AZ-800 Online Practice Questions


Latest AZ-800 Exam Practice Questions

The practice questions for the AZ-800 exam were last updated on 2026-02-24.


Question#1

DRAG DROP
Your network contains a single domain Active Directory Domain Services (AD DS) forest named contoso.com. The forest contains a single Active Directory site.
You plan to deploy a read-only domain controller (RODC) to a new datacenter on a server named Server1. A user named User1 is a member of the local Administrators group on Server1.
You need to recommend a deployment plan that meets the following requirements:
• Ensures that a user named User1 can perform the RODC installation on Server1
• Ensures that you can control the AD DS replication schedule to Server1
• Ensures that Server1 is in a new site named RemoteSite1
• Uses the principle of least privilege
Which three actions should you recommend performing in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.


A. 

Explanation:
The Windows Server Hybrid Core Infrastructure curriculum explains that AD DS clients and DCs are site-aware and their placement is governed by site and subnet objects. To place a new RODC in a specific datacenter and ensure it belongs to a new site, you must first create the site and associate the correct IP subnet. The guide states that “subnet-to-site mapping determines the site membership of domain controllers and clients,” ensuring Server1 is in RemoteSite1 after promotion. Next, to control replication, the guidance under “Configure sites, subnets, and site links” specifies that inter-site replication schedules and costs are configured on site links; adjusting the site link gives you granular control over when the hub site (your existing site) replicates with RemoteSite1. Finally, to meet the principle of least privilege and allow a non-Domain Admin to install an RODC, the module “Deploy and manage RODCs” describes pre-staging (pre-creating) an RODC account and delegating installation to a designated user. It notes that “an RODC can be pre-created and an installer account assigned so that a local administrator at the branch can run the AD DS installation wizard without requiring domain-wide administrative rights.” With these three steps (site/subnet, site link, and pre-created RODC with delegated installer), User1 can promote Server1 to an RODC in RemoteSite1 while you retain control of replication and adhere to least privilege.
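
The three steps from the explanation above, followed by the delegated promotion and a placement check, as an added PowerShell example that is not part of the original page. The subnet, the existing site's name (Default-First-Site-Name), the site link name, cost and interval, and the NetBIOS name CONTOSO are assumptions.

```powershell
# Added example; every value marked "assumed" does not come from the page.
$hubSite    = 'Default-First-Site-Name'   # assumed: name of the existing site
$remoteSite = 'RemoteSite1'
$subnet     = '10.10.20.0/24'             # assumed: subnet of the new datacenter

# Step 1 (run by a domain administrator): create the site and map the
# datacenter subnet to it, so Server1 is placed in RemoteSite1 by IP address.
New-ADReplicationSite   -Name $remoteSite
New-ADReplicationSubnet -Name $subnet -Site $remoteSite

# Step 2 (domain administrator): the site link between the hub site and
# RemoteSite1 is where replication cost and interval are controlled.
New-ADReplicationSiteLink -Name 'Hub-RemoteSite1' `
    -SitesIncluded $hubSite, $remoteSite `
    -InterSiteTransportProtocol IP `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 180    # assumed cost and interval

# Step 3 (domain administrator): pre-create the RODC account in the new site
# and delegate its installation to User1 only. User1 receives no domain-wide
# group membership, which is the least-privilege requirement.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'Server1' `
    -DomainName 'contoso.com' `
    -SiteName $remoteSite `
    -DelegatedAdministratorAccountName 'CONTOSO\User1'

# Promotion (run on Server1 by User1, after the AD DS role is installed):
# attach the server to the pre-created account instead of creating a new one.
Install-ADDSDomainController `
    -DomainName 'contoso.com' `
    -UseExistingAccount `
    -Credential (Get-Credential 'CONTOSO\User1')

# Check (domain administrator): Server1 should report Site = RemoteSite1
# and IsReadOnly = True.
Get-ADDomainController -Identity 'Server1' |
    Select-Object Name, Site, IsReadOnly
```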

Question#2

Your network contains an Active Directory Domain Services (AD DS) domain.
You plan to use Active Directory Administrative Center to create a new user named User1.
Which two attributes are required to create User1? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. Password
B. Profile path
C. User SamAccountName logon
D. Full name
E. First name
F. User UPN logon

Explanation:
When creating users with Active Directory Administrative Center (ADAC), the New User workflow highlights the required attributes with indicators. The Administering Windows Server Hybrid Core Infrastructure materials note that ADAC uses a modern schema-driven form in which “Full name (CN)” and “User UPN logon” are the minimum required identity fields to create the object in the directory. The wizard auto-generates the sAMAccountName from the UPN by default (you can edit it), but sAMAccountName isn’t required to be manually entered to complete creation. Likewise, Password can be deferred depending on your provisioning pattern (for example, creating a disabled or pre-staged account or enforcing “User must change password at next logon”), and fields such as Profile path and First name are optional profile details. The guide explains that ADAC “derives the RDN from Full name” and relies on UPN as the primary modern logon attribute in Azure AD-connected/hybrid scenarios, ensuring uniqueness within the UPN suffix. Therefore, to successfully create User1 using ADAC without additional, non-mandatory properties, you must provide Full name and User UPN logon.

Question#3

HOTSPOT
Your on-premises network contains an Active Directory Domain Services (AD DS) domain.
The domain contains the servers shown in the following table.



The domain controllers do NOT have internet connectivity.
You plan to implement Azure AD Password Protection for the domain.
You need to deploy Azure AD Password Protection agents.
The solution must meet the following requirements:
• All Azure AD Password Protection policies must be enforced.
• Agent updates must be applied automatically.
• Administrative effort must be minimized.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.


A. 

Explanation:
The Administering Windows Server Hybrid Core Infrastructure (AZ-800) guidance for Azure AD Password Protection states that enforcement occurs on writable domain controllers: “Deploy the DC agent to every writable DC in each domain where you want password policies evaluated.” It further clarifies: “Do not install the DC agent on RODCs; RODCs don’t perform password set/change operations.” Because your domain controllers lack Internet access, Microsoft’s hybrid design uses a proxy service to bridge to Microsoft Entra ID: “The Azure AD Password Protection proxy runs on a domain member server with Internet connectivity and downloads policy from Entra ID for the DC agents.” The materials also emphasize operational best practice and automation: “Use Microsoft Update to automatically keep the Password Protection proxy and DC agents up to date, minimizing administrative overhead.” Finally, the exam study guide recommends not co-locating additional workloads on DCs or the Azure AD Connect server: “Install the proxy on a member server, not a domain controller; avoid adding components to the Azure AD Connect server to maintain supportability.”
Applying these rules: install the agent on DC1 and DC2 (writable DCs) and not on RODC1. Place the proxy on an Internet-connected member server, Server2 (already an Application Proxy connector), to meet enforcement, automatic updates, and minimal administrative effort.

Question#4

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are planning the deployment of DNS to a new network.
You have three internal DNS servers as shown in the following table.



The contoso.local zone contains zone delegations for east.contoso.local and west.contoso.local. All the DNS servers use root hints.
You need to ensure that all the DNS servers can resolve the names of all the internal namespaces and internet hosts.
Solution: On Server2, you create a conditional forwarder for contoso.local and west.contoso.local. On Server3, you create a conditional forwarder for contoso.local and east.contoso.local.
Does this meet the goal?

A. Yes
B. No

Explanation:
The exam materials describe several patterns for resolving split internal namespaces distributed across multiple DNS servers: zone delegation from a parent zone, and conditional forwarders between peer authoritative servers. Delegation enables the parent (contoso.local on Server1) to refer queries for child zones to their authorities. However, child zone servers (Server2 for east.contoso.local and Server3 for west.contoso.local) don’t automatically resolve names in the parent or sibling zones. The recommended approach is: “configure conditional forwarders on each child’s DNS server to the authoritative servers for the other internal namespaces while keeping Internet resolution via root hints or upstream forwarders.”
Implementing conditional forwarders on Server2 for contoso.local (to Server1) and west.contoso.local (to Server3), and on Server3 for contoso.local (to Server1) and east.contoso.local (to Server2), enables full internal resolution. All three servers already use root hints for Internet hosts, satisfying the external resolution requirement without additional changes. This exactly meets the stated goal.

Question#5

HOTSPOT
Which groups can you add to Group3 and Group5? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.


A. 

Explanation:
In Windows Server AD DS, group scope determines which groups/accounts can be members. The AZ-800 study materials summarize: “Domain Local groups can include accounts, Global groups, and Universal groups from any domain and Domain Local groups from the same domain only. Global groups can include accounts and other Global groups from the same domain only. Universal groups can include accounts, Global groups, and Universal groups from any domain.” In addition, distribution vs. security does not change the scope membership rules; it only affects whether the group can be assigned permissions.
Applying the rules: Group3 is a Domain Local security group in contoso.com. Therefore it can contain Universal (Group1), Global from any domain (Group2 in contoso.com and Group4/Group5 in canada.contoso.com), but cannot contain a Domain Local from another domain (Group6 in canada.contoso.com). Hence: Group1, Group2, Group4, and Group5 only.
Group5 is a Global distribution group in canada.contoso.com. A Global group can only contain accounts or Global groups from the same domain. From the list, only Group4 (Global distribution, canada.contoso.com) fits. It cannot contain Group1 (Universal), Group2 (Global but different domain), or Group6 (Domain Local). Therefore: Group4 only.

Disclaimer

This page is for educational and exam preparation reference only. It is not affiliated with Microsoft, Microsoft Certified: Windows Server Hybrid Administrator Associate, or the official exam provider. Candidates should refer to official documentation and training for authoritative information.

Exam Code: AZ-800
Q & A: 260 Q&As
Updated: 2026-02-24
