AZ-802 Exam Focus at a Glance
This Quick Reference supports independent preparation for Microsoft AZ-802, Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-802). Use it to review high-yield decisions for Windows Server in hybrid environments: on-premises, Azure VMs, Azure Arc-enabled servers, identity, security, high availability, disaster recovery, migration, monitoring, and troubleshooting.
| If the scenario asks for… | Think first about… | Common trap |
|---|
| Manage non-Azure Windows Servers from Azure | Azure Arc-enabled servers | Arc is management, not automatic migration |
| Patch servers at scale | Azure Update Manager, maintenance configurations | Do not assume WSUS and Azure Update Manager are identical |
| Collect logs and performance data | Azure Monitor Agent, Data Collection Rules, Log Analytics | Agent installed but no DCR means little or no data |
| Improve security posture | Microsoft Defender for Cloud, Microsoft Defender for Endpoint, security baselines | Defender for Cloud posture management is not the same as antivirus |
| Back up files, system state, or VMs | Azure Backup / Recovery Services vault | Backup is not orchestrated disaster recovery |
| Replicate and fail over workloads | Azure Site Recovery | ASR is not long-term backup retention |
| Migrate servers to Azure | Azure Migrate | Assessment and replication/cutover are separate phases |
| Migrate file servers | Storage Migration Service, Azure File Sync, AzCopy/Robocopy depending target | File sync is not the same as one-time migration |
| Provide app or VM high availability | Failover clustering, NLB, load balancers, Storage Spaces Direct | HA inside a site is not a full DR strategy |
| Troubleshoot hybrid visibility | Arc agent, Azure Monitor Agent, DCRs, RBAC, network/proxy | “Server is online” does not mean Azure can manage it |
Hybrid Management Service Selection
| Tool or service | Best use | Key AZ-802 cues | Watch for |
|---|
| Windows Admin Center | Browser-based Windows Server, cluster, Hyper-V, and storage management | Administer servers without full RDP; integrate with Azure services | WAC is a management gateway, not a cloud control plane by itself |
| Server Manager | Traditional role/feature and remote server management | Small on-prem admin scenarios | Less useful for Azure-scale governance |
| Azure Arc-enabled servers | Project non-Azure Windows/Linux servers into Azure Resource Manager | On-premises or other-cloud servers need Azure Policy, tags, Defender, Update Manager, monitoring | Requires Connected Machine agent and outbound connectivity |
| Azure Policy with guest configuration | Audit or enforce machine configuration through Azure | Compliance checks across Azure and Arc-enabled servers | Policy assignment scope and remediation identity matter |
| Azure Update Manager | Assess and deploy OS updates across Azure VMs and Arc-enabled servers | Scheduled patching, update compliance, maintenance windows | Requires supported agent/configuration; not a replacement for every WSUS use case |
| Azure Automation | Runbooks, automation jobs, hybrid workers | Repeatable operational tasks across hybrid infrastructure | Automation account permissions and hybrid worker placement matter |
| Microsoft Defender for Cloud | Security posture, recommendations, regulatory-style compliance views, workload protection integration | “Secure score,” recommendations, server protection, Arc machines | Not the same as Windows Defender Firewall or Defender Antivirus |
| Microsoft Defender for Endpoint | Endpoint detection and response | Investigate suspicious activity, endpoint alerts, attack timeline | Licensing/onboarding method is scenario-dependent |
| Azure Monitor | Metrics, logs, alerts, dashboards, VM insights | Centralized monitoring and KQL analysis | Data appears only if collection is configured |
| Log Analytics workspace | Stores queryable monitoring/log data | KQL, log retention, alerts from logs | Workspace region, permissions, and DCR association can block visibility |
| Azure Monitor Agent | Modern monitoring agent for guest logs/performance | Data Collection Rules, Azure/Arc servers | Replaces many legacy collection patterns, but legacy agents may still appear in existing environments |
| Recovery Services vault | Azure Backup and Azure Site Recovery container | Backup policies, protected items, ASR replication items | Vault choice affects management boundary and recovery configuration |
| Azure Migrate | Discovery, assessment, dependency analysis, server migration | Move VMware, Hyper-V, physical, or other servers to Azure | Assessment readiness is not the same as completed migration |
