Try 10 focused Microsoft AZ-802 questions on Implement and Manage Hybrid Networking, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | Microsoft AZ-802 |
| Topic area | Implement and Manage Hybrid Networking |
| Blueprint weight | 9% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Implement and Manage Hybrid Networking for Microsoft AZ-802. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 9% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Implement and Manage Hybrid Networking
A branch subnet is connected to the datacenter by a site-to-site VPN. DHCP01 is a Windows Server DHCP server, and the branch router relays DHCP requests to it. Users report intermittent IP conflicts after a license server was moved back to the branch.
| Evidence | Value |
|---|---|
| Scope | 10.30.8.0/24 |
| Address pool | 10.30.8.50-10.30.8.220 |
| Active lease | 10.30.8.80 to a laptop MAC |
| License server | Static 10.30.8.80 |
You must keep 10.30.8.80 for the license server and centrally manage the assignment in DHCP/IPAM. Which design is the best fit?
Options:
A. Exclude 10.30.8.80 and leave the server statically configured.
B. Add a second DHCP scope containing only 10.30.8.80.
C. Create a DHCP reservation for the license server and clear the laptop lease.
D. Change the branch router relay to the Azure VPN gateway.
Best answer: C
Explanation: The address 10.30.8.80 is inside the dynamic pool and has already been leased to a laptop, while the license server also uses it statically, so two hosts contend for the same address. Because the requirement is to keep the address and manage the assignment centrally in DHCP/IPAM, the best design is a DHCP reservation for the license server's MAC address, with the conflicting laptop lease removed so that client renews onto a different pool address. The relay is already forwarding requests successfully, so changing the network boundary is not the issue. An exclusion would stop future dynamic leasing of the address, but it would not make DHCP responsible for assigning it to the license server, which is what central management requires.
Topic: Implement and Manage Hybrid Networking
A branch office uses a Windows Server DHCP scope for 10.25.16.0/24 with an address pool of 10.25.16.1 through 10.25.16.254. The network team now reserves 10.25.16.1 through 10.25.16.49 for static infrastructure addresses. IPAM is deployed for inventory, utilization reporting, and audit history. You must prevent new DHCP clients from receiving addresses in the reserved range without changing the subnet. Which action should you take?
Options:
A. Mark the reserved addresses as in use in IPAM.
B. Add a DHCP exclusion range for 10.25.16.1-10.25.16.49.
C. Create an IPAM access policy for the network team.
D. Create a DHCP superscope for the branch subnet.
Best answer: B
Explanation: DHCP scope configuration controls which addresses the DHCP server can lease to clients. In this scenario, the addressing problem is not visibility, auditing, or delegation; it is that the active DHCP pool includes addresses that must be reserved for static infrastructure. Adding an exclusion range to the existing scope keeps the subnet and scope intact while preventing future dynamic leases from that range. IPAM can help track address usage and provide governance, but simply changing IPAM inventory state does not by itself change what the DHCP service leases to clients. Use IPAM for planning and oversight; use DHCP scope settings to enforce lease behavior.
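The two DHCP fixes above (a reservation that takes over an address already leased to another client, and an exclusion that carves static infrastructure out of a live pool) as one PowerShell pass against the DHCP server. This is an added example, not part of the original IT Mastery page; the server name DHCP01, the license server MAC 00-15-5D-10-30-80, and the reservation name are assumptions. Scope IDs and ranges are the ones given in the two questions.

```powershell
# Added example (not from the original page). Assumed: DHCP server DHCP01 is
# reachable over WinRM/RPC, and the license server's MAC is 00-15-5D-10-30-80.
# Scope IDs and ranges are the ones given in the two questions above.
Import-Module DhcpServer

$Server = 'DHCP01'

function ConvertTo-UInt32Address ([string]$Ip) {
    # Big-endian integer form so two dotted addresses can be range-compared.
    $b = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    [Array]::Reverse($b)
    [BitConverter]::ToUInt32($b, 0)
}

# ---- Question 1: 10.30.8.80 must be owned by the license server via a reservation ----
$Scope1 = '10.30.8.0'; $Ip = '10.30.8.80'; $Mac = '00-15-5D-10-30-80'   # MAC is assumed

# Record the conflicting lease before clearing it (who had it, until when).
Get-DhcpServerv4Lease -ComputerName $Server -ScopeId $Scope1 -IPAddress $Ip |
    Format-Table IPAddress, ClientId, HostName, AddressState, LeaseExpiryTime -AutoSize

# Clear the laptop's lease so it takes a different pool address on its next request, then
# reserve the address for the license server's MAC. The reservation sits inside the pool;
# no exclusion is needed, and IPAM now sees DHCP as the owner of the assignment.
Remove-DhcpServerv4Lease -ComputerName $Server -ScopeId $Scope1 -IPAddress $Ip -ErrorAction SilentlyContinue
Add-DhcpServerv4Reservation -ComputerName $Server -ScopeId $Scope1 -IPAddress $Ip -ClientId $Mac `
    -Name 'LICENSE01' -Description 'License server, moved back to branch' -Type Dhcp

# ---- Question 2: 10.25.16.1-49 carved out for static infrastructure ----
$Scope2 = '10.25.16.0'; $ExclStart = '10.25.16.1'; $ExclEnd = '10.25.16.49'
$lo = ConvertTo-UInt32Address $ExclStart; $hi = ConvertTo-UInt32Address $ExclEnd

# Caveat: an exclusion only stops *new* leases. Anything already leased in the range keeps
# its lease until it expires, so list those leases and deal with them deliberately.
$inRange = Get-DhcpServerv4Lease -ComputerName $Server -ScopeId $Scope2 | Where-Object {
    $n = ConvertTo-UInt32Address "$($_.IPAddress)"
    $n -ge $lo -and $n -le $hi
}
if ($inRange) {
    Write-Warning 'Active leases inside the new exclusion range (not revoked automatically):'
    $inRange | Format-Table IPAddress, ClientId, HostName, LeaseExpiryTime -AutoSize
}

Add-DhcpServerv4ExclusionRange -ComputerName $Server -ScopeId $Scope2 -StartRange $ExclStart -EndRange $ExclEnd

# Verify what the server will now refuse to lease, and what it owns by reservation.
Get-DhcpServerv4ExclusionRange -ComputerName $Server -ScopeId $Scope2 | Format-Table ScopeId, StartRange, EndRange -AutoSize
Get-DhcpServerv4Reservation  -ComputerName $Server -ScopeId $Scope1 | Format-Table IPAddress, ClientId, Name -AutoSize
```

The lease listing before the exclusion is the part people skip: hosts already holding 10.25.16.1-49 keep working until their lease ends, and a static device brought up on one of those addresses in the meantime will collide with them exactly as the license server did in the first question.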
Topic: Implement and Manage Hybrid Networking
A Windows Server RRAS server provides a site-to-site IKEv2 VPN to an Azure virtual network. The VPN shows Connected. Users on the on-premises LAN cannot reach an Azure VM by private IP, but the RRAS server can.
RRAS server: 172.16.10.10
LAN client: 172.16.10.25
Azure VM: 10.20.1.4
RRAS -> 10.20.1.4: TCP 3389 succeeds
Client route to 10.20.0.0/16: via 172.16.10.1
Azure effective route to 172.16.10.0/24: Virtual network gateway
What is the most likely root cause?
Options:
A. UDP 500 and UDP 4500 are blocked outbound
B. The on-premises LAN gateway lacks a route through RRAS
C. The VPN pre-shared key is mismatched
D. The Azure VM has an incorrect private DNS record
Best answer: B
Explanation: This is a routing problem on the on-premises side. The VPN tunnel is established, and the RRAS server can reach the Azure VM, so the VPN negotiation and Azure-side routing are not the first suspects. The LAN client’s route sends traffic for 10.20.0.0/16 to 172.16.10.1, not to the RRAS server at 172.16.10.10. Unless that LAN gateway has a static route forwarding the Azure address space to RRAS, client traffic will not enter the VPN tunnel.
The key diagnostic clue is the difference between successful connectivity from RRAS and failed connectivity from another LAN host.
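A way to confirm that diagnosis from the LAN client itself, then from the RRAS side, before touching the gateway. This is an added example and not from the original page; the addresses are the question's, while the RRAS hostname RRAS01 and the interface alias Ethernet are assumptions.

```powershell
# Added example (not from the original page): decide on the LAN client whether its
# Azure-bound traffic is even being handed to the RRAS server, then confirm the RRAS
# side over WinRM. Addresses are the question's; RRAS01 and 'Ethernet' are assumed.
$AzureVm = '10.20.1.4'
$RrasLan = '172.16.10.10'

# 1. Which route and next hop does this client pick for the Azure VM?
#    Find-NetRoute returns an address object and a route object; keep the route.
$route = Find-NetRoute -RemoteIPAddress $AzureVm | Where-Object { $_.DestinationPrefix }
"Client uses $($route.DestinationPrefix) via next hop $($route.NextHop)"
if ($route.NextHop -ne $RrasLan) {
    Write-Warning ("Next hop is {0}, not RRAS ({1}). That device must forward 10.20.0.0/16 " +
                   "to {1}, or client traffic never enters the tunnel.") -f $route.NextHop, $RrasLan
}

# 2. Where does the path stop? A trace that ends at the LAN gateway confirms the missing route.
(Test-NetConnection -ComputerName $AzureVm -TraceRoute -WarningAction SilentlyContinue).TraceRoute

# 3. RRAS side: the Azure prefix must be in its table (via the S2S interface) and IPv4
#    forwarding must be enabled, otherwise even correctly routed client traffic dies here.
Invoke-Command -ComputerName 'RRAS01' -ScriptBlock {
    Get-NetRoute -AddressFamily IPv4 | Where-Object DestinationPrefix -eq '10.20.0.0/16' |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias
    Get-NetIPInterface -AddressFamily IPv4 | Select-Object InterfaceAlias, Forwarding
}

# Proper fix: a static route on the LAN gateway (172.16.10.1) for 10.20.0.0/16 -> 172.16.10.10
# (vendor-specific). Single-host workaround while the gateway change is pending:
# New-NetRoute -DestinationPrefix '10.20.0.0/16' -NextHop $RrasLan -InterfaceAlias 'Ethernet'
```

Step 3 matters because the question's evidence only proves RRAS can reach Azure as a host; a Windows Server that terminates the VPN but has forwarding disabled on its LAN interface will show the same symptom even after the gateway route is added.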
Topic: Implement and Manage Hybrid Networking
An organization has an on-premises AD DS forest named contoso.com with Windows Server DNS on two domain controllers. A hub VNet in Azure is connected by VPN and contains Azure DNS Private Resolver with inbound and outbound endpoints. Azure Files private endpoints use a linked Azure Private DNS zone. Azure VMs must resolve contoso.com, and on-premises servers must resolve the private endpoint names. The design must avoid zone transfers and avoid deploying AD DS DNS in Azure. Which design best fits?
Options:
A. Point all clients to Azure-provided DNS
B. Use root hints between the DNS environments
C. Use conditional forwarders and Private Resolver forwarding rules
D. Create secondary DNS zones on both sides
Best answer: C
Explanation: Hybrid name resolution should forward only the namespaces that cross the boundary. On-premises Windows Server DNS can use a conditional forwarder for the private endpoint zone, such as privatelink.file.core.windows.net, targeting the Azure DNS Private Resolver inbound endpoint. In Azure, a DNS forwarding ruleset associated with the outbound endpoint can forward contoso.com queries to the on-premises DNS servers over the VPN. This preserves AD-integrated DNS on-premises, uses Azure Private DNS for private endpoints, and avoids zone transfers. The key design choice is namespace-specific forwarding, not replacing DNS authority or changing every client resolver blindly.
Topic: Implement and Manage Hybrid Networking
A company configured an Azure VPN gateway for a site-to-site VPN to an on-premises Windows Server RRAS VPN server. The tunnel never reaches a connected state.
Exhibit: Diagnostic evidence
Azure VPN gateway public IP: 20.51.10.8
RRAS public IP: 198.51.100.25
Firewall: UDP 500/4500 allowed both ways
On-premises subnet: 10.20.0.0/16
Azure VNet subnet: 10.40.0.0/16
RRAS event: IKE authentication credentials are unacceptable
What is the most likely root cause?
Options:
A. Overlapping on-premises and Azure address spaces
B. Missing route table on the Azure subnet
C. Missing user certificate on the RRAS server
D. Mismatched shared key for IPsec/IKE
Best answer: D
Explanation: For an Azure site-to-site VPN, the tunnel must establish IPsec/IKE security associations before routing can pass traffic. The evidence shows that the public endpoints can attempt IKE because UDP 500 and 4500 are allowed, and the address spaces do not overlap. The RRAS event specifically says that IKE authentication credentials are unacceptable, which is an authentication-stage failure. In a typical policy-based or route-based site-to-site VPN using a shared key, that points to a mismatch between the Azure connection shared key and the RRAS IPsec pre-shared key.
Routing problems usually appear after the tunnel is connected but traffic cannot reach the remote subnet.
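The repair for that diagnosis, done so the key cannot drift again: confirm the failure is the IKE authentication stage, then set one freshly generated pre-shared key on both ends in a single pass and reconnect. This is an added example, not the page's own material; the resource group rg-hybrid, connection name cn-onprem-rras and RRAS interface name AzureVNet are assumptions, and the script is assumed to run on the RRAS server with the Az.Network module installed and an Azure session already established.

```powershell
# Added example (not from the original page): confirm the RRAS failure is at IKE
# authentication, then apply the same pre-shared key to the Azure connection and the
# RRAS S2S interface in one pass. Names below are assumed; run on the RRAS server.
Import-Module RemoteAccess
Import-Module Az.Network

$Rg = 'rg-hybrid'; $Connection = 'cn-onprem-rras'; $Interface = 'AzureVNet'

# 1. Is the failure really authentication? Look for the event text quoted in the question.
Get-WinEvent -LogName System -MaxEvents 500 |
    Where-Object { $_.Message -match 'IKE authentication credentials are unacceptable' } |
    Select-Object -First 3 TimeCreated, Id, ProviderName

# 2. Generate one key and push it to both sides. Alphanumeric only (about 40 characters)
#    so there is no quoting or character-set trouble on either end.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = [Convert]::ToBase64String($bytes) -replace '[^A-Za-z0-9]', ''

Set-AzVirtualNetworkGatewayConnectionSharedKey -Name $Connection -ResourceGroupName $Rg -Value $psk | Out-Null

Disconnect-VpnS2SInterface -Name $Interface -Force -ErrorAction SilentlyContinue
Set-VpnS2SInterface -Name $Interface -SharedSecret $psk
Connect-VpnS2SInterface -Name $Interface

# 3. Both ends should now report the tunnel up. Only after this does routing matter.
Get-VpnS2SInterface -Name $Interface | Select-Object Name, ConnectionState, Destination
(Get-AzVirtualNetworkGatewayConnection -Name $Connection -ResourceGroupName $Rg).ConnectionStatus
```

Generating the key in the script and writing it to both ends from the same variable is the point: most shared-key mismatches come from a key typed or pasted twice, and a rotation procedure that does it once removes that failure mode.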
Topic: Implement and Manage Hybrid Networking
A company wants to replace a legacy VPN for help desk administrators. The administrators must access on-premises Windows Server management endpoints by private FQDN, including RDP and WinRM. The solution must avoid inbound firewall rules and apply Microsoft Entra Conditional Access per user. Which access option should you configure?
Options:
A. Microsoft Entra Private Access
B. Web Application Proxy
C. Microsoft Entra Application Proxy
D. Azure Relay
Best answer: A
Explanation: The access pattern is private, identity-aware access to internal Windows Server management services, not publishing a single web application. Microsoft Entra Private Access is designed for Zero Trust access to private applications and resources using Microsoft Entra policies, and it can replace broad VPN access for selected private destinations. It also avoids inbound firewall openings by using outbound connectivity from the private network. Microsoft Entra Application Proxy and Web Application Proxy are mainly for publishing web applications. Azure Relay helps applications communicate across network boundaries but is not the normal administrator access method for RDP or WinRM.
Topic: Implement and Manage Hybrid Networking
A company uses Windows Server DNS policies on DNS01 for app.contoso.com. Branch users on subnet 10.20.8.0/24 should receive 172.16.20.10, but they receive 10.50.4.20.
Evidence:
Policy: OnPremClientSubnet = 10.20.0.0/16 -> OnPremScope
Default scope -> AzureScope
Branch DHCP DNS server: 10.99.0.10
DNS01 query log:
Client=10.99.0.10 Query=app.contoso.com Response=10.50.4.20
What is the most likely root cause?
Options:
A. The OnPremScope record failed to replicate to DNS01.
B. The branch DNS forwarder is outside the policy client subnet.
C. Round robin is overriding the configured DNS policy.
D. DNSSEC validation is failing for the contoso.com zone.
Best answer: B
Explanation: Windows Server DNS policies that use client subnets match the source IP address of the DNS request received by the authoritative DNS server. In this case, DNS01 does not see the branch client address 10.20.8.x; it sees the branch DNS server or forwarder 10.99.0.10. Because that address is not included in OnPremClientSubnet, the query falls through to the default scope and returns the Azure-scope address 10.50.4.20.
The next fix would be to include the forwarding resolver address in the appropriate client subnet policy or redesign forwarding so DNS01 can apply the intended traffic-aware rule.
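The policy from the question built on DNS01 with the DnsServer module, followed by the fix the explanation describes. This is an added example and not from the original page. It assumes the zone is contoso.com, that the page's "AzureScope" answer lives in the zone's default scope, and that DNS01 is AD-integrated; the policy name OnPremUsers is an assumption.

```powershell
# Added example (not from the original page): reproduce the DNS01 policy from the
# question, then add the branch forwarder's address so relayed queries match too.
# Assumed: zone contoso.com, Azure answer held in the default scope, policy name OnPremUsers.
Import-Module DnsServer
$Zone = 'contoso.com'

# Client subnet the policy matches on. As built originally: only 10.20.0.0/16.
Add-DnsServerClientSubnet -Name 'OnPremClientSubnet' -IPv4Subnet '10.20.0.0/16'

# Zone scope with the on-premises answer; the default scope keeps the Azure answer.
Add-DnsServerZoneScope -ZoneName $Zone -Name 'OnPremScope'
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'app' -IPv4Address '172.16.20.10' -ZoneScope 'OnPremScope'
Add-DnsServerResourceRecord -ZoneName $Zone -A -Name 'app' -IPv4Address '10.50.4.20'   # default scope answer

# The policy is evaluated against the source IP of the packet DNS01 receives,
# not against whichever client asked the branch resolver.
Add-DnsServerQueryResolutionPolicy -Name 'OnPremUsers' -Action ALLOW -ZoneName $Zone `
    -ClientSubnet 'eq,OnPremClientSubnet' -ZoneScope 'OnPremScope,1'

# Fix from the explanation: DNS01 sees 10.99.0.10, so that address must be in the subnet.
Set-DnsServerClientSubnet -Name 'OnPremClientSubnet' -Action ADD -IPv4Subnet '10.99.0.10/32'

# Verify. The branch resolver may still hold the old answer, so flush it first (run there),
# then ask the way a branch client would and check the policy is enabled and ordered first.
Invoke-Command -ComputerName '10.99.0.10' -ScriptBlock { Clear-DnsServerCache -Force }
Resolve-DnsName -Name "app.$Zone" -Server '10.99.0.10' -Type A | Select-Object Name, IPAddress
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone | Format-Table Name, ProcessingOrder, IsEnabled, Condition -AutoSize
```

The caveat this exposes: once a forwarder is the matched "client", every site that forwards through 10.99.0.10 receives the on-premises answer. If that resolver also serves Azure-side clients, the subnet trick cannot separate them, and the redesign the explanation mentions means either giving each audience its own resolver address or letting branch clients query DNS01 directly.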
Topic: Implement and Manage Hybrid Networking
A company publishes an internal IIS application by using Microsoft Entra Application Proxy. Users can browse to the external URL and complete Microsoft Entra sign-in, but the app fails to load. The connector group shows Active.
Exhibit: Connector event log excerpt
Application: HRPortal
Internal URL: https://hrweb.corp.contoso.com/
Result: BackendServerConnectionFailure
Detail: The remote name could not be resolved
What is the most likely root cause?
Options:
A. The connector cannot resolve the internal application FQDN.
B. Users are missing a VPN connection to the internal network.
C. Inbound Internet traffic is blocked to the connector server.
D. Microsoft Entra Domain Services is not deployed.
Best answer: A
Explanation: Microsoft Entra Application Proxy uses an on-premises connector to reach the internal web application on behalf of authenticated users. In this case, Microsoft Entra sign-in succeeds and the connector is active, so the cloud-side publication and connector registration are not the first suspect. The deciding clue is the connector event: the internal URL name cannot be resolved. The connector server must be able to resolve and connect to the internal URL exactly as configured in the application proxy settings.
A good validation step would be to test DNS resolution and HTTPS access to https://hrweb.corp.contoso.com/ from the connector server, then fix internal DNS or the configured internal URL as needed.
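That validation as a single function to run on the connector server, separating "name does not resolve" from "resolves but cannot connect" from "connects but HTTP fails". This is an added example, not from the original page; the internal URL is the question's, and the function name is an assumption.

```powershell
# Added example (not from the original page): run on the Application Proxy connector
# server to classify a BackendServerConnectionFailure. Function name is assumed.
function Test-AppProxyBackend {
    param([Parameter(Mandatory)][uri]$InternalUrl)

    $result = [ordered]@{ Url = $InternalUrl.AbsoluteUri; Dns = $null; Tcp = $null; Http = $null }

    # 1. DNS exactly as the connector sees it: it uses this server's own resolver settings.
    try {
        $result.Dns = (Resolve-DnsName -Name $InternalUrl.Host -Type A -ErrorAction Stop |
                       Where-Object IPAddress | Select-Object -ExpandProperty IPAddress) -join ','
    } catch {
        $result.Dns = "FAIL: $($_.Exception.Message)"   # the question's 'remote name could not be resolved'
        return [pscustomobject]$result
    }

    # 2. TCP to the URL's port (443 here): internal firewall or wrong port in the internal URL.
    $tcp = Test-NetConnection -ComputerName $InternalUrl.Host -Port $InternalUrl.Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        $result.Tcp = "FAIL: no TCP connection to $($InternalUrl.Host):$($InternalUrl.Port)"
        return [pscustomobject]$result
    }
    $result.Tcp = 'ok'

    # 3. HTTPS as the connector would attempt it, including certificate trust on this server.
    #    A 401 from an IIS app that uses Windows authentication is the expected answer here,
    #    not a failure; anything without a status code (TLS, name mismatch) is.
    try {
        $resp = Invoke-WebRequest -Uri $InternalUrl -UseBasicParsing -ErrorAction Stop
        $result.Http = [int]$resp.StatusCode
    } catch {
        $code = $_.Exception.Response.StatusCode
        $result.Http = if ($code) { "$([int]$code) (HTTP answered; 401 is normal for IWA)" }
                       else       { "FAIL: $($_.Exception.Message)" }
    }
    [pscustomobject]$result
}

Test-AppProxyBackend -InternalUrl 'https://hrweb.corp.contoso.com/'
```

Run it under the same DNS settings the connector service uses; a connector server that points at public DNS, or at an Azure resolver without a rule for corp.contoso.com, produces exactly the event in the exhibit while the cloud side reports Active.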
Topic: Implement and Manage Hybrid Networking
A company is moving a Windows Server file workload to Azure Files. The storage account will use a private endpoint in an Azure VNet connected to the datacenter by site-to-site VPN. On-premises member servers and Azure VMs must resolve the file share name to the private endpoint IP without changing client UNC paths. Which DNS design is the best fit?
Options:
A. Create an on-premises file.core.windows.net primary zone and add only the storage account A record.
B. Create privatelink.file.core.windows.net in Azure Private DNS, link the VNet, and forward that zone from on-premises DNS to Azure DNS Private Resolver.
C. Create a public DNS A record for the storage account that points to the private endpoint IP.
D. Add a hosts file entry on each Windows Server that maps the storage account name to the private endpoint IP.
Best answer: B
Explanation: For Azure Files over a private endpoint, clients should continue using the normal storage account file endpoint name. Azure uses a CNAME chain to the privatelink.file.core.windows.net namespace, where the private endpoint A record is stored. Linking the Azure Private DNS zone to the VNet lets Azure VMs resolve the private IP. Forwarding that private-link zone from on-premises DNS to an Azure DNS Private Resolver inbound endpoint extends the same resolution path to datacenter servers over VPN.
This avoids overriding the broader file.core.windows.net namespace: an on-premises primary zone for file.core.windows.net, as in option A, can break resolution for other Azure Files accounts in that namespace, whereas forwarding only the privatelink zone keeps name resolution centralized and maintainable.
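The two forwarding designs above (the contoso.com and privatelink.file.core.windows.net split from the Private Resolver question, and this Azure Files private endpoint case) wired up end to end in PowerShell. This is an added example and not the page's own material. Assumed names: hub VNet vnet-hub in resource group rg-hybrid (region westeurope), a Private Resolver dnspr-hub whose inbound endpoint listens on 10.40.250.4 and whose outbound endpoint is named outbound, on-premises DNS servers 192.168.1.10 and 192.168.1.11, and a storage account stgfiles01. The zone names and endpoint roles are the page's.

```powershell
# Added example (not from the original page): namespace-specific forwarding in both
# directions. All resource names, addresses and the storage account are assumed.
Import-Module Az.Network, Az.PrivateDns, Az.DnsResolver   # admin workstation
Import-Module DnsServer                                   # on-premises Windows Server DNS

$Rg = 'rg-hybrid'; $Location = 'westeurope'
$VnetId    = (Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $Rg).Id
$InboundIp = '10.40.250.4'                      # Private Resolver inbound endpoint (assumed)
$OnPremDns = '192.168.1.10', '192.168.1.11'     # AD DS DNS servers (assumed)

# --- Azure: private-link zone, linked to the VNet so Azure VMs resolve the private IP.
#     The private endpoint's DNS zone group writes the storage account's A record here.
New-AzPrivateDnsZone -Name 'privatelink.file.core.windows.net' -ResourceGroupName $Rg | Out-Null
New-AzPrivateDnsVirtualNetworkLink -ZoneName 'privatelink.file.core.windows.net' -ResourceGroupName $Rg `
    -Name 'link-hub' -VirtualNetworkId $VnetId | Out-Null

# --- Azure: forward only contoso.com to on-premises AD DNS through the outbound endpoint.
$outbound = Get-AzDnsResolverOutboundEndpoint -DnsResolverName 'dnspr-hub' -ResourceGroupName $Rg -Name 'outbound'
$ruleset  = New-AzDnsForwardingRuleset -Name 'rs-hub' -ResourceGroupName $Rg -Location $Location `
    -DnsResolverOutboundEndpoint @(@{ id = $outbound.Id })
$targets  = $OnPremDns | ForEach-Object { New-AzDnsResolverTargetDnsServerObject -IPAddress $_ -Port 53 }
New-AzDnsForwardingRulesetForwardingRule -DnsForwardingRulesetName $ruleset.Name -ResourceGroupName $Rg `
    -Name 'contoso-com' -DomainName 'contoso.com.' -ForwardingRuleState Enabled -TargetDnsServer $targets | Out-Null
New-AzDnsForwardingRulesetVirtualNetworkLink -DnsForwardingRulesetName $ruleset.Name -ResourceGroupName $Rg `
    -Name 'vnetlink-hub' -VirtualNetworkId $VnetId | Out-Null

# --- On-premises: conditional forwarder for the private-link zone only, AD-replicated so
#     both DNS servers carry it. No zone transfer, no AD DS DNS in Azure.
Add-DnsServerConditionalForwarderZone -Name 'privatelink.file.core.windows.net' `
    -MasterServers $InboundIp -ReplicationScope 'Forest'

# --- Check from an on-premises server: the public name should CNAME into the privatelink
#     zone and end in a private (10.40.x.x) address, with the UNC path unchanged.
Resolve-DnsName -Name 'stgfiles01.file.core.windows.net' -Type A |
    Select-Object Name, Type, NameHost, IPAddress
```

If the final A record still shows a public IP, the on-premises server is resolving file.core.windows.net through its normal forwarders rather than following the CNAME into the conditionally forwarded zone; check that the forwarder was created on the server the client actually queries, and that UDP/TCP 53 to the inbound endpoint is allowed across the VPN.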
Topic: Implement and Manage Hybrid Networking
A domain-joined Windows Server VM in an Azure virtual network cannot apply Group Policy and logs Netlogon event 5719. The VM can reach an on-premises domain controller by IP address across the VPN.
Exhibit: Diagnostic output
DNS Servers: 168.63.129.16
nltest /dsgetdc:corp.contoso.com
DsGetDcName failed: 1355
nslookup -type=SRV _ldap._tcp.dc._msdcs.corp.contoso.com
Server: 168.63.129.16
*** No records found
What is the most likely root cause?
Options:
A. The domain controller has lost the PDC emulator role.
B. The VM is using DNS that cannot resolve AD DS SRV records.
C. The computer account password has expired in AD DS.
D. The VPN is blocking LDAP traffic to the domain controller.
Best answer: B
Explanation: Domain-joined Windows Server workloads locate domain controllers by querying AD DS DNS records, especially SRV records under _msdcs. The evidence shows that IP connectivity to a domain controller works, but name-based DC discovery fails while the client is using Azure-provided DNS (168.63.129.16). Azure-provided DNS does not automatically host or resolve the AD-integrated DNS zones for an on-premises AD DS domain. The virtual network or client must use DNS servers that can resolve the AD DS namespace, such as domain controllers running DNS or a resolver with the correct conditional forwarding. The key distinction is connectivity versus domain service discovery.
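The diagnosis above reproduced on the VM, then fixed at the virtual network rather than per NIC. This is an added example and not from the original page; the domain controllers' addresses 192.168.1.10 and 192.168.1.11 and the VNet name vnet-spoke in resource group rg-hybrid are assumptions. The domain name and SRV record are the question's.

```powershell
# Added example (not from the original page): show that DC discovery fails only because
# of the resolver in use, then replace Azure-provided DNS at the VNet. DC addresses and
# VNet/resource group names are assumed.
$Domain = 'corp.contoso.com'
$AdDns  = '192.168.1.10', '192.168.1.11'
$Srv    = "_ldap._tcp.dc._msdcs.$Domain"

# 1. Reproduce: same SRV query through the current resolver and directly against a DC.
#    Success on the second line with failure on the first isolates DNS from connectivity.
$current = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique
"Current resolver(s): $($current -join ', ')"
Resolve-DnsName -Name $Srv -Type SRV -ErrorAction SilentlyContinue | Select-Object Name, NameTarget, Port
Resolve-DnsName -Name $Srv -Type SRV -Server $AdDns[0] | Select-Object Name, NameTarget, Port

# 2. Fix: custom DNS servers on the VNet. This replaces 168.63.129.16 for every NIC in the
#    VNet on its next DHCP lease renewal. (Run from a workstation with Az.Network signed in.)
$vnet = Get-AzVirtualNetwork -Name 'vnet-spoke' -ResourceGroupName 'rg-hybrid'
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = New-Object 'System.Collections.Generic.List[string]'
$AdDns | ForEach-Object { $vnet.DhcpOptions.DnsServers.Add($_) }
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. On the VM: pick up the new servers (a restart also works), then re-test DC discovery.
ipconfig /renew | Out-Null
Clear-DnsClientCache
Resolve-DnsName -Name $Srv -Type SRV | Select-Object Name, NameTarget, Port
nltest /dsgetdc:$Domain
```

The same result can be reached with the Private Resolver design from earlier on this page: point the VNet at the resolver's inbound endpoint and add a forwarding rule for corp.contoso.com to the domain controllers, which keeps Azure-provided resolution for everything else while the AD DS namespace goes on-premises.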
Once the DNS servers are corrected, rerun nltest /dsgetdc:corp.contoso.com to confirm that _msdcs SRV resolution and domain controller discovery succeed.
Use the Microsoft AZ-802 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Read the Microsoft AZ-802 Cheat Sheet for compact concept review before returning to timed practice.