- Domain 1 is the largest AZ-800 domain at 30-35%, so it decides more of your score than any other area.
- Expect scenario questions on domain controllers, FSMO roles, trusts, Group Policy, and hybrid identity together.
- Azure AD DS, Microsoft Entra Connect, and Azure Arc-enabled servers now sit inside a "traditional" AD topic.
- The exam updated January 21, 2026, and AZ-800 retires September 30, 2026, so plan your attempt accordingly.
Why Domain 1 Carries the Most Weight on AZ-800
Every AZ-800 candidate eventually notices the same thing: Active Directory Domain Services just won't stop showing up. That's because Microsoft weights Deploy and manage AD DS in on-premises and cloud environments at 30-35% of the exam, making it the single biggest domain by a wide margin over the other four. If you're building a study plan from our AZ-800 Study Guide 2026: How to Pass on Your First Attempt, this is the domain that should get the most calendar time, not an equal slice alongside networking or storage.
For a full breakdown of how this domain compares to the other four, see our AZ-800 Exam Domains 2026: Complete Guide to All 5 Content Areas. This article goes deeper specifically on Domain 1 - the objectives, the question patterns, and the exact skills Microsoft expects you to demonstrate.
Core Topics Inside Domain 1
Microsoft's exam skills outline groups this domain into several practical task areas. While Microsoft doesn't publish a rigid public sub-list with fixed percentages, based on the domain title and the role's stated audience (administrators managing Windows Server workloads "in on-premises and hybrid environments using Windows Admin Center, PowerShell, Azure Arc, Azure Policy, Azure Monitor, Azure Update Manager, Microsoft Defender technologies, and Azure IaaS VM administration"), Domain 1 realistically covers:
- Installing and configuring domain controllers, both physical/virtual on-premises and as Azure IaaS VMs
- Managing AD DS objects - users, groups, computers, organizational units - using tools ranging from Active Directory Administrative Center to PowerShell scripting
- Configuring and managing multi-domain and multi-forest environments, including trusts
- Implementing and managing Group Policy Objects (GPOs), including security baselines
- Managing Active Directory sites, replication, and FSMO role placement
- Implementing and managing hybrid identity, including Microsoft Entra Connect (Azure AD Connect) sync and Azure AD Domain Services
- Backing up, restoring, and recovering AD DS, including tombstone and USN rollback scenarios
Domain 1: Deploy and manage AD DS in on-premises and cloud environments
Candidates must understand how the same identity infrastructure spans a physical datacenter, an Azure VM, and a cloud-native directory extension - and know which tool to use for each layer.
- Know the difference between promoting a domain controller on-premises versus in an Azure IaaS VM
- Understand when Azure AD DS is the right fit versus deploying a full domain controller in Azure
- Be fluent in PowerShell cmdlets for AD DS object management, not just the GUI
Installing and Configuring Domain Controllers
A meaningful chunk of Domain 1 scenario questions revolves around domain controller lifecycle tasks: promoting a new server to a DC, decommissioning an old one cleanly, and placing DCs correctly across sites for replication efficiency. Expect to reason through questions like "a branch office has slow WAN links and needs local authentication - what should you deploy?" These aren't memorization questions; they test whether you understand the operational trade-offs of Read-Only Domain Controllers (RODCs), global catalog placement, and site-link costs.
You'll also need command-line fluency. Candidates who only click through Server Manager tend to struggle here - the exam frequently frames tasks as "which PowerShell cmdlet accomplishes this" or asks you to sequence steps in a build-list/drag-and-drop format. Practicing `Install-ADDSForest`, `Install-ADDSDomainController`, and related cmdlets in a lab (not just reading about them) pays off directly.
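For the branch-office scenario above, a lab sketch of promoting an RODC with an explicit Password Replication Policy, so that only branch accounts can have secrets cached on the branch DC. This is an added example, not code from the exam guide; the domain `corp.example.test`, the site `Branch01` and the `Branch01-*` groups are assumed lab names.

```powershell
#Requires -RunAsAdministrator
# Added lab example. Domain, site and Branch01-* group names are assumptions.

$domain  = 'corp.example.test'     # assumed lab domain
$site    = 'Branch01'              # assumed AD site that already exists
$dsrmPwd = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'
$cred    = Get-Credential -Message "Account allowed to add DCs to $domain"

# The role binaries must be installed before the ADDSDeployment cmdlets exist.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$params = @{
    DomainName                          = $domain
    SiteName                            = $site
    Credential                          = $cred
    SafeModeAdministratorPassword       = $dsrmPwd
    InstallDns                          = $true
    ReadOnlyReplica                     = $true
    # Password Replication Policy: only branch users may be cached here.
    AllowPasswordReplicationAccountName = @('CORP\Branch01-Users')
    # State the privileged groups explicitly instead of relying on defaults.
    DenyPasswordReplicationAccountName  = @(
        'CORP\Denied RODC Password Replication Group',
        'CORP\Domain Admins',
        'CORP\Enterprise Admins',
        'CORP\Schema Admins'
    )
    # Local RODC administration without granting any domain-wide rights.
    DelegatedAdministratorAccountName   = 'CORP\Branch01-RODC-Admins'
}

# Run the prerequisite checks first; nothing is changed by the Test- cmdlet.
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Message, Context, Status

if ($check | Where-Object { "$($_.Status)" -eq 'Error' }) {
    throw 'Prerequisite check failed; fix the reported issue before promoting.'
}

# Promote. The server reboots when promotion completes.
Install-ADDSDomainController @params -Force
```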
Managing AD DS Objects On-Premises and in Azure
Object management questions test whether you can administer users, groups, and computers consistently regardless of where the domain controller physically lives. Scenarios often layer in delegation of control, organizational unit design, and group nesting strategy (AGDLP/AGUDLP-style thinking), then ask you to identify a misconfiguration or the most efficient fix.
- Delegating administrative permissions at the OU level without over-granting rights
- Using dynamic access control concepts alongside traditional group-based permissions
- Managing AD DS from Windows Admin Center in hybrid scenarios, since the exam explicitly lists it as a required tool
- Scripting bulk object changes with PowerShell when GUI-based administration doesn't scale
Key Takeaway
If you can only demonstrate GUI-based AD administration, you are underprepared. Build muscle memory with PowerShell equivalents for every object-management task you practice.
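One way to check an OU for over-granted delegation from PowerShell, shown as an added example rather than anything from the exam guide. The OU distinguished name and the list of principals expected to hold broad rights are assumed lab values; adjust both to your own design.

```powershell
# Added example: audit one OU for over-broad delegation (assumed lab names).
Import-Module ActiveDirectory        # also mounts the AD: drive used by Get-Acl

$ouDn     = 'OU=Branch01,DC=corp,DC=example,DC=test'   # assumed OU
$expected = @(                                          # assumed allow-list
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    'CORP\Domain Admins', 'CORP\Enterprise Admins'
)
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

function Get-BroadRightReason {
    param($Ace)
    $r = [int]$Ace.ActiveDirectoryRights
    # GenericAll is a composite mask, so require every bit of it to be set.
    if (($r -band [int]$ADR::GenericAll) -eq [int]$ADR::GenericAll) { return 'Full control' }
    if (($r -band [int]$ADR::WriteDacl)  -ne 0) { return 'Can rewrite the ACL' }
    if (($r -band [int]$ADR::WriteOwner) -ne 0) { return 'Can take ownership' }
    # WriteProperty with an empty ObjectType GUID covers every attribute.
    if ((($r -band [int]$ADR::WriteProperty) -ne 0) -and
        ($Ace.ObjectType -eq [guid]::Empty)) {
        return 'Write all properties'
    }
}

$findings = foreach ($ace in (Get-Acl -Path "AD:\$ouDn").Access) {
    # Only explicit Allow entries set on this OU; inherited ones belong to a parent.
    if ("$($ace.AccessControlType)" -ne 'Allow' -or $ace.IsInherited) { continue }
    if ($ace.IdentityReference.Value -in $expected) { continue }

    $reason = Get-BroadRightReason -Ace $ace
    if ($reason) {
        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            Reason     = $reason
            Rights     = $ace.ActiveDirectoryRights
            AppliesTo  = $ace.InheritanceType       # None, All, Descendents, ...
            ChildClass = $ace.InheritedObjectType   # empty GUID = any object class
        }
    }
}

$findings | Sort-Object Principal | Format-Table -AutoSize
```

An empty result means no unexpected principal holds takeover-level rights set directly on that OU; narrowly scoped delegations such as a single extended right are deliberately not reported.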
Hybrid Identity, Azure AD DS, and Entra Connect
This is the part of Domain 1 that trips up candidates whose experience is purely on-premises. Microsoft explicitly expects hybrid administration skill, which means you need working knowledge of:
- Microsoft Entra Connect (formerly Azure AD Connect): sync scope, filtering, password hash sync versus pass-through authentication trade-offs
- Azure AD Domain Services: when to deploy it instead of standing up domain controllers in Azure, and its limitations versus full AD DS
- Azure Arc-enabled servers: extending management and policy to on-premises or third-party cloud machines through an identity and management lens
- Coexistence scenarios where on-premises AD, Azure AD DS, and Microsoft Entra ID all need to interoperate without creating conflicting identities
Expect exam scenarios that describe a company migrating workloads to Azure while trying to preserve existing group policy and authentication behavior - you'll be asked to pick the identity architecture that satisfies stated constraints (cost, latency, administrative overhead) rather than simply naming a feature.
Group Policy and Security Baselines
Group Policy remains heavily tested because it's the mechanism administrators use to enforce configuration and security consistently across a hybrid estate. You should be comfortable with:
- GPO inheritance, blocking, enforcement, and precedence order
- Security filtering and WMI filtering to scope policy application
- Applying Microsoft-provided security baselines and understanding how they interact with existing GPOs
- Troubleshooting GPO application issues using tools like `gpresult` and Group Policy Modeling
Combined with Microsoft Defender technologies and Azure Policy referenced in the exam's stated skill expectations, you may also see questions where Group Policy and cloud-based policy enforcement (Azure Policy, Azure Update Manager) need to be reconciled in a single hybrid management story.
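The inheritance, enforcement and blocking rules listed above can be inspected for a real OU with the GroupPolicy module. This added example (not from the exam guide) lists the effective link order and reports which GPOs would win a conflict against a security baseline; the OU and the GPO display name `Server-Baseline` are assumed lab values.

```powershell
# Added example: effective GPO precedence for one OU (assumed lab names).
Import-Module GroupPolicy

$ouDn     = 'OU=Branch01,DC=corp,DC=example,DC=test'   # assumed OU
$baseline = 'Server-Baseline'                           # assumed GPO display name

$inh = Get-GPInheritance -Target $ouDn
"Block Inheritance set on this OU: $($inh.GpoInheritanceBlocked)"

# InheritedGpoLinks is the resolved list for the container: links on the OU
# itself plus whatever still flows down from parents after blocking and
# enforcement. The lowest Order value wins when settings conflict.
$links = @($inh.InheritedGpoLinks | Where-Object Enabled | Sort-Object Order)

$links | Format-Table Order, DisplayName, Enforced,
    @{ Name = 'LinkedAt'; Expression = { $_.Target } } -AutoSize

# Does anything take precedence over the baseline on this OU?
$b = $links | Where-Object DisplayName -eq $baseline | Select-Object -First 1
if (-not $b) {
    Write-Warning "'$baseline' does not apply to $ouDn (not linked, disabled, or blocked)."
}
else {
    $above = @($links | Where-Object { $_.Order -lt $b.Order })
    if ($above.Count -eq 0) {
        "'$baseline' has the highest precedence on this OU."
    }
    else {
        "GPOs that win a conflict against '$baseline':"
        $above | Format-Table Order, DisplayName, Enforced -AutoSize
    }
}

# Confirm on a member server in the OU what was actually applied.
gpresult /scope computer /h "$env:TEMP\gpresult.html" /f
```

Security filtering and WMI filters are evaluated per computer or user, so a GPO shown here can still be skipped on a given machine; the `gpresult` report is the authoritative view.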
How Domain 1 Questions Are Actually Asked
AZ-800 doesn't publish a fixed item count, but role-based exams like this one commonly mix formats: multiple choice, multiple response, drag-and-drop/build-list sequencing, and case-study-driven scenarios where several questions share one long business context. Domain 1 content shows up across all of these formats. Plan on roughly 100 minutes of exam time for the non-lab delivery, with total seat time somewhat longer once you factor in the NDA screen and any survey. A passing score is 700 on the 1-1000 scale.
If you want a broader sense of how tough the exam feels overall - not just this domain - read How Hard Is the AZ-800 Exam? Complete Difficulty Guide 2026 and AZ-800 Pass Rate 2026: What the Data Shows for context on what candidates report experiencing.
| Exam Fact | Detail |
|---|---|
| Domain 1 weight | 30-35% (largest of all five domains) |
| Exam fee (US) | $165 USD, regional pricing may apply |
| Passing score | 700 on a 1-1000 scale |
| Delivery | Pearson VUE test center or OnVUE online proctoring |
| Retirement date | September 30, 2026, 5:00 PM CST, replaced by AZ-802 |
Scheduling Domain 1 Inside Your AZ-800 Prep
Because Domain 1 is worth nearly double most other domains, it deserves proportionally more study time - not just more attention on exam day. A practical way to sequence this without falling into generic advice: build your lab environment first, then move from on-premises AD DS tasks into hybrid identity, since hybrid concepts build on a solid understanding of core AD DS behavior.
Core AD DS Fundamentals
- Promote and demote domain controllers in a lab, on-premises and in an Azure IaaS VM
- Practice FSMO role transfer/seizure and site/replication configuration
Object and Policy Management
- Script user/group/OU management with PowerShell
- Build and troubleshoot GPOs, apply a security baseline
Hybrid Identity
- Configure Microsoft Entra Connect sync in a test tenant
- Stand up Azure AD DS and compare it against a full DC deployment
Once Domain 1 feels solid, shift into the other four objective areas - see our companion guides on AZ-800 Domain 2: Manage Windows Servers and workloads in a hybrid environment, AZ-800 Domain 3: Manage virtual machines and containers, and AZ-800 Domain 4: Implement and manage an on-premises and hybrid networking infrastructure for the same level of detail on the remaining objectives. Then run full-length practice sessions on our AZ-800 practice test platform to check retention across all five domains together, since real exam case studies rarely test one domain in isolation.
Who Hires for This Skill Set
Domain 1 skills map directly onto roles that manage identity infrastructure for organizations moving toward hybrid cloud: systems administrators, infrastructure engineers, and hybrid cloud administrators who maintain on-premises AD DS while extending identity into Azure. Organizations running Windows Server workloads alongside Microsoft 365 and Azure subscriptions specifically look for candidates who can manage Entra Connect sync health, domain controller uptime, and Group Policy compliance without breaking authentication for the business. For a look at how this certification connects to real job listings, browse AZ-800 Jobs, and for pay expectations tied to the credential, see AZ-800 Salary Guide 2026: Complete Earnings Analysis.
If you're still deciding whether the investment is worthwhile given the exam's fee and prep time, Is the AZ-800 Certification Worth It? Complete ROI Analysis 2026 and AZ-800 Certification Cost 2026: Complete Pricing Breakdown walk through the full financial picture, including renewal through Microsoft's free annual Learn assessment once you're certified.
Frequently Asked Questions
Both. The domain name explicitly covers "on-premises and cloud environments," so expect questions on traditional domain controllers alongside Azure AD Domain Services and Microsoft Entra Connect hybrid sync scenarios.
Hands-on practice is strongly recommended. Many Domain 1 questions use case-study and drag-and-drop formats that test sequencing and troubleshooting skill, which is difficult to internalize from reading alone.
Since it's weighted at 30-35%, roughly a third of your preparation time is a reasonable target, more if AD DS and hybrid identity are newer areas for you.
Yes. Identity and hybrid management concepts, such as Azure Arc-enabled servers, appear in both, so studying them together often reinforces retention for the exam overall.
Use our AZ-800 practice test platform to work through scenario-based items covering domain controllers, Group Policy, and hybrid identity in the same mixed format the real exam uses.