| Storage Migration Service | File server inventory, transfer, and cutover | Preserve shares/security while moving to newer Windows Server or Azure VM | Not designed as a continuous file sync service |
| Azure File Sync | Centralize file shares in Azure Files with Windows Server cache | Branch file servers, cloud tiering, multi-site file access | Sync topology and conflict behavior matter |
| Azure Site Recovery | VM/workload replication, test failover, planned/unplanned failover | DR to Azure or secondary site | Does not replace backups or app-level consistency planning |
Identity, Directory, and Access Control
AD DS and Microsoft Entra ID distinctions
| Component | Primary purpose | Choose when… | Exam caution |
|---|
| Active Directory Domain Services | Kerberos/NTLM domain auth, domain join, Group Policy, LDAP, computer accounts | Windows Server workloads depend on domain services | Microsoft Entra ID does not directly replace all AD DS features |
| Microsoft Entra ID | Cloud identity, OAuth/OIDC/SAML apps, Azure RBAC integration | Users need cloud app access, Azure portal access, conditional access | Entra users are not automatically domain users for legacy apps |
| Microsoft Entra Connect / Cloud Sync | Synchronize identities from AD DS to Entra ID | Hybrid identity required | Know sync direction and sign-in method implications |
| Microsoft Entra Domain Services | Managed domain services in Azure | Azure workloads need LDAP/Kerberos/NTLM without managing DCs | Not the same as extending your existing DCs into Azure |
| Domain controller in Azure VM | Extend existing AD DS into Azure | Azure workloads need full AD DS control and replication | Treat as a DC: DNS, sites, subnets, backup, security |
AD DS operations to recognize
| Task | High-yield reference | Useful checks |
|---|
| Add a domain controller | Install AD DS role, promote server, configure DNS and site placement | DNS health, replication, time sync |
| Replace old domain controllers | Add new DCs, transfer FSMO roles, validate replication, demote old DCs | Do not simply shut down the last role holder |
| Manage replication topology | Use AD Sites and Services, site links, subnets | Incorrect subnet mapping causes wrong DC selection |
| Troubleshoot logon issues | Check DNS SRV records, secure channel, time skew, DC locator | nltest, dcdiag, repadmin, w32tm |
| Protect privileged accounts | Tiered admin model, Protected Users, PAWs, JEA, LAPS | Avoid using domain admin for routine server tasks |
| Service account management | gMSA where supported | gMSA requires domain support and correct host authorization |
| Restore deleted AD objects | AD Recycle Bin when enabled | Not a substitute for full system state backup |
| Back up domain controllers | System State / supported backup methods | Avoid unsupported snapshots or rollback patterns |
Privileged access decision table
| Requirement | Prefer | Why |
|---|
| Local administrator password rotation | Windows LAPS | Unique, rotated local admin passwords reduce lateral movement |
| Run limited PowerShell admin tasks | Just Enough Administration | Provides role-limited endpoints instead of full admin shell |
| Manage services securely | Group Managed Service Account | Automatic password management and SPN support |
| Temporary Azure privileged role | Microsoft Entra Privileged Identity Management | Time-bound elevation for cloud roles |
| Restrict credential exposure during remote admin | Credential Guard / Remote Credential Guard where applicable | Reduces credential theft risk |
| Delegate server management through WAC | Windows Admin Center role-based controls and gateway access | Centralizes browser-based server administration |
Windows Server Security Reference
| Control | Use for | Implementation clues | Common trap |
|---|
| Microsoft Defender Antivirus | Malware protection on Windows Server | Real-time protection, definitions, exclusions | Exclusions must be justified; do not broadly exclude system paths |
| Microsoft Defender for Endpoint | EDR, investigation, advanced threat detection | Onboarding package, security portal alerts | Antivirus status alone does not confirm EDR onboarding |
| Microsoft Defender for Cloud | Posture management and workload protection recommendations | Secure score, recommendations, Arc/Azure servers | Recommendations may require agent, extension, or plan configuration |
| Windows Defender Firewall | Host-level inbound/outbound filtering | Profiles: domain/private/public; rule scope | NSGs do not replace host firewall rules |
