az-800 exam questions

Free Questions on AZ-800 exam: Administering Windows Server Hybrid Core Infrastructure

These free AZ-800 exam questions and answers provided here cover the important concepts of the AZ-800 certification exam. Our detailed explanations for these sample questions helps you to learn the exam objectives faster. AZ-800: Administering Windows Server Hybrid Core Infrastructure exam tests your knowledge and understanding on the performing of various technical tasks including the:

  • Deployment and management of Active Directory Domain Services in the on-premises & cloud environment,
  • Managing virtual machines and containers,
  • Managing Windows servers and workloads in a hybrid environment,
  • Implementation and management of hybrid and on-premises networking infrastructure,
  • The management of file services and storage.

Table of Contents

Domain : Deploy and Manage Active Directory Domain Services (AD DS) in On-premises and Cloud Environments

Q1 : You have recently joined the company. Nica and you will be responsible for managing Active Directory Domain Services (AD DS) in the administrator role. You need to set the FSMO role such that the Active directory objects will be unique in every domain. Which of the following Flexible Single Master Operation (FSMO) roles is responsible for the uniqueness of Active directory objects in every domain?

A. RID Master Role
B. Infrastructure Master Role
C. Schema Master Role
D. Domain Naming Master Role
E. PDC Emulator Role

Correct Answer: A

Explanation

When a Domain controller creates a security principal object like a group or a user, it attaches a unique SID (Security ID) to the object. The SID contains:

  • A domain SID, which is the same for all Security IDs created in a domain.
  • A RID (Relative ID), that is unique for every security principal Security ID created in a domain.

Option A is correct. RID Master Role is responsible for the uniqueness of Active directory objects in every domain.
Option B is incorrect. Infrastructure Master Role isn’t responsible for the uniqueness of Active directory objects in every domain.
Option C is incorrect. The schema master role is responsible to perform updates to the directory schema.
Option D is incorrect.  The domain naming master role is responsible for making updates to the forest-wide domain name space of the directory.
Option E is incorrect. The PDC emulator role is essential to synchronize time in an organization.

Reference: To know more about Active Directory FSMO roles in Windows, please visit the below-given link: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/fsmo-roles

 

Domain : Deploy and Manage Active Directory Domain Services (AD DS) in On-premises and Cloud Environments

Q2 : Active Directory Recycle Bin is a feature offered by Windows Server that helps in restoring the objects deleted from AD DS with no AD DS downtime. Can you use the Active Directory Recycle Bin to revert the changes to existing objects?

A. Yes
B. No

Correct Answer: B

Explanation

Active Directory Recycle Bin can’t be used to revert changes to existing objects. For such cases, you need to use the traditional approaches of backing up and restoring AD DS.

Reference: To know more about how to Maintain AD DS domain controllers, please visit the below-given link: https://docs.microsoft.com/en-us/learn/modules/manage-active-directory-domain-services-flexible-single-master-operation-roles/3-maintain-domain-controllers

 

Domain : Deploy and Manage Active Directory Domain Services (AD DS) in On-premises and Cloud Environments

Q3 : You have recently joined Carla company as an administrator. Your team lead is working on AD DS and asks you a few questions to check your existing knowledge. One question he asks is – what kind of trust relationship is automatically created when you create a new AD DS tree in an existing AD DS forest? What would be your response? 

A. A Parent and Child trust
B. An External trust
C. A tree-root trust
D. A Realm trust
E. A shortcut trust

Correct Answer: C

Explanation

When a new AD DS tree is created in an existing AD DS forest, it automatically creates a new tree-root trust.

Option A is incorrect. When a new AD DS domain is added to an existing AD DS tree, it creates new parent and child trusts.
Option B is incorrect. when you create a new AD DS tree in an existing AD DS forest, a tree-root trust, not an external trust is created.
Option C is correct. When a new AD DS tree is created in an existing AD DS forest, it automatically creates a new tree-root trust.
Option D is incorrect. Realm trusts create an authentication path between a Windows Server AD DS domain and a Kerberos version 5 (v5) protocol realm that implements by utilizing a directory service other than AD DS.
Option E is incorrect. Shortcut trusts are configured to reduce the time consumed to authenticate between AD DS domains that are in various parts of an AD DS forest.

