AZ-800 Administering Windows Server Hybrid Core Infrastructure Questions and Answers

The Administering Windows Server Hybrid Core Infrastructure materials explain that Azure AD Password Protection for on-premises AD uses two components: the DC agent and the proxy service. The DC agent is installed on every domain controller because it “intercepts password set/change operations locally on the DC and evaluates them against the forbidden-password policy.” The guidance further states that to ensure consistent enforcement “the DC agent should be deployed to all DCs in the forest, since password changes may occur on any DC.” The proxy service is installed on member servers (not necessarily DCs) and “relays policy downloads and telemetry to Azure AD on behalf of DCs,” which satisfies environments where “domain controllers must not directly contact Internet endpoints.” Finally, configuration of the global and custom banned password lists is performed in Azure AD, where administrators “define tenant-wide custom banned terms; DCs obtain the policy via the proxy and cache it for local enforcement.”

Given Fabrikam’s requirement to prevent DCs from accessing the Internet, the proxy must run on non-DC servers (VM1 and VM2). To guarantee enforcement wherever a password is changed, the DC agent must be on all domain controllers. The custom banned password list is configured in the Azure AD tenant and then distributed to on-premises DCs via the proxy.

In the Administering Windows Server Hybrid Core Infrastructure guidance for extending AD DS into Azure, Microsoft states that when you place a domain controller in an Azure virtual network you must run DNS on that domain controller and point the VNet to that DNS server: “Domain controllers in Azure IaaS should host the AD-integrated DNS zone, and the virtual network’s DNS server setting must reference those DC/DNS IPs so Azure VMs use AD DNS rather than the Azure-provided resolver.” The materials also emphasize that Azure’s default DNS cannot host or manage AD DS zones, so custom DNS is required for domain-joined workloads. Therefore, to meet the requirement you (1) install the DNS Server role on DC3 so it can host the corp.fabrikam.com AD-integrated zone (F), and (2) configure the DNS Servers setting on Vnet1 to the IP of DC3 (and any additional DCs), ensuring all Azure VMs in Vnet1 resolve the domain via AD DNS (D). Creating a public Azure DNS zone or a Private DNS zone with the same AD name is not appropriate for AD-integrated name resolution. This design also supports the security requirement of preventing domain controllers from relying on Internet-facing resolvers.

In Administering Windows Server Hybrid Core Infrastructure, Microsoft states that high availability for DHCP on Windows Server is achieved by using DHCP failover rather than the legacy split-scope (80/20) model. The guidance explains that DHCP failover “synchronizes lease data between two DHCP servers and can be configured in Load Balance or Hot Standby mode on a per-scope basis,” and that you enable it on each DHCP scope to create a partner relationship that automatically replicates scope configuration and active leases. This meets the requirement to keep address assignment available if one DHCP server is down.

The same materials further note that DHCP broadcasts do not traverse routers; therefore, when the partner server is reachable across a routed boundary (another site/subnet), you must configure the router as a DHCP relay (IP helper) to forward DHCPDISCOVER messages to the remote DHCP server(s). The text emphasizes: “When clients and DHCP servers are on different subnets, configure a relay agent on the router to forward requests to the DHCP server IP addresses.”

Applying this to Fabrikam: create DHCP failover between DHCP1 (Scope1) and DHCP2 (Scope2) (E) and configure the routers in New York and Seattle as DHCP relays that forward to both DHCP servers (B). You do not use Failover Clustering for DHCP here, and you do not create extra 25% scopes; those are split-scope practices superseded by DHCP failover.

In the Administering Windows Server Hybrid Core Infrastructure materials (hybrid security and IaaS management), Just-In-Time (JIT) VM access from Microsoft Defender for Cloud is the prescribed way to require approval-based, time-bound Remote Desktop access to Azure VMs. The guide explains that JIT “locks down inbound traffic to management ports (for example, TCP/3389) and opens them only on request, for a limited time and only from approved source IPs.” Administrators request access; upon approval, Defender for Cloud creates a temporary NSG rule that expires automatically—you specify the maximum allowed window (e.g., 2 hours) and the ports. This matches the requirement: “Ensure that server administrators request approval before they can establish a Remote Desktop connection to an Azure virtual machine. If the request is approved, the connection must be established within two hours.” Alternatives don’t meet this: PIM governs Azure roles, not VM RDP port exposure; Azure Bastion provides secure RDP/SSH over TLS without public IPs but doesn’t provide approval/time-boxed gating; the Remote Desktop extension is for classic Cloud Services and not for policy-driven approval windows. JIT is the least-privilege, policy-enforced solution aligned with the exam’s hybrid security objectives.

