
Microsoft AZ-802: Migrate Servers and Workloads

Try 10 focused Microsoft AZ-802 questions on Migrate Servers and Workloads, with explanations, then continue with IT Mastery.


Topic snapshot

| Field | Detail |
| --- | --- |
| Exam route | Microsoft AZ-802 |
| Topic area | Migrate Servers and Workloads |
| Blueprint weight | 11.5% |
| Page purpose | Focused sample questions before returning to mixed practice |

How to use this topic drill

Use this page to isolate Migrate Servers and Workloads for Microsoft AZ-802. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

| Pass | What to do | What to record |
| --- | --- | --- |
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |

Blueprint context: 11.5% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Migrate Servers and Workloads

A company migrated departmental shares from an on-premises Windows file server to Azure Files. AD DS authentication and a private endpoint are configured, and the DFS Namespace path used by clients will remain unchanged. Before making the old server read-only, which validation approach is the best design fit?

Options:

  • A. Browse the shares with Storage Explorer by using the storage account key.

  • B. Accept the migration after a successful job status and test only as a domain admin.

  • C. Grant broad SMB contributor access, test connectivity, and tighten permissions after cutover.

  • D. Compare data, verify share and NTFS permissions, and test DFS access as representative AD users.

Best answer: D

Explanation: Post-migration validation should prove that the migrated file service works the way clients will use it. For Azure Files with AD DS authentication, that means checking the copied data, confirming the Azure file share permissions and NTFS ACLs still enforce least privilege, and testing access from domain-joined clients through the DFS Namespace or UNC path. Representative user and group accounts are important because administrator or storage-key access can bypass the authorization path that normal users depend on. A successful migration status is useful evidence, but it is not enough to validate permissions, shares, name resolution, and client access.

  • Storage key browsing bypasses AD DS user authorization and does not prove normal SMB client access.
  • Admin-only testing can hide broken user permissions or missing share-level access.
  • Broad temporary access violates least privilege and can mask ACL or group-mapping problems.

Question 2

Topic: Migrate Servers and Workloads

During a cross-forest AD DS migration, you use ADMT from the target forest to migrate users and groups from corp.contoso.com to adatum.com. Migrated users must keep access to ACLs in the source forest until file servers are migrated. DNS resolution and the two-way forest trust are validated. The ADMT service account is a target Domain Admin and has Full Control on the target OU, but in the source domain it is only a member of Account Operators.

Log clue: Access is denied while updating SID history for migrated account.

What is the most likely root cause?

Options:

  • A. Insufficient source-domain rights for SID history migration

  • B. Missing Password Export Server on the source domain controller

  • C. The trust should be one-way from target to source

  • D. Missing ADMT migration table for Group Policy translation

Best answer: A

Explanation: For phased resource access, ADMT can migrate sIDHistory so a target account’s token includes the old source SID and can still match existing ACLs. The failure occurs specifically while updating SID history, and the scenario already rules out DNS, trust, and target OU permissions. The remaining diagnostic clue is that the ADMT service account has only Account Operators membership in the source domain, which is not sufficient for SID history migration. Password migration and GPO translation are separate ADMT tasks and do not explain an access-denied error while writing sIDHistory.

  • Password Export Server is used for password migration, not for granting rights to update sIDHistory.
  • GPO migration table helps translate principals in GPOs, but the log failure is tied to SID history on user/group objects.
  • Trust direction is not the issue because the scenario states that a two-way forest trust is already validated.

Question 3

Topic: Migrate Servers and Workloads

A team is using Storage Migration Service in Windows Admin Center to move an on-premises file server to a Windows Server Azure VM because the applications must continue using Windows Server-hosted SMB shares. Inventory completes, but the first transfer fails.

Phase: Transfer
Source: FS01
Destination: AZFS01
Result: Failed
Detail: Cannot access \\AZFS01\C$.
System error 53: The network path was not found.
Azure VM NSG: inbound RDP allowed; no SMB rule
Windows Defender Firewall: default inbound block

What is the best next diagnostic action?