Reference: To know more about AD DS forests and domains, please visit the below-given link: https://docs.microsoft.com/en-us/learn/modules/introduction-to-ad-ds/4-define-forests-domains

 

Domain : Deploy and Manage Active Directory Domain Services (AD DS) in On-premises and Cloud Environments

Q4 : You have downloaded a software from the Internet and you want to check this software against vendor-provided file hashes to make sure that it is not tampered with by unauthorized third parties. Which of the following commands can help you?

A. Matchutil.exe command
B. certutil.exe command
C. Hashmatch.exe command
D. Filematch.exe command

Correct Answer: B

Explanation

certutil.exe command, built into the Windows operating system, can be used to compare a downloaded file with the hash file that has been provided by the vendor.

Option A is incorrect. Matchutil.exe is not a valid command.
Option B is correct. certutil.exe command can be used to compare a downloaded file with the hash file that has been provided by the vendor.
Option C is incorrect. Hashmatch.exe command can’t be used for the said purpose.
Option D is incorrect. Filematch.exe is not a valid command.

Reference: To know more about ESAE forests, please visit the below-given link: https://docs.microsoft.com/en-us/learn/modules/manage-advanced-features-of-ad-ds/3-implement-esae-forests

 

Domain : Deploy and Manage Active Directory Domain Services (AD DS) in On-premises and Cloud Environments

Q5. From the below list of attributes or objects, choose the ones that are synchronized from an on-premises AD DS environment to Azure AD DS or Azure AD.

A. Group Policies
B. Sysvol folder
C. SidHistory attributes for users and groups
D. Organization Units (OU) structures
E. None of these

Correct Answer: E

Explanation

The following attributes or objects are not synchronized from an on-premises AD DS environment to Azure AD DS or Azure AD:

    • Excluded attributes
    • Group policies
    • Sysvol folder
    • Computer objects
    • SidHistory attributes for users and groups
  • Organization Units (OU) structures

Option A is incorrect. Not only group policies, but all the given attributes or objects are not synchronized.
Option B is incorrect. The content of the Sysvol folder in an on-premises AD DS environment isn’t synchronized to Azure AD DS. 
Option C is incorrect. The primary group and primary user SIDs from an on-premises AD DS environment are synchronized to Azure AD DS. However, existing SidHistory attributes for groups and users are not synchronized from the on-premises AD DS environment to Azure AD DS.
Option D is incorrect. OUs defined in an on-premises AD DS environment are not synchronized to Azure AD DS. 
Option E is correct. None of the given attributes or objects is synchronized from an on-premises AD DS environment to Azure AD DS or Azure AD.

Reference: To know more about synchronization, please visit the below-given link: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization

 

Domain : Deploy and Manage Active Directory Domain Services (AD DS) in On-premises and Cloud Environments

Q6 : There are two sites Manchester and Sydney in Whizlabs.com. A single GPO (called Manchester settings) is linked to Manchester and another (Sydney settings) is linked to Sydney. Additionally, there are 2 GPOs linked to the Whizlabs.com domain: The Default Domain GPO (which is Enforced) and a further policy: Whizlabs Folder Redirection (which has a link order value of 2). The Sales OU has a linked GPO called Sales Desktop settings. A user in the Sales department based in Sydney, whose user account and computer account reside in the Sales OU, is facing issues with settings on their computer. Being the administrator, you decide to investigate. You suspect that there are conflicting settings in the several GPOs that apply to the users and their computers. Which of the following GPOs settings take precedence?

A. Sydney setting GPO
B. Default Domain GPO
C. Sales Desktop setting GPO
D. Manchester setting GPO

Correct Answer: B

Explanation

The Default Domain Policy GPO is associated with the domain, and it applies to Authenticated Users. Because of not having any WMI filters, it affects all the computers and users in the domain. 

In the above case, Default Domain GPO takes precedence because it is Enforced.

Option A is incorrect. Sydney setting GPO won’t take precedence as it is likely to be superseded by more specific GPOs on the domain and OU.
Option B is correct. Default Domain GPO will take precedence because it is enforced.
Option C is incorrect. Although this GPO is the most specific, its settings are overridden by settings in the enforced Default Domain policy.
Option D is incorrect. Manchester setting GPO is the incorrect answer.

Reference: To know more about group policy order, please visit the below-given link: https://4sysops.com/archives/understanding-group-policy-order/

 

Domain : Manage Windows Servers and Workloads in a Hybrid Environment

Q7 : You have been tasked to reconfigure the properties of some users in the Sales organization unit of the fabrikam.com domain. Which of the following cmdlets would you use in PowerShell to make the changes?