In Azure File Sync architecture (covered in Administering Windows Server Hybrid Core Infrastructure under “Implement and manage storage solutions”), the fundamental design points are:

Sync group – “A sync group defines a sync topology. Each sync group contains exactly one cloud endpoint (an Azure file share) and one or more server endpoints.” A server endpoint is a folder on a registered Windows Server. A server can participate in multiple sync groups so long as the server endpoints are different paths.

Storage Sync Service – “The Storage Sync Service is the top-level resource that maintains server registrations and houses your sync groups.” A Windows Server registers to one Storage Sync Service at a time, and that service can contain many sync groups and many servers.

Applying these rules to the requirement:

You have three Azure file shares: newyorkfiles, seattlefiles, and companyfiles. Because each sync group maps to one cloud endpoint, you need one sync group per share ⇒ 3 sync groups.

FS1 must sync with newyorkfiles and companyfiles; FS2 must sync with seattlefiles and companyfiles. Since one Storage Sync Service can host multiple sync groups and multiple servers, and a server must be registered to a single service, the most efficient design is a single Storage Sync Service containing all three sync groups and both servers.

The exam materials for Administering Windows Server Hybrid Core Infrastructure explain that when replacing private WAN links with Azure, Azure Virtual WAN (vWAN) can be used to centralize connectivity. For private connectivity, ExpressRoute integrates directly with a vWAN hub by deploying an ExpressRoute gateway in the hub. The gateway is the Azure resource that terminates ExpressRoute and enables hub-and-spoke routing to connected VNets (such as Vnet1). The guides emphasize: “In a Virtual WAN hub, use the ExpressRoute gateway to connect ExpressRoute circuits and propagate routes across the hub to your virtual networks.”

On-premises, each site (New York and Seattle) requires an ExpressRoute circuit connection provisioned via a connectivity provider. The circuit is the dedicated private connection from the customer edge to Microsoft’s edge and is what the office sites actually use; it’s then linked to the vWAN hub’s ExpressRoute gateway. The same materials note that Site-to-Site VPN is an alternative transport but is not required when ExpressRoute is mandated. Likewise, Application Gateway is a Layer-7 load balancer for HTTP/S traffic, and on-premises data gateway relates to Power BI/Power Platform hybrid connectivity, neither of which establishes network transport between offices and Azure.

Therefore, to meet the requirement “connect both on-premises offices to Vnet1 by using ExpressRoute,” configure an ExpressRoute gateway on the vWAN hub and ExpressRoute circuit connections in the offices.

One possible solution to register SRV1 to sync Azure file shares using the 34646045 Storage Sync Service is to use the Register-AzStorageSyncServer cmdlet from the Az.StorageSync module. This cmdlet establishes a trust relationship between the server and the Storage Sync Service, which is required for creating server endpoints and syncing files. Here are the steps to register SRV1 using the cmdlet:

On SRV1, open PowerShell as an administrator and run the following command to install the Az.StorageSync module if it is not already installed:

Install-Module -Name Az.StorageSync

Run the following command to import the Az.StorageSync module:

Import-Module -Name Az.StorageSync

Run the following command to sign in to your Azure account and select the subscription that contains the 34646045 Storage Sync Service:

Connect-AzAccount

Select-AzSubscription -SubscriptionId

Run the following command to register SRV1 with the 34646045 Storage Sync Service. You need to specify the resource group name and the Storage Sync Service name as parameters:

Register-AzStorageSyncServer -ResourceGroupName -StorageSyncServiceName 34646045

Wait for the registration to complete. You can verify the registration status by checking the Registered servers tab on the Azure portal or by running the following command:

Get-AzStorageSyncServer -ResourceGroupName -StorageSyncServiceName 34646045

Now, SRV1 is registered with the 34646045 Storage Sync Service and ready to sync Azure file shares. You can create server endpoints on SRV1 and cloud endpoints on the Azure file shares to define the sync topology.

The exam content for Group Policy processing stresses User Group Policy loopback processing for session hosts (RDS/AVD): “In environments like Remote Desktop Session Host (or Azure Virtual Desktop), enable loopback processing on the OU that contains the session host computers so that user settings from that GPO apply when users log on to those computers, regardless of the user’s own OU.” The requirement states: “Apply GPO4 to the Azure Virtual Desktop session hosts. Ensure that Azure Virtual Desktop user sessions lock after being idle for 10 minutes. Users must be able to control the lockout time manually from their client computer.” The idle-lock is a user configuration setting that must apply when users sign in to the session hosts, not to their personal devices. Therefore, enable loopback processing (Merge/Replace) in GPO4, which is linked to the VirtualDesktops OU containing the session hosts. Using security filtering or Enforced cannot make user settings in GPO4 override the user’s own OU without loopback. Loopback ensures the AVD hosts impose the 10-minute lock for sessions, while leaving users free to set their own client device policies independently—fulfilling least-impact design.

