanced settings and then choose Data > Windows Performance Counters1. You can add the recommended performance counters by selecting the + button. If you’re using legacy agent management, you can add counters from the Legacy agents management menu2.

Step 3: Add P erformance Counters Select the counters you want to collect. You can add common counters quickly by checking the boxes next to them. For specific counters, enter the name of the counter in the format object(instance)\counter. For example, to collect the Pr ocessor Time counter for all instances of the Processor object, specify Processor(_Total)\% Processor Time.

Step 4: Set Sample Interval When adding a counter, you can set the sample interval, which is the frequency at which data is collected. The default is 10 seconds, but you can change this to a higher value if needed.

Step 5: Apply Configuration After adding the desired performance counters, select Apply at the top of the screen to save the configuration.

Step 6: Install and Configure the Agent Ensure t hat the Microsoft Monitoring Agent (MMA) is installed on SRV1. Configure the agent to report to your Log Analytics workspace by specifying the workspace ID and key during setup.

Step 7: Verify Data Collection After the agent is configured, it will start co llecting the specified performance counters. You can verify the data collection in the Log Analytics workspace by running queries against the collected data.

Note: The legacy Log Analytics agent will be deprecated by August 2024. Migrate to the Azure Monit or agent before this date to continue ingesting data3.

By following these steps, you should be able to collect the recommended Windows Performance Counters from SRV1 in your Log Analytics workspace. Ensure that you have the necessary permissions and that S RV1 has network connectivity to Azure services.