Prepare for Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-802) with 24 public samples, a free 50-question diagnostic, a 660-question IT Mastery bank, timed mocks, topic drills, detailed explanations, and predecessor guidance for AZ-800/AZ-801.
AZ-802 is the Microsoft Windows Server Hybrid Administrator Associate route for administrators managing Windows Server workloads across on-premises, Azure, and hybrid environments.
Start with the free 50-question AZ-802 diagnostic or the 24 public sample questions. See how the scenarios test AD DS, Azure Arc, virtual machines, containers, networking, storage, security, high availability, disaster recovery, migration, monitoring, and troubleshooting before you subscribe; IT Mastery then gives you a stable, objective-mapped AZ-802 bank with 660 questions, timed mocks, topic drills, progress tracking, and detailed explanations across web and mobile.
Initial release note: This is an initial release. We expand high-demand banks first based on learner usage, feedback, and subscriber demand. Subscribers receive access to future additions automatically.
Free diagnostic: Try the AZ-802 full-length practice exam before subscribing. Use it as one Windows Server hybrid-administrator baseline, then return to IT Mastery for timed mocks, topic drills, explanations, and the full AZ-802 question bank.
| Domain | Weight |
|---|---|
| Deploy and Manage AD DS in Hybrid Environments | 16.5% |
| Manage Windows Servers and Hybrid Workloads | 6.5% |
| Manage Virtual Machines and Containers | 9% |
| Implement and Manage Hybrid Networking | 9% |
| Manage Storage and File Services | 9% |
| Secure Windows Server Hybrid Infrastructure | 14% |
| Implement Windows Server High Availability | 9% |
| Implement Disaster Recovery | 6.5% |
| Migrate Servers and Workloads | 11.5% |
| Monitor and Troubleshoot Windows Server | 9% |

| Older exam code | How to use it now |
|---|---|
| AZ-800 | Use for earlier hybrid core infrastructure terminology, then map the overlap to AZ-802 before studying. |
| AZ-801 | Use for earlier hybrid advanced services terminology, then map the overlap to AZ-802 before studying. |
AZ-800 and AZ-801 remain useful if an employer, training provider, or old study plan still names those codes. For new preparation, start from AZ-802 and use the older pages only as predecessor context.
Use these child pages when you want focused IT Mastery practice before returning to mixed sets and timed mocks.
Need concept review first? Read the Microsoft AZ-802 Cheat Sheet for compact concept review before returning to timed practice.
| If you need to compare… | Start here |
|---|---|
| broader Azure administration | AZ-104 Azure Administrator |
| Azure networking | AZ-700 Azure Networking |
| Microsoft cloud and AI security | SC-500 Cloud and AI Security |
| Windows Server predecessor exams | Microsoft Windows Server hub |
These are original IT Mastery practice questions aligned to Microsoft Windows Server Hybrid Administrator Associate (AZ-802). They are selected from the live IT Mastery practice bank for self-assessment and are not official exam questions.
Topic: Migrate Servers and Workloads
A company has a single on-premises AD DS forest with two domains. All domain controllers run Windows Server 2016 or Windows Server 2019. The company must move AD DS to Windows Server 2025, keep the existing forest and domain names, preserve domain SIDs, and avoid rejoining member servers. Which migration approach should you use?
Best answer: A
Explanation: When the business must keep the same AD DS forest and domains, the correct approach is an in-place forest modernization by introducing new Windows Server 2025 domain controllers into the existing domains. After replication is healthy, move FSMO roles, ensure DNS and global catalog placement are correct, and demote the older domain controllers. This preserves domain SIDs, user and computer accounts, Group Policy links, service principal names, and member server domain joins.
A forest restructure or inter-forest migration is used when changing forest boundaries, domain design, or security isolation requirements. It is not needed when the existing namespace and trust boundary must remain intact.
Topic: Implement Disaster Recovery
An on-premises Windows Server 2022 file server backed up D:\Shared to an Azure Recovery Services vault by using the Microsoft Azure Recovery Services (MARS) agent. The server failed, and you installed the MARS agent on a replacement server. In the recovery wizard, you select Another server and can see a recovery point from yesterday, which is within the retention policy. When you try to browse files, the restore fails with: Provide the encryption passphrase used during registration. What is the most likely root cause?
Best answer: C
Explanation: For MARS agent file and folder backups, Azure Backup encrypts data before it is sent to the Recovery Services vault. The encryption passphrase is created during server registration and is not recoverable by Microsoft. When restoring to the original server, the local configuration may already have the needed passphrase material. When restoring to an alternate or replacement server, you must provide the same passphrase to decrypt and browse the recovery point. The visible recovery point proves that the backup item and retention are not the problem. The diagnostic clue is the explicit decryption prompt during restore.
Topic: Deploy and Manage AD DS in Hybrid Environments
A forest contains one AD DS domain with three domain controllers. The DC that holds several FSMO roles failed and cannot be recovered. Authentication and replication between the remaining domain controllers are healthy, but administrators can no longer create new users or groups after the remaining DCs exhausted their local pools. The error states that AD DS cannot allocate a relative identifier.
Which FSMO role should be seized to restore this administrative capability?
Best answer: A
Explanation: The symptom points to the domain-level RID Master FSMO role. Each security principal, such as a user, group, or computer account, needs a unique security identifier (SID). Domain controllers use local RID pools to generate the RID portion of those SIDs. When their pools are exhausted, they must contact the RID Master for another pool. If the RID Master is permanently unavailable, creating new security principals can fail even while authentication and replication remain healthy among other DCs. In that failure mode, seize the RID Master role to a healthy writable domain controller. The PDC Emulator affects time, password-change priority, and several compatibility behaviors, not RID pool issuance.
Topic: Manage Storage and File Services
You manage a Storage Sync Service that contains several Azure File Sync sync groups. You need a monitoring configuration that can alert on failed sync sessions and offline or unhealthy registered servers, and help operators filter issues by sync group, cloud endpoint, server endpoint, and agent without custom polling scripts. What should you configure?
Best answer: C
Explanation: Azure File Sync exposes service health through the Storage Sync Service in Azure Monitor. Metric-based monitoring can detect failed sync sessions and server connectivity or agent-related health issues, and dimensions let administrators isolate the affected sync group, cloud endpoint, server endpoint, or registered server. This meets the need for centralized alerting without writing custom polling scripts. Storage account logging is useful for Azure Files access operations, but it does not monitor the Azure File Sync synchronization pipeline or registered server health.
Topic: Manage Windows Servers and Hybrid Workloads
A hybrid operations team manages Windows Server machines with Azure Arc and Azure Policy machine configuration. Several servers remain in Not started compliance state after a baseline assignment.
Evidence:
Azure Arc: Connected
Extension: GuestConfiguration - Provisioning failed
Extension message: Cannot download package over HTTPS
Agent log: proxy authentication required for outbound request
Policy assignment: scope and identity are valid
Which design best fits the issue while preserving centralized governance?
Best answer: D
Explanation: Azure Arc machine configuration depends on the Azure Connected Machine agent and the Guest Configuration extension being able to reach required Azure endpoints over outbound HTTPS. In this scenario, Arc connectivity is present and the policy assignment identity and scope are valid, but the extension cannot download its package because the proxy requires authentication. The best fit is to correct proxy or firewall egress for the Arc agent and extension, then trigger remediation or allow the assignment to evaluate again.
Reinstalling the agent or changing policy scope does not address the failed outbound package download. Keeping Azure Policy machine configuration preserves centralized governance instead of replacing it with an unrelated automation pattern.
Topic: Monitor and Troubleshoot Windows Server
A hybrid administrator manages an on-premises Windows Server 2022 file server that is onboarded to Azure Arc. After an Azure Update Manager maintenance window and reboot, a line-of-business Windows service fails to start. The team needs remote evidence of whether the failure is related to the update, boot process, service startup, or application crash, while granting only read access to logs. Which design is the best fit?
Best answer: B
Explanation: Windows event logs are the primary evidence source for local Windows Server failures. For this scenario, the System log can show Service Control Manager and boot-related events, the Setup log can show update installation activity, and the Application log can show application or service crash details. Adding the support account to the local Event Log Readers group supports least privilege because it allows log review without granting full local administrator rights.
Azure Monitor can centralize or alert on collected events, but platform metrics alone usually do not provide the specific Windows event evidence needed to diagnose a service failure after a reboot.
Topic: Implement Windows Server High Availability
An organization is moving a pair of Windows Server 2022 application servers to an isolated Azure virtual network connected to on-premises by VPN. Security policy prohibits joining these servers to AD DS or Microsoft Entra Domain Services. The application can run as a clustered generic service, uses its own authentication, and clients can use DNS for the cluster access name. Administrators must create the cluster without AD computer objects. Which design is the best fit?
Best answer: A
Explanation: A workgroup failover cluster is intended for cases where cluster nodes cannot be joined to an AD DS domain. Because there will be no cluster name object or virtual computer objects in AD DS, the design must rely on local administrative credentials that match across nodes and working DNS name resolution for the cluster access name. This also fits the application constraint because the clustered workload does not require Kerberos or AD-integrated identity. A domain-based cluster would be preferable when Kerberos, AD-managed identities, and computer objects are required, but those are explicitly prohibited here.
Topic: Manage Virtual Machines and Containers
You manage an on-premises Hyper-V fabric that hosts a domain controller VM. Security requires that VM disks and saved state be protected from fabric administrators, that console/PowerShell Direct guest access by host admins be blocked, and that the VM run only on approved healthy hosts. Which configuration should you implement?
Best answer: D
Explanation: Shielded VMs are the Hyper-V security control designed to protect sensitive virtual machines from compromised or untrusted fabric administrators. In a guarded fabric, Host Guardian Service (HGS) provides attestation and key protection so a shielded VM can start only on guarded, healthy hosts. Shielding also protects the VM’s virtual disks, saved state, live migration traffic, and prevents host-level access paths such as VMConnect console access and PowerShell Direct into the guest. This matches the requirement to protect VM state and administrator access boundaries. Controls such as guest BitLocker or JEA can improve security, but they do not create the guarded-host trust and shielded-VM protection model.
Topic: Implement and Manage Hybrid Networking
A company is replacing VPN access to an on-premises inventory web app with Microsoft Entra Private Access. Test users are assigned to the private access application, and the private network connector group is healthy, but external users report that https://inventory.corp.contoso.com times out.
Diagnostic summary:
| Check | Result |
|---|---|
| Connector group | Healthy |
| App segment | inventory.corp.contoso.com:443 |
| User assignment | TestUsers assigned |
| Global Secure Access client | Connected |
| Client forwarding profile | Microsoft traffic: On; Private access: Off |
What is the most likely root cause?
Best answer: B
Explanation: Microsoft Entra Private Access depends on the Global Secure Access client forwarding matching private application traffic to the service. In this case, the connector group is healthy, the app segment is configured, and the users are assigned, so those core publishing elements are present. The decisive clue is the client status: Microsoft traffic is enabled, but Private access is off. That means the client is not intercepting and forwarding traffic for inventory.corp.contoso.com:443, so the request behaves like normal internet traffic and times out. The next fix or validation should focus on enabling the Private Access forwarding profile for the affected users or devices.
Topic: Secure Windows Server Hybrid Infrastructure
Microsoft Defender for Identity reports that a domain service account used by an IIS application is a member of Account Operators and is configured for unconstrained Kerberos delegation. The application only needs to access one SQL Server service by using Kerberos. You must preserve the application flow while applying least privilege. Which configuration should you implement?
Protected Users and leave delegation unchanged.
Account Operators and configure constrained delegation to the SQL SPN only.
Best answer: B
Explanation: The core remediation is to reduce both privilege and delegation scope. A service account that only needs to access one backend service should not belong to an administrative group such as Account Operators, and it should not be trusted for delegation to any service. Kerberos constrained delegation lets you specify only the required service principal name, such as the SQL Server SPN, so the IIS application can still perform the required delegated access without creating a broad credential-theft path.
Blocking NTLM or changing account type might be useful in other identity-hardening scenarios, but they do not directly fix unconstrained Kerberos delegation plus unsafe administrative membership.
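The remediation described above, as an added PowerShell example (not part of the original question bank): it flags accounts that combine unconstrained delegation with privileged group membership, then applies the least-privilege fix. The account names, the SPN `MSSQLSvc/sql01.contoso.com:1433`, the function names and the sample records are constructed assumptions; the remediation function needs the ActiveDirectory module when run without `-WhatIf`.

```powershell
# Added example. Account names, SPN and sample records are constructed.
$TRUSTED_FOR_DELEGATION         = 0x80000    # userAccountControl bit: unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl bit: protocol transition

function Get-DelegationFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject] $Account,
        [string[]] $PrivilegedGroups = @('Account Operators', 'Administrators',
                                         'Domain Admins', 'Enterprise Admins')
    )
    process {
        $uac     = [int] $Account.userAccountControl
        $targets = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        # MemberOf holds group DNs; keep only the leading CN value.
        $groups  = @($Account.MemberOf |
                     ForEach-Object { ($_ -split '(?<!\\),')[0] -replace '^CN=' })
        $privileged = @($groups | Where-Object { $PrivilegedGroups -contains $_ })

        $mode = if ($uac -band $TRUSTED_FOR_DELEGATION) { 'Unconstrained' }
                elseif ($targets.Count -gt 0) { 'Constrained' }
                else { 'None' }
        $risk = if ($mode -eq 'Unconstrained' -and $privileged.Count -gt 0) { 'High' }
                elseif ($mode -eq 'Unconstrained' -or $privileged.Count -gt 0) { 'Medium' }
                else { 'OK' }

        [pscustomobject]@{
            SamAccountName     = $Account.SamAccountName
            Delegation         = $mode
            ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            DelegatesTo        = $targets -join '; '
            PrivilegedGroups   = $privileged -join '; '
            Risk               = $risk
        }
    }
}

function Set-LeastPrivilegeDelegation {
    # For a user-object service account; a gMSA would use Set-ADServiceAccount instead.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $AllowedSpn,
        [string[]] $RemoveFromGroup = @('Account Operators')
    )
    foreach ($group in $RemoveFromGroup) {
        if ($PSCmdlet.ShouldProcess($Identity, "Remove from group '$group'")) {
            Remove-ADGroupMember -Identity $group -Members $Identity -Confirm:$false
        }
    }
    $action = 'Clear unconstrained delegation; delegate (Kerberos only) to ' +
              ($AllowedSpn -join ', ')
    if ($PSCmdlet.ShouldProcess($Identity, $action)) {
        Set-ADAccountControl -Identity $Identity -TrustedForDelegation $false `
                             -TrustedToAuthForDelegation $false
        Set-ADUser -Identity $Identity -Replace @{ 'msDS-AllowedToDelegateTo' = $AllowedSpn }
    }
}

# Constructed records shaped like:
#   Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
#              -Properties userAccountControl, MemberOf, 'msDS-AllowedToDelegateTo'
$sample = @(
    [pscustomobject]@{
        SamAccountName             = 'svc-iis-inv'
        userAccountControl         = (0x200 -bor 0x80000)
        MemberOf                   = @('CN=Account Operators,CN=Builtin,DC=contoso,DC=com')
        'msDS-AllowedToDelegateTo' = @()
    }
    [pscustomobject]@{
        SamAccountName             = 'svc-report'
        userAccountControl         = 0x200
        MemberOf                   = @()
        'msDS-AllowedToDelegateTo' = @('MSSQLSvc/sql01.contoso.com:1433')
    }
)

$sample | Get-DelegationFinding | Format-Table -AutoSize

# Preview the change for the flagged account; drop -WhatIf to apply it.
Set-LeastPrivilegeDelegation -Identity 'svc-iis-inv' `
    -AllowedSpn 'MSSQLSvc/sql01.contoso.com:1433' -WhatIf
```

With the constructed data, `svc-iis-inv` is reported as Unconstrained with risk High, and `svc-report` as Constrained with risk OK.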
Topic: Migrate Servers and Workloads
A company has one healthy AD DS forest with a root domain and three regional child domains. The company plans to use one Microsoft Entra Connect Sync configuration and wants to reduce administrative overhead by consolidating all users, groups, and computers into the root domain. Existing forest trusts, the DNS namespace, and forest-wide application dependencies must remain in place. Which migration design is the best fit?
Best answer: C
Explanation: The key constraint is that the current forest is healthy and must remain the forest boundary for trusts, namespace, and application dependencies. The required change is not a forest replacement; it is a domain consolidation inside the existing forest. A forest restructure is the best fit because it supports moving or consolidating AD DS objects from multiple domains into a target domain, followed by decommissioning the source domains after validation.
An in-place forest upgrade is used when the topology is acceptable and the goal is to modernize domain controllers or functional levels. A new forest migration is more appropriate when the existing forest design or trust boundary must be replaced, such as after compromise or a major organizational separation.
Topic: Implement Disaster Recovery
Your organization uses Azure Site Recovery to protect Windows Server Azure VMs from East US to West US. The source VMs are in vnet-prod-east on web and app subnets. The DR region already has vnet-dr-west with matching subnets and peering to a hub VNet that hosts domain controllers and shared services. After failover, the VMs must keep their tier separation and reach the DR hub without manual NIC reconfiguration. Which ASR network configuration should you use?
vnet-prod-east and vnet-dr-west.
vnet-prod-east to vnet-dr-west and set each VM NIC to its matching DR subnet.
vnet-prod-east directly to the DR hub VNet.
Best answer: B
Explanation: Azure Site Recovery network mapping controls which target virtual network protected Azure VMs attach to after failover. In this scenario, the source production VNet should be mapped to the DR VNet that already contains the matching application subnets. Each protected VM’s network settings should target the appropriate DR subnet so the web and app tiers remain separated. The existing peering from the DR VNet to the hub then provides private connectivity to domain controllers and shared services. Mapping directly to the hub or relying only on peering does not place the failed-over NICs in the correct workload network.
Topic: Deploy and Manage AD DS in Hybrid Environments
A domain-linked GPO named Server Audit Baseline is not applying to SERVER07. The administrator confirms that the computer account has not been moved recently.
Evidence:
| Item | Value |
|---|---|
| Computer account | OU=ProdServers,OU=Servers,DC=contoso,DC=com |
| GPO link | Linked only at contoso.com |
| Link status | Enabled, not enforced |
| Security filtering | Authenticated Users: Read and Apply Group Policy |
| WMI filter | None |
| OU=Servers setting | Block inheritance: Enabled |
| AD replication | No failures reported |
What is the most likely root cause?
SERVER07
OU=Servers
Best answer: D
Explanation: Group Policy processing depends on the object’s location and the inheritance path from site, domain, and OU links. In this case, the GPO is linked only at the domain, and the computer object is under OU=Servers. Because OU=Servers has Block Inheritance enabled, normal domain-linked GPOs do not flow into that OU tree unless the GPO link is enforced. The evidence also rules out common alternatives: security filtering allows Authenticated Users, no WMI filter is present, and AD replication shows no failures. Link order only decides precedence among applicable GPOs at the same level; it does not bypass inheritance blocking.
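The inheritance rule in this explanation, as an added PowerShell example (not part of the original question bank): a small offline model that decides which GPO links reach a computer's OU given Block Inheritance and Enforced. The topology mirrors the exhibit; the function names are hypothetical, and site links, security filtering and WMI filters are deliberately left out of the model.

```powershell
# Added example: offline model of domain/OU GPO link inheritance.
function Get-ContainerChain {
    # 'OU=B,OU=A,DC=x,DC=y' -> domain root first, then each OU down to the target.
    param([Parameter(Mandatory)] [string] $ContainerDN)
    $parts = @($ContainerDN -split '(?<!\\),')          # split on unescaped commas
    $firstDc = 0
    while ($firstDc -lt $parts.Count -and $parts[$firstDc] -notmatch '^DC=') { $firstDc++ }
    if ($firstDc -ge $parts.Count) { throw "No DC= component in '$ContainerDN'" }

    $last  = $parts.Count - 1
    $chain = @($parts[$firstDc..$last] -join ',')
    for ($i = $firstDc - 1; $i -ge 0; $i--) {
        $chain += ($parts[$i..$last] -join ',')
    }
    return $chain
}

function Get-EffectiveGpoLink {
    param(
        [Parameter(Mandatory)] [string]    $ContainerDN,   # OU that holds the computer
        [Parameter(Mandatory)] [hashtable] $Topology       # DN -> BlockInheritance + Links
    )
    $chain = @(Get-ContainerChain -ContainerDN $ContainerDN)
    for ($level = 0; $level -lt $chain.Count; $level++) {
        $som = $Topology[$chain[$level]]
        if (-not $som) { continue }

        # Find the first container below this level that blocks inheritance.
        $blockedAt = $null
        for ($j = $level + 1; $j -lt $chain.Count; $j++) {
            $below = $Topology[$chain[$j]]
            if ($below -and $below.BlockInheritance) { $blockedAt = $chain[$j]; break }
        }

        foreach ($link in $som.Links) {
            $applies = $link.Enabled -and ($link.Enforced -or -not $blockedAt)
            $reason = if (-not $link.Enabled) { 'Link disabled' }
                      elseif ($blockedAt -and $link.Enforced) { "Enforced link overrides block at $blockedAt" }
                      elseif ($blockedAt) { "Blocked by inheritance block at $blockedAt" }
                      else { 'Inherited normally' }
            [pscustomobject]@{
                Gpo      = $link.Gpo
                LinkedAt = $chain[$level]
                Enforced = $link.Enforced
                Applies  = [bool]$applies
                Reason   = $reason
            }
        }
    }
}

function New-ExhibitTopology {
    # Constructed from the exhibit: one domain-level link, Block Inheritance on OU=Servers.
    param([bool] $EnforceDomainLink)
    @{
        'DC=contoso,DC=com' = [pscustomobject]@{
            BlockInheritance = $false
            Links = @([pscustomobject]@{ Gpo = 'Server Audit Baseline'; Enabled = $true
                                         Enforced = $EnforceDomainLink })
        }
        'OU=Servers,DC=contoso,DC=com' = [pscustomobject]@{
            BlockInheritance = $true
            Links = @()
        }
    }
}

$serverOu = 'OU=ProdServers,OU=Servers,DC=contoso,DC=com'

# As configured in the exhibit: the link is enabled but not enforced.
Get-EffectiveGpoLink -ContainerDN $serverOu -Topology (New-ExhibitTopology $false) |
    Format-List

# Same topology with the domain link enforced.
Get-EffectiveGpoLink -ContainerDN $serverOu -Topology (New-ExhibitTopology $true) |
    Format-List

# On a management host with the GroupPolicy module, the live equivalent of the
# block flag is the GpoInheritanceBlocked property returned by:
#   Get-GPInheritance -Target 'OU=Servers,DC=contoso,DC=com'
```

The first call reports `Applies : False` with the block at `OU=Servers,DC=contoso,DC=com` as the reason; the second reports `Applies : True` because the enforced link overrides the block.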
Topic: Manage Storage and File Services
A company has two datacenters connected by a low-latency 10-Gbps private link. A Windows Server file server stores line-of-business data on a dedicated NTFS volume. The company needs volume-level replication to a standby server at the second site with write-order consistency and the lowest possible data loss if the primary site fails. The standby copy does not need to be writable during normal operations. Which design is the best fit?
Best answer: D
Explanation: Storage Replica is the Windows Server feature designed for block-level replication of volumes between servers, clusters, or sites. In this scenario, the low-latency private link and requirement for the lowest possible data loss point to synchronous replication, where writes are committed to both the source and destination before completion. Storage Replica also preserves write order, which is important for application data consistency. The standby volume is not intended for normal read/write use, which matches Storage Replica behavior because the replicated destination is a protected copy until failover or reversal.
Topic: Manage Windows Servers and Hybrid Workloads
You manage domain-joined Windows Server hosts. From PAW1, administrators must connect to JUMP1 by using PowerShell remoting and, from that remote session, run WinRM commands on WEB1. The commands must run as each administrator’s own account. The administrators are not members of Protected Users, and delegation can be limited to JUMP1 for a short maintenance window. Which configuration should you use?
JUMP1 to WEB1.
JUMP1 with a gMSA.
JUMP1 and connect with -Authentication CredSSP.
Best answer: D
Explanation: PowerShell remoting normally uses the user’s credentials only for the first hop, so a session from PAW1 to JUMP1 cannot automatically reuse those credentials to create a WinRM session to WEB1. CredSSP is the fitting choice when the requirement is a true WinRM second hop that runs as the connecting administrator. It must be enabled on the client side for the delegated target and on the intermediate server as a CredSSP server, then used explicitly for the remoting connection. Because CredSSP exposes delegated credentials to the intermediate server, it should be limited to trusted servers and disabled when no longer needed.
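The enable, use and disable sequence from this explanation, as an added PowerShell example (not part of the original question bank), wrapped so that CredSSP is turned off again even if the maintenance command fails. The function name and the FQDN `JUMP1.contoso.com` are assumptions; run it from an elevated session on PAW1.

```powershell
# Added example: time-boxed CredSSP second hop, PAW1 -> JUMP1 -> WEB1.
function Invoke-SecondHopMaintenance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $JumpHost,    # FQDN of the intermediate server
        [Parameter(Mandatory)] [string]       $Target,      # second-hop server
        [Parameter(Mandatory)] [pscredential] $Credential,  # the administrator's own account
        [Parameter(Mandatory)] [scriptblock]  $ScriptBlock  # work to run on the target
    )
    try {
        # Client role: this workstation may delegate fresh credentials to the jump host only.
        Enable-WSManCredSSP -Role Client -DelegateComputer $JumpHost -Force | Out-Null

        # Server role on the jump host, configured over an ordinary first-hop session.
        Invoke-Command -ComputerName $JumpHost -ScriptBlock {
            Enable-WSManCredSSP -Role Server -Force | Out-Null
        }

        # CredSSP must be requested explicitly, with explicit credentials.
        # The script block is passed as text and rebuilt on the jump host.
        Invoke-Command -ComputerName $JumpHost -Authentication CredSSP -Credential $Credential `
            -ArgumentList $Target, $ScriptBlock.ToString() -ScriptBlock {
                param($target, $body)
                Invoke-Command -ComputerName $target -ScriptBlock ([scriptblock]::Create($body))
            }
    }
    finally {
        # Close the delegation path again, client side first.
        Disable-WSManCredSSP -Role Client
        Invoke-Command -ComputerName $JumpHost -ScriptBlock { Disable-WSManCredSSP -Role Server }
    }
}

# whoami on WEB1 returns the connecting administrator's account, confirming the second hop.
Invoke-SecondHopMaintenance -JumpHost 'JUMP1.contoso.com' -Target 'WEB1' `
    -Credential (Get-Credential) -ScriptBlock { whoami }
```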
Topic: Monitor and Troubleshoot Windows Server
Users report slow file opens on an SMB share hosted on a Windows Server 2022 Azure VM. You need the least disruptive configuration change that targets the bottleneck. The share must keep the same UNC path, clients cannot be reconfigured, and the VM has spare CPU and memory.
Exhibit: 15-minute average counters
| Counter | Value |
|---|---|
| Processor: % Processor Time | 18% |
| Memory: Available MBytes | 6,400 |
| LogicalDisk(D:): Avg. Disk sec/Read | 0.070 |
| LogicalDisk(D:): Avg. Disk sec/Write | 0.095 |
| LogicalDisk(D:): Current Disk Queue Length | 22 |
| NIC: Bytes Total/sec | 240 Mbps on 10 Gbps |
Which configuration change should you make?
Best answer: A
Explanation: The performance evidence points to the storage path hosting the SMB data. Disk read and write latency are high, and the disk queue length is elevated, while processor utilization is low, memory is available, and the NIC is far below its rated capacity. Because the requirement is to keep the same UNC path and avoid client changes, improving the performance characteristics of the existing data disk is the most direct and least disruptive configuration choice. This targets the constrained resource without changing the file share namespace or reconfiguring SMB clients.
Adding compute, memory, or SMB network features would not address the bottleneck shown by the counters.
Topic: Implement Windows Server High Availability
A company has a four-node Windows Server failover cluster that hosts Hyper-V workloads on Storage Spaces Direct. The servers are Azure Arc-enabled for inventory and monitoring, but the administrator must apply monthly Windows updates without taking the clustered VMs offline and without manually patching one node at a time. Which design best fits the requirement?
Best answer: D
Explanation: Cluster-Aware Updating (CAU) is designed for maintaining Windows Server failover clusters while keeping clustered workloads available. In self-updating mode, CAU uses a clustered role and an update run profile to coordinate the update cycle across nodes. It pauses and drains a node, installs updates, reboots if required, resumes the node, and then moves to the next node. This is the right fit for a Hyper-V and Storage Spaces Direct cluster because availability depends on controlled rolling maintenance, not just installing patches. Azure Arc can help with inventory and monitoring, but it does not replace cluster-aware orchestration for this requirement.
Topic: Manage Virtual Machines and Containers
A Windows Server 2022 container host runs as a Hyper-V virtual machine on an on-premises network. A containerized line-of-business app must receive an IP address from the existing VLAN DHCP scope, be reachable directly by other servers on that IP address, and avoid publishing individual ports on the container host. Which configuration should you use?
Best answer: A
Explanation: Windows Server container networking uses different network drivers for different isolation and connectivity goals. A transparent network connects containers to an external Hyper-V virtual switch so the containers appear on the same Layer 2 network as other physical or virtual machines. That allows DHCP from the existing VLAN and direct inbound access to each container IP. Because the container host itself is a Hyper-V VM, MAC address spoofing must be enabled on that VM so the physical network can see traffic using the containers’ MAC addresses. NAT would require host port publishing and would not give the app direct reachability on a VLAN-assigned IP.
Topic: Implement and Manage Hybrid Networking
You manage Windows Server workloads on-premises and in Azure. Several application VMs will be migrated to Azure, but for the first phase they must keep their existing on-premises IPv4 addresses because legacy firewall rules and licensing are tied to those addresses. You want to extend only the required subnet to Azure and avoid readdressing before cutover. Which configuration should you implement?
Best answer: C
Explanation: Azure extended network is the appropriate choice when a Windows Server migration requires Azure VMs to remain reachable by using their existing on-premises IP addresses. It extends an on-premises subnet into Azure, which helps with phased migrations where DNS records, firewall rules, or application dependencies cannot be changed immediately. Azure Network Adapter is different: it creates a point-to-site VPN connection from a Windows Server to an Azure virtual network for connectivity, but it does not stretch the on-premises subnet or preserve VM IP addresses in Azure. The key distinction is subnet extension versus server-to-VNet connectivity.
Topic: Secure Windows Server Hybrid Infrastructure
A company has 180 Windows Server 2025 servers running as Azure VMs and on-premises Azure Arc-enabled servers. The security team requires Microsoft security baseline settings to be applied consistently, remediated after drift, and reported centrally in Azure. The solution must work for servers that are not joined to an AD DS domain. Which configuration should you use?
Best answer: A
Explanation: OSConfig is the appropriate mechanism when Windows Server baseline configuration must be managed consistently at scale, especially across Azure VMs and Azure Arc-enabled servers. By assigning a machine configuration baseline through Azure Policy, administrators can apply the required OSConfig-backed settings, detect drift, trigger remediation, and view compliance centrally in Azure. This also avoids dependence on AD DS domain membership, which is important for hybrid or workgroup servers.
Group Policy is useful for domain-joined servers but does not meet the cross-environment and non-domain constraint. Defender for Cloud can surface security posture and recommendations, but it is not the baseline application mechanism by itself.
Topic: Migrate Servers and Workloads
A company migrated users, groups, and member servers from an old AD DS forest to a new forest. Before the final cutover, you must validate that migrated users can sign in, retain expected resource access through groups, receive the correct GPOs, and that cross-forest application dependencies remain functional. Which validation configuration should you use?
dcdiag and repadmin on the new forest domain controllers.
gpresult, trust health, repadmin, and application service dependencies.
Best answer: C
Explanation: AD DS migration validation must prove that the migrated environment works from the user, policy, directory, and application perspectives. A strong validation runbook should test interactive or service authentication, verify effective group membership and resource authorization, confirm applied GPOs with tools such as gpresult, and check forest trust health. It should also confirm AD DS replication health with tools such as repadmin and test application dependencies such as SPNs, service accounts, LDAP binds, or cross-forest access paths.
Replication-only checks are necessary but not sufficient. The key is to collect evidence across identity, policy, trust, replication, and application behavior before cutover.
Topic: Implement Disaster Recovery
A company has two standalone Hyper-V hosts in separate on-premises sites. The hosts are in untrusted AD DS forests, and the disaster recovery design must use host-based VM replication without Azure Site Recovery. Replication traffic must be encrypted, and administrators need the option to recover the VM to earlier recovery points. Which configuration should you use?
Best answer: B
Explanation: Hyper-V Replica is the host-based replication feature for protecting Hyper-V virtual machines when the requirement is outside Azure Site Recovery. Because the hosts are in untrusted AD DS forests, Kerberos authentication is not suitable. To encrypt replication traffic at the Hyper-V Replica layer, configure the replica server to use certificate-based authentication over HTTPS, then enable replication for the VM and configure recovery history as needed. This protects the VM at the Hyper-V level and supports planned, test, and unplanned failover scenarios without depending on Azure Site Recovery.
Topic: Deploy and Manage AD DS in Hybrid Environments
A company has a single AD DS forest with two domains: contoso.com and emea.contoso.com. After an administrator increases the minimum password length in the Default Domain Policy of contoso.com, users in emea.contoso.com can still set shorter passwords. Replication health is normal, and gpresult for an affected user shows the Default Domain Policy from emea.contoso.com with the old setting.
What is the best root cause?
Best answer: C
Explanation: AD DS account password policy is a domain-scoped configuration, not a forest-wide or site-scoped setting. Changing the Default Domain Policy in contoso.com affects accounts in that domain, but it does not automatically change password requirements for accounts in emea.contoso.com. The gpresult clue confirms that the affected user is receiving the child domain’s Default Domain Policy, which still contains the old setting. Healthy replication does not help when the change was made in the wrong scope.
The key diagnostic distinction is scope: domains define account policy boundaries, sites define physical topology and replication/client-location behavior, and forest-wide partitions hold shared configuration such as sites and schema.
Topic: Manage Storage and File Services
A Windows Server Hyper-V cluster stores VM disks on shared storage. Several development VMs periodically consume enough disk I/O to affect production VMs. You need to cap the combined storage I/O from the development VM disks, manage the setting centrally, and keep the cap effective if the VMs move between cluster nodes. What should you configure?
Best answer: B
Explanation: Storage QoS is the Windows Server mechanism for controlling storage performance for Hyper-V workloads. When multiple VM disks must share one overall limit, use an aggregated Storage QoS policy and assign it to the relevant virtual hard disks. The policy enforces a combined cap across the assigned disks instead of treating each disk independently. This fits clustered Hyper-V because the policy assignment follows the VM disk and can be managed centrally with Windows Server storage tools or PowerShell. A dedicated policy is useful when each disk or workload needs its own individual limit or reservation, not when several disks must share one group cap.
Use this map to connect the sample questions to Windows Server hybrid administration decisions.
```mermaid
flowchart LR
    S1["Windows Server estate"] --> S2
    S2["Connect to Azure management"] --> S3
    S3["Secure identity and access"] --> S4
    S4["Operate storage and networking"] --> S5
    S5["Plan migration and recovery"] --> S6
    S6["Monitor and troubleshoot"]
```
| Cue | What to remember |
|---|---|
| Hybrid scope | Connect on-premises Windows Server responsibilities with Azure management, monitoring, and recovery. |
| Identity | Review AD DS, Microsoft Entra integration, access, and administrative boundaries. |
| Networking | Plan DNS, connectivity, name resolution, VPN, and hybrid service paths. |
| Recovery | Distinguish backup, failover, migration, high availability, and tested recovery procedures. |
| Route transition | Confirm whether AZ-802 is the target exam for the candidate timeline before relying on older AZ-800/AZ-801 material. |