Within the hybrid governance section of Administering Windows Server Hybrid Core Infrastructure, Microsoft specifies that Azure Arc–enabled servers are the mechanism to bring on-premises and multi-cloud servers under Azure control to apply Azure Policy (Guest Configuration) and Defender for Servers. The prerequisite is installing the Azure Connected Machine agent (Azure Arc agent) on each server: “To manage servers with Azure Policy and configuration management, install the Connected Machine agent to onboard them to Azure Arc; once connected, you can assign Azure Policy guest configuration and monitor compliance just like Azure VMs.” Hybrid Azure AD Join is unrelated to Azure Policy assignment; the Azure Monitor agent provides telemetry but does not onboard to Arc for policy governance; a hybrid runbook worker is for Automation runbooks, not for enforcing Azure Policy. Therefore, to “use Azure Policy to enforce configuration management policies on the servers in Azure and on-premises,” deploy the Azure Connected Machine agent to all servers to Arc-enable them and then assign the desired policies.

In the Administering Windows Server Hybrid Core Infrastructure materials (AZ-800), Microsoft explains that Group Managed Service Accounts (gMSAs) are designed for services running on multiple servers and “provide automatic password management, simplified SPN management, and the ability to delegate the management to other administrators.” The guidance further states that before you can create any gMSA, “the domain must have a KDS root key so that the Key Distribution Service can generate and rotate strong, unique passwords for gMSAs on a schedule.” After the KDS root key is created, “use New-ADServiceAccount to create the gMSA and grant the computers (e.g., web servers) permission to retrieve the account password.” For IIS, the course notes specify that a gMSA can be used for app pools: “Configure the IIS application pool identity to a custom account and specify the gMSA name (ending with ‘$’) without a password; the password is managed automatically by AD and rotates by policy (for example, every 30 days).”

Mapping these requirements to the scenario: Webapp1 runs on WEB1 and WEB2 and must use the same service account with an automatic 30-day password change. Therefore, the correct sequence is: create the KDS root key, create the gMSA, and then set the IIS application pool to run under that account. This fulfills the security requirement while allowing both web servers to share the same, automatically-rotated credentials.

One possible solution to configure SRV1 as a DNS server that can resolve names from the contoso.com domain by using DC1 and all other names by using the root hint servers is to use conditional forwarding. Conditional forwarding allows a DNS server to forward queries for a specific domain name to another DNS server, while using the normal forwarding or root hint servers for other queries. Here are the steps to configure conditional forwarding on SRV1:

On SRV1, open DNS Manager from the Administrative Tools menu or by typing dnsmgmt.msc in the Run box.

In the left pane, right-click on Conditional Forwarders and select New Conditional Forwarder.

In the New Conditional Forwarder dialog box, enter contoso.com as the DNS Domain name.

In the IP addresses of the master servers box, enter the IP address of DC1, which is the DNS server for the contoso.com domain. You can also click on Resolve to verify the name resolution of DC1.

Optionally, you can check the box Store this conditional forwarder in Active Directory, and replicate it as follows if you want to store and replicate the conditional forwarder in AD DS. You can also select the replication scope from the drop-down list.

Click OK to create the conditional forwarder.

Now, SRV1 will forward any queries for the contoso.com domain to DC1, and use the root hint servers for any other queries. You can test the name resolution by using the nslookup command on SRV1 or another computer that uses SRV1 as its DNS server. For example, you can run the following commands:

nslookup www.contoso.com

nslookup www.microsoft.com

The first command should return the IP address of www.contoso.com from DC1, and the second command should return the IP address of www.microsoft.com from a root hint server.

One possible solution to ensure that a DHCP scope named scope1 on SRV1 can service client requests is to activate the scope on the DHCP server. A scope must be activated before it can assign IP addresses to DHCP clients. To activate a DHCP scope on SRV1, perform the following steps:

On SRV1, open DNS Manager from the Administrative Tools menu or by typing dnsmgmt.msc in the Run box.

In the left pane, expand your DHCP server and click on IPv4.

In the right pane, right-click on the scope that you want to activate, such as scope1, and select Activate.