A. New-ADuser
B. Set-ADuser
C. Get-ADuser
D. Change-ADuser

Correct Answer: B

Explanation

Set-ADUser is used to make changes to the data associated with a resource, such as a user or a file property. Therefore, in the given scenario, being the administrator you need to use Set-ADuser PowerShell cmdlet to reconfigure the properties of some users in the Sales organization unit of the fabrikam.com domain.

Option A is incorrect. New-ADuser cmdlet is used to create a new user in AD DS.
Option B is correct. Set-ADuser is the right cmdlet to be used to reconfigure the properties of some users in the Sales organization unit of the fabrikam.com domain.
Option C is incorrect. Although the administrator may go with this cmdlet to get user details, it doesn’t commit changes.
Option D is incorrect. Change-ADuser is not a valid cmdlet to use.

Reference: To know more about Set-ADUser cmdlet, please visit the below-given link: https://docs.microsoft.com/en-us/powershell/module/activedirectory/set-aduser

 

Domain: Manage Virtual Machines and Containers

Question 8 : You decide to create a Virtual Machine using New-AzVM cmdlet. Which of the following parameters would you use to specify the name of the availability set where it should be created?

A. -AvailabilitySetName
B. -AvailabilitySetVMName
C. -AvailableVirtualMachine
D. -AvailabilityVirtualSetName
E. -AvailabilityVirtualName

Correct Answer: A

Explanation

Virtual machines must be created within the availability set to ensure they are correctly distributed across the hardware. An existing virtual machine can’t be added to an availability set after it has been created.

When you create a virtual machine with New-AzVM cmdlet, you should use the -AvailabilitySetName parameter for specifying the name of the availability set.

Option A is correct. -AvailabilitySetName is the right parameter to specify the name of the availability set.
Option B is incorrect. -AvailabilitySetVMName is not the right parameter to use.
Option C is incorrect. -AvailableVirtualMachine is not the valid parameter.
Option D is incorrect. -AvailabilityVirtualSetName isn’t a valid parameter.
Option E is incorrect.  -AvailableVirtualName is not the valid parameter.

Reference: To know more about creating and deploying virtual machines in an availability set, please visit the below-given link: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/tutorial-availability-sets

 

Domain : Manage Virtual Machines and Containers

Q9 : While creating a new container image on Windows Admin Center, which of the following options would you use to create a new container image using the IIS base image?

A. Use an existing Dockerfile
B. IIS web application/Visual Studio solution (ASP.NET)
C. IIS web application/Web Deploy (exported Zip file)
D. IIS web application/static web application folder

Correct Answer: D

Explanation

IIS web application/static web application folder option is used for creating a new container image utilizing the IIS base image. The content of the folder is copied to the container image to include it as a website. It adds no framework.

Option A is incorrect. It allows the users to rebuild a new container image depending upon an existing Dockerfile.
Option B is incorrect. It is used to create a new container image depending upon an existing Visual Studio solution. 
Option C is incorrect. This option is used to create a container image from the artifacts exported from a running server.
Option D is correct. This option is used for creating a new container image utilizing the IIS base image.

Reference: To know more about creating new container images on Windows Admin Center, please visit the below-given link: https://docs.microsoft.com/en-us/virtualization/windowscontainers/wac-tooling/wac-images

 

Domain : Manage Virtual Machines and Containers

Q10 : You are an administrator and you need to create and manage AD DS Partitions. You have to use a command-line tool to perform the required tasks. Which of the following tools can help you?

A. Dcdiag.exe
B. Repadmin.exe
C. NtdsUtil.exe
D. Diskpart

Correct Answer: C

Explanation

AD DS partitions can be created and managed by using the NtdsUtil.exe command-line tool. This tool also allows the users to perform various other AD DS related management tasks, such as:

  • Cleaning up domain-controller metadata after its unrecoverable failure.
  • NTDS database maintenance, which includes creating snapshots, relocating, files, database and offline defragmentation.
  • Resetting the password utilized to sign in to the DSRM (Directory Services Restore Mode).

