[Microsoft] AZ-800 - Windows Server Hybrid Admin Assoc Exam Dumps & Study Guide
The Administering Windows Server Hybrid Core Infrastructure (AZ-800) is the premier certification for IT professionals who want to demonstrate their expertise in managing and securing Windows Server workloads across on-premises, hybrid, and cloud environments. As organizations increasingly adopt hybrid cloud models, the ability to build and manage robust, scalable, and secure infrastructures that bridge the gap between local data centers and Microsoft Azure has become a highly sought-after skill. The AZ-800 validates your core knowledge of Windows Server technologies, including identity, management, networking, and storage in a hybrid context. It is an essential milestone for any professional looking to lead in the age of modern hybrid administration.
Overview of the Exam
The AZ-800 exam is a rigorous assessment that covers the implementation and management of Windows Server hybrid core infrastructure. It is a 120-minute exam consisting of approximately 40-60 questions. The exam is designed to test your knowledge of Windows Server technologies and your ability to apply them to real-world hybrid scenarios. From identity and access management using Active Directory and Microsoft Entra ID to managing and monitoring Windows Server workloads, the AZ-800 ensures that you have the skills necessary to build and maintain modern hybrid environments. Achieving the AZ-800 certification proves that you are a highly skilled professional who can handle the technical demands of enterprise-grade hybrid administration.
Target Audience
The AZ-800 is intended for IT professionals who have a solid understanding of Windows Server and Microsoft Azure services. It is ideal for individuals in roles such as:
1. Windows Server Administrators
2. Hybrid Cloud Administrators
3. Systems Engineers
4. Network Administrators
To qualify for the Microsoft Certified: Windows Server Hybrid Administrator Associate certification, candidates must pass both the AZ-800 and the AZ-801 exams.
Key Topics Covered
The AZ-800 exam is organized into several main domains:
1. Deploy and Manage Active Directory Domain Services (AD DS) in On-Premises and Cloud Environments (30-35%): Implementing and managing identity solutions across hybrid environments.
2. Manage Windows Servers and Workloads in a Hybrid Environment (10-15%): Configuring and managing Windows Server workloads, including remote management.
3. Manage Virtual Machines and Containers (15-20%): Implementing and managing virtualized environments using Hyper-V and Azure VMs.
4. Implement and Manage an On-Premises and Hybrid Networking Infrastructure (15-20%): Designing and implementing hybrid networking solutions, including DNS and IP addressing.
5. Manage Storage and File Services (15-20%): Configuring and managing storage solutions, including Azure File Sync and Storage Spaces Direct.
Benefits of Getting Certified
Earning the AZ-800 certification provides several significant benefits. First, it offers industry recognition of your specialized expertise in Microsoft's hybrid infrastructure technologies. Because Microsoft is a leader in the hybrid cloud industry, these skills are in high demand across the globe. Second, it can lead to increased career opportunities and higher salary potential in a variety of roles. Third, it demonstrates your commitment to professional excellence and your dedication to staying current with the latest hybrid administration practices. By holding this certification, you join a global community of Microsoft professionals and gain access to exclusive resources and continuing education opportunities.
Why Choose NotJustExam.com for Your AZ-800 Prep?
The AZ-800 exam is challenging and requires a deep understanding of Windows Server's complex features in a hybrid context. NotJustExam.com is the best resource to help you master this material. Our platform offers an extensive bank of practice questions that are designed to mirror the actual exam’s format and difficulty.
What makes NotJustExam.com stand out is our focus on interactive logic and the accuracy of our explanations. We don’t just provide a list of questions; we provide a high-quality learning experience. Every question in our bank includes an in-depth, accurate explanation that helps you understand the technical reasoning behind the correct administration solutions. This ensures that you are truly learning the material and building the confidence needed to succeed on the exam. Our content is regularly updated to reflect the latest Microsoft features and exam updates. With NotJustExam.com, you can approach your AZ-800 exam with the assurance that comes from thorough, high-quality preparation. Start your journey toward becoming a Certified Hybrid Administrator today with us!
Free [Microsoft] AZ-800 - Windows Server Hybrid Admin Assoc Practice Questions Preview
-
Question 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.
You need to identify which server is the PDC emulator for the domain.
Solution: From Active Directory Domains and Trusts, you right-click Active Directory Domains and Trusts in the console tree, and then select Operations Master.
Does this meet the goal?
Correct Answer:
B
Explanation:
I agree with the suggested answer. The solution provided uses the Active Directory Domains and Trusts tool, which is not the correct tool for identifying the PDC emulator. The correct tool is Active Directory Users and Computers.
Reasoning:
The PDC emulator is one of the five Flexible Single Master Operations (FSMO) roles in an Active Directory domain. To identify the server holding the PDC emulator role, you should use the Active Directory Users and Computers (ADUC) console. Within ADUC, you right-click the domain, select "Operations Masters," and then click the "PDC" tab to view the server holding the PDC emulator role. Using Active Directory Domains and Trusts and selecting Operations Master displays the Domain Naming Master, not the PDC emulator.
- Steps to identify the PDC emulator:
  - Open Active Directory Users and Computers.
  - Right-click the domain name in the left pane.
  - Select "Operations Masters".
  - Click the "PDC" tab. The server listed is the PDC emulator.
Why other options are incorrect:
Option A (Yes) is incorrect because the Active Directory Domains and Trusts tool is not used to identify the PDC emulator. This tool is primarily used for managing domain trusts and functional levels.
Citations:
- How to Find the PDC Emulator, https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-active-directory-domains
- Using Ntdsutil.exe to seize or transfer FSMO roles to a domain controller, https://support.microsoft.com/en-us/topic/using-ntdsutil-exe-to-seize-or-transfer-fsmo-roles-to-a-domain-controller-b6f6bb69-d291-3479-efcc-955901f231c3
-
Question 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com.
You need to identify which server is the PDC emulator for the domain.
Solution: From a command prompt, you run netdom.exe query fsmo.
Does this meet the goal?
Correct Answer:
A
Explanation:
I agree with the suggested answer.
The command `netdom query fsmo` is the correct tool to identify the PDC emulator role holder within an Active Directory domain.
Reasoning:
- The `netdom query fsmo` command directly queries the domain and displays the roles held by different domain controllers, including the PDC emulator.
- This method is reliable and commonly used by administrators for this specific purpose.
Why other answers are incorrect:
- The alternative (No) is incorrect because the `netdom query fsmo` command *is* the proper way to identify the PDC emulator.
Using `netdom query fsmo` from a command prompt provides the required information to fulfill the goal.
-
Question 3
You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant.
You plan to implement self-service password reset (SSPR) in Azure AD.
You need to ensure that users who reset their passwords by using SSPR can use the new password to access resources in the AD DS domain.
What should you do?
- A. Deploy the Azure AD Password Protection proxy service to the on-premises network.
- B. Run the Microsoft Azure Active Directory Connect wizard and select Password writeback.
- C. Grant the Change password permission for the domain to the Azure AD Connect service account.
- D. Grant the impersonate a client after authentication user right to the Azure AD Connect service account.
Correct Answer:
B
Explanation:
I agree with the suggested answer B.
The correct answer is to run the Microsoft Azure Active Directory Connect wizard and select Password writeback.
Reason: Password writeback is the mechanism that allows password changes made in Azure AD (for example, via self-service password reset, SSPR) to be written back to your on-premises Active Directory Domain Services (AD DS) environment. This ensures that when a user resets their password using SSPR, the new password is also updated in their on-premises AD DS account, allowing them to use the same password for both cloud and on-premises resources.
Why other options are incorrect:
- A: Deploying the Azure AD Password Protection proxy service is used to prevent users from setting weak passwords in Active Directory. It doesn't enable password changes made in Azure AD to be written back to on-premises AD.
- C: Granting the "Change password" permission to the Azure AD Connect service account is necessary for password synchronization in general, but it doesn't specifically enable password writeback from Azure AD to on-premises AD.
- D: Granting the "Impersonate a client after authentication" user right to the Azure AD Connect service account is not directly related to password writeback functionality.
To enable password writeback, you need to run the Azure AD Connect wizard and specifically enable the "Password writeback" feature. This configures Azure AD Connect to securely write password changes back to your on-premises AD DS environment.
Therefore, the most appropriate answer is B.
Citations:
- Azure AD Connect: Password writeback, https://learn.microsoft.com/en-us/azure/active-directory/hybrid/connect/how-to-connect-password-writeback
-
Question 4
DRAG DROP -
You create a new Azure subscription.
You plan to deploy Azure Active Directory Domain Services (Azure AD DS) and Azure virtual machines.
You need to ensure that the virtual machines can join to Azure AD DS.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Correct Answer:
See interactive view.
Explanation:
I agree with the suggested answer.
The correct sequence of actions to ensure that Azure virtual machines can join Azure AD DS is as follows:
- Create a virtual network.
- Create an Azure AD DS instance.
- Modify the DNS server settings in the virtual network.
Reasoning:
- Step 1: Create a virtual network: Azure AD DS must be deployed into a virtual network. This network provides the communication channel between Azure AD DS and the virtual machines that will join the domain. A virtual network is a fundamental requirement for Azure AD DS.
- Step 2: Create an Azure AD DS instance: This step involves creating and configuring the managed domain service within the virtual network created in the first step. During the creation process, you specify the virtual network where Azure AD DS will be deployed.
- Step 3: Modify the DNS server settings in the virtual network/subnets: After Azure AD DS is deployed, you need to configure the virtual network's DNS settings to point to the Azure AD DS domain controllers. This allows the virtual machines to resolve the domain name and join the domain. This involves updating the DNS server settings of the virtual network to use the IP addresses of the Azure AD DS domain controllers.
Reasons for not choosing other orders:
- You cannot create an Azure AD DS instance without first having a virtual network where it can reside.
- Modifying DNS settings before creating the Azure AD DS instance is pointless because there are no Azure AD DS domain controllers to point to.
Citations:
- Tutorial: Create and configure an Azure Active Directory Domain Services instance, https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance
-
Question 5
HOTSPOT -
You have an Azure Active Directory Domain Services (Azure AD DS) domain.
You create a new user named Admin1.
You need Admin1 to deploy custom Group Policy settings to all the computers in the domain. The solution must use the principle of least privilege.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Correct Answer:
See interactive view.
Explanation:
I agree with the suggested answer.
The correct answer involves assigning the Admin1 user to the AAD DC Administrators group and creating a new GPO linked to the domain.
Reasoning:
- AAD DC Administrators: Adding Admin1 to the AAD DC Administrators group grants the necessary permissions to manage Group Policy within the Azure AD DS domain. This aligns with the principle of least privilege by providing only the required administrative rights.
- Create a new GPO linked to the domain: Creating a new Group Policy Object (GPO) allows for customized settings to be applied to the computers in the domain. Linking it to the domain ensures that the policy applies to all computers within the domain scope. This approach also avoids modifying the default Domain Controllers Policy, which is a best practice.
Why other options are incorrect:
- Modifying an existing computer GPO would not be the correct answer because that GPO is linked only to an OU, not to the domain, so its settings would not reach all the computers in the domain.
Suggested Answer Breakdown:
- AAD DC Administrators: Correct - Provides the necessary permissions.
- Create a new GPO linked to the domain: Correct - Enables custom policy deployment to all domain computers.
Citations:
- Manage Group Policy in Azure Active Directory Domain Services, https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy
- Create an organizational unit in Azure Active Directory Domain Services, https://docs.microsoft.com/en-us/azure/active-directory-domain-services/create-ou
-
Question 6
DRAG DROP -
Your network contains a single-domain Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains a single Active Directory site.
You plan to deploy a read-only domain controller (RODC) to a new datacenter on a server named Server1. A user named User1 is a member of the local Administrators group on Server1.
You need to recommend a deployment plan that meets the following requirements:
- Ensures that a user named User1 can perform the RODC installation on Server1
- Ensures that you can control the AD DS replication schedule to Server1
- Ensures that Server1 is in a new site named RemoteSite1
- Uses the principle of least privilege
Which three actions should you recommend performing in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Correct Answer:
See interactive view.
Explanation:
I agree with the suggested answer. The recommended steps address all requirements outlined in the question: ensuring User1 can perform the RODC installation with least privilege, controlling the AD DS replication schedule, and placing Server1 in a new site.
Here's a breakdown of the reasoning:
- Create a site and a subnet: This is the first step because it establishes the network topology for the RODC. Creating a new site (RemoteSite1) and associating the appropriate subnet with it allows for controlling replication traffic and schedule via site links. Without a defined site, you cannot effectively manage replication to the RODC.
- Pre-create an RODC account: Pre-staging the RODC account is crucial for delegation of permissions. It allows you to grant User1 the necessary rights to join the server to the domain without making them a Domain Admin, adhering to the principle of least privilege. You can specify the user who is allowed to attach the server to the prestaged account.
- Instruct User1 to run the Active Directory Domain Services Installation Wizard on Server1: After pre-staging the account and granting User1 the appropriate permissions, User1 can then use the AD DS Installation Wizard to complete the RODC installation, linking it to the pre-created account.
Why other options are less suitable:
- Adding User1 to the Domain Admins group: This violates the principle of least privilege. Granting User1 Domain Admin rights gives them far more access than necessary for simply installing an RODC.
- Running adprep /rodcprep: While `adprep /rodcprep` is necessary to prepare the forest for RODC deployment, it's a one-time operation per forest (or domain) and doesn't directly address the specific requirements of delegating the RODC installation to User1 or controlling the replication schedule to Server1. Furthermore, this step is usually performed by a Domain Admin or Enterprise Admin, which we are trying to avoid.
- Modifying the Password Replication Policy (PRP): While the PRP is important for RODC security, it's configured *after* the RODC account is pre-created and isn't directly involved in the initial delegation of installation rights. You need to pre-create the RODC account first before you can modify the PRP for that account.
In summary, the proposed sequence ensures that the RODC is deployed securely and efficiently, meeting all the stated requirements.
Therefore, the suggested answer is correct.
Citations:
- How to Install and Configure Read-Only Domain Controller (RODC) 2016, https://mehic.se/2018/01/02/how-to-install-and-configure-read-only-domain-controller-rodc-2016/
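The three recommended actions from Question 6, carried out with the RSAT PowerShell modules so the delegation can be verified. This is an added example, not part of the original page; it assumes the ActiveDirectory and ADDSDeployment modules on a management host, and the subnet, site-link schedule and group names are constructed values.

```powershell
# Added example (not from the original page): pre-stage an RODC for a delegated
# installer, following the three steps from Question 6. Run as a Domain Admin
# on a management host with RSAT (ActiveDirectory and ADDSDeployment modules).
# Constructed values: the subnet 10.20.0.0/24 and the replication frequency.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$Domain    = 'contoso.com'
$SiteName  = 'RemoteSite1'
$Subnet    = '10.20.0.0/24'        # constructed: the new datacenter's subnet
$Server    = 'Server1'
$Installer = 'CONTOSO\User1'       # local admin on Server1, NOT a Domain Admin

# Step 1: create the site and associate the subnet with it. Once Server1 sits
# in RemoteSite1, replication to it is governed by the site link schedule.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Subnet'")) {
    New-ADReplicationSubnet -Name $Subnet -Site $SiteName
}
# Put the new site on the default site link and set its schedule there;
# 180 minutes is a constructed example value.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{Add = $SiteName} -ReplicationFrequencyInMinutes 180

# Step 2: pre-create the RODC account and delegate the install to User1. This
# is the least-privilege part: User1 can attach Server1 to this account
# without ever holding Domain Admin rights. The Password Replication Policy
# can be tightened on the pre-staged account afterwards.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $Server `
    -DomainName $Domain `
    -SiteName $SiteName `
    -DelegatedAdministratorAccountName $Installer `
    -Force

# Step 3 is run by User1 on Server1 itself (shown as a comment, not executed):
#   Install-ADDSDomainController -DomainName contoso.com -UseExistingAccount `
#       -Credential (Get-Credential 'CONTOSO\User1') -SiteName RemoteSite1
# -UseExistingAccount attaches the server to the pre-staged RODC account.

# Verify the pre-staged object: ManagedBy should be User1 (the delegated
# administrator) and PrimaryGroupID 521 = Read-only Domain Controllers.
Get-ADComputer -Identity $Server -Properties ManagedBy, PrimaryGroupID |
    Select-Object Name, ManagedBy, PrimaryGroupID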
-
Question 7
Your network contains an Active Directory Domain Services (AD DS) domain. The network also contains 20 domain controllers, 100 member servers, and 100 client computers.
You have a Group Policy Object (GPO) named GPO1 that contains Group Policy preferences.
You plan to link GPO1 to the domain.
You need to ensure that the preferences in GPO1 apply only to domain member servers and NOT to domain controllers or client computers. All the other Group Policy settings in GPO1 must apply to all the computers. The solution must minimize administrative effort.
Which type of item-level targeting should you use?
- A. Domain
- B. Operating System
- C. Security Group
- D. Environment Variable
Correct Answer:
B
Explanation:
I disagree with the suggested answer of B. The recommended answer is C. Security Group.
Reasoning:
The question requires that the Group Policy preferences in GPO1 apply only to domain member servers and NOT to domain controllers or client computers, while other settings in GPO1 must apply to all computers. The solution must minimize administrative effort.
Using Security Group filtering is the most efficient way to target only member servers.
- Create a security group.
- Add all the member servers to the security group.
- In GPO1, under the "Delegation" tab, add the security group.
- Set the permissions for the security group to "Read" and "Apply Group Policy."
- Under the "Settings" tab of the GPO, navigate to the specific preference item you want to target.
- In the "Common" tab of the preference item, enable "Item-level targeting."
- Add a "Security Group" targeting item, and specify the security group containing the member servers.
This ensures that the preference applies only to members of the specified security group (i.e., the member servers).
Why other options are not suitable:
- A. Domain: Domain targeting isn't granular enough as it would apply to all computers within the domain, including domain controllers and client computers.
- B. Operating System: While you could target specific server operating systems, this is less flexible. Domain controllers and member servers might run the same OS, and you'd have to update the GPO every time you introduce a new OS. This increases administrative overhead.
- D. Environment Variable: While environment variables can be used for targeting, relying on them for server identification isn't reliable. They can be changed or might not be consistently configured across all servers. This introduces complexity and potential for error.
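A way to keep the security group used by the Security Group targeting item populated from directory data rather than by hand, so new member servers are covered without editing GPO1. Added example, not from the original page; the group name, its OU and the primary-group-ID test for excluding domain controllers are assumptions of this example.

```powershell
# Added example (not from the original page): build and reconcile the security
# group that the item-level targeting item in Question 7 points at. Only the
# preference item carries the Security Group target; Authenticated Users keeps
# Read and Apply Group Policy on GPO1, so its other settings still reach every
# computer. Group name and OU are constructed values.
Import-Module ActiveDirectory

$GroupName = 'GPP-MemberServers'              # constructed name
$GroupOU   = 'OU=Groups,DC=contoso,DC=com'    # constructed OU

function Get-MemberServer {
    # Member servers: Windows Server OS, but not a writable DC (primary group
    # 516) or an RODC (primary group 521). Client computers are excluded by
    # the OS filter, so the 100 clients from the scenario never match.
    Get-ADComputer -Filter "OperatingSystem -like '*Server*'" `
        -Properties OperatingSystem, PrimaryGroupID |
        Where-Object { $_.PrimaryGroupID -notin 516, 521 }
}

if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupOU -Description 'Targets GPP items at member servers only'
}

# Reconcile membership: add missing member servers and drop anything that no
# longer qualifies (for example a server later promoted to a DC).
$wanted  = @(Get-MemberServer)
$current = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object objectClass -eq 'computer')
$add     = @($wanted  | Where-Object { $_.SID.Value -notin $current.SID.Value })
$remove  = @($current | Where-Object { $_.SID.Value -notin $wanted.SID.Value })
if ($add)    { Add-ADGroupMember    -Identity $GroupName -Members $add }
if ($remove) { Remove-ADGroupMember -Identity $GroupName -Members $remove -Confirm:$false }

# Computers evaluate Security Group targeting from their own Kerberos token,
# so a server added here needs a reboot (new token) before the item applies.
'{0}: {1} member servers targeted, {2} added, {3} removed' -f
    $GroupName, $wanted.Count, $add.Count, $remove.Count
```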
-
Question 8
DRAG DROP -
You deploy a new Active Directory Domain Services (AD DS) forest named contoso.com. The domain contains three domain controllers named DC1, DC2, and DC3.
You rename Default-First-Site-Name as Site1.
You plan to ship DC1, DC2, and DC3 to datacenters in different locations.
You need to configure replication between DC1, DC2, and DC3 to meet the following requirements:
- Each domain controller must reside in its own Active Directory site.
- The replication schedule between each site must be controlled independently.
- Interruptions to replication must be minimized.
Which three actions should you perform in sequence in the Active Directory Sites and Services console? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Correct Answer:
See interactive view.
Explanation:
The suggested answer is the correct one. Here's a breakdown of why:
The scenario requires each domain controller to reside in its own Active Directory site, with independent replication schedules and minimized interruptions. The correct sequence of actions directly addresses these requirements.
- Create two additional sites and move DC2 and DC3: This step is crucial because each DC needs to reside in its own site. By creating two new sites, Site2 and Site3, and moving DC2 and DC3 into them, the first requirement is met.
- Create an additional site link that contains Site1 and Site2: Creating site links allows for controlling the replication path between sites. An additional site link allows for independent replication path and schedule control.
- Remove Site2 from the default site link: Removing Site2 from the default site link ensures that replication occurs only through the newly created site links, fulfilling the requirement to control replication schedules independently and minimize interruptions by avoiding unnecessary replication paths.
The actions must be performed in this sequence to ensure that sites are properly configured before creating site links. Creating the sites first and then configuring the links provides a structured approach to meet all the requirements.
Here's why other possible sequences are incorrect:
- Failing to create separate sites for each DC would violate the first requirement.
- Creating site links before creating the necessary sites would make the site link configuration ineffective.
- Not removing sites from the default site link would prevent independent control over replication schedules and potentially cause replication interruptions.
These steps align with best practices for Active Directory site topology design, as described in Microsoft's documentation. While specific documentation directly addressing this exact scenario is difficult to pinpoint, the principles of site design and replication control are well-documented.
Citations:
- Active Directory Sites and Services, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771747(v=ws.11)
- Designing the Site Topology, https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc787951(v=ws.10)
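The same three Sites and Services actions from Question 8 done with the ActiveDirectory module, so the resulting topology can be listed and checked. This added example (not from the original page) goes one step beyond the answer by giving Site3 its own link as well; site names come from the question, while costs and replication frequencies are constructed values.

```powershell
# Added example (not from the original page): the three actions from
# Question 8, plus a dedicated link for Site3 so every inter-site schedule is
# independent. Assumes DC1, DC2 and DC3 currently sit in the renamed site
# Site1. Cost and frequency values are constructed.
Import-Module ActiveDirectory

# Action 1: create Site2 and Site3 and move DC2 and DC3 into them.
$Moves = @{ 'DC2' = 'Site2'; 'DC3' = 'Site3' }
foreach ($Site in $Moves.Values) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$Site'")) {
        New-ADReplicationSite -Name $Site
    }
}
foreach ($Dc in $Moves.Keys) {
    Move-ADDirectoryServer -Identity $Dc -Site $Moves[$Dc]
}

# Action 2: one site link per site pair, each with its own schedule.
New-ADReplicationSiteLink -Name 'Site1-Site2' -SitesIncluded Site1, Site2 `
    -Cost 100 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'Site1-Site3' -SitesIncluded Site1, Site3 `
    -Cost 100 -ReplicationFrequencyInMinutes 240 -InterSiteTransportProtocol IP

# Action 3: take the new sites out of DEFAULTIPSITELINK. If they stayed in it,
# the default link's schedule would still apply to them and the KCC could
# build connections over either link, defeating independent control.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{Remove = 'Site2', 'Site3'}

# Verify: every DC in its own site, and each site on exactly one link besides
# Site1. Afterwards let the KCC recalculate, or run repadmin /kcc on each DC.
Get-ADDomainController -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes |
    Select-Object Name, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = {
            ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
        } }
```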
-
Question 9
Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com. The root domain contains the domain controllers shown in the following table.

A failure of which domain controller will prevent you from creating application partitions?
- A. DC1
- B. DC2
- C. DC3
- D. DC4
- E. DC5
Correct Answer:
A
Explanation:
I agree with the suggested answer.
A failure of DC1 will prevent the creation of application partitions because DC1 holds the Domain Naming Master FSMO role. The Domain Naming Master is responsible for managing the addition and removal of domains and application partitions in the forest. If the Domain Naming Master is unavailable, you cannot create or remove domains or application partitions.
Here's a breakdown of why the other options are incorrect:
- DC2, DC3, DC4, and DC5: These domain controllers do not hold the Domain Naming Master FSMO role. Their failure would not directly prevent the creation of application partitions. While they provide other essential services, the Domain Naming Master is the key to this specific operation.
Therefore, the correct answer is A.
Citations:
- FSMO roles in Active Directory, https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/introduction/fsmo/fsmo-roles
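Listing the FSMO role holders serves Questions 1 and 2 (the PDC emulator) and Question 9 (the Domain Naming Master) at once, so one added example covers all three. It is not part of the original page; it assumes the ActiveDirectory RSAT module and netdom.exe are available on the management host.

```powershell
# Added example (not from the original page): list the FSMO role holders that
# Questions 1, 2 and 9 turn on, cross-check the PDC emulator against netdom,
# and confirm the role holders that a change depends on are reachable.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d = Get-ADDomain -Identity $Domain
    $f = Get-ADForest -Identity $d.Forest
    # Domain-wide roles live on the domain object; forest-wide on the forest.
    [pscustomobject]@{
        PDCEmulator          = $d.PDCEmulator          # domain role (Q1/Q2)
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster   # forest role (Q9)
    }
}

$roles = Get-FsmoRoleHolder
$roles | Format-List

# Cross-check with netdom, the tool from Question 2. Its output has one line
# per role, such as "PDC  DC1.contoso.com"; pick the PDC line and compare.
$netdomPdc = $null
foreach ($line in (netdom query fsmo)) {
    if ($line -match '^PDC\s+(\S+)') { $netdomPdc = $Matches[1] }
}
if ($netdomPdc -and $netdomPdc -ne $roles.PDCEmulator) {
    Write-Warning "netdom ($netdomPdc) and Get-ADDomain ($($roles.PDCEmulator)) disagree"
}

# Operational check behind Question 9: creating or removing an application
# partition (or a domain) needs the Domain Naming Master online, so test it
# before a change window. The PDC emulator handles password changes, lockouts
# and time for the domain, so it is checked as well.
foreach ($role in 'PDCEmulator', 'DomainNamingMaster') {
    $dc = $roles.$role
    $ok = Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet
    '{0,-20} {1,-25} LDAP reachable: {2}' -f $role, $dc, $ok
}
```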
-
Question 10
Your network contains an on-premises Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains the objects shown in the following table.

You plan to sync contoso.com with an Azure Active Directory (Azure AD) tenant by using Azure AD Connect.
You need to ensure that all the objects can be used in Conditional Access policies.
What should you do?
- A. Select the Configure Hybrid Azure AD join option.
- B. Change the scope of Group1 and Group2 to Global.
- C. Clear the Configure device writeback option.
- D. Change the scope of Group2 to Universal.
Correct Answer:
A
Explanation:
I agree with the suggested answer.
The goal is to ensure all objects can be used in Conditional Access policies. To achieve this, we need to focus on enabling device-based Conditional Access, as well as ensuring group membership can be evaluated.
Reasoning:
Configuring Hybrid Azure AD join (Option A) allows devices to be both domain-joined and registered with Azure AD. This is a prerequisite for using device-based Conditional Access policies. Hybrid Azure AD join brings the device into Azure AD, making it a manageable object that can be targeted by Conditional Access policies.
Reasons for not choosing other options:
- Option B: Change the scope of Group1 and Group2 to Global. While Global groups are generally recommended for Azure AD Connect synchronization, changing the group scope alone does not directly enable devices to be used in Conditional Access policies. The question specifies that *all* objects, which implicitly includes devices, should be usable in Conditional Access.
- Option C: Clear the Configure device writeback option. Device writeback is related to writing device information from Azure AD back to on-premises AD. Disabling it would not help in making objects usable in Conditional Access policies; it is a different concept and generally not required for basic Conditional Access scenarios.
- Option D: Change the scope of Group2 to Universal. While universal groups can be used in Conditional Access policies, changing the group scope alone does not address the need to bring devices under Azure AD management for Conditional Access purposes. Hybrid Azure AD join is still needed.
Therefore, the most appropriate action is to configure Hybrid Azure AD join.
Answer: A
Citations:
- Hybrid Azure AD join implementation, https://learn.microsoft.com/en-us/azure/active-directory/devices/how-to-hybrid-azure-ad-join
- Using groups to manage access to your SaaS apps, https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-saas
- Conditional Access: Devices, https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions#devices