| BitLocker | Volume encryption | TPM, recovery keys, policy enforcement | Encryption protects data at rest, not live compromised sessions |
| Secure Boot / TPM / Secured-core | Boot integrity and hardware-rooted protections | Modern server hardware or Azure VM generation support | Availability depends on platform capabilities |
| Credential Guard | Protect derived credentials | Virtualization-based security | Can affect older auth/delegation patterns |
| SMB signing/encryption | Protect SMB integrity/confidentiality | File server and client settings | SMB encryption is not a backup or access-control substitute |
| TLS certificate management | Secure service endpoints | AD CS, public CA, certificate lifecycle | Expired certs break hybrid services and agents |
| JEA | Least-privilege PowerShell operations | Role capabilities and session configuration | Users still need a defined endpoint and permissions |
| Security baselines | Standardized hardening | Microsoft security baselines, GPO, Intune, policy | Test before broad enforcement |
| Shielded VMs / Host Guardian Service | Protect Hyper-V VMs from fabric admins | Guarded fabric, attestation, key protection | More complex than normal VM encryption |
Fast security checks
Get-MpComputerStatus | Select-Object AMServiceEnabled,AntivirusEnabled,RealTimeProtectionEnabled
Get-SmbServerConfiguration |
Select-Object EnableSMB1Protocol,EncryptData,RejectUnencryptedAccess
auditpol /get /category:*
Get-LocalUser | Where-Object Enabled -eq $true
Get-LocalGroupMember Administrators
Networking and Remote Administration
| Requirement | Use | Notes |
|---|
| Secure server management without broad RDP exposure | Windows Admin Center, PowerShell Remoting, JEA | Prefer constrained, audited admin paths |
| Connect on-premises network to Azure | Site-to-site VPN or ExpressRoute | VPN is internet-based encrypted tunnel; ExpressRoute is private connectivity through provider |
| Connect one server to Azure VNet for management/testing | Azure Network Adapter through WAC, where suitable | Good for limited scenarios, not enterprise WAN design |
| Protect Azure VM traffic | NSG, Azure Firewall, route tables, host firewall | NSG filters at subnet/NIC; host firewall still matters |
| Protect on-prem server traffic | Windows Defender Firewall, network firewalls, IPsec | Azure controls do not automatically protect on-prem paths |
| Diagnose Azure network path | Network Watcher, Connection Monitor, effective routes/NSGs | Applies to Azure resources and monitored endpoints depending configuration |
| Remote command execution | WinRM / PowerShell Remoting | Requires listener, firewall, auth, and endpoint permissions |
| Remote GUI access | RDP, Azure Bastion for Azure VMs | Bastion is for Azure VM access, not general on-prem RDP |
Common hybrid connectivity traps
| Symptom | Likely area to inspect |
|---|
| Azure Arc server disconnected | Outbound HTTPS/proxy, Connected Machine agent, identity/RBAC |
| Azure Monitor no data | DCR association, AMA health, workspace permissions, collection rule scope |
| Domain logons slow in Azure | AD Sites and Services subnet mapping, DNS, DC placement |
| Azure VM cannot join domain | DNS points to AD DS DNS servers, network path to DCs, time sync |
| WAC cannot manage server | WinRM, firewall rules, trusted hosts/domain trust, gateway permissions |
| Backup/ASR agent cannot register | Vault credentials, outbound connectivity, clock, proxy/TLS inspection |
High Availability Reference
HA technology selection
| Scenario | Prefer | Why | Avoid assuming |
|---|
| Stateful workload needs automatic failover between nodes | Failover clustering | Cluster service coordinates resource ownership | Cluster alone provides site DR |
| Stateless scale-out TCP/UDP application | Network Load Balancing or external load balancer | Distributes client traffic | NLB protects shared state |
| Highly available Hyper-V storage | Cluster Shared Volumes, Storage Spaces Direct, SAN-backed cluster | Shared or replicated storage for clustered VMs | Local disks alone are enough |
| Highly available SMB application shares | Scale-Out File Server where appropriate | Active-active SMB access for application data | General user file shares always fit SOFS |
| Rolling patching of clusters | Cluster-Aware Updating | Coordinates node maintenance | Manual patching is always safe |
| Site-aware cluster | Failover cluster with site awareness, proper quorum/witness | Supports planned placement and failover logic | It eliminates need for DR testing |
