Creating Azure Active Directory Domain Services

Posted: October 30, 2019 in Azure

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, and Kerberos / NTLM authentication that are fully compatible with Windows Server Active Directory.

Adding a custom domain to Azure

In the Azure portal, click Azure Active Directory


Then click Custom domain names


Click Add custom domain


Type your domain name


Create the TXT DNS entry at your domain registrar




I’m using GoDaddy, so I added the TXT entry there:



Once added, click the Verify button in the Azure portal.



Creating user


Click Azure Active Directory – Users



Create user


Log in with the user to (you have to change the password during the first login)

Creating Virtual Network

Click Create resource – type Virtual Network, then add a name, address space and subnet range




Creating Active Directory Domain Service

Again, click Create resource – type Azure AD Domain Services


Type domain name and select Resource group



Select Virtual network



Select users who will be AD Domain administrators




Choose what groups in Azure AD will be synchronized with Domain service





It will take about 1.5 hours for the Domain Services instance to be created


Azure will create 2 domain controllers, to which we can’t make an RDP connection.



In order for an Azure VM to be joined to Azure AD Domain Services, the VM needs to be rebooted.

Unfortunately, only one domain Group Policy can be created. :(
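The same steps as the portal walkthrough above, scripted with the AzureAD and Az PowerShell modules. This is an added example, not part of the original post; the domain name, resource group, region, user name and address ranges are placeholders, the Domain Controller Services application ID and the Microsoft.AAD/DomainServices property names are taken from the Azure AD DS documentation, and the TXT record still has to be published at your registrar by hand.

```powershell
# Added example (not from the original post): portal steps scripted with AzureAD + Az modules.
$domain   = 'contoso.com'   # placeholder: custom domain, reused as the managed domain name
$rg       = 'rg-aadds'      # placeholder resource group
$location = 'westeurope'    # AAD DS is single-region; pick the region your VMs live in
Connect-AzureAD | Out-Null
Connect-AzAccount | Out-Null

# 1. Add the custom domain and read the TXT value to publish at the registrar (GoDaddy in the post)
New-AzureADDomain -Name $domain | Out-Null
$txt = (Get-AzureADDomainVerificationDnsRecord -Name $domain | Where-Object RecordType -eq 'Txt').Text
Write-Host "Create a TXT record for $domain with value '$txt', wait for DNS, then run:"
Write-Host "  Confirm-AzureADDomain -Name $domain"   # equivalent of the portal's Verify button

# 2. Create a user who must change the password at first sign-in, then make them an AAD DS admin.
#    Membership of the group named exactly 'AAD DC Administrators' is what grants delegated admin rights.
$pp = New-Object Microsoft.Open.AzureAD.Model.PasswordProfile
$pp.Password = Read-Host 'Initial password for the new user'
$pp.ForceChangePasswordNextLogin = $true
$admin = New-AzureADUser -DisplayName 'AADDS Admin' -UserPrincipalName "aadds-admin@$domain" `
           -MailNickName 'aadds-admin' -AccountEnabled $true -PasswordProfile $pp
$grp = New-AzureADGroup -DisplayName 'AAD DC Administrators' -Description 'Delegated AAD DS admins' `
         -SecurityEnabled $true -MailEnabled $false -MailNickName 'AADDCAdministrators'
Add-AzureADGroupMember -ObjectId $grp.ObjectId -RefObjectId $admin.ObjectId

# 3. Virtual network with a dedicated subnet for the two managed domain controllers
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'aadds-subnet' -AddressPrefix '10.0.0.0/24'
$vnet = New-AzVirtualNetwork -Name 'vnet-aadds' -ResourceGroupName $rg -Location $location `
          -AddressPrefix '10.0.0.0/16' -Subnet $subnet
$subnetId = ($vnet.Subnets | Where-Object Name -eq 'aadds-subnet').Id

# 4. Register the resource provider and the Domain Controller Services principal, then create the domain
Register-AzResourceProvider -ProviderNamespace Microsoft.AAD | Out-Null
New-AzureADServicePrincipal -AppId '2565bd9d-da50-47d4-8b85-4c97f669dc36' -ErrorAction SilentlyContinue | Out-Null
$subId = (Get-AzContext).Subscription.Id
New-AzResource -Force -Location $location `
  -ResourceId "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.AAD/DomainServices/$domain" `
  -Properties @{
    domainName   = $domain
    replicaSets  = @(@{ subnetId = $subnetId; location = $location })
    filteredSync = 'Disabled'   # 'Enabled' syncs only chosen groups, like the portal's group picker
    domainSecuritySettings = @{ ntlmV1 = 'Disabled'; tlsV1 = 'Disabled' }  # hardening; both default to Enabled
  }
```

Provisioning takes roughly the same 1.5 hours as in the portal; check progress with Get-AzResource on the same resource ID.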



Azure Active Directory Domain Services disadvantages


  • Azure AD DS is not intended to be a replacement for your on-premises domain controllers, and has a number of limitations that make doing so not recommended
  • Only one Default Domain and Domain Controllers policy; this is because customers do not have access to the domain controllers, and MS doesn’t want you applying GPOs to its domain controllers.
  • No Domain Admin rights (only access to specific services)
  • The lack of admin rights also means things like setting up Kerberos Delegation aren’t possible, so things like Application Proxy with Windows Auth are off the list
  • Single instance, in a single region only (no DR)
  • You can create custom OUs, but these OUs are only shown on the AD DS side; any users in these custom OUs won’t show in Azure AD
  • Users sourced from AAD are restricted to a single OU
  • AAD DS was created as a means for people to lift and shift applications into Azure that required access to an LDAP AD server, and that is what the restrictions are designed around. The assumption is that you will still maintain an on-premises domain and sync it to AAD.
  • AAD DS requires a v1 VNET, so if you’re using v2 VNETs you’ll need to create a separate VNET and join them either by VNET peering or VPN


