- What Domain 4 Actually Covers
- IP Addressing, DNS, and Name Resolution
- DHCP Deployment and High Availability
- Remote Access, VPN, and Site-to-Site Connectivity
- Hybrid Networking with Azure
- How Domain 4 Questions Are Actually Written
- Scheduling Domain 4 Inside Your Study Plan
- Who Actually Uses This Domain on the Job
- Domain 4 vs. the Other Four Domains
- Frequently Asked Questions
- Domain 4 makes up 15-20% of AZ-800, covering on-premises networking plus Azure hybrid connectivity.
- Expect scenario questions on DNS, DHCP failover, VPN, and Azure VPN Gateway configuration together.
- AZ-800 costs $165 USD in the U.S. and requires a 700/1000 to pass.
- AZ-800 retires September 30, 2026 at 5:00 PM CST, replaced by AZ-802.
What Domain 4 Actually Covers
Domain 4, Implement and manage an on-premises and hybrid networking infrastructure, sits at 15-20% of the AZ-800 exam blueprint - the same weight band as Domain 3 (virtual machines and containers) and Domain 5 (storage and file services). It's the domain that tests whether you can keep traffic flowing correctly between an on-premises Windows Server environment and Azure, which is the entire premise of the "hybrid administrator" title.
Unlike Domain 1, which dominates the exam at 30-35% and centers on Active Directory Domain Services, Domain 4 is more infrastructure-plumbing focused: IP addressing, name resolution, DHCP scopes, VPN tunnels, and the Azure-side constructs (VNets, gateways, peering) that let an on-premises network extend into the cloud. If you want the full breakdown of how this domain relates to the other four, the AZ-800 Exam Domains 2026 guide maps out all five content areas side by side.
IP Addressing, DNS, and Name Resolution
Name resolution is the backbone of Domain 4, and it's also where Domain 4 quietly overlaps with Domain 1's AD DS content - DNS zones, after all, host the SRV records that let domain controllers find each other. Candidates should be comfortable with:
- Configuring primary, secondary, and Active Directory-integrated DNS zones
- Setting up conditional forwarders and stub zones for hybrid name resolution between on-premises and Azure Private DNS
- Understanding DNS policies, split-brain DNS, and DNSSEC basics
- Troubleshooting resolution failures using
nslookup,Resolve-DnsName, and event logs - Designing IP addressing schemes that don't collide when a VNet gets connected to an on-premises subnet
Name Resolution in Hybrid Scenarios
A recurring exam pattern involves a domain-joined VM in Azure that needs to resolve on-premises hostnames, or vice versa. Candidates must know when to use conditional forwarders versus Azure Private DNS Resolver, and how DNS server IP settings on a VNet affect domain join operations.
- Practice configuring Azure Private DNS zones linked to VNets
- Know the default behavior when no custom DNS server is specified on a VNet
DHCP Deployment and High Availability
DHCP shows up in Domain 4 mostly through the lens of resiliency and centralized management, not basic scope creation. Expect exam content on:
- DHCP failover configuration (load-balance mode vs. hot standby mode)
- Superscopes and multicast scopes
- DHCP policies for assigning options based on client class
- Migrating and backing up DHCP databases between servers
- Managing DHCP through Windows Admin Center and PowerShell cmdlets like
Add-DhcpServerv4ScopeandSet-DhcpServerv4OptionValue
Because AZ-800 emphasizes management tooling explicitly - Windows Admin Center, PowerShell, and Azure-native services - expect at least one question where the "correct" answer is dictated by which tool the scenario says is available, not just which feature would technically work.
Key Takeaway
When a Domain 4 question mentions DHCP failover, check whether the scenario calls for load-balancing (both servers active) or hot standby (one primary, one backup) - the wrong mode is a common wrong-answer trap.