Options:

  • A. Recreate the project in Azure Migrate

  • B. Test TCP 445 and admin share access to AZFS01

  • C. Enable Azure File Sync cloud tiering on AZFS01

  • D. Configure Azure Site Recovery replication for FS01

Best answer: B

Explanation: Storage Migration Service performs inventory, transfer, and cutover for Windows Server file-service migrations, including migrations to Windows Server Azure VMs. In this case, inventory succeeds but transfer fails when accessing \\AZFS01\C$, and the exhibit shows no SMB rule in the Azure VM NSG plus default inbound blocking in Windows Defender Firewall. The next diagnostic step is to validate TCP 445 and administrative share access to the destination VM from the migration path, then confirm whether NSG or guest firewall rules are blocking that access. The failure is not evidence that the migration method is wrong; it is a connectivity prerequisite failure for the SMS transfer phase.

  • Azure File Sync is for syncing file shares with Azure Files, not diagnosing an SMS transfer to a Windows Server Azure VM.
  • Site Recovery protects or replicates servers for disaster recovery; it does not validate SMB transfer access for SMS.
  • Azure Migrate is not the best switch because the stated target is Windows Server file services, and SMS is the appropriate file-service migration tool.

Question 4

Topic: Migrate Servers and Workloads

During migration planning, a Windows Server file server selected for Azure VM migration is flagged with a Review target selection warning.

| Assessment finding | Value |
| --- | --- |
| Server roles | File Server only |
| Local app dependencies | None found |
| Shares | SMB departmental shares |
| Permissions | NTFS ACLs using AD DS groups |
| Business goal | Reduce server OS management |

What is the best next diagnostic action?

Options:

  • A. Replace NTFS ACLs with Microsoft Entra role assignments

  • B. Validate Azure Files readiness for the shares

  • C. Deploy a larger Azure VM as the file server target

  • D. Troubleshoot Azure Migrate replication appliance connectivity

Best answer: B

Explanation: The warning is about target selection, not a failed server replication. The inventory shows that the server provides only SMB file shares, has no local application dependencies, and the business goal is to reduce Windows Server operating system management. That is the pattern where the administrator should assess migration to Azure file shares instead of automatically rehosting the whole Windows Server file server as an Azure VM. The diagnostic action should confirm Azure Files requirements: SMB client connectivity, identity-based authentication with AD DS or Microsoft Entra Kerberos as appropriate, NTFS ACL preservation expectations, capacity, and performance needs. A larger VM or replication troubleshooting does not address whether the workload needs a server at all.

  • Replication focus fails because the evidence is a target-fit warning, not an appliance or replication failure.
  • Larger VM target fails because sizing a VM keeps the server management burden the business wants to reduce.
  • RBAC-only permissions fails because Azure Files can support SMB with identity-based access and NTFS ACLs; replacing ACLs is not the first diagnostic step.

Question 5

Topic: Migrate Servers and Workloads

A company is validating a pilot AD DS migration from a legacy forest to a new Windows Server forest. A two-way forest trust remains in place during coexistence, and several line-of-business applications still use AD DS groups and service accounts. Before expanding the migration scope, which validation design best confirms that the migrated identity and application dependencies are working?

Options:

  • A. Use a pilot validation checklist covering sign-in, tokens, GPOs, trusts, replication, and application access

  • B. Confirm Microsoft Entra sign-in success for synced users only

  • C. Run only repadmin /replsummary on the new forest domain controllers

  • D. Review only ADMT migration logs and then remove the forest trust

Best answer: A

Explanation: AD DS migration validation should prove that migrated identities behave correctly in the new forest, not just that objects were copied. A strong validation design includes interactive and service authentication tests, effective group membership or token checks, Group Policy result verification, trust validation during coexistence, domain controller replication health, and application dependency tests such as SPNs, service accounts, permissions, and group-based authorization. This gives evidence that users and applications can operate after cutover and that the coexistence path is still healthy. Directory replication is important, but it is only one part of the validation scope.