Wait for the scope to be activated. You can verify the activation status by checking the icon next to the scope name. A green arrow indicates that the scope is active, while a red arrow indicates that the scope is inactive.

Now, the DHCP scope named scope1 on SRV1 can service client requests and lease IP addresses to DHCP clients. You can test the DHCP service by using the ipconfig /renew command on a DHCP client computer that is connected to the same subnet as the scope.

To meet the requirement that VM3 be configured for per-folder quotas, the Windows Server file services module directs you to install File Server Resource Manager (FSRM). The course content explains: “FSRM provides quota management, file screening, and storage reporting. Quotas can be applied to volumes and to specific folders, enabling administrators to control the space consumed.” None of the other features listed deliver folder-level quota capability: Enhanced Storage and Windows Standards-Based Storage Management relate to storage management/SMI-S, and iSNS Server concerns iSCSI discovery services. Therefore, the first step is to install FSRM on VM3; after installation, you can create per-folder quota templates and assignments to enforce the desired limits.

The Administering Windows Server Hybrid Core Infrastructure content notes that Microsoft Entra Connect cloud sync uses lightweight agents and supports synchronizing specific OUs from multiple forests into a single tenant. The guide highlights that cloud sync “is designed for multi-forest or cross-organization scenarios and allows scoping to selected OUs and groups,” enabling granular onboarding of just the identities you need. The requirement says “the users in the Marketing OU (in Fabrikam’s forest) must have access to storage1.” Granting access to Azure Files using Entra-based authorization requires that those users exist in the same Entra tenant. Cloud sync enables importing only the Fabrikam Marketing OU into A. Datum’s tenant without establishing full trust for all users. Azure AD Connect in active or staging mode would target the A. Datum forest and isn’t intended for selectively bringing in a separate partner forest OU; AD FS is a federation solution and does not create tenant objects for ACLs on Azure resources like Azure Files. Therefore, implement Microsoft Entra Connect cloud sync and scope it to the Marketing OU to meet the requirement.

The exam materials state that Azure Automation runbooks can be authored in PowerShell and Python (along with Graphical and PowerShell Workflow where noted). The module on “Automate management in hybrid environments” specifies: “Runbooks support PowerShell for Windows-based automation and Python for cross-platform scenarios.” It further explains that these languages integrate with Automation Accounts, modules/packages, credentials, and managed identities to run tasks on Azure or hybrid resources through the Hybrid Runbook Worker. Languages such as Java, JavaScript, or Bicep are not runbook languages (Bicep is used for ARM template deployments, not runbook execution). Accordingly, Task1 can be implemented in PowerShell and Python.

Comprehensive and Detailed Explanation with all Administering Windows Server Hybrid Core Infrastructure documents: =

In the Administering Windows Server Hybrid Core Infrastructure study materials, Automanage for Azure VMs is described as a service that “onboards supported Azure virtual machines into a curated set of best-practice services automatically.” The guide notes that Automanage supports Azure IaaS VMs running Windows Server (2012 R2 and later) and common Linux distributions (for example Ubuntu/RHEL), while unsupported operating systems such as Windows client SKUs or older Windows Server releases are excluded. The same content emphasizes that Automanage targets “only supported Azure VMs” and does not extend to machines that don’t meet OS prerequisites.

Given the scenario, Server1 (supported Linux server) and Server2 (supported Windows Server) meet Automanage prerequisites, whereas the remaining Azure VMs are not in the supported matrix (client OS or an older/unsupported server release). Therefore, enabling Automanage on Server1 and Server2 only satisfies the technical requirement to “use Azure Automanage on all supported Azure virtual machines.”

The exam materials explain that to add a new domain controller to an existing AD DS forest in Azure, you deploy a Windows Server IaaS VM and then promote it: “To extend on-premises AD DS into Azure, provision a Windows Server VM in Azure and run AD DS to create an additional domain controller for the existing domain.” Conversely, Azure Active Directory Domain Services (Azure AD DS) provides a managed domain that is separate from and not writable by your on-premises administrators—you “do not get domain admin rights or access to DCs”—so it cannot be used to add a DC (dc3.corp.fabrikam.com) to the existing corp.fabrikam.com forest. Azure AD Application Proxy and Azure AD administrative units are unrelated to deploying DCs. Therefore, the correct implementation is to deploy an Azure virtual machine in Vnet1, install AD DS/DNS, and promote it to become DC3 in the existing domain.

