Microsoft AZ-800 - Administering Windows Server Hybrid Core Infrastructure

In hybrid name-resolution designs covered in Administering Windows Server Hybrid Core Infrastructure , Azure Private DNS does not supp ort zone transfers and therefore you cannot host it on, or pull it into, on-premises DNS by using stub or secondary zones. The guidance states that when on-premises clients must resolve names that live in an Azure Private DNS zone , the recommended pattern is to place a DNS forwarder in Azure (typically a Windows Server VM running the DNS role) that can directly query the Azure resolver from inside the virtual network. Then, on-premises Windows DNS servers are configured with a conditional forwarder that for wards queries for the private zone’s suffix to the Azure DNS forwarder over the VPN/ExpressRoute connection.

This achieves the following:

Keeps the authoritative zone in Azure Private DNS while making it reachable from on-premises.

Avoids unsupported mechanisms (no AXFR/IXFR available from Azure Private DNS, so stub and secondary zones won’t work).

Uses least privilege and minimal change on both sides: add a DNS VM in Azure (E) and create a conditional forwarder on DC1 for fabrikam.com pointing to that VM’s private IP (A).

Options B and C require zone transfers, which are not available from Azure Private DNS, and D (changing VNet DNS servers) affects Azure VMs’ resolver settings but does not enable on-premises resolution of the Azure-hosted private zone .

In the Administering Windows Server Hybrid Core Infrastructure objectives for publishing on-premises apps to cloud identities, Azure AD Application Proxy is the prescribed solution for exposing internal, Kerberos-based web apps to Azure AD users with minimal changes. The guidance explains that Application Proxy is a cloud service in Azure AD which publishes internal HTTP/HTTPS applications and supports Kerberos Constrained Delegation (KCD) so that “users authenticate with Azure AD and the service performs single sign-on to the on-premises app using Kerberos.” To enable it, you turn on the Application Proxy service in the Azure AD tenant and configure the application object for passthrough/Pre-Auth and KCD. The on-premises requirement is to install the Azure AD Application Proxy connector on a domain-joined Windows Server that can reach the internal application; the connector establishes outbound-only connections to the service, avoiding inbound firewall changes and minimizing administrative effort. The materials also contrast this with Web Application Proxy (WAP) for AD FS publishing, which requires additional infrastructure and does not leverage Azure AD cloud pre-authentication. Therefore, to let Azure AD accounts reach an on-premises Kerberos-only app with least effort, configure the Azure AD Application Proxy service (in Azure AD) and deploy the Azure AD Application Proxy connector (on-premises), then enable KCD for the published app.

In Windows remoting, hopping from one server to another (Server1 → Server2 → Backup1) triggers the “second-hop” problem because the user’s TGT is not forwarded. The AZ-800 material explains that members of Protected Users cannot use NTLM, DES/RC4, or unconstrained delegation, and their credentials cannot be cached or delegated. Therefore, CredSSP or unconstrained delegation cannot be used. The guide prescribes Kerberos constrained delegation to allow a middle-tier server to act on the user’s behalf, and specifically recommends resource-based constrained delegation (RBCD) because it is configured on the resource (Backup1) by setting msDS-AllowedToActOnBehalfOfOtherIdentity to allow the front-end computer account (Server2$) to delegate to the service SPN on the resource. This model follows least privilege, avoids broad domain-wide delegation, works with Protected Users, and requires minimal administration because you touch only the destination resource. In short: configure RBCD on Backup1 to permit Server2 to obtain S4U2Proxy tickets to the share service, enabling User1’s PowerShell session on Server2 to access Backup1 while remaining compliant with Protected Users restrictions and Kerberos-only authentication.

ï‚· User1 can establish a PowerShell remoting session from Server1 to Server2. Yes

ï‚· User2 can establish a PowerShell remoting session from Server2 to DC1. No

ï‚· User3 can establish a PowerShell remoting session from Server1 to Server2. No

PowerShell Remoting (WinRM) security and connectivity are central themes in the Administering Windows Server Hybrid Core Infrastructure curriculum. The ability to establish a remote session is determined by three factors: the service state on the target, the network path, and the user ' s effective permissions.