  • Migration logs only miss runtime behavior and removing the trust early can break coexistence access.
  • Cloud sign-ins only do not validate AD DS group authorization, GPO processing, trusts, or application dependencies.
  • Replication only confirms DC synchronization health but not authentication, policy application, or application access.

Question 6

Topic: Migrate Servers and Workloads

A company has a single AD DS forest with two domains. The forest and both domains are at the Windows Server 2012 R2 functional level, and some domain controllers still run Windows Server 2012 R2. The company synchronizes identities to Microsoft Entra ID and wants to add time-limited privileged group membership in the existing forest without migrating users to a new forest. Which design is the best fit?

Options:

  • A. Extend the schema only and keep the current functional levels

  • B. Deploy Microsoft Entra Domain Services for privileged groups

  • C. Create a new forest and migrate users with ADMT

  • D. Replace legacy DCs, then raise domain and forest functional levels

Best answer: D

Explanation: Newer AD DS capabilities can require both newer domain controller operating systems and higher domain or forest functional levels. In this scenario, the requirement is to keep the existing forest and enable a capability such as time-limited privileged group membership. The appropriate design is to upgrade or replace domain controllers that block the target functional level, demote the legacy domain controllers, raise each domain functional level as needed, and then raise the forest functional level. Identity synchronization to Microsoft Entra ID can continue because the AD DS forest remains the source directory. A schema update alone does not enable every forest-level feature.

  • Schema-only upgrade fails because functional levels control availability of certain AD DS capabilities.
  • New forest migration violates the requirement to keep the existing forest and avoid user migration.
  • Microsoft Entra Domain Services provides a managed domain, not an upgrade path for the existing AD DS forest.

Question 7

Topic: Migrate Servers and Workloads

A company hosts 70 ASP.NET applications on IIS across 14 on-premises Windows Server hosts. Before any cutover, the migration team must produce centralized readiness evidence that identifies which IIS applications can be modernized to Azure App Service and which require remediation. Which configuration should you use?

Options:

  • A. Create an Azure Migrate server assessment for Azure VM sizing.

  • B. Use Storage Migration Service to inventory the IIS content folders.

  • C. Configure Azure Site Recovery replication for the IIS servers.

  • D. Create an Azure Migrate web app assessment for discovered IIS applications.

Best answer: D

Explanation: Azure Migrate is the right choice when the required output is migration or modernization readiness evidence across on-premises workloads. For IIS modernization, you deploy discovery through an Azure Migrate project, discover the Windows Server hosts and IIS web applications, and create a web app assessment targeting Azure App Service. This produces centralized readiness and remediation information before migration decisions are made. A server assessment for Azure VMs supports rehost planning, not App Service modernization readiness. Replication or content-copy tools do not answer whether the IIS applications are suitable for Azure App Service.

  • VM sizing assessment evaluates server rehosting to Azure VMs, not application modernization readiness for Azure App Service.
  • Site Recovery replication supports failover or migration execution, but it does not assess IIS app compatibility for modernization.
  • Storage Migration Service can migrate file data, but it does not evaluate IIS application readiness or remediation needs.

Question 8

Topic: Migrate Servers and Workloads

You plan to migrate a VMware-hosted Windows Server application to Azure by using Azure Migrate. The team must right-size Azure VMs from observed utilization, include the month-end peak, and avoid starting replication until sizing evidence is reliable.

| Azure Migrate assessment finding | Value |
| --- | --- |
| Sizing criterion | Performance-based |
| Confidence rating | 1 star |
| Reason | Appliance has 18 hours of data |
| Dependency analysis | Complete |

Which action should you take next?