One possible solution to ensure that the Azure file share named share1 can sync to on-premises servers is to use Azure File Sync. Azure File Sync allows you to centralize your file shares in Azure Files without giving up the flexibility, performance, and compatibility of an on-premises file server. It does this by transforming your Windows Servers into a quick cache of your Azure file share. You can use any protocol available on Windows Server to access your data locally (including SMB, NFS, and FTPS) and you can have as many caches as you need across the world1.

Here are the steps to configure Azure File Sync for the Azure file share named share1 and the source files located in a folder named \dc1.contoso.com\install:

On the Azure portal, create a Storage Sync Service in the same region as your storage account that contains the Azure file share named share1. For more information on how to create a Storage Sync Service, see How to deploy Azure File Sync.

On the on-premises server that hosts the folder named \dc1.contoso.com\install, install the Azure File Sync agent. For more information on how to install the Azure File Sync agent, see Install the Azure File Sync agent.

On the on-premises server, register the server with the Storage Sync Service that you created in the first step. For more information on how to register a server with a Storage Sync Service, see Register/unregister a server with Storage Sync Service.

On the Azure portal, create a sync group that defines the sync topology for a set of files. In the sync group, select the Azure file share named share1 as the cloud endpoint and the folder named \dc1.contoso.com\install as the server endpoint. For more information on how to create a sync group, see Create a sync group and a cloud endpoint and Create a server endpoint.

Wait for the initial sync to complete. You can monitor the sync progress on the Azure portal or on the on-premises server. For more information on how to monitor sync progress, see [Monitor sync progress].

Once the initial sync is complete, you can add more on-premises servers to the same sync group to sync and cache the content locally. You can also enable cloud tiering to optimize the storage space on the on-premises servers by tiering infrequently accessed or older files to Azure Files.

According to the Administering Windows Server Hybrid Core Infrastructure (AZ-800) exam study materials, Azure DNS Private Resolver allows bidirectional name resolution between on-premises environments and Azure private DNS zones. The Private DNS Resolver consists of inbound endpoints (to resolve queries from on-premises to Azure) and outbound endpoints (to resolve queries from Azure to on-premises DNS servers). For name resolution to work, private DNS zones must be linked to the virtual network associated with the resolver’s hub network.

In this scenario, the planned configuration specifies:

A Private DNS Resolver named Private1 created in the West US region and linked to VNet1.

An inbound endpoint in SubnetB.

The requirement is to identify which private DNS zones will be available for name resolution through this resolver.

From the details given, only Zone1.com and Zone2.com are linked to VNet1, allowing them to participate in name resolution using the resolver. Zone3.com is not linked to VNet1 (either unlinked or linked to another virtual network), and therefore it cannot be resolved through the DNS Resolver in VNet1.

As emphasized in Microsoft’s hybrid infrastructure documentation:

“Private DNS zones must be linked to the same virtual network that contains the Private DNS Resolver or to peered virtual networks for name resolution to succeed.”

Hence, only Zone1.com and Zone2.com are available for name resolution through the Private DNS Resolver.

✅ Correct Answer: C. Zone1.com and Zone2.com only

The AZ-800 materials explain that enabling Microsoft Entra (Azure AD) sign-in to Windows Server running as an Azure VM is done by deploying the Azure AD Login for Windows VM extension. The study guide states that “for Azure VMs, Microsoft Entra sign-in is enabled by installing the AADLoginForWindows extension; once installed, Entra users and groups granted ‘Virtual Machine User/Login’ roles can sign in using Entra credentials.” The required operation is performed from Azure PowerShell with Set-AzVMExtension, providing the publisher Microsoft.Azure.ActiveDirectory, type AADLoginForWindows, and the target VM. Other options are not applicable: Set-AzVM changes VM properties but does not install extensions; New-ADComputer and Add-ADComputerServiceAccount are AD DS cmdlets unrelated to enabling Entra login on an Azure VM. Therefore, to meet the plan “Enable Microsoft Entra users to sign in to Server1,” you must run Set-AzVMExtension to install the AAD Login extension on Server1.

Disk1 (three-way mirror): 2 disks; Disk2 (parity): 1 disk

\In the Administering Windows Server Hybrid Core Infrastructure materials on Storage Spaces resiliency, Microsoft describes how each resiliency type determines simultaneous disk-failure tolerance. The guide explains that mirror spaces keep multiple copies of data: “Two-way mirror writes two copies and can sustain a single disk failure; three-way mirror writes three copies and can sustain the loss of any two disks without data loss.” It also differentiates parity spaces, which stripe data with parity information: “Parity provides capacity efficiency comparable to RAID-5 and tolerates a single disk failure (use dual parity to withstand two failures).”

