AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam

Eager to master hybrid server management? Discover how to administer Windows Server Hybrid Core Infrastructure on Azure, setting your path towards the Microsoft Certified: Azure Hybrid Infrastructure Administrator Associate certification!


Deploy and manage Active Directory Domain Services in on-premises and cloud environments

Deploy and manage AD DS domain controllers

Active Directory Domain Services (AD DS) relies on domain controllers to store directory information and authenticate users. A domain controller holds a writable copy of the Active Directory database and participates in replication to keep data consistent across the network. When planning deployments, it’s important to consider fault tolerance and location to reduce authentication delays.

To deploy a domain controller, you typically:

  • Install the Active Directory Domain Services role on Windows Server.
  • Run the AD DS Deployment Wizard, or use PowerShell cmdlets such as Install-ADDSDomainController.
  • Configure DNS, create a site if needed, and verify replication.

After deployment, ongoing management tasks include:

  • Monitoring health with tools like dcdiag and repadmin.
  • Scheduling regular system state and AD backups.
  • Applying Windows and security updates while preserving operational continuity.
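The deployment and health-check steps above, as an added PowerShell example (not part of the exam page). It assumes an existing domain `corp.example.com` and an existing AD site named `HQ`; both are placeholders.

```powershell
# Added example: promote an additional writable domain controller into an existing
# domain, then verify replication. Domain and site names are placeholders.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Domain Admin credentials for the promotion and the DSRM (recovery) password.
# Prompting keeps both secrets out of the script file.
$cred = Get-Credential -Message 'Domain Admin account for promotion'
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -Credential $cred `
    -SiteName 'HQ' `
    -InstallDns `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm `
    -Force

# After the automatic reboot, confirm the new DC replicates with its partners.
repadmin /replsummary                      # per-DC failure counts and largest delta
repadmin /showrepl                         # inbound partners and last success/failure
dcdiag /test:replications /test:dns /test:services

# Same check from the ActiveDirectory module: any partner that has not replicated.
Import-Module ActiveDirectory
Get-ADReplicationFailure -Target 'corp.example.com' -Scope Domain |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
```

Run the verification commands again after the first full replication cycle; a single transient failure immediately after promotion is normal, a growing FailureCount is not.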

In a hybrid environment, you can augment on-premises domain controllers with Azure AD Domain Services. This cloud solution provides managed domain controllers for your Azure virtual networks. It eliminates the need to provision VMs and manage patching, though you still maintain on-premises domain controllers for a fully writable AD DS.

Configure and manage multi-site, multi-domain, and multi-forest environments

Large organizations often divide their AD DS architecture into multiple sites, domains, and forests to optimize performance and security. A site represents a physical location and helps control replication traffic. A domain defines an administrative boundary, and a forest contains one or more domains sharing a common schema.

When configuring multiple sites, you create site objects, connect them with site links, and assign subnets to each site so that clients and domain controllers can be matched to their physical location. This reduces WAN traffic by routing authentication and replication through the fastest paths.

In a multi-domain design, each domain can have its own group policies and user accounts, which simplifies delegation of administrative tasks. Domains trust each other via transitive trusts, enabling resource sharing while keeping security boundaries.

A multi-forest environment uses separate schemas and global catalogs per forest, making it ideal for organizations that require strict isolation. Forest trusts allow users in one forest to access resources in another, but you maintain independent administration and schema modifications.
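The site, subnet, and site-link configuration described above, as an added PowerShell example (not from the exam page). Site names, subnets, and the domain controller name `DC02` are placeholders.

```powershell
# Added example: model two physical locations as AD sites, map their subnets,
# and connect them with an IP site link. All names and ranges are placeholders.
Import-Module ActiveDirectory

New-ADReplicationSite -Name 'HQ'
New-ADReplicationSite -Name 'Branch'

# Subnet-to-site mapping is what lets a client find a DC in its own site.
# A client whose subnet is not mapped may authenticate against a DC across the WAN.
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'HQ'     -Location 'Head office'
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'Branch' -Location 'Branch office'

# Site link: cost decides the preferred path when several links exist,
# frequency controls how often inter-site replication runs.
New-ADReplicationSiteLink -Name 'HQ-Branch' `
    -SitesIncluded 'HQ', 'Branch' `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 30 `
    -InterSiteTransportProtocol IP

# Move an already-promoted DC into the Branch site.
Move-ADDirectoryServer -Identity 'DC02' -Site 'Branch'

# Verification: which DC lives in which site, and which site this client resolved to.
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
nltest /dsgetsite

# Any subnet that is defined but not attached to a site is a misconfiguration worth flagging.
Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site } | Select-Object Name
```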

Create and manage AD DS security principals

Security principals in AD DS include users, groups, and computers. These objects form the backbone of authentication and authorization in your network. By managing them properly, you enforce least privilege and keep your environment secure.

To create a user account, you can use:

  • Active Directory Users and Computers (ADUC) console.
  • PowerShell cmdlets like New-ADUser.
  • Automation scripts for bulk account creation.

Groups simplify permissions by bundling users. Understand group scopes:

  • Domain Local for resources in one domain.
  • Global for users within the same domain.
  • Universal across multiple domains and forests.

Service accounts run applications without using a user’s credentials. Opt for Managed Service Accounts (MSA) or Group Managed Service Accounts (gMSA) to automate password management and improve security.
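The gMSA recommendation above, as an added PowerShell example (not from the exam page). The account `svc-web`, the host group `svc-web-hosts`, the computers `WEB01`/`WEB02`, and the OU path are placeholders.

```powershell
# Added example: create a group managed service account whose password only a
# defined set of hosts can retrieve. Names, hosts and OU paths are placeholders.
Import-Module ActiveDirectory

# One-time per forest: the KDS root key that gMSA passwords are derived from.
# Even with -EffectiveImmediately, allow up to 10 hours for all DCs to use it.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
}

# Only members of this group may retrieve the managed password.
New-ADGroup -Name 'svc-web-hosts' -GroupScope Global -GroupCategory Security `
    -Path 'OU=Groups,DC=corp,DC=example,DC=com'
Add-ADGroupMember -Identity 'svc-web-hosts' `
    -Members (Get-ADComputer 'WEB01'), (Get-ADComputer 'WEB02')
# Note: a computer picks up new group membership in its token only after a reboot.

# The gMSA: AD rotates the password every 30 days; no human ever knows it.
New-ADServiceAccount -Name 'svc-web' `
    -DNSHostName 'svc-web.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'svc-web-hosts' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# On each host in svc-web-hosts: install the account and confirm the password
# can be retrieved before pointing the service at it (Test returns $true/$false).
Install-ADServiceAccount -Identity 'svc-web'
Test-ADServiceAccount -Identity 'svc-web'
```

When configuring the service, use `CORP\svc-web$` as the logon account and leave the password blank; the host retrieves it from AD.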

Implement and manage hybrid identities

A hybrid identity connects your on-premises AD DS with Azure Active Directory (Azure AD). This setup lets users sign in to both cloud and on-site resources using the same credentials. It reduces password fatigue and simplifies identity management.

The primary tool for hybrid identity is Azure AD Connect. You can choose from:

  • Password Hash Synchronization for simple sync of password hashes.
  • Pass-through Authentication to validate passwords on-premises.
  • Federation with AD FS for advanced claims-based authentication.

Once synchronized, you can enable features like self-service password reset and Multi-Factor Authentication (MFA). They help strengthen security while giving users more control.

Monitor synchronization with the Azure AD Connect Health portal and review sync logs regularly. Implement Conditional Access policies in Azure AD to enforce context-aware access controls on hybrid accounts.

Manage Windows Server by using domain-based Group Policies

Group Policy is a central way to configure and secure Windows clients and servers. A Group Policy Object (GPO) contains settings for both computer and user configurations. Linking GPOs to domains, sites, or OUs applies settings to targeted systems.

Key steps for GPO management include:

  • Creating and editing GPOs in the Group Policy Management Console (GPMC).
  • Defining policy settings such as password policies, software installation, and security options.
  • Linking GPOs at the appropriate level and enforcing inheritance or blocking as needed.

Use WMI filters and security filtering to apply GPOs only to specific computers or user groups. Delegation allows you to assign GPO management tasks to other administrators without giving them full domain rights.

Troubleshoot policy issues with commands like gpupdate /force and gpresult /h. Check the Event Viewer for Group Policy-related errors to ensure your policies are applied correctly.
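The GPO creation, linking, security-filtering, and troubleshooting steps above, as an added PowerShell example (not from the exam page). The OU path, the group `Tier1-Servers`, and the output paths are placeholders.

```powershell
# Added example: create a GPO, set one security setting, link it enforced to an OU,
# restrict it with security filtering, then verify on a member server.
# OU path, group name and file paths are placeholders.
Import-Module GroupPolicy

$gpo = New-GPO -Name 'Servers - Disable LM hash storage' -Comment 'Security baseline'

# Registry-backed policy: stop storing LAN Manager hashes for new passwords.
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'NoLMHash' -Type DWord -Value 1

# Link to the Servers OU. -Enforced Yes: child OUs cannot block inheritance of it.
New-GPLink -Name $gpo.DisplayName `
    -Target 'OU=Servers,DC=corp,DC=example,DC=com' `
    -LinkEnabled Yes -Enforced Yes

# Security filtering: apply only to members of Tier1-Servers.
# Authenticated Users keeps Read (not Apply): since MS16-072 the computer account
# must still be able to read the GPO, or it is silently skipped.
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $gpo.DisplayName -TargetName 'Tier1-Servers' `
    -TargetType Group -PermissionLevel GpoApply

# Review the resulting ACL before closing the change.
Get-GPPermission -Name $gpo.DisplayName -All | Select-Object Trustee, Permission

# On a member server: refresh and inspect which GPOs applied (and which were denied and why).
gpupdate /force
gpresult /h C:\Temp\gpresult.html /f
Get-GPResultantSetOfPolicy -ReportType Html -Path C:\Temp\rsop.html
```

In the gpresult report, a GPO listed under "Denied GPOs" with reason "Security" confirms the filtering is working; "Inaccessible" usually means the Read permission was removed along with Apply.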

Conclusion

In this exam section, you learned how to deploy and manage domain controllers, ensuring replication and availability. You explored designing multi-site, multi-domain, and multi-forest environments for performance and security. You mastered creating and maintaining security principals such as users, groups, and service accounts. You also discovered how to implement and safeguard hybrid identities with Azure AD Connect and advanced authentication methods. Finally, you covered Group Policy management to enforce consistent settings and security across Windows Server and client systems. Together, these skills help you build and maintain a robust Active Directory infrastructure in both on-premises and cloud environments.
