Microsoft AZ-800 Online Practice
Questions and Exam Preparation
AZ-800 Exam Details
Exam Code
:AZ-800
Exam Name
:Administering Windows Server Hybrid Core Infrastructure
Certification
:Microsoft Certifications
Vendor
:Microsoft
Total Questions
:289 Q&As
Last Updated
:Jul 08, 2026
Microsoft AZ-800 Online Questions &
Answers
Question 241:
HOTSPOT
You have on-premises servers that run Windows Server as shown in the following table.
You have an Azure file share named share1 that stores two files named File2.docx and File3.docx.
You create an Azure File Sync sync group that includes the following endpoints:
1. share
2. D:\Folder1 on Server1
3. D:\Datal on Server2
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
1. N - You are not changing a file, it asks if you can create a file with a name that already exists on all endpoints as File2.docx has already been synced from Azure file share (share1) to on-premise endpoints 2. N - As I understand this is the same scenario. File1 from Server1 has already been synced to all endpoints when you try to create a new file with the same name.
3. Y - If you add an Azure file share that has an existing set of files as a cloud endpoint to a sync group, the existing files will sync to server endpoints that you add to the same sync group.
Question 242:
You have an Active Directory domain that contains a file server named Server1. Server1 runs Windows Server and includes the file shares shown in the following table.
When users login to the network they receive the following network drive mappings.
1. H: maps to \\server1\users\%UserName%
2. G: maps to \\server1\%Department%
You need to limit the amount of space consumed by user's on Server1. The solution must meet the following requirements:
1. Prevent users using more than 5GB of space on their H: drive
2. Prevent Accounts department users from using more than 10GB of space on the G: drive
3. Prevent Marketing department users from using more than 15GB of space on the G: drive
4. Prevent Customer Service department users from using more than 2GB of space on the G: drive
5. Minimize administrative effort
What should you use?
A. File Server Resource Manager (FSRM) quotas B. Storage tiering C. NTFS Disk quotas D. Group Policy Preferences
A. File Server Resource Manager (FSRM) quotas
Explanation
On the Quota Management node of the File Server Resource Manager Microsoft Management Console (MMC) snap-in, you can perform the following tasks:
Create quotas to limit the space allowed for a volume or folder, and generate notifications when the quota limits are approached or exceeded.
Generate auto apply quotas that apply to all existing subfolders in a volume or folder and to any subfolders that are created in the future.
Define quota templates that can be easily applied to new volumes or folders and then used across an organization.
For example, you can:
Place a 200 megabyte (MB) limit on users' personal server folders, with an email notification sent to you and the user when 180 MB of storage has been exceeded.
Set a flexible 500 MB quota on a group's shared folder. When this storage limit is reached, all users in the group are notified by e-mail that the storage quota has been temporarily extended to 520 MB so that they can delete unnecessary files and comply with the preset 500 MB quota policy.
Receive a notification when a temporary folder reaches 2 gigabytes (GB) of usage, yet not limit that folder's quota because it is necessary for a service running on your server.
You need to create a user named Admin1 in contoso.com. Admin1 must be able to back up and restore files on SRV1. The solution must use principle of the least privilege.
To complete this task, sign in the required computer or computers.
A. See explanation below. B. PlaceHolder C. PlaceHolder D. PlaceHolder
A. See explanation below.
Explanation
Step 1: Sign in to the Azure portal in the User Administrator role for the organization.
Add a new user
You can create a new user using the Azure Active Directory portal.
To add a new user, follow these steps:
Step 1. Sign in to the Azure portal in the User Administrator role for the organization.
Step 2: Search for and select Azure Active Directory from any page.
Step 3: Select Users, and then select New user.
Step 4: On the User page, enter information for this user:
Name: Admin1
User name: Admin1
Groups.
Optional Groups. Optional: Backup Operator
Step 5: Copy the autogenerated password provided in the Password box. You'll need to give this password to the user to sign in for the first time.
Step 6: Select Create.
The user is created and added to your Microsoft Entra organization.
Note:
Azure Backup provides three built-in roles to control backup management operations.
Backup Operator - This role has permissions to everything a contributor does except removing backup and managing backup policies. This role is equivalent to contributor except it can't perform destructive operations such as stop backup with delete data or remove registration of on-premises resources.
Incorrect:
Backup Contributor - This role has all permissions to create and manage backup except deleting Recovery Services vault and giving access to others. Imagine this role as admin of backup management who can do every backup management operation.
Backup Reader - This role has permissions to view all backup management operations. Imagine this role to be a monitoring person.
Your network contains an Active Directory Domain Services (AD DS) forest named contoso.com.
The forest contains the domain controllers shown in the following table.
You have a partner organization that has an AD DS forest named fabrikam.com.
You create a trust relationship between contoso.com and fabrikam.com.
You need to configure selective authentication for the trust relationship.
Which domain controller should be granted permissions to fabrikam.com?
A. DC1 B. DC2 C. DC3 D. DC4
D. DC4
Explanation
* Before an authentication request made with the Kerberos version 5 authentication protocol can follow the forest trust path, the service principal name (SPN) of the resource computer must be resolved to a location in the other forest.
* RID Master FSMO Role
The Relative ID Master assigns blocks of Security Identifiers (SID) to different DCs they can use for newly created objects. Each object in AD has an SID, and the last few digits of the SID are the Relative portion.
In order to keep multiple objects from having the same SID, the RID Master grants each DC the privilege of assigning certain SIDs. Note: How selective authentication affects domain controller behavior.
When selective authentication is enabled, all authentication requests made over a trust to the trusting forest are tagged with an identifier that subjects the request to closer scrutiny by the domain controllers in the domain where the target resource is located. This is important because the mere presence of this identifier triggers the domain controller in the resource domain to first check whether the user requesting the access has been given explicit permissions to the Active Directory object where the resource is hosted.