Applying these to SSPace1:

Disk1 uses a three-way mirror across eight physical disks. By definition, a three-way mirror survives two concurrent disk failures and remains online, satisfying the “always available” requirement.

Disk2 is configured as parity across twelve physical disks. Standard parity (single parity) is equivalent to RAID-5 and survives one disk failure; only dual parity would allow two, but the configuration provided specifies parity (not dual parity).

Therefore, the maximum simultaneous physical disk failures while maintaining availability are 2 for Disk1 and 1 for Disk2.

In the Windows Server DNS planning guidance from Administering Windows Server Hybrid Core Infrastructure, forwarders can be used to centralize name resolution through a designated DNS server. The guide states that a DNS server can be configured to “forward queries it cannot resolve to one or more upstream DNS servers” and that this is often used to “centralize Internet and internal namespace resolution through an authoritative hub server.” In this scenario, Server1 hosts the contoso.local parent zone and already contains delegations to east.contoso.local and west.contoso.local. If Server2 and Server3 are set to forward unresolved queries to 10.0.1.10 (Server1), they will resolve:

• Internal names—Server1 is authoritative for the parent and, through delegations, can refer requests to the appropriate child-zone servers.

• Internet names—Server1 uses root hints and can resolve external hosts, with Server2/Server3 receiving the answers via forwarding.

The study materials emphasize: “Delegations enable a parent zone to direct queries to child zones,” and “forwarders do not break authority—authoritative data is answered locally; only unresolved names are forwarded.” Thus, configuring Server2 and Server3 to forward to Server1 satisfies the requirement that all DNS servers resolve all internal namespaces and Internet hosts, while keeping the design simple and consistent with DNS best practices.

 Two-way mirror: 2

 Three-way mirror: 5

In the Administering Windows Server Hybrid Core Infrastructure materials, the Storage Spaces guidance explains that mirror layouts keep multiple copies of each slab of data across different physical drives in a pool. A two-way mirror maintains two copies, so the pool must contain at least two physical disks to place each copy on a separate disk. This provides protection from a single disk failure with continuous availability. For higher resiliency, a three-way mirror maintains three copies of every write. The Windows Server implementation requires a minimum of five physical disks in the pool to create a three-way mirror virtual disk. The extra drives beyond the three copies are needed to satisfy the layout/columning rules used by Storage Spaces for performance striping and to ensure there is sufficient distribution to sustain a failure and still have capacity and parallelism for repair operations. The curriculum emphasizes that mirror spaces are recommended for workloads needing fast writes and quick recovery, while parity spaces trade performance for capacity efficiency. Therefore, when planning a JBOD-backed storage pool on a single Windows Server, you must allocate at least 2 disks for a two-way mirror and at least 5 disks for a three-way mirror to meet the platform’s resiliency and layout requirements.

In Administering Windows Server Hybrid Core Infrastructure, the operations that affect forest-wide naming contexts are tied to specific FSMO roles. The material explains that AD DS contains five FSMO roles—Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master—and each governs a unique set of authoritative changes. The course notes state:

“The Domain Naming Master is responsible for all changes to the forest namespace. This includes adding and removing domains and application directory partitions (also called application naming contexts). Because these operations change the forest-wide naming structure, the Domain Naming Master must be online and reachable to perform them.”

It further emphasizes:

“Creation or deletion of application partitions is a forest-scoped operation. Only the Domain Naming Master can process these updates to ensure single-master consistency of the forest’s name context metadata.”

By contrast, the Schema Master controls schema updates, the RID Master allocates RID pools, the PDC Emulator provides time sync and password update precedence, and the Infrastructure Master maintains cross-domain reference updates. None of these roles can substitute for the Domain Naming Master when creating application partitions. Therefore, if DC1 (which holds the Domain naming master role) fails, you cannot create new application partitions until that role holder is restored or the role is transferred/seized to another domain controller.

No

Yes

Yes

In Administering Windows Server Hybrid Core Infrastructure, Microsoft states that the domain password policy for domain user accounts is determined by the GPO that wins at the domain root (commonly the Default Domain Policy). GPOs linked to OUs do not change the domain password policy for user accounts in those OUs; they only affect local accounts on computers within those OUs unless Fine-Grained Password Policies (PSOs) are used and scoped to users/groups. The case shows Default Domain Policy in contoso.com sets Minimum password length = 10. Therefore, both Admin1 (a domain user in Contoso\OU1) and User1 (in Contoso\OU3) fall under the 10-character minimum; the OU-linked GPO1 (14) does not override the domain password policy for their domain accounts → Admin1: No, User1: Yes.