User1 (Serv er1 to Server2) : On Server2 , the Enable-PSRemoting cmdlet has been executed. By default, this configures the WinRM service to allow connections from members of the local Administrators group. Since User1 is a member of the Contoso\Administrators group, and this domain group is a member of the local Administrators group on all member servers by default, User1 has the necessary rights to establish a session to Server2.

User2 (Server2 to DC1) : While User2 is a member of the Contoso\Remote Management Users grou p—a group specifically designed to provide non-administrative users with remoting access—the scenario explicitly states that Enable-PSRemoting was run only on Server2 . For any user to establish a remoting session to DC1 , the WinRM listener must first be en abled and configured on that specific target. Because the prompt does not indicate that remoting was enabled on DC1, the connection will fail regardless of User2 ' s group membership.

User3 (Server1 to Server2) : User3 is a member of the local Server2\Power U sers group. According to official documentation, the Power Users group does not possess the default permissions required to access the WinRM endpoints (Microsoft.PowerShell or Microsoft.Windows.ServerManager). Only members of the local Administrators or Re mote Management Users groups are granted these rights when Enable-PSRemoting is executed. Therefore, User3 cannot establish the session.

Infrastructure documents: =

SMB Direct uses RDMA-capable NICs and the SMB Direct Windows feature to create high-throughput, low-latency SMB connections. The Administering Windows Server Hybrid Core Infrastructure training states that “SMB Direct is provided as a Windows feature (SMBDirect) and, when enabled on servers with RDMA-capable adapters, SMB will negotiate RDMA transports (SMB Direct connections).” To prevent the creation of SMB Direct connections, you disable the Windows feature so that SMB cannot negotiate RDMA. The recommended method on Windows Server is:

Disable-WindowsOptionalFeature -Online -FeatureName SMBDirect

The same materials distinguish this from other actions: removing arbitrary roles/features ( Remove-WindowsFeature ) isn’t specific to client features like SMBDirect; changing adapter advanced properties ( Set-NetAdapterAdvancedProperty ) doesn’t guarantee SMB Direct negotiation is blocked; and disabling a binding ( Disable-NetAdapterBinding ) targets specific protocol bindings (e.g., IPv6, QoS) rather than the SMB Direct feature itself. Disabling the SMBDirect optional feature is the supported, deterministic way to ensure no SMB Direct (RDMA) sessions will be negotiated on the server, while leaving regular SMB (TCP) operational. Therefore, the correct cmdlet to meet the requirement is Disable-WindowsOptionalFeature with the SMBDirect feature name.

In the Administering Windows Server Hybrid Core Infrastructure material under Windows Remote Management/PowerShell Remoting and authentic ation, Microsoft describes the classic “second-hop” issue: when you start a remote session to Server2 using Kerberos and then try to reach a resource on Server3 , “ your delegated credentials are not forwarded by default .” The guide explains that Kerberos “ d oes not allow delegation unless it is explicitly configured ,” and the recommended domain-based solution is Kerberos constrained delegation (KCD) . With KCD you “ permit a specific computer account to delegate a user’s Kerberos credentials only to explicitly listed services ,” for example allowing Server2 (the WinRM/HTTP endpoint you connect to) to delegate to CIFS on Server3 so file or other resource access succeeds during the second hop.

The docs contrast this with alternatives: CredSSP can work but “ is broad er in exposure and requires enabling a less restrictive credential delegation mechanism ,” while JEA limits what commands can be run and does not solve credential delegation . Selective authentication applies to forest trusts, and Enforce user logon restrict ions relates to KDC validation and is not a remedy for second-hop delegation . Because the requirement is to pass credentials from Server1 → Server2 → Server3 with minimal administrative touch and preserve security boundaries, configuring Kerberos constrain ed delegation on Server2’s computer account for the target services on Server3 is the correct approach.