Option A is incorrect. Dcdiag.exe is the tool used to monitor and troubleshoot replication.
Option B is incorrect. Repadmin.exe also helps in monitoring and troubleshooting replication.
Option C is correct. AD DS partitions can be created and managed by using the NtdsUtil.exe command-line tool.
Option D is incorrect. Diskpart helps in managing the disk partitions, not AD DS application partitions.

Reference: To know more about naming contexts and Application partitions, please visit the below-given link: https://www.oreilly.com/library/view/active-directory-5th/9781449361211/ch04.html

 

Domain : Implement and Manage an On-premises and Hybrid Networking Infrastructure

Q11 : While creating a zone on a DNS server, it is essential to identify whether it is a primary zone or a secondary zone. Which of the following statements is false about a primary or a secondary zone?

A. It is possible to create, delete or edit resource records in a primary zone. 
B. A secondary zone allows creating resource records but you can’t delete records in the secondary zone.
C. A secondary zone is a read-only copy of a primary zone.
D. You can’t manage resource records in a secondary zone.

Correct Answer: B

Explanation

While creating a zone on a DNS server, you need to identify whether it is a primary zone or a secondary zone. If you want to create, delete or edit the resource records, you need to use the primary zone. As a secondary zone is a read-only copy of a primary zone, resource records can’t be managed in a secondary zone.

Option A is incorrect. It is true that you can create, delete or edit resource records in a primary zone.
Option B is correct. As a secondary zone is a read-only copy of a primary zone, you can’t even create the resource records there.
Option C is incorrect. It is true that a secondary zone is a read-only copy of a primary zone.
Option D is incorrect. As a secondary zone is a read-only copy of a primary zone, you can’t manage resource records in a secondary zone.

Reference: To know more about primary and secondary DNS, please visit the below-given link: https://www.cloudflare.com/en-ca/learning/dns/glossary/primary-secondary-dns/

 

Domain : Implement and Manage an On-premises and Hybrid Networking Infrastructure

Q12 : You need to create CNAME alias resource records for a specific app running on a server. Which of the following cmdlet can you use to create the required resource records in Windows PowerShell?

A. Add-DnsServerResourceRecordA
B. Add-DnsServerResourceRecordAAAA
C. Add-DnsServerResourceRecordCNAME
D. Add-DnsServerResourceRecordPtr
E. Add-DnsServerResourceRecordMX

Correct Answer: C

Explanation

Resource records can be created by using DNS manager, Windows PowerShell, or Windows Admin Center. Here are some Windows PowerShell cmdlets that can be used to create DNS resource records.

Option A is incorrect. Add-DnsServerResourceRecordA cmdlet is used to create a host(A) resource record.
Option B is incorrect. Add-DnsServerResourceRecordAAAA cmdlet is used to create a host (AAAA) resource record.
Option C is correct. Add-DnsServerResourceRecordCNAME cmdlet is used to create a CNAME alias resource record.
Option D is incorrect. Add-DnsServerResourceRecordPtr cmdlet is used to create a PTR resource record.
Option E is incorrect. Add-DnsServerResourceRecordMX cmdlet is used to create an MX resource record.

Reference: To know more about installing and configuring the DNS role, please visit the below-given link: https://docs.microsoft.com/en-us/learn/modules/implement-windows-server-dns/4-install-configure-dns-role

 

Domain : Implement and Manage an On-premises and Hybrid Networking Infrastructure

Question 13 : Your network consists of an AD domain named fabrikam.com. This domain has a server known as Server2 running Windows Server 2016.
Server2 has IPAM (IP Address Management) installed. IPAM has been configured to utilize the Group Policy-based provisioning approach. The prefix of IPAM GPOs is IP.
You rename the IPAM GPOs manually from Group Policy Management to have IPAM’s prefix.
Now, you are required to edit the GPO prefix utilized by IPAM. What would you do?

A. In the Server Manager, click on the Configure server discovery 
B. In the Server Manager, Click on Provision the IPAM server.
C. Run the PowerShell cmdlet Set-IpamConfiguration 
D. Run the PowerShell cmdlet Invoke-IpamGpoProvisioning 

Correct Answer: C

Explanation

The Set-IpamConfiguration is the command that can be used to modify the configuration for the system running IPAM (IP Address Management) server.

The -GpoPrefix<String> parameter mentions the unique GPO prefix name that is used by IPAM for creating the group policy objects. This parameter is used only when the ProvisioningMethod parameter is assigned the value as Automatic.