For member servers and local accounts, the documentation explains that password policy settings in a GPO linked to the OU containing the computer apply to that computer’s local Security Accounts Manager (SAM). In the scenario, Server1 resides in Member Servers and GPO2 linked to Member Servers specifies Minimum password length = 8. Thus, when Admin1 creates a local account on Server1, the enforced minimum is 8 characters → Yes. This approach follows least privilege and standard precedence: domain-level for domain accounts, OU-linked GPOs for local accounts, unless PSOs are explicitly defined.

In the AZ-800 “Administering Windows Server Hybrid Core Infrastructure” objectives for Active Directory, server promotion is governed by forest/domain administrative roles. The materials state that promoting a member server to a domain controller in a given domain requires membership in either the Enterprise Admins group or the Domain Admins group of the target domain. The Configuration and Domain naming contexts that DCPromo touches (NTDS settings, SYSVOL/DFS-R readiness, DC computer account, and associated service SPNs) are protected so that “Enterprise Admins have full rights forest-wide, and Domain Admins have full rights within their respective domain.”

In this case, the requirement is to promote Server1 to a domain controller in canada.contoso.com. From the identities table:

Contoso\Admin1 is a member of Enterprise Admins (forest-wide authority).

Canada\Admin3 is a member of Canada\Domain Admins (authority within canada.contoso.com).

Contoso\Admin2 is Domain Admins (contoso.com) only, which does not grant administrative authority in the canada.contoso.com child domain.

Therefore, the users who can currently perform the required task for Server1 are Admin1 and Admin3.

The AZ-800 content covering Active Directory Sites and Services clarifies that site, subnet, and site-link objects live in the Configuration partition. The guides emphasize that administration of the Configuration naming context is restricted to Enterprise Admins and to Domain Admins of the forest-root domain. In the context of changing replication topology parameters—such as editing the replication schedule on site links—the documentation notes: “Only Enterprise Admins or administrators in the forest-root Domain Admins group have default permissions to modify site and site-link objects,” because these objects affect replication forest-wide.

Applying this to the scenario:

Contoso\Admin1 (Enterprise Admins) has forest-wide rights to modify site links.

Contoso\Admin2 (Domain Admins in contoso.com, the forest-root domain) also has the required rights to change site-link schedules.

Canada\Admin3 (Domain Admins in canada.contoso.com) does not have default permissions in the Configuration partition for forest-wide site-link administration.

Thus, to meet the technical requirement to change all site links to a 30-minute schedule, the users who can perform the task are Admin1 and Admin2.

In Windows Server AD DS, group scope determines which groups/accounts can be members. The AZ-800 study materials summarize: “Domain Local groups can include accounts, Global groups, and Universal groups from any domain and Domain Local groups from the same domain only. Global groups can include accounts and other Global groups from the same domain only. Universal groups can include *accounts, Global groups, and Universal groups from any domain.” In addition, distribution vs. security does not change the scope membership rules; it only affects whether the group can be assigned permissions.

Applying the rules: Group3 is a Domain Local security group in contoso.com. Therefore it can contain Universal (Group1), Global from any domain (Group2 in contoso.com and Group4/Group5 in canada.contoso.com), but cannot contain a Domain Local from another domain (Group6 in canada.contoso.com). Hence: Group1, Group2, Group4, and Group5 only.

Group5 is a Global distribution group in canada.contoso.com. A Global group can only contain accounts or Global groups from the same domain. From the list, only Group4 (Global distribution, canada.contoso.com) fits. It cannot contain Group1 (Universal), Group2 (Global but different domain), or Group6 (Domain Local). Therefore: Group4 only.

In the Administering Windows Server Hybrid Core Infrastructure materials under Hyper-V management, Microsoft specifies that Enhanced Session Mode changes VMConnect from a raw console attach to a connection that uses Remote Desktop Protocol (RDP) to the guest. The guide states that Enhanced Session Mode “uses RDP to establish the VMConnect session so the user must supply credentials for a logon to the guest operating system,” and further that it “prevents a second administrator from inheriting an already signed-in console session” because the connection is treated as a new interactive sign-in. In contrast, the default basic console session “attaches directly to the active console without prompting for credentials,” which is exactly the current problem described for VM2.

The same objective area clarifies that other options do not meet the requirement: Guest Services integration only enables file copy and certain host-guest interactions; Credential Guard protects secrets inside Windows by isolating LSASS but does not affect Hyper-V console connection behavior; Shielded VMs provide fabric-level protections and encryption but are not required merely to force credential prompts for VMConnect.

