This free full-length Microsoft AZ-802 practice exam includes 50 original IT Mastery questions across the exam domains.
These questions are for self-assessment. They are not official exam questions and do not imply affiliation with the exam sponsor.
Count note: this page uses the full-length practice count maintained in the Mastery exam catalog. Some certification vendors publish total questions, scored questions, duration, or unscored/pretest-item rules differently; always confirm exam-day rules with the sponsor.
| Domain | Weight |
|---|---|
| Deploy and Manage AD DS in Hybrid Environments | 16.5% |
| Manage Windows Servers and Hybrid Workloads | 6.5% |
| Manage Virtual Machines and Containers | 9% |
| Implement and Manage Hybrid Networking | 9% |
| Manage Storage and File Services | 9% |
| Secure Windows Server Hybrid Infrastructure | 14% |
| Implement Windows Server High Availability | 9% |
| Implement Disaster Recovery | 6.5% |
| Migrate Servers and Workloads | 11.5% |
| Monitor and Troubleshoot Windows Server | 9% |
Topic: Deploy and Manage AD DS in Hybrid Environments
A company synchronizes on-premises AD DS users to Microsoft Entra ID with password hash synchronization enabled. It is migrating a legacy Windows Server application to Azure VMs. The application must continue to use domain join, LDAP bind, Kerberos/NTLM, and Group Policy, but the company does not want to deploy or manage domain controllers in Azure. Which identity design is the best fit?
Options:
A. Use staged rollout to move the users to cloud authentication.
B. Register the application in Microsoft Entra ID for OAuth authentication.
C. Deploy Microsoft Entra Domain Services and join the VMs to it.
D. Join the Azure VMs directly to Microsoft Entra ID.
Best answer: C
Explanation: Microsoft Entra Domain Services is the correct boundary when legacy workloads need AD DS-like protocols in Azure but you do not want to manage domain controllers. It creates a managed domain that supports domain join, LDAP, Kerberos/NTLM, and Group Policy for identities synchronized from Microsoft Entra ID. Microsoft Entra ID authentication is best for modern applications that use protocols such as OAuth, OpenID Connect, or SAML. AD DS authentication is best when you manage domain controllers directly, either on-premises or on Azure VMs. Staged rollout changes how users authenticate to Microsoft Entra ID; it does not make a legacy LDAP/Kerberos application cloud-native.
Topic: Manage Windows Servers and Hybrid Workloads
An administrator onboarded an on-premises Windows Server to Azure Arc by using the generated installation script. The Azure resource was created, but Azure Arc shows the machine as Offline. On the server, the Azure Connected Machine Agent service is running.
Log excerpt:
azcmagent: Agent Status: Disconnected
himds: last successful heartbeat: 09:15
error: cannot reach gbl.his.arc.azure.com over TCP 443
proxy: not configured
What is the best next diagnostic action?
Options:
A. Reinstall the Azure VM Agent
B. Run azcmagent check on the server
C. Force Microsoft Entra Connect synchronization
D. Restart the AD DS Netlogon service
Best answer: B
Explanation: The evidence points to an Azure Connected Machine Agent connectivity problem, not an identity sync or domain service issue. The agent is installed and its service is running, but the heartbeat fails because the server cannot reach an Azure Arc service endpoint over TCP 443. The best diagnostic step is to run azcmagent check locally to validate required network access, proxy configuration, and endpoint reachability for Azure Arc. If the check fails, investigate firewall, proxy, or DNS rules for the required Azure Arc endpoints before reinstalling anything. A running service with a disconnected status usually means the agent cannot communicate with Azure, not that the server needs the Azure VM Agent.
Topic: Implement and Manage Hybrid Networking
A company is replacing VPN access to an on-premises inventory web app with Microsoft Entra Private Access. Test users are assigned to the private access application, and the private network connector group is healthy, but external users report that https://inventory.corp.contoso.com times out.
Diagnostic summary:
| Check | Result |
|---|---|
| Connector group | Healthy |
| App segment | inventory.corp.contoso.com:443 |
| User assignment | TestUsers assigned |
| Global Secure Access client | Connected |
| Client forwarding profile | Microsoft traffic: On; Private access: Off |
What is the most likely root cause?
Options:
A. Private Access traffic forwarding is not enabled
B. The app must use Microsoft Entra Application Proxy
C. The users need a traditional VPN route
D. The connector group cannot reach the private app
Best answer: A
Explanation: Microsoft Entra Private Access depends on the Global Secure Access client forwarding matching private application traffic to the service. In this case, the connector group is healthy, the app segment is configured, and the users are assigned, so those core publishing elements are present. The decisive clue is the client status: Microsoft traffic is enabled, but Private access is off. That means the client is not intercepting and forwarding traffic for inventory.corp.contoso.com:443, so the request behaves like normal internet traffic and times out. The next fix or validation should focus on enabling the Private Access forwarding profile for the affected users or devices.
Topic: Manage Storage and File Services
A company is moving departmental SMB shares to a new domain-joined Windows Server file server managed through Windows Admin Center. For \\FS1\Finance, administrators want least-privilege access, easy role changes through AD DS groups, and minimal troubleshooting from conflicting share and NTFS permissions. Which design is the best fit?
Options:
A. Assign NTFS permissions to individual users and use local groups only for auditing.
B. Use share permissions only and leave NTFS permissions inherited for all users.
C. Use server local groups for roles, nest domain groups, set NTFS permissions, and allow broad share access.
D. Assign domain users directly to NTFS permissions and set matching share permissions.
Best answer: C
Explanation: For Windows Server file shares, a common least-privilege design is to use groups for access management and avoid managing the same detailed rights in two places. Domain groups should represent user roles, such as Finance readers or Finance managers. Those domain groups can be nested into resource-specific local groups on the file server, and the local groups receive NTFS permissions on the folder. Share permissions are often kept broad, such as allowing authenticated users, so the effective access is determined primarily by NTFS permissions. This reduces conflicts because effective access over SMB is the most restrictive combination of share and NTFS permissions. The key takeaway is to manage identity through AD DS groups and enforce detailed file access with NTFS permissions.
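The following PowerShell is an added example, not part of the practice exam, showing the group-nesting design from the explanation for \\FS1\Finance. Assumed values: domain CONTOSO, domain role groups Finance-Readers and Finance-Managers, and folder D:\Shares\Finance on FS1.

```powershell
# Added example (not from the practice exam). Run elevated on the file server FS1.
# Assumed: domain CONTOSO, domain role groups Finance-Readers / Finance-Managers,
# local folder D:\Shares\Finance.

$folder = 'D:\Shares\Finance'
New-Item -Path $folder -ItemType Directory -Force | Out-Null

# Resource-specific local groups hold the NTFS rights; domain role groups are nested
# into them, so a role change is an AD DS group-membership change, not an ACL edit.
$roleMap = @(
    @{ Local = 'FS1-Finance-Read';   Domain = 'CONTOSO\Finance-Readers';  Rights = 'ReadAndExecute' }
    @{ Local = 'FS1-Finance-Modify'; Domain = 'CONTOSO\Finance-Managers'; Rights = 'Modify' }
)
foreach ($role in $roleMap) {
    if (-not (Get-LocalGroup -Name $role.Local -ErrorAction SilentlyContinue)) {
        New-LocalGroup -Name $role.Local -Description "NTFS role group for $folder" | Out-Null
    }
    if (-not (Get-LocalGroupMember -Group $role.Local -Member $role.Domain -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $role.Local -Member $role.Domain
    }
}

# NTFS: stop inheriting from D:\Shares, then grant only SYSTEM, Administrators and the role groups.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)     # protect the ACL and drop inherited ACEs
$entries = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' }
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' }
) + ($roleMap | ForEach-Object { @{ Id = "$env:COMPUTERNAME\$($_.Local)"; Rights = $_.Rights } })
foreach ($e in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $e.Id, $e.Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $folder -AclObject $acl

# Share: broad share permission (Change for Authenticated Users) so the most restrictive
# combination of share and NTFS rights is always the NTFS ACL. Access-based enumeration
# hides folders a user cannot open.
New-SmbShare -Name 'Finance' -Path $folder -ChangeAccess 'NT AUTHORITY\Authenticated Users' `
    -FolderEnumerationMode AccessBased | Out-Null

# Verify: NTFS ACEs and the share ACL side by side
(Get-Acl -Path $folder).Access | Select-Object IdentityReference, FileSystemRights
Get-SmbShareAccess -Name 'Finance'
```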
Topic: Implement Windows Server High Availability
An administrator is creating a two-node failover cluster from Windows Server 2022 servers that are not joined to an AD DS domain. Both nodes are in the same workgroup, have matching local administrator credentials, and use a common DNS suffix. Cluster creation fails with this message:
Unable to create the cluster name account in Active Directory.
Access is denied or the object cannot be created.
What is the most likely root cause?
Options:
A. The shared DNS suffix prevents workgroup cluster creation.
B. Matching local administrator credentials are unsupported.
C. Failover clusters require all nodes to join the same domain.
D. The cluster used an AD and DNS administrative access point.
Best answer: D
Explanation: Workgroup failover clusters are supported, but they do not use AD DS computer objects for the cluster name. If cluster creation tries to use the traditional Active Directory and DNS administrative access point, it attempts to create a cluster name object in AD DS and fails because the nodes are not domain joined. For a workgroup cluster, the administrative access point should be DNS-only, with appropriate local administrative credentials and name resolution in place.
The failure message points to an AD DS object-creation attempt, not to a general lack of cluster support for workgroup nodes.
Topic: Implement and Manage Hybrid Networking
A company uses Network Policy Server (NPS) on NPS01 as the central RADIUS server for RRAS VPN servers. VPN01 authenticates users successfully. After adding VPN02, all VPN02 users are denied before any user policy is evaluated.
NPS01 log excerpt:
Reason: The RADIUS request was received from an unknown RADIUS client.
Client IP Address: 10.20.5.14
Configured RADIUS clients: VPN01 - 10.20.5.10
What is the most likely root cause?
Options:
A. The NPS network policy processing order is incorrect
B. VPN02’s source IP is not configured as a RADIUS client
C. VPN02 is missing an accounting configuration on NPS01
D. The VPN users are missing the required AD DS group membership
Best answer: B
Explanation: NPS must recognize the network access server, such as an RRAS VPN server, as a configured RADIUS client before it can process authentication or authorization. The log states that the request came from an unknown RADIUS client at 10.20.5.14, while the only configured client is VPN01 at 10.20.5.10. That means NPS is rejecting the request at the RADIUS client validation stage, not during AD DS group evaluation or network policy matching.
For VPN02, the administrator should verify the source IP address seen by NPS and add that address as a RADIUS client with the correct shared secret. If NAT is involved, the configured RADIUS client address must match the address NPS actually receives.
Topic: Implement Windows Server High Availability
A four-node failover cluster spans two datacenters with two nodes in each datacenter. A test isolates Datacenter1. The two Datacenter2 nodes and replicated storage stay online, but clustered roles stop and Event ID 1177 reports that quorum was lost. The team also wants the cluster to survive the loss of either datacenter.
Current quorum summary:
| Setting | Value |
|---|---|
| Quorum mode | Node and File Share Majority |
| Witness | \\FSW-DC1\ClusterWitness |
| Witness location | Datacenter1 |
Which quorum change should you make before the next test?
Options:
A. Configure a Cloud Witness reachable from both datacenters.
B. Disable dynamic quorum on all cluster nodes.
C. Change the cluster to Node Majority only.
D. Move the file share witness to Datacenter2.
Best answer: A
Explanation: The cluster has four node votes plus a witness vote, so it normally needs a majority of the five possible votes. When Datacenter1 fails, the two nodes in Datacenter2 remain, but the witness is lost with Datacenter1. That leaves only two reachable votes, so the cluster cannot maintain quorum. For a multisite cluster that must survive the loss of either datacenter, place the witness in an independent location that both sites can reach, such as a Cloud Witness in Azure. This prevents the witness from failing with one of the cluster sites.
Topic: Migrate Servers and Workloads
A Windows Server administrator is using Storage Migration Service to migrate an on-premises file server from FS-OLD to FS-NEW. Inventory and transfer completed successfully, and file counts match on the destination. Cutover fails before the server names are swapped.
Exhibit:
Inventory: Success
Transfer: Success
Cutover: Failed
Error: 0x80070005 Access is denied
Failed step: Rename destination and update AD computer object
Run-as account: CONTOSO\sms-migrate
Membership: Local Administrators on FS-OLD and FS-NEW only
What is the most likely root cause?
Options:
A. The destination volume has insufficient free space
B. The migration account lacks AD DS permissions
C. The copied share permissions are invalid
D. TCP port 445 is blocked between the servers
Best answer: B
Explanation: Storage Migration Service cutover is different from inventory and data transfer. Inventory and transfer mainly validate connectivity, storage access, and file copy behavior. Cutover must rename computers, update domain computer objects, and complete identity changes so clients can reach the new server by the old name. The evidence shows file transfer succeeded, but cutover failed at “Rename destination and update AD computer object” with access denied. Because the run-as account is only a local administrator on both servers, the likely issue is missing AD DS rights to modify or rename the relevant computer objects. Local admin rights are not enough for domain object updates.
Topic: Migrate Servers and Workloads
A team is using Storage Migration Service in Windows Admin Center to move an on-premises file server to a Windows Server Azure VM because the applications must continue using Windows Server-hosted SMB shares. Inventory completes, but the first transfer fails.
Phase: Transfer
Source: FS01
Destination: AZFS01
Result: Failed
Detail: Cannot access \\AZFS01\C$.
System error 53: The network path was not found.
Azure VM NSG: inbound RDP allowed; no SMB rule
Windows Defender Firewall: default inbound block
What is the best next diagnostic action?
Options:
A. Recreate the project in Azure Migrate
B. Test TCP 445 and admin share access to AZFS01
C. Configure Azure Site Recovery replication for FS01
D. Enable Azure File Sync cloud tiering on AZFS01
Best answer: B
Explanation: Storage Migration Service performs inventory, transfer, and cutover for Windows Server file-service migrations, including migrations to Windows Server Azure VMs. In this case, inventory succeeds but transfer fails when accessing \\AZFS01\C$, and the exhibit shows no SMB rule in the Azure VM NSG plus default inbound blocking in Windows Defender Firewall. The next diagnostic step is to validate TCP 445 and administrative share access to the destination VM from the migration path, then confirm whether NSG or guest firewall rules are blocking that access. The failure is not evidence that the migration method is wrong; it is a connectivity prerequisite failure for the SMS transfer phase.
Topic: Secure Windows Server Hybrid Infrastructure
A company is moving two IIS-based Windows Server VMs to Azure. The VMs will be in a workload subnet behind an Azure Application Gateway, and administrators must connect only through Azure Bastion. The VMs have no public IP addresses. Which NSG design best fits a least-privilege traffic boundary?
Options:
A. Allow App Gateway HTTPS and Bastion RDP to the VM ASG; deny other inbound traffic.
B. Apply an NSG only to the Application Gateway subnet.
C. Use Windows Defender Firewall only and do not assign an NSG.
D. Allow HTTPS and RDP from Internet to each VM NIC.
Best answer: A
Explanation: For Azure-hosted Windows Server VMs, an NSG should enforce the network boundary closest to the workload, typically on the workload subnet or NIC. In this scenario, the required inbound paths are specific: HTTPS from the Application Gateway subnet to the IIS VMs, and RDP from the Azure Bastion subnet to the VMs. Using an application security group for the VMs keeps the rules stable as VMs are replaced or added. Because Azure NSGs include a default allow rule for traffic within the virtual network, a least-privilege design should also include an explicit deny for other inbound VNet traffic after the required allow rules. The key is to permit only the intended management and application paths.
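The Az PowerShell below is an added example, not from the practice exam, that builds the NSG described in the explanation: two scoped allow rules targeting an application security group, followed by an explicit deny that overrides the default intra-VNet allow. Assumed values: resource group rg-web, region eastus, Application Gateway subnet 10.10.1.0/24, AzureBastionSubnet 10.10.2.0/26, workload subnet snet-app (10.10.3.0/24) in vnet-hub.

```powershell
# Added example (not from the practice exam). Requires the Az.Network module and an
# authenticated Az session. All names and prefixes below are assumptions.
$rg  = 'rg-web'
$loc = 'eastus'

# ASG for the IIS VMs: rules reference the group, so replacing a VM needs no rule edits.
$asg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'asg-iis' -Location $loc

$rules = @(
    # Only the Application Gateway subnet may reach the IIS VMs on 443.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-AppGw-HTTPS' -Priority 100 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix '10.10.1.0/24' -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $asg.Id -DestinationPortRange 443
    # Only the Bastion subnet may reach the VMs on 3389.
    New-AzNetworkSecurityRuleConfig -Name 'Allow-Bastion-RDP' -Priority 110 -Direction Inbound `
        -Access Allow -Protocol Tcp -SourceAddressPrefix '10.10.2.0/26' -SourcePortRange '*' `
        -DestinationApplicationSecurityGroupId $asg.Id -DestinationPortRange 3389
    # Explicit deny at a lower number than the default AllowVnetInBound (65000) rule,
    # so other VNet sources, including lateral traffic from peer subnets, are blocked.
    New-AzNetworkSecurityRuleConfig -Name 'Deny-VNet-Inbound' -Priority 4000 -Direction Inbound `
        -Access Deny -Protocol '*' -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
        -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange '*'
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'nsg-app' -Location $loc -SecurityRules $rules

# Attach the NSG to the workload subnet (the boundary closest to the VMs).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-hub'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app' -AddressPrefix '10.10.3.0/24' `
    -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Remaining step per VM: add its NIC IP configuration to asg-iis, then confirm the
# effective rules with Get-AzEffectiveNetworkSecurityGroup against that NIC.
```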
Topic: Implement and Manage Hybrid Networking
A company has one AD DS forest with Windows Server DHCP and AD-integrated DNS servers in several on-premises sites. Administrators also manage Azure IaaS VMs over a site-to-site VPN, but the immediate requirement is to centrally manage and audit on-premises IP address ranges, DHCP scopes, and DNS records while avoiding Domain Admin permissions for daily operations. Which design is the best fit?
Options:
A. Deploy a dedicated domain-joined IPAM server with GPO-based provisioning and IPAM RBAC.
B. Use Azure DNS Private Resolver to manage DHCP scopes and DNS records.
C. Install IPAM on a domain controller and delegate DNSAdmins to all network operators.
D. Use Microsoft Entra ID administrative units to delegate DHCP and DNS management.
Best answer: A
Explanation: Windows Server IPAM is designed to centrally plan, track, manage, and audit IP address infrastructure in an AD DS environment. For this scenario, a dedicated domain-joined IPAM server can discover DHCP and DNS servers in the forest, use GPO-based provisioning to grant the required management and audit permissions, and apply IPAM role-based access control so operators do not need broad Domain Admin rights. This fits the requirement to manage address spaces, DHCP scopes, and DNS records from a central point while keeping an audit trail. Azure networking services can complement hybrid connectivity, but they do not replace Windows Server IPAM for managing on-premises Windows DHCP and AD-integrated DNS.
Topic: Deploy and Manage AD DS in Hybrid Environments
A branch office has a local domain controller, BR-DC1, in the Branch AD DS site. Users in the branch report slow sign-ins, and their clients authenticate against HQ-DC1 across the WAN. BR-DC1 passes DNS and Netlogon health checks.
Evidence:
| Item | Value |
|---|---|
| Client IP | 10.42.16.25 |
| nltest /dsgetsite | HQ |
| AD subnet 10.42.0.0/16 | HQ |
| AD subnet 10.20.8.0/24 | Branch |
What is the most likely root cause?
Options:
A. The site link schedule blocks authentication traffic
B. BR-DC1 is missing the PDC emulator role
C. The branch subnet is associated with the wrong site
D. The KCC failed to generate replication connections
Best answer: C
Explanation: AD DS uses site and subnet mappings to determine a client’s site. The client IP 10.42.16.25 falls within the configured 10.42.0.0/16 subnet, which is associated with the HQ site. Because no more specific subnet for the branch is shown, the client correctly discovers HQ as its site and selects an HQ domain controller. The fix is to create or correct a subnet object for the branch network, such as 10.42.16.0/24, and associate it with the Branch site. This is a site topology configuration issue, not a domain controller health issue.
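As an added example, not from the practice exam, the PowerShell below reproduces the site lookup the explanation describes (the most specific matching subnet object wins), shows 10.42.16.25 landing in HQ, creates the missing branch subnet, and shows the lookup now resolving to Branch. It assumes the ActiveDirectory RSAT module on a domain-joined admin host; Get-ADSiteForIP and Test-IPInSubnet are helper functions written here, not AD cmdlets.

```powershell
# Added example (not from the practice exam). Helper functions are hypothetical names.
Import-Module ActiveDirectory

function ConvertTo-UInt32 ([string]$Ip) {
    # Dotted-quad to a 32-bit integer without depending on host endianness.
    $v = 0
    foreach ($b in ([IPAddress]$Ip).GetAddressBytes()) { $v = ($v * 256) + [int]$b }
    return [uint32]$v
}

function Test-IPInSubnet ([string]$IPAddress, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $bits = [int]$bits
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))   # e.g. /24 -> 0xFFFFFF00
    return (((ConvertTo-UInt32 $IPAddress) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask))
}

function Get-ADSiteForIP ([string]$IPAddress) {
    # Longest-prefix match across all IPv4 subnet objects in the forest.
    $best = $null
    foreach ($s in Get-ADReplicationSubnet -Filter *) {
        if ($s.Name -notmatch '^\d+\.\d+\.\d+\.\d+/\d+$') { continue }   # skip IPv6 subnets
        $prefix = [int]($s.Name -split '/')[1]
        if ((Test-IPInSubnet $IPAddress $s.Name) -and ($null -eq $best -or $prefix -gt $best.Prefix)) {
            $best = [pscustomobject]@{
                Subnet = $s.Name
                Prefix = $prefix
                Site   = ($s.Site -replace '^CN=([^,]+),.*', '$1')   # Site is returned as a DN
            }
        }
    }
    return $best
}

# Before the fix: only 10.42.0.0/16 matches, so the client is placed in HQ.
Get-ADSiteForIP -IPAddress '10.42.16.25'

# Fix: a more specific subnet object for the branch network, associated with the Branch site.
New-ADReplicationSubnet -Name '10.42.16.0/24' -Site 'Branch' -Location 'Branch office'

# After the fix: /24 beats /16, so the same IP now resolves to Branch.
Get-ADSiteForIP -IPAddress '10.42.16.25'
# On a branch client, confirm with: nltest /dsgetsite
```

Domain controllers refresh their subnet-to-site cache periodically, so a client may keep reporting HQ for a short time after the subnet object replicates.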
Topic: Manage Windows Servers and Hybrid Workloads
An administrator uses Azure Update Manager to assess an Azure Arc-enabled Windows Server. The server appears as Connected in Azure Arc, but the update assessment fails.
Server: FS-ARC-03
Azure Arc state: Connected
Update assessment: Failed
Windows Update error: 0x8024402C
Policy result:
Do not connect to Windows Update Internet locations: Enabled
Specify intranet Microsoft update service location: Not configured
What is the best remediation or validation step?
Options:
A. Create an Azure Monitor data collection rule
B. Reinstall the Azure Connected Machine Agent
C. Configure a reachable update source and rerun assessment
D. Enable VM Insights for the Arc-enabled server
Best answer: C
Explanation: Azure Update Manager assesses Windows updates by using the operating system’s update scan behavior. The server is already connected to Azure Arc, so the failure is not primarily an Arc onboarding issue. The policy evidence shows the server is blocked from contacting Windows Update Internet locations, but no intranet update service such as WSUS is configured. That leaves the Windows Update Agent without a valid scan source, causing the assessment failure. The next step is to configure a reachable WSUS/intranet update service or allow the required Windows Update source, then rerun the assessment to validate compliance.
Topic: Migrate Servers and Workloads
A company has a single AD DS forest with two domains. The forest and both domains are at the Windows Server 2012 R2 functional level, and some domain controllers still run Windows Server 2012 R2. The company synchronizes identities to Microsoft Entra ID and wants to add time-limited privileged group membership in the existing forest without migrating users to a new forest. Which design is the best fit?
Options:
A. Create a new forest and migrate users with ADMT
B. Deploy Microsoft Entra Domain Services for privileged groups
C. Replace legacy DCs, then raise domain and forest functional levels
D. Extend the schema only and keep the current functional levels
Best answer: C
Explanation: Newer AD DS capabilities can require both newer domain controller operating systems and higher domain or forest functional levels. In this scenario, the requirement is to keep the existing forest and enable a capability such as time-limited privileged group membership. The appropriate design is to upgrade or replace domain controllers that block the target functional level, demote the legacy domain controllers, raise each domain functional level as needed, and then raise the forest functional level. Identity synchronization to Microsoft Entra ID can continue because the AD DS forest remains the source directory. A schema update alone does not enable every forest-level feature.
Topic: Secure Windows Server Hybrid Infrastructure
You manage Windows Server 2022 application servers that run a vendor service. The service is updated monthly, but all approved binaries are signed by Microsoft or the vendor certificate. Security requires untrusted executable and script code to be blocked immediately, and local Administrators must not be able to bypass the control. Which configuration should you implement?
Options:
A. An enforced WDAC policy with Microsoft and vendor signer allow rules
B. AppLocker allow rules scoped to standard user groups only
C. Microsoft Defender Antivirus with cloud protection and ASR rules
D. A WDAC audit-mode policy with hash allow rules for current files
Best answer: A
Explanation: Windows Defender Application Control (WDAC) is the correct control when servers must prevent untrusted code from executing. For a workload whose approved code is signed by known publishers, signer allow rules are better than hash rules because monthly updates can continue as long as the signing certificate remains trusted. Enforced mode is required because audit mode only records what would have been blocked. WDAC is also stronger than AppLocker for this requirement because it is designed as a code integrity enforcement control and is harder for local administrators to bypass. Antivirus and attack surface reduction help reduce malware risk, but they do not create a workload-specific trusted-code allow list.
Topic: Deploy and Manage AD DS in Hybrid Environments
You are demoting DC03, an additional domain controller in corp.contoso.com, after transferring all FSMO roles to DC01. The demotion wizard fails with: Active Directory Domain Services could not replicate off changes made locally.
Exhibit:
netdom query fsmo
All roles: DC01.corp.contoso.com
nltest /dsgetdc:corp.contoso.com
DC: \\DC01.corp.contoso.com
Status: 0x0 SUCCESS
repadmin /showrepl DC03
DC=corp,DC=contoso,DC=com from DC01
Last attempt failed: 1722 The RPC server is unavailable
CN=Configuration,DC=corp,DC=contoso,DC=com from DC01
Last attempt failed: 1722 The RPC server is unavailable
What is the best next diagnostic action?
Options:
A. Seize all FSMO roles from DC03 to DC01
B. Retry demotion with an Enterprise Admin account
C. Reconfigure DC03 to use a public DNS resolver
D. Investigate RPC replication connectivity between DC03 and DC01
Best answer: D
Explanation: A normal domain controller demotion must replicate local AD DS changes to another writable domain controller before removal. The evidence rules out common alternatives: FSMO roles are already on DC01, domain controller discovery succeeds, and the specific demotion error mentions replication. The decisive clue is repadmin /showrepl showing error 1722, which indicates RPC connectivity to the replication partner is unavailable. The next diagnostic step is to validate and troubleshoot network, firewall, name resolution, or RPC endpoint access between DC03 and DC01 before retrying demotion. Forced removal and metadata cleanup are recovery options, not the first diagnostic action when normal demotion might still be repaired.
netdom query fsmo already shows all roles hosted by DC01.
Topic: Monitor and Troubleshoot Windows Server
A company uses Microsoft Entra Connect Sync with password hash synchronization. New users created on DC2 and recent password changes are not appearing in Microsoft Entra ID. You must restore synchronization quickly, keep the current sync server active, and avoid changing the sign-in method.
Evidence:
Entra Connect AD DS connector: bound to DC1
repadmin /showrepl DC1: inbound from DC2 fails, RPC unavailable
repadmin /showrepl DC2: successful
Which configuration should you apply?
Options:
A. Run a full import and full synchronization against DC1.
B. Configure the AD DS connector to use DC2 as the preferred domain controller.
C. Enable staging mode on the current Microsoft Entra Connect Sync server.
D. Switch the tenant from password hash synchronization to pass-through authentication.
Best answer: B
Explanation: The visible evidence points to a source directory visibility problem, not a Microsoft Entra ID sign-in-method problem. Microsoft Entra Connect Sync is bound to DC1, but DC1 is not receiving inbound replication from DC2, where the new objects and password changes exist. Configuring the AD DS connector to use DC2 as the preferred domain controller lets the active sync server read the current AD DS data without changing the tenant authentication method or deploying a second sync engine. DC1 replication should still be repaired, but it is not the best immediate configuration source for synchronization.
Topic: Secure Windows Server Hybrid Infrastructure
A domain has the Default Domain Policy configured with a minimum password length of 14. Microsoft Entra Password Protection for on-premises AD DS is deployed in enforced mode with a custom banned password list. A service account owner successfully resets the account password to Support2026!, and the DC agent log shows: Microsoft Entra Password Protection evaluation: Passed. What is the best next diagnostic action?
Options:
A. Check the account’s resultant password policy
B. Add Support2026 to the custom banned list
C. Re-register the Password Protection proxy
D. Verify Microsoft Entra Connect password hash sync
Best answer: A
Explanation: AD DS password length, history, and complexity are controlled by domain password policy or fine-grained password policies. Microsoft Entra Password Protection adds banned-password evaluation, but it does not replace AD DS minimum-length enforcement. Because the password passed the Microsoft Entra Password Protection evaluation and was accepted even though it is shorter than the Default Domain Policy setting, the next diagnostic step is to determine whether a fine-grained password policy applies to that account. Use the account’s resultant password policy to confirm the effective AD DS password settings.
Topic: Secure Windows Server Hybrid Infrastructure
A security team expected alerts for LDAP reconnaissance against an on-premises AD DS domain controller, but no identity-related incident was created. The server is connected to Azure Arc, Defender for Servers Plan 2 is enabled, and Sentinel is receiving Windows Security events from the server. Defender for Identity shows this health state:
| Component | Status |
|---|---|
| DC1 sensor | Not communicating |
What is the best next diagnostic action?
Options:
A. Enable the Sentinel connector for Azure Activity logs.
B. Remediate Defender for Cloud secure score recommendations.
C. Review Defender for Servers vulnerability assessment findings.
D. Verify the Defender for Identity sensor service and connectivity on DC1.
Best answer: D
Explanation: Defender for Identity is responsible for detecting identity-based threats in AD DS, such as reconnaissance, suspicious authentication, and lateral movement patterns. Its detections depend on sensor telemetry from domain controllers or supported sensor deployment points. In this scenario, Sentinel ingestion and Defender for Servers are already present, but the key clue is that the Defender for Identity sensor on DC1 is not communicating. Sentinel can correlate and investigate signals it receives, but it does not replace the Defender for Identity sensor that produces the identity-specific detection evidence. The first diagnostic step is to restore or validate that sensor’s service, network connectivity, and health.
Topic: Manage Virtual Machines and Containers
A company deploys Windows Server Azure VMs in a VNet that has a site-to-site VPN to an on-premises AD DS domain. The VMs must resolve corp.contoso.com by using on-premises domain controllers, have no public IP addresses, allow RDP only through an Azure portal-based session, and allow traffic from the web subnet to the app subnet only on TCP 443. Which configuration should you implement?
Options:
A. Azure-provided DNS, public IPs, and Just-in-Time VM access
B. Microsoft Entra Domain Services, Application Gateway, and VM extensions
C. Azure Private DNS zone, VPN forced tunneling, and route tables
D. Custom VNet DNS, Azure Bastion, and NSG rules by subnet
Best answer: D
Explanation: Azure VMs that must join or use an on-premises AD DS domain need DNS resolution that can locate the domain controllers, typically by setting the VNet or NIC DNS servers to the on-premises DNS server IPs reachable over the VPN. Removing VM public IP addresses keeps the VMs off the internet. Azure Bastion provides portal-based RDP to private VM IP addresses without opening RDP from the internet. Network security groups applied to the relevant subnets or NICs can allow only TCP 443 from the web subnet to the app subnet and deny other lateral traffic. The key is combining DNS, private management access, and segmentation controls at the Azure VM networking layer.
Topic: Manage Windows Servers and Hybrid Workloads
A company has domain-joined Windows Server file servers in its datacenter and in Azure. Helpdesk operators must remotely restart only the Print Spooler service and view only service-related event logs. They must not be local administrators. Which design best fits the requirement?
Options:
A. Deploy a JEA endpoint mapped to the helpdesk AD DS group with constrained role capabilities.
B. Assign the helpdesk group Azure Arc Contributor on the servers.
C. Enable PowerShell remoting and require signed scripts for helpdesk sessions.
D. Add the helpdesk group to local Administrators and audit PowerShell transcripts.
Best answer: A
Explanation: Just Enough Administration (JEA) is the best fit when delegated PowerShell access must be limited to specific administrative tasks. A JEA session configuration is registered on the target servers and maps an AD DS security group to one or more role capability files. The role capability can expose only approved cmdlets, functions, providers, and parameters, such as a constrained restart operation for the Print Spooler service and limited event-log viewing. JEA can also use a virtual account so operators do not need local administrator membership. Transcription and logging can support auditing, but command scoping is the key control.
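The PowerShell below is an added example, not from the practice exam, of the JEA configuration the explanation outlines: a role capability that exposes Restart-Service only for Spooler and a wrapped, read-only event query, mapped to a helpdesk AD DS group in a virtual-account session configuration. Assumed names: group CONTOSO\Helpdesk-Spooler, module folder HelpdeskJEA, and the function Get-SpoolerEvent defined here.

```powershell
# Added example (not from the practice exam). Run elevated on each target file server.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpdeskJEA'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null
New-Item -Path 'C:\JEATranscripts' -ItemType Directory -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'HelpdeskJEA.psd1') -Description 'JEA role capabilities'

# Role capability: the only cmdlets visible are Restart-Service/Get-Service restricted to
# the Spooler service; event-log access goes through a function with a fixed filter so the
# operator cannot point Get-WinEvent at other logs.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'SpoolerOperator.psrc') `
    -Description 'Restart Print Spooler and read its Service Control Manager events' `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } }
    ) `
    -FunctionDefinitions @{
        Name        = 'Get-SpoolerEvent'
        ScriptBlock = {
            param([ValidateRange(1, 200)][int]$MaxEvents = 50)
            Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager' } `
                -MaxEvents $MaxEvents |
                Where-Object { $_.Message -like '*Print Spooler*' } |
                Select-Object TimeCreated, Id, Message
        }
    }

# Session configuration: RestrictedRemoteServer removes everything not explicitly exposed,
# the virtual account supplies local admin rights inside the session only, and every
# session is transcribed for audit.
New-PSSessionConfigurationFile -Path (Join-Path $modulePath 'HelpdeskJEA.pssc') `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk-Spooler' = @{ RoleCapabilities = 'SpoolerOperator' } }

Register-PSSessionConfiguration -Name 'HelpdeskJEA' -Path (Join-Path $modulePath 'HelpdeskJEA.pssc') -Force

# Verify what a helpdesk user would actually see before handing it over.
Get-PSSessionCapability -ConfigurationName 'HelpdeskJEA' -Username 'CONTOSO\helpdesk.user' |
    Select-Object Name, CommandType

# Operator usage from a workstation:
#   Enter-PSSession -ComputerName FS01 -ConfigurationName HelpdeskJEA
#   Restart-Service -Name Spooler
#   Get-SpoolerEvent -MaxEvents 20
```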
Topic: Deploy and Manage AD DS in Hybrid Environments
A company has two on-premises AD DS forests that do not have network connectivity to each other. The company wants to synchronize users and groups from both forests to the same Microsoft Entra tenant. The solution must minimize on-premises infrastructure and support resilient synchronization agents. No Exchange hybrid writeback, device writeback, or custom synchronization rules are required.
Which synchronization approach is the best design fit?
Options:
A. Deploy Microsoft Entra Domain Services for both forests
B. Deploy one Microsoft Entra Connect Sync server in one forest
C. Deploy Microsoft Entra Cloud Sync agents in each forest
D. Deploy AD FS federation without directory synchronization
Best answer: C
Explanation: Microsoft Entra Cloud Sync is designed for lightweight, agent-based directory synchronization that is managed primarily from Microsoft Entra ID. It is a strong fit when an organization needs to synchronize identities from multiple AD DS forests, especially when the forests are disconnected, and does not need advanced Microsoft Entra Connect Sync features such as complex custom rules or certain writeback scenarios. Multiple Cloud Sync agents can be installed for resilience.
Microsoft Entra Connect Sync remains appropriate for richer hybrid identity requirements, such as advanced attribute transformation, Exchange hybrid-related writeback, or other full sync-engine capabilities. In this scenario, those advanced requirements are explicitly not needed, so Cloud Sync better matches the resilience and infrastructure constraints.
Topic: Implement and Manage Hybrid Networking
A company hosts a Windows Server IIS intranet application that uses Integrated Windows authentication. Remote employees must access only this web application from the internet, with Microsoft Entra ID preauthentication and Conditional Access. The security team will not allow inbound firewall rules to the on-premises network and does not want users to receive network-level access.
Which access design is the best fit?
Options:
A. Web Application Proxy
B. Microsoft Entra Application Proxy
C. Microsoft Entra Private Access
D. Site-to-site VPN
Best answer: B
Explanation: Microsoft Entra Application Proxy is the best fit for publishing a specific internal web application to remote users when the organization wants Microsoft Entra ID preauthentication, Conditional Access, and no inbound firewall openings. The connector is installed on-premises and makes outbound connections to Microsoft Entra, so users reach the app through the proxy service rather than through direct network connectivity. This matches the requirement to expose only the IIS application, not the internal network. Because the application uses Integrated Windows authentication, the connector performs Kerberos constrained delegation to the application's SPN on behalf of the preauthenticated user, so the connector server's computer account must be trusted for delegation to that SPN and the users must exist in the on-premises AD DS.
The key distinction is the access pattern: application publishing for a web app favors Microsoft Entra Application Proxy, while private network access or VPN-style connectivity is broader than needed.
Topic: Deploy and Manage AD DS in Hybrid Environments
A Windows service was moved to two domain-joined Windows Server hosts, APP01 and APP02, behind a load balancer. The service runs successfully on APP01, but on APP02 the service fails to start and logs: “The account name is valid, but the account cannot be used by this computer.” The account was created as a standalone managed service account. What is the best root cause?
Options:
A. The account must be converted to a user account
B. The service account password expired in AD DS
C. The workload needs a group Managed Service Account
D. The hosts must be joined to Microsoft Entra ID only
Best answer: C
Explanation: The evidence points to a service account type mismatch. A standalone managed service account provides automatic password management, but it is intended for use by a single computer. Because the same Windows service must run on both APP01 and APP02, the appropriate account type is a group Managed Service Account, with both hosts authorized to retrieve the managed password. This preserves managed credentials while matching the multi-host scope required by the load-balanced workload.
A regular user account could work technically, but it would reintroduce manual password handling and weaker operational security. The key diagnostic clue is that the account works on one host but is rejected on another host.
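The diagnosis and fix above, as an added example that is not part of the original page. It assumes the existing standalone account is named svc-app, the replacement gMSA is svc-appg in contoso.com, and the hosts are grouped in a security group named APP-Hosts; the SPN and encryption types are illustrative.

```powershell
# Added example: identify the account type, then replace the sMSA with a gMSA that
# both APP01 and APP02 are authorized to use. Assumed names: svc-app, svc-appg, APP-Hosts.
Import-Module ActiveDirectory

# 1. Diagnose. An sMSA is msDS-ManagedServiceAccount and records a single HostComputers value;
#    a gMSA is msDS-GroupManagedServiceAccount and has no per-host binding.
Get-ADServiceAccount -Identity 'svc-app' -Properties ObjectClass, HostComputers |
    Select-Object Name, ObjectClass, HostComputers

# 2. Prerequisite (once per forest): a KDS root key. Production form; the key becomes usable
#    after ~10 hours so it has replicated to every DC. (Labs backdate -EffectiveTime instead.)
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# 3. Scope the password-retrieval right to a group, not to individual hosts, so adding a
#    third node later is a group-membership change rather than an account change.
New-ADGroup -Name 'APP-Hosts' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'APP-Hosts' -Members (Get-ADComputer 'APP01'), (Get-ADComputer 'APP02')

New-ADServiceAccount -Name 'svc-appg' `
    -DNSHostName 'svc-appg.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'APP-Hosts' `
    -ServicePrincipalNames 'HTTP/app.contoso.com' `
    -KerberosEncryptionType AES128, AES256

# 4. On each host, after a reboot so the host's token includes APP-Hosts:
#    Install-ADServiceAccount -Identity 'svc-appg'
#    Test-ADServiceAccount   -Identity 'svc-appg'   # True on APP01 and on APP02
#    Grant "Log on as a service" to CONTOSO\svc-appg$, then point the service at it with a
#    blank password; Windows retrieves the managed password itself:
#    sc.exe config AppService obj= 'CONTOSO\svc-appg$' password= ''
```

Test-ADServiceAccount is the host-side counterpart of the error in the question: it returns False on any computer that is not in PrincipalsAllowedToRetrieveManagedPassword, which is exactly the condition APP02 was in with the standalone account.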
Topic: Migrate Servers and Workloads
You are using Storage Migration Service to migrate an on-premises Windows Server file server named FS01 to a new Windows Server 2022 VM. Inventory and transfer completed successfully, but cutover failed.
Job phase: Cutover
Source: FS01
Destination: FS01-NEW
Error: Access is denied while renaming destination
and updating the computer account in OU=FileServers
Migration account: CONTOSO\sms-svc
Account status: Local Administrator on both servers
OU delegation: None
Which action is the best design fit to complete the migration with the least rework?
Options:
A. Rerun the inventory phase with Domain Admin credentials
B. Delegate computer-account permissions to CONTOSO\sms-svc in the FileServers OU
C. Configure Azure File Sync before retrying the cutover
D. Grant CONTOSO\sms-svc Full Control on all source NTFS folders
Best answer: B
Explanation: Storage Migration Service separates inventory, transfer, and cutover. In this scenario, inventory and transfer already succeeded, so the failure is not about discovering shares or copying file data. The error occurs during cutover while renaming the destination and updating the computer account in a specific AD DS OU. Being a local administrator on the source and destination is not enough for that AD DS operation. A least-privilege fix is to delegate the needed computer-object permissions in the FileServers OU to the migration account, then retry cutover without repeating the completed transfer work.
The key clue is the cutover-phase error tied to the OU, not the file-copy phase.
Topic: Deploy and Manage AD DS in Hybrid Environments
An organization runs Windows Server workloads in Azure and in two datacenters. Some perimeter servers are workgroup-joined and cannot be joined to AD DS, but all servers are onboarded to Azure Arc. The security team needs to audit and remediate specific local OS configuration settings and view compliance by subscription and resource group. Which management approach is the best design fit?
Options:
A. Link a domain-based GPO to server OUs
B. Configure local policies through Windows Admin Center
C. Assign Azure Policy with Azure Machine Configuration
D. Use Microsoft Entra Conditional Access policies
Best answer: C
Explanation: Azure Policy with Azure Machine Configuration is the best fit when Windows Server guest settings must be audited or remediated across Azure VMs and Azure Arc-enabled servers, especially when some servers are not domain-joined. Azure Policy provides Azure-scope targeting and compliance reporting by subscription, resource group, or resource. Machine Configuration supplies the guest OS configuration assessment and remediation capability. Domain-based Group Policy remains the right choice for AD DS domain-joined computers that process GPOs from OUs, sites, or domains, but it does not cover workgroup servers or provide Azure resource compliance views.
Topic: Monitor and Troubleshoot Windows Server
An Azure IaaS VM running Windows Server 2022 is encrypted by using Azure Disk Encryption with a key-encryption key in Azure Key Vault. After a change window, the VM stops during boot and prompts for BitLocker recovery. You collect the following status:
ADE extension status: Failed
Error: KeyVaultAuthenticationFailure
Operation: unwrapKey
HTTP status: 403 Forbidden
Key URL: https://kv-prod.vault.azure.net/keys/vm-kek/...
What is the most likely root cause?
Options:
A. The managed disk health state is degraded.
B. Key Vault key permissions were removed.
C. The BitLocker recovery key was deleted from AD DS.
D. The OS volume has insufficient free space.
Best answer: B
Explanation: Azure Disk Encryption uses BitLocker in the guest and protects the disk encryption key through Azure Key Vault; with a key-encryption key, the BitLocker secret is wrapped by that KEK and must be unwrapped on every boot. The decisive evidence is KeyVaultAuthenticationFailure, unwrapKey, and 403 Forbidden. A 403 means the caller was identified but is not authorized for that operation, so the problem is permission on the key, not key existence: a deleted or missing key would surface as a not-found (404) condition, while volume space or disk health issues would produce storage or OS-level symptoms rather than a Key Vault error. Key Vault has two permission models, and the change window may have altered either: under vault access policies the encryption identity needs the wrapKey and unwrapKey key permissions, and under Azure RBAC it needs a role whose data actions include keys/wrap/action and keys/unwrap/action. The next validation is to confirm which model the vault uses, check that the vault is still enabled for disk encryption, and restore the unwrap permission for the identity the ADE extension uses.
Topic: Manage Storage and File Services
A Windows Server 2022 file server receives a new 6 TB data disk. The volume will host a departmental SMB share and must use the full disk capacity, support standard NTFS permissions, and allow users to encrypt individual files with EFS. Which configuration should you use?
Options:
A. Initialize as GPT and format as NTFS
B. Create a dynamic spanned volume and format as ReFS
C. Initialize as MBR and format as NTFS
D. Initialize as GPT and format as ReFS
Best answer: A
Explanation: For a Windows Server data disk larger than 2 TB, use the GUID Partition Table (GPT) partition style rather than MBR. GPT supports large disks, while MBR is limited to approximately 2 TB per disk. The file-system requirement is also decisive: Encrypting File System (EFS) is an NTFS feature, so formatting the volume as NTFS is required when users must encrypt individual files. ReFS is useful for certain resilient data workloads, but it does not satisfy the EFS requirement in this scenario. The best fit is the option that meets both the capacity and file-system constraints without adding unnecessary volume complexity.
Topic: Manage Storage and File Services
A company has two datacenters connected by a low-latency 10-Gbps private link. A Windows Server file server stores line-of-business data on a dedicated NTFS volume. The company needs volume-level replication to a standby server at the second site with write-order consistency and the lowest possible data loss if the primary site fails. The standby copy does not need to be writable during normal operations. Which design is the best fit?
Options:
A. Configure DFS Replication for the data folder
B. Configure Azure Backup for the data volume
C. Configure Azure File Sync with cloud tiering
D. Configure synchronous Storage Replica between the servers
Best answer: D
Explanation: Storage Replica is the Windows Server feature designed for block-level replication of volumes between servers, clusters, or sites. In this scenario, the low-latency private link and the requirement for the lowest possible data loss point to synchronous replication, where a write is acknowledged to the application only after it is committed to the log on both the source and the destination. Storage Replica also preserves write order, which matters for application data consistency. The standby volume is not intended for normal read/write use, which matches Storage Replica behavior: the destination volume is dismounted and protected until you fail over or reverse the direction of replication. Two practical constraints follow from the design: each server needs a separate log volume in addition to the data volume, and synchronous mode is only recommended where round-trip latency between the sites is low (roughly 5 ms or less), which a short 10-Gbps private link satisfies.
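The partnership described above, as an added example that is not part of the original page. It assumes servers FS01 and FS02 with a GPT data volume D: and a separate log volume L: on each, and a Windows Server edition that supports Storage Replica for the volume size involved (Datacenter, or Standard with its single-volume limit).

```powershell
# Added example: synchronous server-to-server Storage Replica for D: from FS01 to FS02.
# Assumed: Storage-Replica feature installed on both servers, data volume D: and log volume L:
# on each side, replication group names RG-FS01 / RG-FS02.
Install-WindowsFeature -Name Storage-Replica -IncludeManagementTools -Restart   # run on both servers

# Pre-flight: measures IOPS/latency for the chosen duration and produces an HTML report that
# flags log sizing and round-trip-time problems before anything is committed.
Test-SRTopology -SourceComputerName 'FS01' -SourceVolumeName 'D:' -SourceLogVolumeName 'L:' `
    -DestinationComputerName 'FS02' -DestinationVolumeName 'D:' -DestinationLogVolumeName 'L:' `
    -DurationInMinutes 30 -ResultPath 'C:\Temp\SRTopology'

# Create the partnership. Synchronous mode: writes complete only after both logs have them.
New-SRPartnership -SourceComputerName 'FS01' -SourceRGName 'RG-FS01' `
    -SourceVolumeName 'D:' -SourceLogVolumeName 'L:' `
    -DestinationComputerName 'FS02' -DestinationRGName 'RG-FS02' `
    -DestinationVolumeName 'D:' -DestinationLogVolumeName 'L:' `
    -ReplicationMode Synchronous -LogSizeInBytes 8GB

# Initial block copy progress; ReplicationStatus becomes ContinuouslyReplicating when done.
# The destination D: is not mounted for use while it is the replica.
(Get-SRGroup -Name 'RG-FS01').Replicas |
    Select-Object DataVolume, ReplicationMode, ReplicationStatus, NumOfBytesRemaining

# Planned direction swap for a DR test or site move: FS02 becomes writable, FS01 the replica.
# Set-SRPartnership -NewSourceComputerName 'FS02' -SourceRGName 'RG-FS02' `
#     -DestinationComputerName 'FS01' -DestinationRGName 'RG-FS01'
```

Running Test-SRTopology first is the check that keeps this honest: if the report shows the link cannot sustain synchronous replication at the measured write rate, the "lowest possible data loss" goal is met on paper but the application's write latency will suffer, and asynchronous mode (with a nonzero RPO) is the truthful design.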
Topic: Manage Storage and File Services
A company has a Windows Server file server that supports SMB over QUIC. Remote Windows 11 users must access existing SMB shares from hotel and home networks. The solution must avoid a traditional VPN, must not expose TCP 445 to the Internet, and must preserve existing SMB permissions. Which configuration should you implement?
Options:
A. Enable SMB over QUIC with a trusted server certificate and allow UDP 443.
B. Enable SMB encryption and publish TCP 445 through the firewall.
C. Deploy Azure File Sync and redirect users to the cloud endpoint.
D. Configure Always On VPN and keep SMB on the internal network.
Best answer: A
Explanation: SMB over QUIC is designed for secure SMB file access across untrusted networks without relying on a traditional VPN. It uses QUIC over UDP 443 with TLS 1.3, so administrators can avoid exposing TCP 445 while still allowing clients to access SMB shares and keep existing share and NTFS authorization behavior. The server needs an appropriate certificate that clients trust and that matches the published name used for access. This fits remote access from hotels and home networks because UDP 443 is commonly allowed where TCP 445 is blocked.
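The server and client configuration described above, as an added example that is not part of the original page. It assumes the published name fs-edge.contoso.com, a certificate for that name already present in the local machine store and chained to a CA the Windows 11 clients trust, and a share named Finance.

```powershell
# Added example: enable SMB over QUIC on a Windows Server file server and map a share from
# a Windows 11 client over QUIC. Assumed: name fs-edge.contoso.com, share Finance.

$serverName = 'fs-edge.contoso.com'

# Pick the certificate that carries the published name as subject or SAN; any other name
# fails client validation even if the certificate is otherwise trusted.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.DnsNameList.Unicode -contains $serverName -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with private key for $serverName in LocalMachine\My" }

# Mapping the certificate to the name is what turns SMB over QUIC on for that name.
New-SmbServerCertificateMapping -Name $serverName -Thumbprint $cert.Thumbprint -StoreName My
Get-SmbServerCertificateMapping | Select-Object Name, Subject, Thumbprint

# Edge exposure is UDP 443 only. TCP 445 stays internal; do not add a rule for it.
New-NetFirewallRule -DisplayName 'SMB over QUIC (UDP 443)' -Direction Inbound `
    -Protocol UDP -LocalPort 443 -Action Allow -Profile Any

# Client side (Windows 11). -TransportType QUIC prevents any fallback to TCP 445, which
# would silently fail from hotel networks instead of surfacing a certificate/transport error.
# New-SmbMapping -LocalPath 'Z:' -RemotePath "\\$serverName\Finance" -TransportType QUIC
# Get-SmbConnection | Select-Object ServerName, ShareName, Dialect   # Dialect 3.1.1 expected
```

Share and NTFS permissions are untouched by this change: QUIC replaces the transport, and authentication still happens with the user's Kerberos or NTLM identity against the same ACLs, which is the "preserve existing SMB permissions" requirement in the question.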
Topic: Implement Disaster Recovery
A company protects a three-tier Windows Server application with Azure Site Recovery. The administrator must validate the recovery design this weekend without interrupting production and must confirm that the application starts in the correct order and can use the intended Azure network.
| Evidence | Current state |
|---|---|
| Replication health | Healthy for all VMs |
| Recovery plan | DC group, then SQL group, then Web group |
| Network mapping | Prod-VLAN to DR-VNet/AppSubnet |
| Latest recovery point | App-consistent, 12 minutes old |
Which design is the best fit?
Options:
A. Run a test failover of the recovery plan to an isolated test network.
B. Run an unplanned failover of the web VM first.
C. Disable network mapping and fail over the recovery plan.
D. Run a planned failover of each VM to DR-VNet/AppSubnet.
Best answer: A
Explanation: Azure Site Recovery test failover is the right validation method when production must continue running. The evidence shows replication is healthy, a recent app-consistent recovery point exists, the recovery plan defines the required startup order, and network mapping identifies the intended Azure network. Running the recovery plan as a test failover lets the administrator validate boot order, application behavior, and Azure-side connectivity without committing the production workload to Azure. The test should use an isolated or non-conflicting test network when needed, then be cleaned up after validation. A planned or unplanned failover is for an actual recovery or migration event, not a no-impact validation.
Topic: Manage Virtual Machines and Containers
A Windows Server Azure VM must join an on-premises AD DS domain over a site-to-site VPN. The VM can reach the domain controller by private IP, and NSG effective rules allow DNS traffic. Domain join fails with “domain name could not be contacted.”
Exhibit:
ipconfig /all: DNS Servers . . . . . : 168.63.129.16
nslookup corp.contoso.com: Server: 168.63.129.16
Result: Non-existent domain
Test-NetConnection 10.20.0.10 -Port 53: TcpTestSucceeded=True
What is the most likely root cause?
Options:
A. The VPN cannot route traffic to on-premises
B. The VM is using Azure-provided DNS
C. The subnet NSG blocks DNS to the domain controller
D. The domain controller blocks ICMP from Azure
Best answer: B
Explanation: The evidence points to a DNS server selection problem, not basic network reachability. Azure-provided DNS at 168.63.129.16 resolves Azure-internal and public names, but it does not host the on-premises AD DS zone, so corp.contoso.com and the SRV locator records (_ldap._tcp.dc._msdcs.corp.contoso.com) that domain join depends on return "Non-existent domain". The VM can reach the domain controller's private IP and TCP 53 is open, so the next configuration to fix is the VM or VNet DNS server setting so queries go to a DNS server that can resolve corp.contoso.com. Two checks are worth doing while you are there: Test-NetConnection only probes TCP, and most DNS queries use UDP 53 first, so confirm the NSG also allows UDP 53 to the domain controllers; and after changing the DNS setting, run ipconfig /renew (or restart the VM) so the guest picks up the new server list, then verify with nltest /dsgetdc:corp.contoso.com before retrying the join.
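The guest-side checks and the VNet-level fix, as an added example that is not part of the original page. It serves this question and the earlier hybrid-networking one about VNet DNS for domain-joined Azure VMs. It assumes domain controllers at 10.20.0.10 and 10.20.0.11, a VNet named vnet-app in resource group rg-app, and the Az.Network module on the admin workstation; the guest commands run inside the VM, the Az commands run from a workstation with Azure permissions.

```powershell
# Added example: separate "can I reach the DC" from "can I locate the domain", then fix DNS at
# the VNet so every NIC inherits it. Assumed: DCs 10.20.0.10/.11, VNet vnet-app, RG rg-app.

$domain = 'corp.contoso.com'
$dcs    = '10.20.0.10', '10.20.0.11'
$srv    = "_ldap._tcp.dc._msdcs.$domain"

# --- Inside the VM: diagnosis -------------------------------------------------------------
# Reachability is TCP-only here; UDP 53 still has to be allowed in the effective NSG rules.
Test-NetConnection -ComputerName $dcs[0] -Port 53 | Select-Object ComputerName, TcpTestSucceeded

# Same SRV query against the current resolver (Azure DNS) and against the DC directly.
# The first fails with NXDOMAIN, the second succeeds: that contrast is the root cause.
Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue
Resolve-DnsName -Name $srv -Type SRV -Server $dcs[0] | Select-Object Name, NameTarget, Port

# --- From an admin workstation: fix at the VNet ------------------------------------------
$vnet = Get-AzVirtualNetwork -Name 'vnet-app' -ResourceGroupName 'rg-app'
if ($null -eq $vnet.DhcpOptions) {
    $vnet.DhcpOptions = [Microsoft.Azure.Commands.Network.Models.PSDhcpOptions]::new()
}
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$dcs
$vnet | Set-AzVirtualNetwork | Out-Null

# --- Inside the VM: pick up the change and confirm the locator works ---------------------
ipconfig /renew   | Out-Null
ipconfig /flushdns | Out-Null
(Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses
nltest /dsgetdc:$domain     # prints the DC that will be used for the join, with its site and flags
```

Pointing the VNet at on-premises DNS is the common fix; the alternative that keeps Azure name resolution intact is an Azure DNS Private Resolver or a DNS forwarder in Azure that conditionally forwards corp.contoso.com to the domain controllers, which also avoids a dependency on the VPN for resolving Azure-internal names.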
Topic: Secure Windows Server Hybrid Infrastructure
Microsoft Defender for Identity reports a risky lateral movement path involving a Windows Server application server. The application must delegate user credentials only to a SQL Server service on SQL01.
Evidence:
Server: APP01
Finding: Computer is trusted for unconstrained delegation
Recent logon: Domain Admin user connected to APP01
Back-end service required: MSSQLSvc/SQL01.contoso.com
Which remediation best addresses the finding while preserving the required application function?
Options:
A. Move APP01 into the Domain Controllers OU.
B. Enable NTLM auditing on all domain controllers.
C. Replace unconstrained delegation with constrained delegation to the SQL SPN.
D. Reset the krbtgt password twice.
Best answer: C
Explanation: The evidence points to excessive Kerberos delegation. APP01 is trusted for unconstrained delegation, so when a user authenticates to it with Kerberos the server receives a forwarded copy of that user's TGT and can use it against any service in the forest; a Domain Admin signing in to APP01 therefore hands a domain-wide credential to anyone who controls that server, which is the lateral movement path Defender for Identity is reporting. Because the application still needs to delegate to one SQL Server service, the appropriate remediation is to remove unconstrained delegation and configure constrained delegation only for the required MSSQLSvc SPN on SQL01, keeping it Kerberos-only (no protocol transition) unless the front end authenticates users by a non-Kerberos method. This removes the lateral movement path without breaking the intended application flow. Independently, privileged accounts belong in the Protected Users group or should be marked "Account is sensitive and cannot be delegated" so their tickets are never forwardable in the first place. NTLM auditing is useful for legacy authentication discovery, but this finding is about Kerberos delegation scope.
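The audit and remediation described above, as an added example that is not part of the original page. The computer names and the MSSQLSvc/SQL01.contoso.com SPN come from the scenario; the port-qualified SPN (:1433) and the contoso.com domain are assumptions, and you should constrain to whatever SPNs SQL01's service identity actually has registered.

```powershell
# Added example: find unconstrained delegation in the domain, then replace it on APP01 with
# Kerberos-only constrained delegation to the SQL SPNs. Assumed: SPNs include the :1433 form.
Import-Module ActiveDirectory

# Audit: every non-DC computer trusted for unconstrained delegation is the same finding.
# Primary group 516 = Domain Controllers, 521 = read-only DCs; those are expected to have it.
Get-ADComputer -Filter { TrustedForDelegation -eq $true } `
    -Properties primaryGroupID, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Where-Object { $_.primaryGroupID -notin 516, 521 } |
    Select-Object Name, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# Confirm the target SPNs before constraining to them: a typo here breaks the application
# rather than hardening it, because the KDC will refuse S4U2Proxy for an unlisted SPN.
$sqlSpns = 'MSSQLSvc/SQL01.contoso.com', 'MSSQLSvc/SQL01.contoso.com:1433'
$owner = Get-ADObject -Filter { servicePrincipalName -like 'MSSQLSvc/SQL01.contoso.com*' } `
    -Properties servicePrincipalName
if (-not $owner) { throw 'No account holds the SQL01 SPN; fix SPN registration first.' }
$owner | Select-Object Name, ObjectClass, servicePrincipalName

# Remediate: clear TRUSTED_FOR_DELEGATION, do not enable protocol transition,
# and write the allow-list of services APP01 may delegate to.
Set-ADAccountControl -Identity 'APP01$' -TrustedForDelegation $false -TrustedToAuthForDelegation $false
Set-ADComputer -Identity 'APP01' -Replace @{ 'msDS-AllowedToDelegateTo' = $sqlSpns }

# Verify via the raw UAC bits: 0x80000 = TRUSTED_FOR_DELEGATION, 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION.
Get-ADComputer -Identity 'APP01' -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
    Select-Object Name,
        @{ n = 'Unconstrained';       e = { ($_.userAccountControl -band 0x80000)   -ne 0 } },
        @{ n = 'ProtocolTransition';  e = { ($_.userAccountControl -band 0x1000000) -ne 0 } },
        'msDS-AllowedToDelegateTo'

# Tickets already cached on APP01 keep their forwarded TGTs until expiry; on APP01 run
# klist purge under the application's service context (or restart the service) to force fresh ones.
```

Resource-based constrained delegation is the other valid shape: set `-PrincipalsAllowedToDelegateToAccount APP01$` on SQL01's service identity instead of writing msDS-AllowedToDelegateTo on APP01. It puts the decision with the owner of the target service, which is the better fit when APP01 and SQL01 are administered by different teams.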
For option D, a krbtgt reset is used for Kerberos ticket compromise scenarios, such as suspected golden-ticket abuse, not for fixing an unconstrained delegation configuration.
Topic: Implement and Manage Hybrid Networking
A company publishes an internal IIS application by using Microsoft Entra Application Proxy. Users can browse to the external URL and complete Microsoft Entra sign-in, but the app fails to load. The connector group shows Active.
Exhibit: Connector event log excerpt
Application: HRPortal
Internal URL: https://hrweb.corp.contoso.com/
Result: BackendServerConnectionFailure
Detail: The remote name could not be resolved
What is the most likely root cause?
Options:
A. Inbound Internet traffic is blocked to the connector server.
B. Microsoft Entra Domain Services is not deployed.
C. The connector cannot resolve the internal application FQDN.
D. Users are missing a VPN connection to the internal network.
Best answer: C
Explanation: Microsoft Entra Application Proxy uses an on-premises connector to reach the internal web application on behalf of authenticated users. In this case, Microsoft Entra sign-in succeeds and the connector is active, so the cloud-side publication and connector registration are not the first suspect. The deciding clue is the connector event: the internal URL name cannot be resolved. The connector server must be able to resolve and connect to the internal URL exactly as configured in the application proxy settings.
A good validation step would be to test DNS resolution and HTTPS access to https://hrweb.corp.contoso.com/ from the connector server, then fix internal DNS or the configured internal URL as needed.
Topic: Implement Disaster Recovery
You need to restore D:\Shares\Finance from Azure Backup for an Azure VM named FS01. The production VM must remain online and must not be overwritten. The File Recovery script runs successfully on a compatible Windows Server jump host, but the mounted recovery point does not show drive D:.
Backup evidence:
| Item | Evidence |
|---|---|
| Recovery point | App-consistent, latest nightly backup |
| OS disk | Included |
| Data disk LUN 0 | Included |
| Data disk LUN 1 | Excluded from backup |
| D: volume | Located on LUN 1 |
What is the best diagnostic conclusion?
Options:
A. A crash-consistent recovery point is required.
B. LUN 1 was not protected in this recovery point.
C. The script must be run on FS01.
D. The restore must replace the existing VM.
Best answer: B
Explanation: Azure Backup File Recovery can mount only the disks and volumes that are present in the selected recovery point. In this case, the restore goal is a folder on D:, and the evidence shows that D: resides on data disk LUN 1. Because LUN 1 was excluded from backup, the mounted recovery point cannot contain that volume, even though the backup item is healthy and the script runs successfully. To preserve the goal of restoring only the folder without overwriting production, the next step is to find a recovery point or another backup source that includes LUN 1, not to perform a full VM replacement.
Topic: Deploy and Manage AD DS in Hybrid Environments
Contoso uses Microsoft Entra Connect Sync and AD FS federation for contoso.com. The administrators want to move to cloud authentication in phases. The pilot must include only one synced security group, all other users must continue using AD FS, and user sign-in must be preserved if the pilot needs to be reversed. Which configuration should you use?
Options:
A. Deploy Microsoft Entra Cloud Sync for the pilot group.
B. Convert contoso.com from federated to managed authentication.
C. Enable password hash sync staged rollout for the pilot group.
D. Enable Microsoft Entra seamless SSO for all synced users.
Best answer: C
Explanation: Microsoft Entra staged rollout is designed for a controlled transition from federation to cloud authentication. With password hash sync enabled, you can add a synced security group to staged rollout so only those users authenticate directly with Microsoft Entra ID. The domain can remain federated during the pilot, so users outside the group continue to use AD FS. If the pilot has issues, removing the group from staged rollout returns those users to the existing federated path without a domain-wide cutover.
A domain conversion is the broader cutover step and should wait until the staged pilot is validated.
Topic: Secure Windows Server Hybrid Infrastructure
A Windows Server Azure IaaS VM named FS01 is marked noncompliant after a storage-security rollout. The requirement is to protect the VM’s OS and data disks by using Azure Disk Encryption.
Exhibit: VM security check
| Check | Result |
|---|---|
| Managed disk SSE | Enabled with platform-managed keys |
| VM extensions | Azure Monitor Agent only |
| Policy detail | Azure Disk Encryption extension not found |
| Key Vault | kv-sec-eastus exists |
What is the best next action?
Options:
A. Enable SMB encryption for FS01 shares.
B. Enable Azure Disk Encryption using the Key Vault.
C. Rely on managed disk SSE as configured.
D. Enable BitLocker manually inside Windows Server.
Best answer: B
Explanation: Azure managed disks are encrypted at rest with Storage Service Encryption, but that is a platform control on the storage backend, not the same thing as Azure Disk Encryption. The scenario explicitly requires Azure Disk Encryption for the VM's OS and data disks, and the diagnostic clue says the ADE extension is not found. For a Windows Server VM, ADE uses BitLocker inside the guest through the Azure VM extension and stores the BitLocker secrets (optionally wrapped by a key-encryption key) in Azure Key Vault. The appropriate next action is to enable ADE for the VM's OS and required data disks using the available Key Vault. Prerequisites worth checking before enabling: the Key Vault must be in the same subscription and region as the VM and must be enabled for disk encryption, and the VM must have enough memory and a supported OS image for the extension. Enabling BitLocker manually inside the guest would encrypt the volumes but would not satisfy the policy, which evaluates the ADE extension.
The key distinction is default managed-disk encryption versus guest-volume encryption managed through Azure Disk Encryption.
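The Key Vault check and the ADE enablement, as an added example that is not part of the original page. It serves this question and the earlier KeyVaultAuthenticationFailure troubleshooting one. It assumes resource group rg-prod, VM FS01, vault kv-sec-eastus and a KEK named vm-kek, and the Az.Compute and Az.KeyVault modules; the cmdlet reboots the VM, so run it in a change window.

```powershell
# Added example: inspect which Key Vault permission model is active (the 403/unwrapKey case),
# make sure the vault is enabled for disk encryption, then enable ADE with a KEK.
# Assumed names: rg-prod, FS01, kv-sec-eastus, vm-kek.

$rg = 'rg-prod'; $vmName = 'FS01'; $vaultName = 'kv-sec-eastus'; $kekName = 'vm-kek'

$kv = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg

# Where the unwrap permission lives depends on the vault's access model.
if ($kv.EnableRbacAuthorization) {
    # RBAC model: the encryption identity needs a role whose data actions include
    # Microsoft.KeyVault/vaults/keys/wrap/action and .../keys/unwrap/action.
    Get-AzRoleAssignment -Scope $kv.ResourceId | Select-Object DisplayName, ObjectType, RoleDefinitionName
} else {
    # Access-policy model: look for wrapKey and unwrapKey in PermissionsToKeys.
    $kv.AccessPolicies | Select-Object DisplayName, PermissionsToKeys
}

# ADE requires this vault-level flag regardless of model; it is what the platform checks
# when the extension reads and writes the BitLocker secret.
if (-not $kv.EnabledForDiskEncryption) {
    Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rg -EnabledForDiskEncryption
}

# Create the KEK if it is not there (software-protected; use -Destination HSM on a premium vault).
$kek = Get-AzKeyVaultKey -VaultName $vaultName -Name $kekName -ErrorAction SilentlyContinue
if (-not $kek) { $kek = Add-AzKeyVaultKey -VaultName $vaultName -Name $kekName -Destination Software }

# Enable ADE on OS and data volumes. The guest's BitLocker key is wrapped with the KEK,
# which is why the boot path needs unwrapKey on this key every time.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# OsVolumeEncrypted / DataVolumesEncrypted should report Encrypted; the KEK URL is shown too.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

The RBAC/access-policy branch is the part to keep for incident work: a vault switched from access policies to RBAC during a change window keeps its old policies listed but stops honoring them, which produces exactly the 403 on unwrapKey described in the earlier question.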
Topic: Manage Virtual Machines and Containers
A company is moving a latency-sensitive Windows Server database VM to Azure. The database data volume must provide 150,000 IOPS, remain persistent across VM restarts, and use default encryption at rest with platform-managed keys. Shared disk access is not required. Which storage design is the best fit?
Options:
A. Mount a Standard SSD data disk
B. Attach Ultra Disk managed data disks
C. Use an ephemeral OS disk for the database files
D. Store database files on an Azure Files standard share
Best answer: B
Explanation: Azure Ultra Disk is designed for high-performance, low-latency data disk workloads on Azure virtual machines, such as demanding database workloads. It supports persistent managed data disks with provisioned IOPS and throughput, while Azure managed disks are encrypted at rest by default using server-side encryption with platform-managed keys unless another encryption option is selected. The key requirements are high IOPS and persistence, not shared access or file-share modernization. Ephemeral OS disks are not appropriate for durable database data, and standard storage tiers are not intended for this performance profile.
Topic: Secure Windows Server Hybrid Infrastructure
A company runs AD DS domain controllers on-premises, Windows Server file servers onboarded to Azure Arc, and several Windows Server Azure VMs. The security team needs to detect identity attacks against AD DS, assess and protect server workloads, and centralize incidents for correlation and automated response. Which design is the best fit?
Options:
A. Use Defender for Identity for AD DS signals, Defender for Cloud with Defender for Servers for workload protection, and Sentinel for SIEM/SOAR.
B. Use Defender for Servers to replace AD DS auditing, Defender for Cloud for playbooks, and Sentinel only for endpoint antivirus.
C. Use Defender for Cloud to monitor Kerberos attacks directly, Defender for Identity for Azure VM patching, and Defender for Servers for SIEM correlation.
D. Use Sentinel sensors on domain controllers, Defender for Identity for server vulnerability assessment, and Defender for Cloud only for log retention.
Best answer: A
Explanation: In a hybrid Windows Server security design, these services have distinct roles. Microsoft Defender for Identity detects identity-based threats by analyzing AD DS signals from domain controllers, such as suspicious Kerberos activity or lateral movement. Microsoft Defender for Cloud provides security posture management and enables workload protection plans. Defender for Servers is the Defender for Cloud plan focused on server workloads, including Azure VMs and Azure Arc-enabled servers. Microsoft Sentinel is the SIEM/SOAR platform used to ingest incidents and logs, correlate detections, run analytics, and automate response. The key is to assign detection, protection, and correlation to the service designed for that responsibility.
Topic: Migrate Servers and Workloads
During migration planning, a Windows Server file server selected for Azure VM migration is flagged with a Review target selection warning.
| Assessment finding | Value |
|---|---|
| Server roles | File Server only |
| Local app dependencies | None found |
| Shares | SMB departmental shares |
| Permissions | NTFS ACLs using AD DS groups |
| Business goal | Reduce server OS management |
What is the best next diagnostic action?
Options:
A. Troubleshoot Azure Migrate replication appliance connectivity
B. Replace NTFS ACLs with Microsoft Entra role assignments
C. Deploy a larger Azure VM as the file server target
D. Validate Azure Files readiness for the shares
Best answer: D
Explanation: The warning is about target selection, not a failed server replication. The inventory shows that the server provides only SMB file shares, has no local application dependencies, and the business goal is to reduce Windows Server operating system management. That is the pattern where the administrator should assess migration to Azure file shares instead of automatically rehosting the whole Windows Server file server as an Azure VM. The diagnostic action should confirm Azure Files requirements: SMB client connectivity, identity-based authentication with AD DS or Microsoft Entra Kerberos as appropriate, NTFS ACL preservation expectations, capacity, and performance needs. A larger VM or replication troubleshooting does not address whether the workload needs a server at all.
Topic: Monitor and Troubleshoot Windows Server
A company has a single AD DS forest. Users report intermittent Kerberos authentication failures, and repadmin shows replication errors that correlate with time skew between domain controllers. Network rules allow only the forest root PDC emulator to reach the approved NTP appliances. You need to restore the supported domain time hierarchy and prevent domain members from using internet time sources. Which configuration should you apply?
Options:
A. Configure each domain controller to synchronize only with its Hyper-V host.
B. Configure the forest root PDC emulator to use the approved NTP appliances; configure other domain-joined computers to use the domain hierarchy.
C. Configure every domain controller to use the approved NTP appliances directly.
D. Configure all domain members to use the approved NTP appliances directly.
Best answer: B
Explanation: Windows Time Service in an AD DS domain is normally hierarchical. The forest root PDC emulator is the authoritative point that should synchronize with a reliable external time source, such as approved NTP appliances. Other domain controllers and domain members should use the domain hierarchy, commonly through the NT5DS synchronization type, so Kerberos, replication, and domain operations share a consistent time source. This design also matches the firewall constraint because only the PDC emulator needs outbound NTP access. Pointing all systems to external NTP bypasses the domain hierarchy, and relying on virtualization host time can introduce inconsistent time sources for domain controllers.
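The time hierarchy described above, as an added example that is not part of the original page. It assumes the approved appliances are ntp1.corp.contoso.com and ntp2.corp.contoso.com and that the script runs with administrative rights on each domain controller and member; the RSAT Active Directory module is used only to find the forest root PDC emulator.

```powershell
# Added example: configure w32time according to the domain hierarchy. The forest root PDC
# emulator takes time from the approved appliances; every other DC and member uses the
# domain hierarchy (NT5DS). Assumed appliance names: ntp1/ntp2.corp.contoso.com.
Import-Module ActiveDirectory

$forest = Get-ADForest
$pdc    = (Get-ADDomain -Identity $forest.RootDomain).PDCEmulator   # FQDN
"Forest root PDC emulator: $pdc"

if ($env:COMPUTERNAME -ieq $pdc.Split('.')[0]) {
    # Only this host needs outbound NTP to the appliances (matches the firewall rule).
    # 0x8 = client mode; /reliable:yes advertises this DC as a good source to the rest.
    w32tm /config /manualpeerlist:"ntp1.corp.contoso.com,0x8 ntp2.corp.contoso.com,0x8" `
        /syncfromflags:manual /reliable:yes /update
}
else {
    # Everything else: domain hierarchy. This also discards any manual Internet peer list
    # that someone configured locally, which is how "domain members using internet time" happens.
    w32tm /config /syncfromflags:domhier /reliable:no /update
}
Restart-Service w32time
w32tm /resync /rediscover

# Verification
w32tm /query /source          # an appliance on the PDC emulator; a domain controller name elsewhere
w32tm /query /configuration   # Type: NTP on the PDC emulator, NT5DS on every other machine
w32tm /monitor                # offset of every DC relative to this host; look for the skewed one
```

For virtualized domain controllers, check the hypervisor's time-sync integration as well: a DC that takes time from its Hyper-V host instead of the domain hierarchy is the "inconsistent time sources" failure the explanation warns about, and it will show the host rather than a DC in `w32tm /query /source`.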
Topic: Implement Disaster Recovery
You perform a test failover of a two-tier application by using an Azure Site Recovery recovery plan. The recovery plan job completes, both Azure VMs start successfully, but the web VM cannot connect to the database VM.
Exhibit: Validation evidence
| Check | Result |
|---|---|
| Replication health | Healthy, latest recovery point used |
| Recovery plan order | DB VM group 1, Web VM group 2 |
| VM boot diagnostics | Both VMs booted successfully |
| Connection test | Web VM to DB VM TCP 1433: blocked by NSG |
What is the most likely root cause?
Options:
A. The replication recovery point is inconsistent
B. The test failover used the wrong recovery plan
C. The database VM was started after the web VM
D. The recovery network blocks database traffic
Best answer: D
Explanation: For Site Recovery failover validation, separate replication, orchestration, and network checks. The evidence shows replication health is healthy, the latest recovery point was used, the recovery plan started the database tier before the web tier, and both VMs booted. That rules out the common storage and sequencing causes shown in the evidence. The remaining failure is connectivity after failover: the web VM cannot reach the database VM on TCP 1433 because an NSG blocks that traffic in the recovery network.
The next remediation would be to review the effective NSG rules and recovery VNet/subnet placement for the failed-over NICs before promoting the test result as successful.
Topic: Monitor and Troubleshoot Windows Server
After monthly patching, a Windows Server 2022 member server rebooted, but a line-of-business service did not start. You need to configure a local Event Viewer view that shows only service startup evidence from the current boot. You must avoid deploying agents or enabling additional auditing. Which configuration should you use?
Options:
A. Create a Performance Monitor Data Collector Set for the service
B. Filter the System log for Service Control Manager events since boot
C. Enable the WindowsUpdateClient Operational log and filter errors
D. Filter the Security log for Audit Failure events since boot
Best answer: B
Explanation: For service startup failures, the fastest local event-log configuration is a Custom View or filter against the Windows System log with the Service Control Manager source and a time range beginning at the last boot. Service Control Manager records events such as a service failing to start, a dependency failure, or a service entering the running or stopped state. This satisfies the need for local evidence without adding agents or changing audit policy. The key is matching the failure type to the event source and log, then narrowing the time window so routine historical service events do not obscure the boot-related evidence.
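The filter described above, as an added example that is not part of the original page: the same query as a Get-WinEvent call for immediate triage and as the XPath you can paste into the XML tab of Event Viewer's Create Custom View dialog. The event IDs are the standard Service Control Manager IDs; the service display name is an assumption.

```powershell
# Added example: Service Control Manager events since the last boot, first as a PowerShell
# query, then as custom-view XML for Event Viewer. No agents, no audit policy changes.
# Assumed: the line-of-business service's display name is 'Contoso LOB Service'.

$lastBoot           = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$serviceDisplayName = 'Contoso LOB Service'

# SCM IDs that explain a service that is not running:
# 7000 failed to start        7001 dependency failed to start   7009 timeout connecting
# 7011 transaction timeout    7022 hung on starting             7023 terminated with error
# 7024 service-specific error 7031/7034 terminated unexpectedly 7036 state change
# 7038 could not log on (account/password problem after patching is common)
$scmIds = 7000, 7001, 7009, 7011, 7022, 7023, 7024, 7031, 7034, 7036, 7038

Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = $scmIds
    StartTime    = $lastBoot
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$serviceDisplayName*" } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -Wrap

# Equivalent Event Viewer custom view (XML tab). timediff() is in milliseconds, so the window
# is computed from the boot time rather than hard-coded as "last 24 hours".
$sinceBootMs = [int64]((Get-Date) - $lastBoot).TotalMilliseconds
$idFilter    = ($scmIds | ForEach-Object { "EventID=$_" }) -join ' or '
@"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='Service Control Manager']
        and ($idFilter)
        and TimeCreated[timediff(@SystemTime) &lt;= $sinceBootMs]]]
    </Select>
  </Query>
</QueryList>
"@
```

The ID list is the useful part to keep: 7000 alone tells you the service failed, but 7001 points at a dependency, 7038 at a logon/credential problem, and 7009/7022 at a service that never finished initializing, each of which is a different fix after a patch cycle.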
Topic: Manage Virtual Machines and Containers
You manage an on-premises Windows Server 2022 cluster that will host several legacy .NET Framework applications packaged as Windows Server containers. The workloads must remain on-premises, use AKS-style orchestration, and avoid refactoring the images to Linux containers. Which configuration should you implement?
Options:
A. A Linux-only AKS cluster connected to Azure Arc
B. AKS enabled by Azure Arc with a Windows worker node pool
C. Standalone Docker Engine on each Windows Server host
D. Azure Container Instances with a private endpoint
Best answer: B
Explanation: For on-premises orchestration of Windows container workloads, use AKS enabled by Azure Arc on Windows Server and include Windows worker nodes for the application pods. Windows container images require Windows nodes with a compatible Windows Server container host; they cannot be scheduled onto Linux-only nodes. This satisfies the on-premises requirement while providing AKS-style cluster management instead of manually running containers on individual hosts.
The key distinction is orchestration plus node OS compatibility: AKS enabled by Azure Arc provides the hybrid AKS platform, and the Windows node pool provides the runtime target for Windows containers.
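An added example (not from the original page) of the two halves of that distinction in practice: adding a Windows node pool to an AKS cluster enabled by Azure Arc on Windows Server, then pinning a Windows container workload to those nodes. It assumes the AksHci PowerShell module on the management host and an existing target cluster; the cluster name, pool name, node count, deployment name and image tag are placeholders.

```powershell
# Added example (not from the original page). Assumes the AksHci module is installed
# and an AKS Arc cluster named 'cad-apps' already exists; names and counts are placeholders.
Import-Module AksHci

# 1. Give Windows container images a runtime target: a Windows node pool.
New-AksHciNodePool -clusterName 'cad-apps' -name 'winpool' -osType Windows -count 2

# 2. Pull kubeconfig and confirm the Windows nodes are Ready and labelled as such.
Get-AksHciCredential -name 'cad-apps' -Confirm:$false
kubectl get nodes -l kubernetes.io/os=windows -o wide

# 3. Pin the workload to Windows nodes. Without the nodeSelector the scheduler may place
#    the pod on a Linux node, where a Windows image cannot run. The base image must also
#    match the Windows Server version of the node OS (placeholder tag below).
$manifest = @'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: legacy-netfx-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: legacy-netfx-app
  template:
    metadata:
      labels:
        app: legacy-netfx-app
    spec:
      nodeSelector:
        kubernetes.io/os: windows
      containers:
      - name: web
        image: mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2022
        ports:
        - containerPort: 80
'@
$manifest | kubectl apply -f -

# 4. Verify the pods landed on Windows nodes, not Linux control-plane or Linux worker nodes.
kubectl get pods -l app=legacy-netfx-app -o wide
```

The check that matters is the NODE column in the last command: every pod should sit on a node returned by the label query in step 2.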
Topic: Implement Windows Server High Availability
Your team manages an on-premises Windows Server failover cluster that hosts a highly available file server role. During planned maintenance, operators must use the existing Windows Admin Center gateway to check cluster health, move the file server role, and pause or resume nodes. They should not RDP to cluster nodes. Which configuration should you implement?
Options:
A. Add the cluster as a Failover cluster connection in Windows Admin Center.
B. Configure Azure Update Manager for the cluster nodes.
C. Create a Storage Migration Service job for the file server role.
D. Add each node only as an individual server connection.
Best answer: A
Explanation: Windows Admin Center can manage a failover cluster as a cluster-scoped connection, not just as separate server connections. For this scenario, the operators need cluster-level operations: viewing overall health, managing clustered roles, and pausing or resuming nodes during maintenance. Adding the cluster connection lets Windows Admin Center use the Failover cluster management experience for those tasks through the gateway, avoiding RDP and local GUI tools on each node. Managing nodes as standalone servers can show server health, but it does not provide the same role and cluster operation context. The key is to connect to the cluster object when the required work is cluster administration.
Topic: Deploy and Manage AD DS in Hybrid Environments
A company is moving a legacy Windows Server application to Azure IaaS. The application requires LDAP lookups, Kerberos authentication, and domain-joined servers. The identity team already synchronizes users and groups to Microsoft Entra ID, but the operations team must avoid deploying or patching domain controllers in Azure. Which configuration should you use?
Options:
A. Register the application in Microsoft Entra ID and configure OAuth authentication.
B. Deploy AD DS domain controllers on Azure VMs and configure the VNet DNS to those VMs.
C. Enable Microsoft Entra Domain Services and point the VNet DNS to its managed domain IPs.
D. Use Microsoft Entra Cloud Sync to synchronize Azure VM computer accounts to on-premises AD DS.
Best answer: C
Explanation: Microsoft Entra Domain Services is the managed domain option for workloads that still require traditional AD DS-compatible features, such as LDAP, Kerberos/NTLM, domain join, and Group Policy support. In this scenario, the workload needs domain services, but the team does not want to deploy, secure, patch, or replicate domain controllers in Azure. Enabling Microsoft Entra Domain Services in an Azure virtual network and configuring the workload VNet DNS settings to use the managed domain IP addresses lets the Azure VMs locate and join the managed domain. Existing users and groups synchronized to Microsoft Entra ID are made available in the managed domain; for on-premises users this requires password hash synchronization, because the managed domain needs the NTLM and Kerberos hashes to authenticate them, and it is one-way only (objects cannot be written back to on-premises AD DS through the managed domain). The key distinction is that Microsoft Entra ID alone is not a domain controller service, while Microsoft Entra Domain Services supplies managed AD DS-compatible services.
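An added example, not from the original page, covering the configuration step in the answer and the checks an operator would run before declaring the VNet ready: point the workload VNet at the managed domain's DNS, confirm the VMs can resolve and reach the domain, then join. It assumes the Az PowerShell modules with an active sign-in; the resource group, VNet name, managed domain name and the two DNS IP addresses are placeholders (the real IPs are shown on the managed domain's Properties blade).

```powershell
# Added example (not from the original page). Assumes Az.Network is installed and
# Connect-AzAccount has been run; all names and IPs below are placeholders.
$rg              = 'rg-identity'
$vnet            = 'vnet-apps'
$managedDomain   = 'aadds.contoso.com'
$managedDnsIps   = @('10.0.1.4', '10.0.1.5')   # from the managed domain's Properties blade

# 1. Point the workload VNet at the managed domain's DNS servers. Without this the VMs
#    cannot find the _ldap/_kerberos SRV records and the domain join fails on discovery.
$net = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnet
$net.DhcpOptions.DnsServers = $managedDnsIps
$net | Set-AzVirtualNetwork | Out-Null

# 2. On an Azure VM in that VNet (after a reboot or ipconfig /renew picks up the new DNS),
#    verify discovery and reachability before attempting the join.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$managedDomain" -Type SRV
Test-NetConnection -ComputerName $managedDomain -Port 88    # Kerberos
Test-NetConnection -ComputerName $managedDomain -Port 389   # LDAP

# 3. Join with an account that is a member of the managed domain's
#    'AAD DC Administrators' group, then reboot.
Add-Computer -DomainName $managedDomain -Credential (Get-Credential) -Restart
```

If step 2 resolves the SRV record but the port tests fail, the usual cause is a network security group on the VM subnet blocking 88/389 to the managed domain subnet, not the managed domain itself.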
Topic: Manage Storage and File Services
Users in GG-Projects-RW access \\FS1\Projects\Design over SMB. They can open files but receive Access denied when saving changes. Name resolution for FS1 succeeds, and Effective Access on D:\Shares\Projects\Design shows GG-Projects-RW has NTFS Modify inherited from the parent. The Projects share currently grants Everyone: Read and Administrators: Full Control. You must allow the group to modify files without disabling NTFS inheritance or broadening access to all users. Which configuration change should you make?
Options:
A. Grant Everyone Full Control on the Projects share.
B. Disable inheritance on the Design folder and add Modify.
C. Grant GG-Projects-RW Change on the Projects share.
D. Create a DNS CNAME for FS1 and reconnect the share.
Best answer: C
Explanation: For SMB access to a Windows Server file share, the effective permission is constrained by both the share permission and the NTFS permission. In this case, name resolution works and NTFS already allows GG-Projects-RW to modify the Design folder through inheritance. The blocking setting is the share permission: Everyone: Read limits remote SMB users to read access even when NTFS allows Modify. Granting the group Change on the share permits write operations while NTFS continues to enforce folder-level scope and inheritance. Granting broad share permissions to Everyone would violate the requirement to avoid broadening access.
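An added example, not from the original page, of the same diagnosis and fix on FS1: read the share ACL and the inherited NTFS ACE, then grant the group Change at the share level without touching inheritance or Everyone. The domain name CONTOSO is a placeholder; the share, path and group names are those in the question.

```powershell
# Added example (not from the original page). Run on FS1 as an administrator.
# Domain name is a placeholder; share, path and group come from the scenario.
$share = 'Projects'
$group = 'CONTOSO\GG-Projects-RW'
$path  = 'D:\Shares\Projects\Design'

# 1. Share layer: this is the ceiling for every remote SMB session.
#    Expect Everyone: Read and Administrators: Full Control, and no entry for the group.
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight

# 2. NTFS layer: the group already holds Modify via inheritance, so nothing to change here.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -eq $group } |
    Format-Table IdentityReference, FileSystemRights, IsInherited, AccessControlType

# 3. Fix: add Change for the group on the share. Everyone: Read is left in place,
#    so users outside the group keep read-only access, and NTFS still scopes the group
#    to Design (and any other folder where it has Modify).
Grant-SmbShareAccess -Name $share -AccountName $group -AccessRight Change -Force

# 4. Verify: effective access over SMB is now min(share=Change, NTFS=Modify) = write allowed.
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight
```

Users who already have a session to \\FS1 may need to disconnect and reconnect, because share permissions are evaluated when the session to the share is established.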
Everyone Full Control expands share-level capability beyond the target group. Disabling inheritance on Design changes the NTFS layer, which already allows Modify, and violates the requirement to keep inheritance. FS1 already resolves and the symptom is an authorization failure, not a name lookup failure.
Topic: Manage Virtual Machines and Containers
You manage a supported Windows Server Hyper-V cluster in an on-premises datacenter. The hosts are administered with Windows Admin Center and monitored through Azure Arc. A CAD team is moving rendering workers from physical workstations to VMs. Several VMs must use the same physical GPU concurrently, and the design must avoid dedicating the entire GPU to one VM. Which Hyper-V resource configuration should you select?
Options:
A. Configure GPU partitioning for the VMs.
B. Create a VM resource group for the workload.
C. Place the VMs in a CPU group.
D. Enable nested virtualization for the VMs.
Best answer: A
Explanation: GPU partitioning, often called GPU-P, is the design fit when multiple Hyper-V VMs need concurrent access to portions of a physical GPU. It provides GPU acceleration to guests without assigning the whole adapter exclusively to one VM. That matches the CAD rendering requirement and the constraint to share one GPU across several workers. Nested virtualization exposes virtualization extensions inside a guest, while CPU groups control processor allocation and isolation. VM resource grouping is not the mechanism for sharing GPU capacity.
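An added example, not from the original page, of configuring GPU partitioning on a Hyper-V host with the Hyper-V PowerShell module: enumerate partitionable GPUs, set the partition count to the number of rendering VMs, apply the guest settings GPU-P requires, and attach one partition per VM. The VM names and partition count are placeholders; the supported partition count depends on the GPU driver.

```powershell
# Added example (not from the original page). Run on the Hyper-V host as an administrator.
# VM names are placeholders; the achievable partition count is driver-dependent.
$vms = 'render-01', 'render-02', 'render-03', 'render-04'

# 1. Check: does this host expose a partitionable GPU at all? An empty result means the
#    OS build or GPU driver does not support GPU-P, and the rest of the script is pointless.
$gpu = Get-VMHostPartitionableGpu | Select-Object -First 1
if (-not $gpu) { throw 'No partitionable GPU found on this host.' }
$gpu | Format-List Name, PartitionCount, TotalVRAM

# 2. One partition per concurrent VM; the adapter is shared, not handed to a single guest.
Set-VMHostPartitionableGpu -Name $gpu.Name -PartitionCount $vms.Count

foreach ($vm in $vms) {
    Stop-VM -Name $vm -Force -ErrorAction SilentlyContinue

    # Guest settings required for GPU-P: guest-controlled cache types and enlarged MMIO space.
    Set-VM -Name $vm -GuestControlledCacheTypes $true `
        -LowMemoryMappedIoSpace 1GB -HighMemoryMappedIoSpace 32GB

    # Attach a GPU partition to the VM (a slice of the adapter, not DDA of the whole device).
    Add-VMGpuPartitionAdapter -VMName $vm

    Start-VM -Name $vm
}

# 3. Verify each VM received a partition.
foreach ($vm in $vms) { Get-VMGpuPartitionAdapter -VMName $vm | Format-List VMName, InstancePath }
```

Inside each guest the vendor GPU driver still has to be installed; Device Manager showing the adapter with a driver error after step 3 is the usual sign that it is missing.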
Topic: Implement Windows Server High Availability
During planned maintenance, an administrator tries to move the clustered file server role FS-App from NODE1 to NODE3. The role stays online on NODE1, and the move returns: No nodes are available for this group. Quorum is online, NODE3 is Up, and the shared disk is Online.
Exhibit:
Cluster role: FS-App
Current owner: NODE1
State: Online
Preferred owners: NODE1, NODE2
Possible owners: NODE1, NODE2
What is the most likely root cause?
Options:
A. The role must be stopped before it can move
B. NODE3 is not a possible owner for the role
C. The cluster witness is preventing the failover
D. The shared disk must be placed in maintenance mode
Best answer: B
Explanation: Failover clustering only moves a clustered role to a node that is eligible to own that role and its resources. The evidence shows NODE3 is Up and the shared disk and quorum are healthy, but NODE3 is absent from both the preferred and possible owner lists. Because the move request targets a node that is not an allowed owner, the cluster keeps the role online on NODE1 rather than causing an outage. To preserve service availability and administrative control, validate and adjust possible owners before attempting the planned move.
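An added example, not from the original page, of validating and adjusting possible owners for the role in the exhibit, then retrying the move. It runs on any cluster node with the FailoverClusters module; role and node names are those in the exhibit. It also checks the resources inside the role, since a disk, network name or IP address resource with its own restricted owner list blocks the move in the same way.

```powershell
# Added example (not from the original page). Run on a cluster node; names are from the exhibit.
Import-Module FailoverClusters
$role = 'FS-App'

# 1. Reproduce the exhibit: group-level possible owners (NODE1, NODE2 only).
Get-ClusterOwnerNode -Group $role

# Resources inside the role carry their own possible-owner lists and can block a move
# even after the group is fixed, so inspect them too.
Get-ClusterGroup -Name $role | Get-ClusterResource | Get-ClusterOwnerNode

# 2. Add NODE3 as a possible owner of the group and of every resource in it.
$owners = 'NODE1', 'NODE2', 'NODE3'
Set-ClusterOwnerNode -Group $role -Owners $owners
Get-ClusterGroup -Name $role | Get-ClusterResource |
    ForEach-Object { Set-ClusterOwnerNode -Resource $_.Name -Owners $owners }

# 3. Preferred owners only rank eligible nodes; they do not need to change for the move.
#    Optionally add NODE3 so failback/failover ordering includes it:
# Set-ClusterOwnerNode -Group $role -Owners NODE1, NODE2, NODE3   # preferred list uses the same cmdlet

# 4. Retry the planned move, then confirm the new owner and state.
Move-ClusterGroup -Name $role -Node 'NODE3'
Get-ClusterGroup -Name $role | Format-Table Name, OwnerNode, State
```

Run step 1 before every planned move; possible-owner restrictions are often set deliberately (licensing, local storage, GPU) and the right fix may be to choose a different target node rather than to widen the list.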
Stopping the role would not make NODE3 an eligible owner, and placing the shared disk in maintenance mode is unnecessary here and could disrupt storage access.
Topic: Migrate Servers and Workloads
A company has a single AD DS forest with two domains. The forest and domain functional levels are Windows Server 2012 R2, and several domain controllers still run Windows Server 2012 R2. The security team wants to use time-limited group membership for just-in-time administration in the existing forest, while retaining the current DNS namespace and object SIDs. Which configuration should you perform?
Options:
A. Create a new AD DS forest, migrate users, and establish a two-way forest trust
B. Demote older DCs, raise all domain and forest functional levels to Windows Server 2016, then enable PAM
C. Deploy Microsoft Entra Domain Services and synchronize the existing users
D. Raise only the forest functional level and leave the domain functional levels unchanged
Best answer: B
Explanation: AD DS functional levels control which forest and domain features can be used. Time-limited group membership depends on the Privileged Access Management optional feature, which requires the Windows Server 2016 forest functional level; raising the forest level in turn requires every domain in the forest to be at the Windows Server 2016 domain functional level, which is only possible once no domain controller in any domain runs an older operating system. Domain controllers that cannot support that level must be upgraded or demoted first. After the functional level requirement is met, the Privileged Access Management optional feature can be enabled in the existing forest; note that enabling it is permanent, because optional features of this kind cannot be disabled afterwards. This preserves the current namespace, SIDs, and domain structure instead of creating a migration project.
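An added example, not from the original page, of the sequence in the answer with the ActiveDirectory PowerShell module: inventory domain controllers and functional levels, raise each domain and then the forest, enable the PAM optional feature, and add a time-limited group membership. The forest name contoso.com and the user name are placeholders; the commands need Enterprise Admin rights and assume the Windows Server 2012 R2 domain controllers have already been demoted or upgraded.

```powershell
# Added example (not from the original page). Forest and user names are placeholders.
# Requires Enterprise Admin; run after the 2012 R2 DCs are demoted or upgraded.
Import-Module ActiveDirectory
$forest = 'contoso.com'

# 1. Inventory: any DC below Windows Server 2016 in any domain blocks the raise.
foreach ($d in (Get-ADForest -Identity $forest).Domains) {
    Get-ADDomainController -Filter * -Server $d | Format-Table Name, Domain, OperatingSystem
    Get-ADDomain -Identity $d | Format-Table DNSRoot, DomainMode
}
Get-ADForest -Identity $forest | Format-Table Name, ForestMode

# 2. Raise every domain first, then the forest (the forest raise fails otherwise).
foreach ($d in (Get-ADForest -Identity $forest).Domains) {
    Set-ADDomainMode -Identity $d -DomainMode Windows2016Domain -Confirm:$false
}
Set-ADForestMode -Identity $forest -ForestMode Windows2016Forest -Confirm:$false

# 3. Enable PAM. One-way: the optional feature cannot be disabled once enabled.
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target $forest -Confirm:$false

# 4. Just-in-time membership: expires after 2 hours; the member's Kerberos TGT lifetime
#    is capped to the remaining TTL so the privilege does not outlive the membership.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'jdoe' `
    -MemberTimeToLive (New-TimeSpan -Hours 2)

# 5. Verify: -ShowMemberTimeToLive renders expiring members as <TTL=seconds,DN>.
Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```

Step 4 fails with an error about the member TTL if step 3 was skipped, which is a quick way to confirm whether PAM is actually enabled in an unfamiliar forest.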
Use the Microsoft AZ-802 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Try Microsoft AZ-802 on Web View Microsoft AZ-802 Practice Test
Read the Microsoft AZ-802 Cheat Sheet for compact concept review before returning to timed practice.