| VM-level replica between hosts/sites | Hyper-V Replica | Asynchronous VM replication | Same as backup or app-aware HA |
| Volume-level replication | Storage Replica | Block-level replication between servers/clusters | Same as DFS Replication |
Failover clustering quick checks
| Area | What to remember |
|---|
| Validation | Run cluster validation before creating or changing a supported cluster |
| Quorum | Prevents split-brain; witness helps maintain majority |
| Witness options | Disk witness, file share witness, cloud witness depending topology |
| Cloud witness | Useful when Azure is reachable and no shared witness disk is preferred |
| Dynamic quorum | Adjusts quorum vote behavior as nodes change |
| Cluster networks | Separate or logically plan client, storage, live migration, and management traffic where needed |
| CSV | Common for Hyper-V clustered VM storage |
| CAU | Automates patching workflow across cluster nodes |
| Drain roles | Move clustered roles before maintenance |
| Anti-affinity / preferred owners | Control workload placement patterns |
Cluster PowerShell snippets
Install-WindowsFeature Failover-Clustering -IncludeManagementTools
Test-Cluster -Node "SRV1","SRV2"
New-Cluster -Name "CL01" -Node "SRV1","SRV2" -StaticAddress "10.0.0.50"
Get-ClusterNode
Get-ClusterGroup
Get-ClusterQuorum
Cloud witness example pattern:
Set-ClusterQuorum -CloudWitness `
-AccountName "<storage-account-name>" `
-AccessKey "<storage-account-key>"
Disaster Recovery and Backup
Backup vs replication vs disaster recovery
| Requirement | Best fit | Reason |
|---|
| Restore accidentally deleted files | Azure Backup, Windows Server Backup, file backup | Point-in-time recovery |
| Restore Windows Server system state | Azure Backup with MARS agent or supported backup product | Protects critical OS roles such as AD DS |
| Long-term retention | Backup policy | Replication usually keeps only current or near-current state |
| Fail over VM workloads to Azure | Azure Site Recovery | Replication plus orchestration |
| Test failover without disrupting production | Azure Site Recovery test failover | Validates DR plan |
| Replicate storage volumes between servers/clusters | Storage Replica | Block-level volume replication |
| Replicate Hyper-V VMs between hosts | Hyper-V Replica | VM-focused asynchronous replication |
| Protect Azure VM | Azure Backup VM backup and/or ASR depending objective | Backup and DR solve different problems |
Azure Backup components
| Component | Purpose | Exam cues |
|---|
| Recovery Services vault | Management container for backup/ASR items | Policies, protected items, jobs, alerts |
| MARS agent | Back up files/folders/system state from Windows Server | Common for on-prem Windows Server backup to Azure |
| Microsoft Azure Backup Server | Protect workloads and servers through a backup server model | App-aware workload protection scenarios |
| Backup policy | Schedule and retention | Match recovery need; do not invent retention from scenario |
| Recovery point | Point in time available for restore | Application-consistent vs crash-consistent may matter |
| Soft delete / immutability-style protections | Protect against accidental or malicious deletion where configured | Security and recovery controls are separate from backup schedule |
Azure Site Recovery components
| Component | Purpose | Exam cues |
|---|
| Replication policy | Frequency/retention/app consistency behavior | Drives RPO-related behavior |
| Mobility service / provider components | Replication agents/components depending source platform | Health must be monitored |
| Recovery plan | Ordered failover groups and automation steps | Multi-tier app failover |
| Test failover | Non-disruptive validation | Always preferred before real failover |
| Planned failover | Controlled failover when source is available | Minimizes data loss |
| Unplanned failover | Disaster scenario | Requires post-failover validation |
| Failback | Return workloads after primary site recovery | Must be planned and tested |
DR decision checklist
- Define the workload dependency map: identity, DNS, database, file shares, certificates, IP dependencies.
- Determine RPO/RTO from the scenario, then choose backup, replication, clustering, or ASR.
- Verify network design: Azure VNets, subnets, DNS, routing, VPN/ExpressRoute, NSGs, firewalls.
- Configure replication or backup policy.
- Run test failover or test restore.
- Document cutover order, validation steps, and rollback.
- Monitor jobs, agent health, replication health, and recovery point availability.