Therefore, to force users to provide credentials when they connect to VM2 and to eliminate inherited console sessions, you should enable Enhanced Session Mode on the Hyper-V host (and ensure the guest supports RDP).

In the Windows Server Hybrid Core Infrastructure objectives for Active Directory group design, group scope and type determine valid membership and usage. The study guidance for group scopes states that a Domain Local group is used to assign permissions in its own domain and “can contain accounts, computer objects, global groups from any domain, and universal groups; it can also contain other domain local groups from the same domain only.” Security-type restrictions also apply: “Security groups can contain only security principals; distribution groups cannot be nested into security groups for access control.”

Applying these rules to Group3 (contoso.com Domain Local Security): it can accept security groups of compatible scopes. From the lists, Group1 (contoso.com Universal Security) and Group2 (contoso.com Global Security) are valid. Distribution groups (Group4, Group5, Group6) are not valid members of a security group used for authorization. Therefore, Group3 ⇒ Group1 and Group2 only.

For Group5 (canada.contoso.com Global Distribution), the scope rule for Global groups is: “Global groups can include user accounts and other global groups from the same domain only; they cannot include universal or domain local groups.” Hence, the only eligible group from the same domain and scope is Group4 (canada.contoso.com Global Distribution). Group6 is domain local (invalid), and cross-domain globals (Group2) are not permitted. Therefore, Group5 ⇒ Group4 only.

n the Administering Windows Server Hybrid Core Infrastructure guidance for managing AD DS, Microsoft emphasizes using OU-level delegation to satisfy administrative needs while adhering to the principle of least privilege. The documentation explains that the Delegate Control wizard on an OU lets you grant a user or group only the specific permissions required for common tasks, including “Modify the membership of a group”. This grants the write permission to the member attribute on group objects contained in that OU, without giving broader account-management rights across the domain.

By contrast, placing a user in Account Operators or Server Operators provides elevated, domain-wide capabilities far beyond what is required. Account Operators can create, delete, and modify many account types across the domain (except for protected admin accounts), which violates least-privilege for a task that only needs to change group membership in one OU. Server Operators is unrelated to group membership and is intended for server administration tasks. Creating a delegation at the domain root would similarly be excessive because it applies broadly to all containers and OUs.

Therefore, to meet the requirement “Ensure that User1 can manage the membership of all the groups in Contoso\OU3,” you should delegate control on OU3 and assign the built-in task “Modify the membership of a group” to User1, achieving the minimal permissions necessary.

In the Administering Windows Server Hybrid Core Infrastructure objectives for managing Hyper-V, enabling nested virtualization is the required step when you must “run virtual machines inside a virtual machine.” The referenced guidance states that Hyper-V on a VM is supported only when the host exposes hardware virtualization features to the guest. The prescriptive step is: “Turn off the VM and run Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true to enable nested virtualization.” The module further notes that this action “passes through Intel VT-x/AMD-V to the guest so the guest OS can install the Hyper-V role and create VMs.” It also clarifies that “the setting is applied on the parent host for the target VM and requires the VM to be powered off before the change is committed.”

Because the technical requirement says “Ensure that you can run virtual machines on VM1”, VM1 must be able to host Hyper-V while itself running as a VM on Server2. The first and essential cmdlet is therefore Set-VMProcessor with the -ExposeVirtualizationExtensions switch set to $true against VM1. Other optional settings (for example, MAC spoofing on the vNIC or static memory) may be configured later if needed, but exposing virtualization extensions is the enabling prerequisite that satisfies the requirement.

Server1 - Set-Item

Server4 - Enable-PSRemoting

In the Windows Server exam materials for Administering Windows Server Hybrid Core Infrastructure (AZ-800), Microsoft documents that Data Deduplication is supported only on data volumes and specifically on NTFS-formatted volumes, and it cannot be enabled on the system or boot volume. The study text states: “Data Deduplication is applied at the volume level and supports NTFS data volumes. You cannot enable deduplication on the system or boot volume.” It further clarifies unsupported targets: “ReFS volumes and FAT/exFAT volumes are not supported for Data Deduplication in general-purpose server scenarios,” and emphasizes that deduplication is “not available for the operating system volume.”

Applying these rules to VM3:

C: NTFS but it is the OS/system volume → not eligible.

D: NTFS data volume → eligible.

E: ReFS → not supported for general-purpose dedup in this context.

F: exFAT → not supported.

Therefore, the only volume on which you can enable Data Deduplication to meet the requirement is volume D.