Remote Access, VPN, and Site-to-Site Connectivity
Remote access content bridges classic Windows Server roles with Azure connectivity, and it's one of the more "hybrid" sections of the entire exam. You should be able to configure and troubleshoot:
- Routing and Remote Access Service (RRAS) for VPN and NAT
- Always On VPN device tunnel and user tunnel scenarios
- Site-to-site VPN between on-premises RRAS/third-party devices and Azure VPN Gateway
- Point-to-site VPN for individual client connectivity into a VNet
- Network address translation and routing table configuration for hybrid traffic flow
These topics connect closely with the VM networking material tested in Domain 3, since a VPN's usefulness is ultimately judged by whether an Azure IaaS VM can talk to an on-premises resource. If you haven't already reviewed that material, the Domain 3 study guide covers the VM side of that equation in detail.
Hybrid Networking with Azure
This is the section that most clearly separates AZ-800 from a legacy on-premises networking exam. Candidates are expected to demonstrate working knowledge of:
- Virtual network (VNet) creation, subnetting, and peering
- Network security groups (NSGs) and how they interact with subnet and NIC-level rules
- Azure VPN Gateway SKUs and configuration options for site-to-site and point-to-site scenarios
- Basic ExpressRoute concepts as an alternative to VPN for dedicated connectivity
- Azure Bastion for secure remote management without exposing RDP/SSH publicly
- Integrating Azure Arc-enabled servers into network management workflows, since Arc is explicitly listed among the tools AZ-800 candidates should know
How Domain 4 Questions Are Actually Written
Microsoft does not publish a fixed item count for AZ-800, and the exam uses a variable mixed format rather than a static number of multiple-choice items. For Domain 4 specifically, expect this mix of question styles:
- Multiple choice and multiple response - identifying the correct DNS record type, DHCP failover mode, or NSG rule priority
- Scenario/case study questions - a company description with an existing on-premises network and a stated Azure migration goal, followed by several questions about routing, name resolution, or VPN configuration
- Drag-and-drop / build-list items - sequencing the steps to configure a site-to-site VPN or ordering DNS query resolution flow
- Occasional lab or performance-based tasks, where availability and timing vary by delivery
Plan for roughly 100 minutes of exam time for the non-lab role-based format, with total seat time running longer once you factor in the NDA agreement and survey. A 700 out of 1000 is the passing bar across the whole exam - Domain 4 doesn't have its own separate pass/fail threshold, but under-preparing for a 15-20% chunk of the exam makes reaching 700 overall much harder. For a broader look at how difficult the exam feels in practice, see How Hard Is the AZ-800 Exam?, and for the data-backed view of outcomes, check the AZ-800 Pass Rate 2026 breakdown.
Scheduling Domain 4 Inside Your Study Plan
Because Domain 4 sits in the middle weight tier (15-20%), it deserves a dedicated study block but shouldn't consume the same time as Domain 1's AD DS content. A practical approach many candidates use is a weekly rotation that pairs networking concepts with hands-on lab time immediately after, rather than reading theory in isolation.
DNS and DHCP Deep Dive
- Build a lab domain with conditional forwarders and DHCP failover
- Practice PowerShell cmdlets for both roles
VPN and Remote Access
- Configure RRAS site-to-site VPN in a lab
- Stand up an Azure VPN Gateway and connect it to an on-premises simulated network
Azure VNets, NSGs, and Arc Integration
- Peer two VNets and test connectivity
- Onboard a lab VM to Azure Arc and review its networking prerequisites
If you're building your full study calendar rather than just this domain, the AZ-800 Study Guide 2026 lays out a complete week-by-week plan across all five domains, and the Domain 1 guide is worth pairing with your Domain 4 review since AD-integrated DNS zones connect both areas.
Who Actually Uses This Domain on the Job
Domain 4 knowledge maps directly to day-to-day responsibilities for systems administrators, network administrators, and infrastructure engineers who maintain hybrid environments - organizations that haven't fully moved off Windows Server but run workloads in Azure. Employers hiring for these roles typically expect comfort with Windows Admin Center, PowerShell scripting, Azure networking constructs, and troubleshooting connectivity issues that span both environments.