Migration Reference
Migration service selection
| Source / target scenario | Prefer | Key reason | Common trap |
|---|
| Assess server estate for Azure readiness | Azure Migrate discovery and assessment | Inventory, sizing, dependency analysis | Discovery does not move workloads |
| Rehost VMware/Hyper-V/physical server to Azure VM | Azure Migrate server migration | Replication and cutover workflow | Lift-and-shift may still require app remediation |
| Move file server to newer Windows Server or Azure VM | Storage Migration Service | Inventories data, shares, ACLs, and supports cutover | Not continuous sync after migration |
| Move file data into Azure Files | Azure File Sync, AzCopy, Robocopy, or migration tooling | Depends on ongoing cache/sync vs one-time copy | Azure File Sync is not just a copy command |
| Keep branch file server cache with cloud namespace | Azure File Sync | Local cache plus Azure Files centralization | Plan sync groups and endpoint layout |
| Move AD DS to newer servers | Add new DCs, transfer FSMO roles, demote old DCs | Supported modernization path | Do not clone/restore DCs carelessly |
| Move IIS apps | Web Deploy, Azure Migrate/app assessment, App Service tools where applicable | Depends on rehost vs refactor | App dependencies may block simple move |
| Move databases | Database-specific migration tooling | Schema, compatibility, downtime requirements | File copy is not database migration |
Storage Migration Service flow
| Phase | What happens | Validate |
|---|
| Prepare orchestrator | Install/administer Storage Migration Service | Network, firewall, permissions |
| Inventory source | Discover shares, files, security, local users/groups | Source access and complete inventory |
| Transfer data | Copy data to destination | ACLs, timestamps, share paths |
| Cut over | Destination assumes source name/IP where configured | Client access, DNS, application paths |
| Decommission | Remove or repurpose old server after validation | Backups and rollback window |
Azure Migrate flow
| Phase | Focus | Candidate reminders |
|---|
| Discover | Deploy appliance or agent-based discovery as required | Credentials, network reachability, inventory scope |
| Assess | Readiness, sizing, dependencies | Assessment assumptions affect recommendations |
| Remediate | Fix OS, disk, boot, app, network, identity issues | Do not migrate known-broken dependencies |
| Replicate | Start replication to Azure | Monitor replication health |
| Test migrate | Validate isolated or test environment | Avoid production DNS/IP conflicts |
| Cut over | Stop source changes and migrate | Plan downtime and rollback |
| Optimize | Rightsize, secure, back up, monitor | Migration is not complete until operations are configured |
Monitoring, Logging, and Alerting
Monitoring component selection
| Need | Use | Notes |
|---|
| Guest OS event/performance collection | Azure Monitor Agent + DCR | DCR defines what to collect and where to send it |
| Query logs | Log Analytics workspace | KQL-based analysis |
| Visualize VM performance/dependencies | VM insights | Requires appropriate agent/configuration |
| Alert on log pattern | Azure Monitor log alert | Query returns condition over time |
| Alert on metric threshold | Azure Monitor metric alert | Lower-latency for platform metrics |
| Monitor backup jobs | Backup center / vault jobs and alerts | Check job status and protected item health |
| Monitor ASR replication | Recovery Services vault replication health | Look at agent and replication status |
| Monitor security posture | Defender for Cloud | Recommendations, alerts, secure score |
| Track update compliance | Azure Update Manager | Assessment and deployment results |
| Troubleshoot Azure network path | Network Watcher / Connection Monitor | Especially useful for Azure networking dependencies |
KQL patterns to recognize
Table availability depends on the agent, DCR, workspace, and solution configuration.
Heartbeat
| where TimeGenerated > ago(1h)
| summarize LastHeartbeat=max(TimeGenerated) by Computer
| order by LastHeartbeat asc
Event
| where TimeGenerated > ago(24h)
| where EventLog == "System"
| where EventLevelName in ("Error", "Critical")
| summarize Count=count() by Computer, Source, EventID
| order by Count desc
Perf
| where TimeGenerated > ago(1h)
| where ObjectName == "LogicalDisk"
| where CounterName == "% Free Space"
| summarize LatestFreePercent=arg_max(TimeGenerated, CounterValue) by Computer, InstanceName
Update
| where TimeGenerated > ago(7d)
| summarize Updates=count() by Computer, Classification
Alert design checklist
| Check | Why it matters |
|---|
| Correct target scope | Alerts scoped too narrowly miss servers |
| Correct signal type | Metrics, logs, activity logs, and service health are different |
| Action group configured | Alert without notification or automation may be useless |
| Evaluation frequency/window | Too short causes noise; too long delays response |
| Suppression/maintenance plan | Avoid false positives during planned patching |
| Runbook or remediation path | Candidates should connect alerts to action |
Troubleshooting Quick Reference
First-pass hybrid troubleshooting workflow
- Confirm identity and authorization: Azure RBAC, local admin rights, domain membership, managed identity/service principal.
- Confirm DNS and time: name resolution, DC locator, Kerberos time requirements.
- Confirm network path: firewall, proxy, routing, TLS inspection, NSG, Windows Defender Firewall.
- Confirm agent health: Arc, AMA, MARS, ASR mobility/provider, Defender onboarding.
- Confirm configuration scope: policy assignment, DCR association, backup policy, update schedule, vault registration.
- Check logs: Event Viewer, agent logs, Azure activity logs, Log Analytics, service-specific job history.
- Test with a minimal path: one server, one rule, one workspace/vault, one known event.