Options:

  • A. Repeat dependency analysis with agents installed

  • B. Start replication using the recommended VM sizes

  • C. Change the assessment to as-on-premises sizing

  • D. Collect through month-end and recalculate the assessment

Best answer: D

Explanation: Azure Migrate performance-based assessments depend on collected utilization data. A 1-star confidence rating means the size recommendation is based on too little or incomplete performance evidence. Because the requirement is to right-size from observed utilization and include the month-end peak, the best action is to let the appliance collect data through that representative period and then recalculate the assessment. Dependency analysis is already complete, so the blocking evidence is sizing confidence, not application grouping. Starting replication or switching to as-on-premises sizing would bypass the stated sizing requirement.

  • As-on-premises sizing ignores the requirement to right-size from observed utilization.
  • Immediate replication uses a recommendation that the assessment itself marks as low confidence.
  • Agent dependency analysis overbuilds the solution because dependency analysis is already complete.

Question 9

Topic: Migrate Servers and Workloads

You are preparing a VMware-to-Azure migration by using an Azure Migrate appliance. You must build migration waves from process-level dependency evidence before enabling replication. The security team does not allow agents on the source servers, and the vCenter account must remain read-only.

Exhibit: Appliance evidence

| Check | Result |
| --- | --- |
| VM discovery | Successful |
| VMware Tools | Running |
| Windows credentials | Validation failed: not local admin |
| Dependency data | Not collected |

Which configuration change should you make?

Options:

  • A. Enable replication and run a test migration first

  • B. Add a local-administrator Windows credential to the appliance

  • C. Grant the vCenter account Administrator permissions

  • D. Install the Dependency Agent on each source server

Best answer: B

Explanation: Azure Migrate appliance discovery can identify VMware VMs with read-only vCenter access, but guest-level inventory and dependency evidence require valid operating system credentials with sufficient permissions. The exhibit shows that VM discovery and VMware Tools are healthy, while Windows credential validation failed because the credential is not a local administrator. Since the requirement is agentless dependency evidence before replication, the appropriate fix is to provide and map a Windows credential that has local administrator rights on the source servers, then revalidate collection. Changing vCenter permissions does not solve guest credential failure, and starting replication addresses migration execution rather than dependency discovery.

  • vCenter permissions are not the issue because VM discovery already succeeds and the failure is at Windows credential validation.
  • Installing agents violates the no-agent constraint and overbuilds the required agentless dependency collection path.
  • Test migration first reverses the required sequence because dependency evidence is needed before enabling replication.

Question 10

Topic: Migrate Servers and Workloads

A company is replacing an on-premises Windows file server named FS01 with a new Windows Server named FS02. Users access departmental data through paths such as \\FS01\Dept, and mapped drives and line-of-business apps cannot be changed during the maintenance window. NTFS permissions, share permissions, and share names must be preserved. Which design best fits the cutover requirement?

Options:

  • A. Run Storage Migration Service cutover so FS02 assumes the FS01 identity.

  • B. Create DNS CNAME records from FS01 to FS02 after copying the data.

  • C. Use DFS Replication and update all mapped drives to a namespace path.

  • D. Join FS02 to Microsoft Entra ID and publish the shares through cloud sync.

Best answer: A

Explanation: Storage Migration Service supports a staged file-server migration: inventory the source, transfer data and share configuration, then perform cutover. During cutover, the destination server can take over the source server’s name and network identity while the source is renamed, so existing UNC paths such as \\FS01\Dept continue to work without changing client mappings or application configuration. This is the best fit when the goal is to preserve share names, NTFS and share permissions, and client access behavior during a controlled maintenance window. A DNS alias can help with name resolution in some designs, but it does not provide the same server identity takeover and can introduce SMB/Kerberos issues.

  • DNS alias only fails because it does not migrate share configuration or fully preserve SMB server identity behavior.
  • DFS Replication can replicate data, but changing clients to a namespace violates the no-client-change constraint.
  • Microsoft Entra join is not the mechanism for replacing an AD DS file server while preserving existing UNC paths.


Revised on Monday, May 25, 2026