Option A is incorrect. The given option won’t help in editing the GPO prefix used by IPAM.
Option B is incorrect. The question clearly states that you manually rename, not create the new settings. Therefore, the given option is the incorrect answer.
Option C is correct. Set-IpamConfiguration cmdlet would help in editing the GPO prefix used by IPAM.
Option D is incorrect. This cmdlet is used to create GPO, not to rename GPO.

Reference: To know more about the Set-IpamConfiguration cmdlet, please visit the below-given link: https://docs.microsoft.com/en-us/powershell/module/ipamserver/set-ipamconfiguration?view=windowsserver2022-ps

 

Domain : Implement and Manage an On-premises and Hybrid Networking Infrastructure

Q14 : As an administrator, you’re responsible for managing the security in hybrid as well as on-premises scenarios. While securing IPAM, which of the following would help you with defining the administrative domains of IPAM?

A. IPAM Roles
B. IPAM Access Scopes
C. IPAM Access Policies
D. None of the above

Correct Answer: B

Explanation

An access scope is responsible to decide which objects a user has access. Access scopes can be used for defining the IPAM administrative domains.

Option A is incorrect.role is a collection of IPAM operations. A role can be associated with a group or user in Windows by utilizing an access policy.
Option B is correct. An access scope is responsible for determining the objects that can be accessed by a user. Access scopes can be used for defining IPAM administrative domains. 
Option C is incorrect. An IPAM access policy joins a role with the help of access scope for assigning the permissions to a group or user.
Option D is incorrect. IPAM access scope is the correct answer.

Reference: To know more about how to Administer IP Address Management, please visit the below-given link: https://docs.microsoft.com/en-us/learn/modules/implement-ip-address-management/4-administer-ip-address-management

 

Domain : Implement and Manage an On-premises and Hybrid Networking Infrastructure

Q15 : Whizlabs Solutions has hired you as an expert consultant for its Azure projects. You are chairing a team session and you are supposed to educate the team about Azure Bastion. Which of the following statement(s) would you use while describing the Azure Bastion?

A. Azure Bastion routes the Network traffic from the VPN gateway to the cloud application.
B. Azure Bastion allows users to log into virtual machines in the Azure VNet without exposing the Virtual Machines directly to the internet.
C. Azure Bastion uses SSH(Secure Shell) or RDP(Remote Desktop Protocol) protocols.
D. If you lose VPN connectivity, you can’t use Azure Bastion to manage your virtual machines in the Azure virtual network.
E. Azure Bastion supports the management of on-premises servers.

Correct Answers: B and C

Explanation

Azure Bastion allows the users to log into virtual machines in the Azure VNet without exposing the virtual machines directly to the internet. It utilizes Remote Desktop Protocol (RDP) or Secure Shell (SSH). Even If you lose VPN connectivity, you can still utilize Azure for managing your virtual machines in the Azure VNet. However, Azure Bastion doesn’t support the management of on-premises servers.

Option A is incorrect. It is the internal load balancer that routes the Network traffic from the VPN gateway to the cloud application.
Option B is correct. It is true that Azure Bastion allows the users to log into virtual machines in the Azure VNet without exposing the Virtual Machines directly to the internet.
Option C is correct. Azure Bastion uses SSH(Secure Shell) or RDP(Remote Desktop Protocol) protocols.
Option D is incorrect. If you lose VPN connectivity, you can still utilize Azure for managing your virtual machines in the Azure VNet.
Option E is incorrect. Azure Bastion doesn’t support the management of on-premises servers.

Reference: To know more about connecting standalone servers by using Azure Network Adapter, please visit the below-given link: https://docs.microsoft.com/en-us/azure/architecture/hybrid/azure-network-adapter

 

Domain : Deploy and Manage Active Directory Domain Services (AD DS) in On-premises and Cloud Environments

Q16 : You have been hired as the networking administrator in Whizlabs company. There is one user account that is required to be moved very often between the Sales & Marketing groups.  But you notice that the changes aren’t working. Which of the following Flexible Single Master Operation (FSMO) roles might be responsible?

A. Infrastructure Master Role
B. Domain Naming Master Role
C. Schema Master Role
D. RID Role

Correct Answer: A

Explanation

The Infrastructure Master role should be held by a Domain Controller that isn’t a Global Catalog server (GC). If the IM role runs on a GC server it will halt updating object information because it doesn’t have any references to objects that it doesn’t hold. 