Symptom-to-check table
| Symptom | Check first | Useful direction |
|---|
| Server not visible in Azure as Arc-enabled | Connected Machine agent, outbound connectivity, proxy, resource group/RBAC | Reconnect or re-onboard after fixing connectivity/identity |
| Arc server visible but no logs | AMA installed, DCR associated, workspace target, data source configured | Install/repair AMA and apply DCR |
| Update assessment missing | Azure Update Manager eligibility, Arc/VM status, agent health | Trigger assessment after agent/connectivity fix |
| Defender recommendation not appearing | Defender for Cloud plan, agent/extension, scope, policy | Confirm subscription/workspace/server onboarding |
| Azure Backup job failing | MARS/MABS/extension health, vault credentials, VSS writers, network | Check job error and local event logs |
| ASR replication unhealthy | Mobility service/provider, process components, replication policy, network | Re-sync or repair agent after root cause |
| Domain join fails | DNS points to AD DS DNS, domain reachability, credentials, time | Test name resolution and DC locator |
| Kerberos/auth failures | Time skew, SPNs, duplicate names, secure channel | Use w32tm, setspn, nltest |
| Cluster resource fails over unexpectedly | Cluster logs, resource dependencies, storage/network health, witness | Validate cluster and inspect event logs |
| File migration permissions wrong | ACL translation, local users/groups, domain trust, SID history/mapping | Re-run validation before cutover |
| Slow Azure VM domain logon | AD Sites and Services subnets, DNS, DC placement | Add correct subnets and local DC/DNS path |
Command reference
## AD DS health
dcdiag /v
repadmin /replsummary
nltest /dsgetdc:contoso.com
w32tm /query /status
Test-ComputerSecureChannel
## Network tests
Test-NetConnection dc01.contoso.com -Port 53
Test-NetConnection server01.contoso.com -Port 5985
Resolve-DnsName _ldap._tcp.dc._msdcs.contoso.com
## Azure Arc agent
azcmagent show
azcmagent check
azcmagent logs
## Cluster checks
Get-ClusterNode
Get-ClusterGroup
Get-ClusterResource
Get-ClusterQuorum
## Backup / VSS checks
vssadmin list writers
wbadmin get status
High-Yield Exam Distinctions
| Distinction | Remember |
|---|
| Azure Backup vs Azure Site Recovery | Backup restores recovery points; ASR orchestrates workload failover |
| Failover clustering vs ASR | Clustering is HA; ASR is DR/failover orchestration |
| Storage Replica vs DFS Replication | Storage Replica is block-level volume replication; DFSR is file-level replication |
| Azure Arc vs Azure Migrate | Arc manages existing machines; Azure Migrate moves/assesses workloads |
| Azure Monitor Agent vs Log Analytics workspace | Agent collects; workspace stores/query logs; DCR defines collection |
| Defender Antivirus vs Defender for Cloud | Antivirus protects endpoint; Defender for Cloud assesses and protects cloud/hybrid posture |
| NSG vs Windows Defender Firewall | NSG filters Azure network traffic; host firewall filters inside the OS |
| Microsoft Entra ID vs AD DS | Entra ID is cloud identity; AD DS provides domain services, Kerberos, GPO, LDAP |
| Cloud witness vs backup | Witness participates in quorum; it stores no protected workload data |
| Test failover vs planned failover | Test failover validates DR without production cutover; planned failover is controlled production move |
| Azure File Sync vs Storage Migration Service | File Sync supports ongoing sync/cache; SMS is migration/cutover focused |
| WAC vs Azure portal | WAC manages Windows Server directly; Azure portal manages Azure resources and Arc projections |
Final Review Checklist
Before sitting for AZ-802, make sure you can quickly answer:
- Which service manages non-Azure Windows Servers through Azure Resource Manager?
- Which component controls Azure Monitor Agent data collection?
- When would you choose Azure Backup instead of Azure Site Recovery?
- How do quorum and witness settings prevent split-brain in a cluster?
- Which tool migrates file servers while preserving shares and ACLs?
- How do you validate a cluster before creating it?
- What breaks domain join for Azure VMs most often?
- How do you troubleshoot Arc, AMA, backup, and ASR agent health?
- How do AD DS, Microsoft Entra ID, and Microsoft Entra Domain Services differ?
- What should be tested before a real DR failover?
Next step: convert the decision tables into scenario flashcards, then complete timed AZ-802 practice questions that force you to choose the correct Microsoft service, agent, policy, or recovery pattern from a short business requirement.