This is also where the certification's practical value shows up most clearly: hybrid connectivity problems (a VPN tunnel drops, DNS resolution fails after a VNet peering change, a DHCP failover pair goes out of sync) are exactly the kind of incidents these administrators get paged for. If you're evaluating whether the credential translates into better job opportunities or compensation, the AZ-800 Salary Guide 2026 and ROI analysis both address that question directly, and the AZ-800 Jobs page outlines common role titles tied to this skill set.
Domain 4 vs. the Other Four Domains
Seeing Domain 4's weight next to the rest of the blueprint helps with time allocation decisions during study:
| Domain | Weight | Primary Focus |
|---|---|---|
| Domain 1: AD DS in on-premises and cloud environments | 30-35% | Directory services, hybrid identity, AD DS management |
| Domain 2: Manage Windows Servers and workloads in a hybrid environment | 10-15% | Server management tooling, Azure Arc, Azure Policy |
| Domain 3: Manage virtual machines and containers | 15-20% | Azure IaaS VMs, Hyper-V, containers |
| Domain 4: On-premises and hybrid networking infrastructure | 15-20% | DNS, DHCP, VPN, Azure VNets and gateways |
| Domain 5: Manage storage and file services | 15-20% | Storage Spaces, file servers, Azure File Sync |
Because three of the five domains share the 15-20% band, it's easy to under-plan for Domain 4 while over-focusing on Domain 1. A balanced review schedule that treats Domains 3, 4, and 5 with roughly equal seriousness tends to produce steadier results than one that leans almost entirely on AD DS review. For a topic-by-topic breakdown of every domain, revisit the complete domains guide, and if you haven't compared the Domain 2 material against Domain 4 yet, the Domain 2 guide shows where Azure Arc and Azure Policy content connects back to the networking scenarios covered here.
Key Takeaway
Don't treat Domain 4 as "just networking" - the exam consistently blends it with Azure-side constructs, so lab time in an actual Azure subscription matters as much as reviewing Windows Server networking roles.
Frequently Asked Questions
Both are tested. Microsoft's exam guidance expects candidates to administer workloads using tools like Windows Admin Center, PowerShell, and Azure services, and Domain 4 scenarios regularly combine on-premises DNS/DHCP/VPN with Azure VNets, NSGs, and gateways. Skipping the Azure side leaves a real gap.
Domain 1 carries more weight (30-35% vs. 15-20%) and covers more ground overall, but Domain 4's scenario questions can feel harder because they often require tracing a problem across two environments at once - on-premises and Azure - rather than staying within a single system.
AZ-800 costs $165 USD in the United States (regional pricing may differ), delivered via Pearson VUE test centers or OnVUE online proctoring. The exam uses a variable mixed format - multiple choice, multiple response, case studies, drag-and-drop, and sometimes labs - and Domain 4 questions are distributed throughout the exam rather than grouped separately. Full cost details are in the AZ-800 Certification Cost breakdown.
Yes. AZ-800 and AZ-801 retire September 30, 2026 at 5:00 PM CST and will be replaced by AZ-802, but until then AZ-800 remains one of the two required exams for the Windows Server Hybrid Administrator Associate credential. The hybrid networking skills in Domain 4 are also foundational and likely to carry forward into AZ-802's content.
Build a small lab with a domain controller, a DHCP server, and an Azure subscription with at least one VNet, then practice connecting them via VPN. You can also work through scenario-style practice questions on our AZ-800 practice test platform to get comfortable with how Domain 4 case studies are structured, and revisit the full study guide for a complete review sequence across all five domains.
- AZ-800 Domain 1: Deploy and manage Active Directory Domain Services (AD DS) in on-premises and cloud environments (30-35%) - Complete Study Guide 2026
- AZ-800 Domain 2: Manage Windows Servers and workloads in a hybrid environment (10-15%) - Complete Study Guide 2026
- AZ-800 Domain 3: Manage virtual machines and containers (15-20%) - Complete Study Guide 2026
- AZ-800 Exam Domains 2026: Complete Guide to All 5 Content Areas