Additionally, the Infrastructure master doesn’t make changes often.

Option A is correct. As Infrastructure Master Role doesn’t make changes often, it might be responsible for the said issue in the scenario.
Option B is incorrect. Domain Naming Master Role can’t be responsible for the said issue.
Option C is incorrect. Infrastructure Master role, not Schema Master Role might be the possible reason.
Option D is incorrect. RID role is not the right answer.

References: To know more about various FSMO Roles, please visit the below-given links: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/fsmo-roleshttps://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

 

Domain : Deploy and Manage Active Directory Domain Services (AD DS) in On-premises and Cloud Environments

Q17 : You are chairing a team session where you are discussing with your team members important points to be considered while deploying AD domain controllers in Azure. In between, will you suggest your team members to shut down an AD domain controller VM through the Azure portal?

A. Yes
B. No

Correct Answer: B

Explanation

It is always advised not to use Azure portal to turn off the AD domain controller virtual machine. However, you can use the guest operating system to turn off and start again. If you use the Azure portal to turn off the AD domain controller virtual machine, it will delicate the Azure VM, which will reset both VM invocationID and GenerationID of the Active Directory repository. 

It further results in discarding the Azure Directory Domain Services RID (Relative Identifier) pool. It also non-authorize the sysvol folder. You may even need to reconfigure the whole domain controller.

Reference: To know more about deploying AD DS in an Azure virtual network, please visit the below-given link: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain

 

Domain : Deploy and Manage Active Directory Domain Services (AD DS) in On-premises and Cloud Environments

Q18 : Which of the following cmdlet would you use in PowerShell to domain-join a VM without connecting to it and manually configuring the connection?

A. Set-AzVmAdDomainConfig
B. Set-AzVmAdDomainExtension 
C. Set-AzVmConnectDomainExtension
D. Set-AzVmAdDomainManualConfig

Correct Answer: B

Explanation

To domain-join a VM without connecting to it and manually configuring the connection, you can utilize the Set-AzVmAdDomainExtension Azure PowerShell cmdlet.

Option A is incorrect. Set-AzVmAdDomainConfig is not a valid cmdlet for the said purpose.
Option B is correct. Set-AzVmAdDomainExtension is used to domain-join a VM without connecting to it and manually configuring the connection.
Option C is incorrect. Set-AzVmConnectDomainExtension is not the right cmdlet.
Option D is incorrect. Set-AzVmAdDomainManualConfig can’t be used to domain-join a VM without connecting to it and manually configuring the connection.

Reference: To know more about joining a Windows Server VM to an Azure AD Domain Services managed domain, please visit the below-given link: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm

 

Domain : Deploy and Manage Active Directory Domain Services (AD DS) in On-premises and Cloud Environments

Q19 : Your company network is made up of 2 on-premises AD forests named powlene.com and marico.com. Forest powlene.com has 1 domain and 5 domain controllers (DCs) while marico.com consists of the domains as demonstrated in the table below.

Name

Number of Domain Controllers

Marico.com

2

East.marico.com

3

West.marico.com

3

You have been tasked to synchronize users from powlene.com and marico.com to a common Azure Active Directory tenant through Azure Active Directory Connect.
How many Azure Active Directory Connect sync servers would you need (at least) to perform the task?

A. 8
B. 4
C. 3
D. 2
E. 1

Correct Answer: E

Explanation

You can have only 1 active Azure Active Directory Connect server synchronizing accounts to a common Azure Active Directory tenant. You can have backup Azure Active Directory Connect servers, but they must be running in staging mode. 

When there are multiple forests, it must be possible to reach all the forests by a common Azure AD Connect sync server. This server needs to be linked to a specific domain. If required, the server can be placed in a secure network, so it will allow reaching all the forests.

Option A is incorrect. At a minimum, there is a need for only 1 Azure Active Directory Connect sync server.
Option B is incorrect. 1 Azure Active Directory Connect sync server would be enough to perform the task.
Option C is incorrect. At a minimum, there is a need for only 1 Azure Active Directory Connect sync server.
Option D is incorrect. You can have only 1 active Azure Active Directory Connect server synchronizing accounts to a common Azure Active Directory tenant. Also, you can have backup Azure AD Connect servers, but they must be running in staging mode. 
Option E is correct. 1 Azure Active Directory Connect sync server would be enough to perform the task.