The appropriate permission to the resource object in Active Directory is verified before the domain controller sends a service ticket back to the requesting workstation in the trusted forest. The following illustration summarizes how domain controllers in the trusting forest are affected when selective authentication is enabled.
Effect of Selective Authentication on Domain Controllers in the Trusting Forest
Note 2:
Authentication Settings Used on Interforest Trusts
You have a server named Host1 that runs Windows Server 2022 and is configured as a container host. Host1 stores a container image named image1 that is based on Windows Server 2019.
You need to start a container from image1 on Host1.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Question 246:
Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1.
On Server 1, you install Windows Admin Center and use Windows Admin Center to remove BUILTlN\Users from the allowed groups.
You discover that all users can still sign in to Windows Admin Center.
You need to prevent unauthorized users from signing in to Windows Admin Center.
What should you do in Windows Admin Center?
A. Set Performance Profile to On B. Set Require manage-as sessions to re-authenticate to On C. From the Proxy settings, configure a bypass list. D. Add a security group to the allowed groups.
D. Add a security group to the allowed groups.
Question 247:
Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
Your network contains an Active Directory Domains Services (AD DS) domain named contoso.com.
You implement a central store.
You create a new Group Policy Object (GPO) named GPO1.
When you attempt to edit GPO1, you see the settings shown in the exhibit. (Click the Exhibit tab.)
You need to ensure that all settings are available.
Solution: You modify the properties of GPO1.
Does this meet the goal?
A. Yes B. No
B. No
Explanation
In an Active Directory Domains Services (AD DS) domain with a central store, how to ensure that a GPO have all settings available?
Correct:
* You copy the contents of the C:\Windows\PolicyDefinitions folder to the central store.
To ensure a Group Policy Object (GPO) in an Active Directory domain with a central store has all settings available, you need to ensure the .admx and .adml files for those settings are present in the central store (the PolicyDefinitions folder within the SYSVOL share). These files contain the administrative templates that define the available settings within a GPO.
Incorrect:
* You delete the \\contoso.com\SYSVOL\contoso.com\Policies\PolicyDefinitions folder.
* You modify the properties of GPO1.
Note:
1. Understanding the Central Store:
The central store is a designated location on a domain controller (typically \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions) where administrative template files (.admx and .adml) are stored. It ensures that all domain controllers have the same set of administrative templates for managing Group Policy, preventing inconsistencies.
It replaces the older method of storing templates within individual GPOs.
2. Ensuring Template Availability:
Locate and Download Templates: Download the necessary .admx and .adml files for the specific features or applications you want to manage. These can often be found on Microsoft's website, from the application vendor, or in the operating system's installation media.
3. Managing GPOs:
Edit GPOs: Open Group Policy Management (GPMC) and edit the desired GPO.
*-> Access Settings: When you browse the Computer or User Configuration settings in the Group Policy Management Editor, the available settings will be populated based on the templates in the central store.
Configure Settings: Configure the desired settings within the GPO as needed.
You have on-premises file servers that run Windows Server as shown in the following table.
You have the Azure file shares shown in the following table.
You add a Storage Sync Service named Sync1 and an Azure File Sync sync group named Group1. Group1 uses share1 as a cloud endpoint.
You register Server1 and Server2 with Sync1. You add D:\Folder1 from Server1 as a server endpoint in Group1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Box 1: No
A sync group contains one cloud endpoint, or Azure file share, and at least one server endpoint.
Box 2: No
Azure File Sync does not support more than one server endpoint from the same server in the same Sync Group.
Box 3: Yes
Multiple server endpoints can exist on the same volume if their namespaces are not overlapping (for example, F:\sync1 and F:\sync2) and each endpoint is syncing to a unique sync group.
Your network contains an Active Directory Domain Services (AD DS) domain.
The domain contains two servers named Server1 and Server2 that run Windows Server 2022. You plan to deploy an app named App1 that will be load balanced between Server1 and Server2.
You need to create an identity that will be used to run App1 on Server1 and Server2. The solution must meet the following requirements:
1. The password for the identity must be changed regularly.
2. Administrative effort must be minimized.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Step 1: Create a Key Distribution Services (KDS) root key
Step 2: Create a group managed account (gMSA)
Group managed service accounts
For services that run in your on-premises environment, use group managed service accounts (gMSAs) whenever possible. gMSAs provide a single identity solution for services that run on a server farm or behind a network load balancer. gMSAs can also be used for services that run on a single server.
Deploying a new server farm Part 1: Provisioning group Managed Service Accounts You can create a gMSA only if the forest schema has been updated to Windows Server 2012, the master root key (Step 1) for Active Directory has been deployed, and there is at least one Windows Server 2012 DC in the domain in which the gMSA will be created. Step 3: Install the service account on Server1 and Server2 Part 2: Configuring service identity application service
You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with a Microsoft Entra tenant. Group writeback is enabled in Microsoft Entra Connect.
The AD DS domain contains a server named Server1. Server1 contains a shared folder named share1.
You have an Azure Storage account named storage2 that uses Azure AD-based access control. The storage2 account contains a share named share2.
You need to create a security group that meets the following requirements:
1. Can contain users from the AD DS domain
2. Can be used to authorize user access to share1 and share2
What should you do?
A. In the Microsoft Entra tenant, create a security group that has assigned membership. B. In the AD DS domain, create a universal security group. C. In the Microsoft Entra tenant, create a security group that has dynamic membership. D. In the Microsoft Entra tenant, create a Microsoft 365 group.
B. In the AD DS domain, create a universal security group.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Microsoft exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your AZ-800 exam preparations
and Microsoft certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.