Creating Azure Active Directory Domain Services

Posted: October 30, 2019 in Azure

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, Group Policy, LDAP, and Kerberos/NTLM authentication that are compatible with Windows Server Active Directory. Microsoft operates the domain controllers; you get delegated administration through the AAD DC Administrators group rather than Domain Admin rights, which explains most of the limitations listed at the end of this post.

Adding custom domain to Azure

In Azure portal click Azure Active Directory


Then click Custom domain names


Click Add custom domain


Type your domain name


Azure then shows a TXT record (name and value, in the form MS=msXXXXXXXX) that you must create at your domain registrar or DNS host to prove you control the domain.

I’m using GoDaddy so I added the TXT entry there.

Once the record has propagated, click the Verify button in the Azure portal. A domain can be verified in only one Azure AD tenant at a time, and the TXT record can be deleted after verification succeeds.
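Before clicking Verify it is worth checking from outside that the TXT record is actually visible, since the portal gives little detail when verification fails. The following is an added example, not code from the original post: a small PowerShell check against a public resolver. The domain contoso.com, the TXT value MS=ms12345678 and the choice of 8.8.8.8 as resolver are placeholders; use the value the portal shows for your domain.

```powershell
# Added example (not from the original post): confirm the ownership TXT record is
# visible on the public internet before clicking Verify in the Azure portal.
# Assumptions: 'contoso.com', 'MS=ms12345678' and the resolver 8.8.8.8 are placeholders.
param(
    [string]$DomainName  = 'contoso.com',
    [string]$ExpectedTxt = 'MS=ms12345678',
    [string]$Resolver    = '8.8.8.8'
)

function Test-AzureDomainTxtRecord {
    param([string]$Name, [string]$Expected, [string]$Server)

    # Query a public resolver directly (-DnsOnly skips the local hosts file and cache),
    # so a stale local cache cannot produce a false positive or false negative.
    $records = Resolve-DnsName -Name $Name -Type TXT -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    if (-not $records) {
        return [pscustomobject]@{
            Domain  = $Name
            Found   = $false
            Values  = @()
            Message = 'No TXT records returned yet; check the registrar and wait for propagation'
        }
    }

    # Resolve-DnsName exposes the TXT payload in .Strings (one element per string chunk);
    # join the chunks so long values compare as a single string.
    $values = $records | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { $_.Strings -join '' }
    $match  = $values -contains $Expected

    [pscustomobject]@{
        Domain  = $Name
        Found   = $match
        Values  = $values
        Message = if ($match) { 'Record present; click Verify in the portal' }
                  else        { 'TXT records exist but none matches the expected value; check for typos' }
    }
}

Test-AzureDomainTxtRecord -Name $DomainName -Expected $ExpectedTxt -Server $Resolver | Format-List
```

Run it with the real domain and value as parameters; when Found is true the portal's Verify should succeed. The record must live at the zone apex (the "@" host at most registrars), which is where the lookup above points.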

Creating user

Click Azure Active Directory – Users, then New user, and fill in the name, user name and initial password.

Sign in as that user at https://myapps.microsoft.com/ (the temporary password must be changed at the first sign-in). Note that Azure AD DS can only authenticate a cloud-only user whose password was changed after the managed domain was enabled, because that is when the Kerberos and NTLM hashes it needs start being generated. A user created now, before the managed domain exists, will therefore have to change the password once more after the domain is up.

Creating Virtual Network

Click Create resource, search for Virtual Network, and give it a name, an address space and a subnet.

Use a dedicated subnet for Azure AD DS and keep your own VMs in a separate subnet; do not attach a network security group that blocks the inbound management ports Microsoft needs to operate the domain controllers, or the deployment will fail health checks.

Creating Active Directory Domain Service

Again, click Create resource and search for Azure AD Domain Services.

Type the managed domain name and select the subscription and resource group. The managed domain name does not have to be the verified custom domain (a built-in *.onmicrosoft.com name or any custom name is allowed), but it must not already exist as a DNS zone reachable from the virtual network.

Select the virtual network and the dedicated subnet created above.

Select the users who will administer the managed domain. They are added to the AAD DC Administrators group in Azure AD. This grants delegated rights (domain join, custom OUs and GPOs, DNS administration, local admin on joined VMs) but not Domain Admins or Enterprise Admins membership, so keep the group small and review its membership like any other privileged group.

Choose which Azure AD groups will be synchronized to the managed domain: all users, or only selected groups (scoped synchronization).

Provisioning takes about an hour to an hour and a half.
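The wizard above can also be prepared from PowerShell, which makes the privileged-group step reviewable. The following is an added example, not code from the original post, using the Az and AzureAD modules: it registers the Microsoft.AAD resource provider, creates the virtual network with a dedicated subnet, creates or reuses the AAD DC Administrators group and adds one admin, then prints the group's membership for review. The resource group, location, network names, address ranges and the admin UPN are placeholders.

```powershell
# Added example (not from the original post): scripted prerequisites for the portal wizard.
# Requires the Az and AzureAD modules and an account that can create groups and networks.
# Assumptions: all names, address ranges and the UPN below are placeholders.
$ResourceGroup = 'rg-aadds'
$Location      = 'westeurope'
$VnetName      = 'vnet-aadds'
$AdminUpn      = 'aaddsadmin@contoso.com'

Connect-AzAccount | Out-Null
Connect-AzureAD   | Out-Null

# 1. Register the resource provider that backs Azure AD DS (one-time step per subscription).
Register-AzResourceProvider -ProviderNamespace 'Microsoft.AAD' | Out-Null

# 2. Virtual network with a subnet reserved for the managed domain.
#    Nothing else should be placed in 'aadds-subnet'; workloads go into 'workloads'.
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null
$aaddsSubnet = New-AzVirtualNetworkSubnetConfig -Name 'aadds-subnet' -AddressPrefix '10.0.0.0/24'
$workSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'workloads'    -AddressPrefix '10.0.1.0/24'
New-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroup -Location $Location `
    -AddressPrefix '10.0.0.0/16' -Subnet $aaddsSubnet, $workSubnet -Force | Out-Null

# 3. The delegated-administration group. Azure AD DS looks for a group with exactly this
#    display name, so create it only if it does not exist yet.
$group = Get-AzureADGroup -Filter "DisplayName eq 'AAD DC Administrators'"
if (-not $group) {
    $group = New-AzureADGroup -DisplayName 'AAD DC Administrators' `
        -Description 'Delegated administration group for Azure AD Domain Services' `
        -SecurityEnabled $true -MailEnabled $false -MailNickName 'AADDCAdministrators'
}

# Add the admin account idempotently (Add-AzureADGroupMember errors on duplicates).
$admin   = Get-AzureADUser -ObjectId $AdminUpn
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
if ($members.ObjectId -notcontains $admin.ObjectId) {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $admin.ObjectId
}

# 4. Least-privilege review: everyone listed here can join machines, write GPOs and manage
#    DNS in the managed domain. Keep the list short and alert on changes to it.
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Select-Object DisplayName, UserPrincipalName, ObjectType |
    Format-Table -AutoSize
```

The managed domain itself is still created through the portal wizard as shown; the script only prepares the pieces the wizard asks for and leaves a record of who was made an administrator.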

Azure deploys two domain controllers into the subnet. They are managed by Microsoft: you cannot RDP to them or log on to them. Only their IP addresses are exposed, and those addresses are what the virtual network's DNS settings must point at.

To join an Azure VM to the managed domain, the VM must resolve the domain through the managed domain's IP addresses: set them as the DNS servers of the virtual network, and restart VMs that were already running so they pick up the new DNS settings. The domain join itself also requires a restart, as with any Active Directory domain join.
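Most failed joins come down to the VM still using Azure's default DNS, which knows nothing about the managed domain. The following is an added example, not code from the original post: run inside the VM as a local administrator, it checks the configured DNS servers, looks up the domain controller SRV records, tests the Kerberos, LDAP and SMB ports, and only then performs the join and restart. The domain name aadds.contoso.com and the account aaddsadmin@contoso.com are placeholders.

```powershell
# Added example (not from the original post): pre-join checks and the join itself, run on the VM.
# Assumptions: 'aadds.contoso.com' is the managed domain and 'aaddsadmin@contoso.com' is a
# member of AAD DC Administrators (placeholders).
$ManagedDomain = 'aadds.contoso.com'
$JoinAccount   = 'aaddsadmin@contoso.com'

function Test-ManagedDomainReachability {
    param([string]$Domain)

    # DNS servers currently in use. These must be the managed domain's IP addresses, set on the
    # virtual network; if they are still Azure's default (168.63.129.16) the SRV lookup below fails.
    $dns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses

    # Domain controller discovery works through this SRV record, exactly as Add-Computer does it.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    $dcs = @($srv | ForEach-Object { $_.NameTarget } | Sort-Object -Unique)

    # Kerberos (88), LDAP (389) and SMB (445, needed for SYSVOL / Group Policy).
    $ports = foreach ($dc in $dcs) {
        foreach ($p in 88, 389, 445) {
            $open = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{ DC = $dc; Port = $p; Open = $open }
        }
    }

    [pscustomobject]@{
        DnsServers        = $dns
        DomainControllers = $dcs
        PortChecks        = $ports
        Ready             = ($dcs.Count -gt 0) -and -not ($ports | Where-Object { -not $_.Open })
    }
}

$check = Test-ManagedDomainReachability -Domain $ManagedDomain
"DNS servers in use: $($check.DnsServers -join ', ')"
$check.PortChecks | Format-Table -AutoSize
if (-not $check.Ready) {
    throw 'Managed domain not reachable: fix the virtual network DNS settings or the NSG before joining.'
}

# Prompt for the password instead of putting it on the command line (it would end up in history).
$cred = Get-Credential -UserName $JoinAccount -Message 'AAD DC Administrators account'
Add-Computer -DomainName $ManagedDomain -Credential $cred -Restart -Force
```

The join uses the UPN form of the account (user@domain) rather than DOMAIN\user, which is the form that works reliably against the managed domain.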

Group Policy is more limited than in a self-managed domain. The two built-in GPOs (AADDC Users and AADDC Computers) can be edited and custom GPOs can be created and linked to custom OUs, but the Default Domain Controllers Policy cannot be changed, because the domain controllers belong to Microsoft.

Azure AD Domain Services disadvantages

  • Azure AD DS is not intended to replace your on-premises domain controllers, and it has a number of limitations that make using it as a replacement not recommended.
  • Group Policy is restricted: the built-in AADDC Users and AADDC Computers GPOs can be edited and custom GPOs can be linked to custom OUs, but the Default Domain Controllers Policy is off limits. Customers have no access to the domain controllers, and Microsoft does not want GPOs applied to them.
  • No Domain Admins or Enterprise Admins rights, only the delegated rights of the AAD DC Administrators group.
  • Without those rights, account-based Kerberos constrained delegation (editing the front-end account's allowed-to-delegate list) cannot be configured. Scenarios that depend on it, such as Application Proxy with Windows integrated authentication, have to use resource-based KCD on computer objects in a custom OU instead.
  • Single instance in a single region only, so no DR (at the time of writing).
  • You can create custom OUs, but they exist only on the Azure AD DS side; users placed in them do not appear in Azure AD, and objects created directly in the managed domain are never synchronized back.
  • Users sourced from Azure AD are placed in a single OU (AADDC Users) and cannot be moved out of it.
  • Azure AD DS was created as a way to lift and shift applications into Azure that need an LDAP or Kerberos domain, and the restrictions are designed around that. The assumption is that you still maintain an on-premises domain and sync it to Azure AD.
  • Azure AD DS is deployed into one Resource Manager virtual network and cannot be moved to another afterwards. Workloads in other VNets reach it through VNet peering or VPN, and their DNS must also point at the managed domain's IP addresses.
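The list above is about what the delegated rights do not allow; it is just as useful to see what they do allow. The following is an added example, not code from the original post: run on a domain-joined management VM with the RSAT Active Directory and Group Policy modules installed, signed in as a member of AAD DC Administrators, it creates a custom OU, links a custom GPO to it, and configures resource-based Kerberos constrained delegation between two servers. The domain aadds.contoso.com, the OU and GPO names and the computer accounts APP-FRONTEND and APP-BACKEND are placeholders.

```powershell
# Added example (not from the original post): administration that AAD DC Administrators can do.
# Run on a management VM joined to the managed domain, with RSAT AD DS and Group Policy tools.
# Assumptions: the domain, OU/GPO names and computer names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDn = 'DC=aadds,DC=contoso,DC=com'
$OuName   = 'AppServers'
$GpoName  = 'AppServers-Hardening'

# 1. Custom OU. Objects in it are visible only in the managed domain, never in Azure AD.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDn -ErrorAction SilentlyContinue
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $OuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true -PassThru
}

# 2. Custom GPO linked to that OU. The Default Domain Controllers Policy cannot be touched,
#    but policy for your own servers can. Example setting: require SMB signing on the server side.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters' `
        -ValueName 'RequireSecuritySignature' -Type DWord -Value 1 | Out-Null
    New-GPLink -Name $GpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
}

# 3. Resource-based KCD: the back-end computer object lists which front-end identity may
#    delegate to it. This writes one attribute on a computer object you administer, so no
#    Domain Admin rights are needed. Account-based KCD (msDS-AllowedToDelegateTo on the
#    front end) is the variant that is not possible in Azure AD DS.
#    Move both computer accounts into the custom OU first; the built-in AADDC Computers OU
#    is not the place to do this.
$frontEnd = Get-ADComputer -Identity 'APP-FRONTEND'
$backEnd  = Get-ADComputer -Identity 'APP-BACKEND'
foreach ($c in $frontEnd, $backEnd) {
    if ($c.DistinguishedName -notlike "*$($ou.DistinguishedName)") {
        Move-ADObject -Identity $c.DistinguishedName -TargetPath $ou.DistinguishedName
    }
}
Set-ADComputer -Identity $backEnd.SamAccountName -PrincipalsAllowedToDelegateToAccount $frontEnd

# Verify what was written; this attribute is also worth auditing, since it is delegation.
Get-ADComputer -Identity $backEnd.SamAccountName -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount
```

Because delegation rights live on the resource rather than on the front end here, the PrincipalsAllowedToDelegateToAccount attribute on your back-end servers is the thing to review periodically; anyone in AAD DC Administrators can set it.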