Reference: To know more about various topologies for Azure Active Directory Connect, please visit the below-given link: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies#multiple-forests-single-azure-ad-tenant

 

Domain : Deploy and Manage Active Directory Domain Services (AD DS) in On-premises and Cloud Environments

Q20 : Which of the following tools helps the users in identifying and remediating the object synchronization errors or issues like malformed or duplicate proxyAddresses and userPrincipalName in the Active directory?

A. ADModify.NET tool
B. Repadmin.exe tool
C. Dsdiag.exe tool
D. Microsoft 365 IdFix tool 

Correct Answer: D

Explanation

The Microsoft 365 IdFix tool allows the users to identify and remediate the common object synchronization errors including general like malformed or duplicate proxyAddresses and userPrincipalName in Active Directory.  You can choose the Organizational units that you expect IdFix to check, and the common errors can be fixed within the tool itself.

Option A is incorrect. For errors like format issues, changes can be made to particular attributes object-by-object by utilizing either ADSIEdit or Advanced Mode in AD computers and users. 
Option B is incorrect. Repadmin.exe tool is used for analyzing and reporting the replication.
Option C is incorrect. Dsdiag.exe tool is another tool that helps in analyzing and reporting the replication.
Option D is correct. The Microsoft 365 IdFix tool allows the users to identify and remediate the common object synchronization errors including general like malformed or duplicate proxyAddresses and userPrincipalName in Active Directory.  

Reference: To know more about Active Directory health-check tools, please visit the below-given link: https://docs.microsoft.com/en-us/learn/modules/implement-hybrid-identity-windows-server/04-prepare-premises-active-directory-synchronization

 

Domain : Deploy and Manage Active Directory Domain Services (AD DS) in On-premises and Cloud Environments

Q21 : The IT department in Contoso is deploying a new version of MS Office in their on-premises environment. The administrator desires to configure the settings with GPOs for Office. What should they do?

A. Download and install new .adml files and then configure the desired settings in the Administrative Templates node in the appropriate GPO.
B. Download and install new .admx files and then configure the desired settings in the Administrative Templates node in the appropriate GPO.
C. Download and install new administrative template files and then configure the desired settings in the Administrative Templates node in the appropriate GPO.
D. Copy the content of the Windows\PolicyDefinitions folder to the Central Store.

Correct Answer: C

Explanation

Administrative templates can be used to control the environment of an operating system(OS) and the user experience. Two available sets of administrative templates are computer-related settings and user-related settings. Administrative template files offer most of the available GPO settings, which change particular registry keys. 

Option A is incorrect. .adml files store only language-specific information and don’t directly deal with GPO settings.
Option B is incorrect. The .admx files are language-neutral and don’t directly deal with GPO settings.
Option C is correct. Downloading and installing new administrative template files and then configuring the desired settings in the Administrative Templates node in the appropriate GPO is the right solution. You must update the .admx and .adml files together.
Option D is incorrect. Although a Central Store makes managing Administrative Templates easier, administrators still need updated template files.

References: To know more about administrative templates, please visit the below-given links: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789186(v=ws.11), https://docs.microsoft.com/en-us/learn/modules/implement-group-policy-objects/7-define-administrative-templates?

 

Domain : Manage Windows Servers and Workloads in a Hybrid Environment

Q22 : You need to add some virtual machines in the VNet and in consideration of that, you want to ensure that WinRM is running on the target VM. Which of the following commands would you run on the target VM to ensure that?

A. winrm noconfig
B. winrm VMconfig
C. winrm targetVM
D. winrm quickconfig

Correct Answer: D

Explanation

In order to add other virtual machines in the VNet, you should ensure WinRM is running on the target VMs by running the below cmdlet in PowerShell or the command prompt upon the target VM

winrm quickconfig

Option A is incorrect. winrm noconfig is not the right command to be run.
Option B is incorrect. Running winrm VMconfig won’t help in ensuring that WinRM is running on the target VM.
Option C is incorrect. winrm targetVM is not the valid command.
Option D is correct. winrm quickconfig is the right command that is used to ensure that WinRM is running on the target VMs.

Reference: To know more about manually deploying Windows Admin Center in Azure for managing multiple servers, please visit the below-given link: https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/azure/deploy-wac-in-azure?WT.mc_id=ravikirans

 

Domain : Manage Windows Servers and Workloads in a Hybrid Environment

Q23 : In a demonstration video, at time point 4:15, the administrator selects an account to sign in with. What are the minimum permissions that are needed by this account?

