Before adding domains to the Privileged Access Service, consider which Active Directory accounts you want to manage, and whether there are specific privileges you should be aware of when deciding which account passwords to store and manage with the Privileged Access Service.
The most likely candidates for managed accounts are Active Directory administrative accounts and application service accounts. You can use the Privileged Access Service to manage the password for any of these accounts, or you can add any other accounts of your choice to securely store the account information without having the Privileged Access Service manage the password.
Note, however, that you must add domain accounts to the domain where they belong. For example, if you want to manage a domain account that is in a child domain instead of the forest root domain, you must first add the child domain to the Privileged Access Service, then add the domain accounts you want to manage under that child domain.
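
To plan which domains to add, it helps to inventory the candidate accounts grouped by the domain they belong to. The following PowerShell is an added example, not part of the Privileged Access Service or its documentation. It assumes the RSAT ActiveDirectory module and read access to every domain in the forest, and it uses `adminCount=1` and a populated `servicePrincipalName` as heuristics for administrative and application service accounts; neither is the product's own definition.

```powershell
# Added example: list candidate accounts per domain across the forest.
# Assumptions: RSAT ActiveDirectory module, read access to each domain.
Import-Module ActiveDirectory

$forest = Get-ADForest
$props  = 'adminCount', 'servicePrincipalName', 'PasswordLastSet'

$candidates = foreach ($domain in $forest.Domains) {
    # Heuristics (assumptions, review the results by hand):
    #   adminCount=1           -> is, or once was, in a protected admin group
    #   servicePrincipalName=* -> user object that runs a Kerberos service
    Get-ADUser -Server $domain -Properties $props `
        -LDAPFilter '(|(adminCount=1)(servicePrincipalName=*))' |
    ForEach-Object {
        $kinds = @()
        if ($_.adminCount -eq 1)                 { $kinds += 'Administrative' }
        if ($_.servicePrincipalName.Count -gt 0) { $kinds += 'Service' }

        [pscustomobject]@{
            Domain          = $domain          # the domain the account must be added under
            SamAccountName  = $_.SamAccountName
            Category        = $kinds -join ', '
            Enabled         = $_.Enabled
            PasswordLastSet = $_.PasswordLastSet
        }
    }
}

# Domains that hold at least one candidate account. Any of these that is a
# child domain has to be added before its accounts can be added.
$candidates | Group-Object Domain | ForEach-Object {
    [pscustomobject]@{
        DomainToAdd  = $_.Name
        IsForestRoot = ($_.Name -eq $forest.RootDomain)
        Accounts     = $_.Count
    }
} | Sort-Object IsForestRoot, DomainToAdd | Format-Table -AutoSize

# Per-account detail for deciding which passwords to manage and which to store only.
$candidates | Sort-Object Domain, SamAccountName | Format-Table -AutoSize
```

Accounts with a stale `adminCount` flag or an unused SPN will appear in the output, so treat the list as a starting point for review rather than a final selection.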