Within the Manage AD DS operations master roles (FSMO) section of the AZ-800 materials, Microsoft documents multiple supported me thods to identify role holders. The guidance states that the command-line utility NETDOM can enumerate all FSMO roles with: netdom query fsmo . The output lists the Schema Master , Domain Naming Master , RID Master , PDC Emulator , and Infrastructure Master , ea ch with the current role holder’s FQDN. The course notes emphasize that this method is fast, non-interactive, and does not require specific MMC snap-ins, making it suitable for both Server Core and remote administration scenarios. Because the command retur ns the PDC Emulator holder explicitly in its results, running netdom.exe query fsmo does meet the goal of identifying which server is the PDC Emulator for the domain. This aligns with best practices for quick verification of FSMO placement during operations such as time service verification, password update convergence checks, or when planning FSMO transfers and seizures.

The Windows Server DHCP role supports reservations that map a client’s unique identifier (commonly the MAC address) to a specific IPv4 address inside the scope. The AZ-800 study material describes reservations as the mechanism to “ensure that a particular device always receives the same IP address from the DHCP server while still being managed by DHCP.” When a reservation exists, the DHCP server will always offer and lease the reserved address to that client and will not allocate that address to any other client. This meets scenarios such as networked printers, appliances, or servers that require a consistent IP but where you still want centralized lease management (lease tracking, option delivery, and centralized auditing). The content further contrasts reservations with exclusions and options: exclusions remove addresses from the pool and options deliver configuration parameters, neither of which guarantees a stable assignment to a given device. Therefore, creating one DHCP reservation per printer in Scope1 precisely satisfies the requirement that the printers are always assigned the same IP address.

The Administering Windows Server Hybrid Core Infrastructure materials explain that in Azure Active Directory Domain Services (Azure AD DS) you don’t get traditional Domain Admins or Group Policy Creator Owners rights. Instead, “administration of the managed domain is delegated to the AAD DC Administrators group. Members of this group can manage Group Policy in the managed domain and administer domain-joined computers.” The guide furth er notes that Azure AD DS automatically creates two built-in OUs and GPOs : “AADDC Computers and AADDC Users , with the corresponding ‘AADDC Computers GPO’ and ‘AADDC Users GPO’ already linked.” For computer configuration that should apply to all domain-join ed machines, the materials state that “you apply or customize computer policy by editing the AADDC Computers GPO (or by creating additional GPOs and linking them to the AADDC Computers OU).” They also emphasize least-privilege and supportability guidance: “Do not modify the Default Domain Policy in Azure AD DS; use the AADDC-scoped GPOs/OUs for managed-domain policy.”

Putting this together: to let Admin1 deploy custom policy to all computers while honoring least privilege, add Admin1 to AAD DC Administrator s (the only group granted GPO management in Azure AD DS) and have them modify the existing ‘AADDC Computers GPO’ that is al ready linked to the AADDC Computers OU so the settings flow to every domain-joined computer.

Linking Try Next Closest Site to Site1 applies the policy to computers in Site1 , not to the branch clients in the new office. The WSHCI materials stress that GPO scope (site, domain, or OU) determines which computers receive the setting , but does not alter how site membership is computed . The client’s site is still determined exclusively by its IP subn et as published in Active Directory Sites and Services . The documentation summarizes: “ Site membership is calculated by matching the client’s IP to a defined AD subnet; if no match exists, DC Locator cannot assign the client to that site .” The Try Next Clo sest Site option only affects fallback when there is no DC in the client’s site ; it does not force authentication against a specific target site. Because the branch office contains only clients (no DCs) and the question’s goal is for those clients to authe nticate primarily with Site1 , simply configuring the policy in Site1 does nothing for clients that are not members of Site1. Thus, this solution does not meet the stated goal.