A. The account must be a member of the Azure Connected Machine Resource Administrator role.
B. The account must be a member of the Global Administrator role.
C. The account must be a member of the Azure Connected Machine Onboarding role.
D. None of these

Correct Answer: C

Explanation

At time point 4:15, The script first downloads the agent, then installs it, and then onboards the device into Azure Arc. To onboard the device or machine, the account must be a part of the Azure Connected Machine Onboarding role.

Option A is incorrect. The account only requires being a part of the Azure Connected Machine Onboarding role.
Option B is incorrect. The account doesn’t require being a part of the Global Administrator role.
Option C is correct. For the given scenario, the account must be a part of the Azure Connected Machine Onboarding role.
Option D is incorrect. The account only should be a part of the Azure Connected Machine Onboarding role.

Reference: To know more about onboarding Windows Server Instances, please visit the below-given link: https://docs.microsoft.com/en-us/learn/modules/manage-hybrid-workloads-azure-arc/3-onboard-windows-server-instances

 

Domain : Manage Windows Servers and Workloads in a Hybrid Environment

Q24 : Which of the following PowerShell cmdlet can you use to create JEA endpoints on a single computer? 

A. Register-PSSessionConfiguration
B. Set-PSSessionConfiguration
C. Get-PSSessionConfiguration
D. Create-PSSessionJEApoints

Correct Answer: A

Explanation

On a single machine, JEA endpoints can be created by using the Register-PSSessionConfiguration PowerShell cmdlet. When you want to use this cmdlet, you need to specify an endpoint name and a session configuration file placed on the local machine.

Option A is correct. Register-PSSessionConfiguration command is used to create JEA endpoints on a single machine.
Option B is incorrect. Set-PSSessionConfiguration cmdlet is used to modify the properties of a registered session configuration.
Option C is incorrect. Get-PSSessionConfiguration cmdlet is used to view existing JEA endpoints.
Option D is incorrect. Create-PSSessionJEApoints is not a valid PowerShell cmdlet.

Reference: To know more about JEA configurations, please visit the below-given link: https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/jea/register-jea?view=powershell-7.2

 

Domain : Manage Virtual Machines and Containers

Q25 : Which of the following schedulers provide a fair share and preemptive round-robin scheduling approach for guest virtual processors in Windows Server 2016 Hyper-V?

A. Classic Scheduler
B. Core Scheduler
C. Root Scheduler
D. None of these

Correct Answer: A

Explanation

The classic scheduler is the default for all versions of the Windows Hyper-V hypervisor since its commencement that also includes Windows Server 2016 Hyper-V. This scheduler provides a fair share and preemptive round-robin scheduling approach for guest virtual processors.

Option A is correct. The classic scheduler provides a fair share and preemptive round-robin scheduling approach for guest virtual processors.
Option B is incorrect. The core scheduler provides a strong security boundary for guest workload isolation and decreased performance variability for workloads inside virtual machines running upon an SMT-enabled virtualization host. 
Option C is incorrect. The root scheduler meets the unique requirements inherent in supporting a utility partition to offer strong workload isolation, as utilized with WDAG(Windows Defender Application Guard).
Option D is incorrect. A classic scheduler is the right type of scheduler.

Reference: To know more about Managing Hyper-V hypervisor scheduler types, please visit the below-given link: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/manage/manage-hyper-v-scheduler-types

Summary

These AZ-800 exam questions must have helped you to get a quick assessment of the exam. For more such questions and content on the AZ-800: Administering Windows Server Hybrid Core Infrastructure, go through our detailed AZ-800 practice tests that not only contain elaborate explanations for all the concepts covered, but will also help you pass the certification in the first attempt.

 

About Dharmendra Digari

Dharmalingam carries years of experience as a product manager. He pursued his MBA, which honed his skills of seeing products differently than others perceive. He specialises in products from the information technology and services domain, with a proven history of expertise. His skills include AWS, Google Cloud Platform, Customer Relationship Management, IT Business Analysis and Customer Service Operations. He has specifically helped many companies in the e-commerce domain establish themselves with refined and well-developed products, carving a niche for themselves.

Leave a Comment

Your email address will not be published. Required fields are marked *


Scroll to Top