
Working with Azure Active Directory Domain Services




Author: Sarvesh Goel
Date: September 5, 2016

Azure Active Directory is a critical feature released by Microsoft that provides support for modern protocols such as WS-Fed, OpenID, SAML, OAuth etc., in addition to providing built-in MFA, B2B and B2C support for the hosted applications. Azure Active Directory Domain Services now additionally supports like NTLM, Kerberos, LDAP and Secure Servers to Policy for Computers and Domain name with Custom Organization Domain Services providing High with Azure AD for Users and Groups synchronization.

Below are a few shortcomings of Azure Active Directory Domain Services:

- Azure Service Manager (aka Classic Portal): Azure AD is only supported in the Classic Portal and not on the Azure Resource Manager (aka V2 Portal), which means that if we have all workloads in Azure Resource Manager, then to leverage Azure AD Domain Services we need to create a VNet in the Classic Portal and then create VNet-to-VNet peering to extend the service to resources created in Azure Resource Manager.
- Highly Available Azure AD Domain Services is created only in the one region where the VNet is created; extending Azure AD Domain Services to other regions may not be possible at this time.
- As it is a managed Azure Active Directory Domain Services, it doesn't provide the tenant with Domain Admins and Schema Admins.

Let us now see how to create Azure Active Directory Domain Services on Azure, and how to manage it. Before we create Azure Active Directory Domain Services, we need to create the VNet that Azure AD DS will link itself to.

1. Create a new VNet in the Azure Classic Portal; in this case we have created a VNet by the name AAD_DS_Vnet.
2. Leave the preferred DNS Server IPs empty. We will fill them once Azure AD Domain Services is created and shows us the IP addresses of the managed Domain Controllers. The DNS entries here will be supplied to all VMs in the VNet for Domain Controller communication.
3. Define your address space and subnets here. Azure AD Domain Services will consume IP addresses from the subnet you define here.
4. Once the VNet is successfully created, we now need to create Azure AD. Remember not to tick the "This is a B2C Directory" checkbox, as Azure AD Domain Services is not supported with a B2C Directory.
5. After Azure AD is created, go to the Configure tab and toggle the switch to enable Azure Active Directory Domain Services.
6. Wait a few minutes and see the two managed Domain Controllers build. In this case there are two Domain Controllers with IP addresses ... and ..., and these IPs will be used as the Primary and Secondary IP address.

Create Virtual Machine on Azure and Join to Azure AD Domain Services managed domain

1. Create a new Virtual Machine in the Azure Service Manager portal and create it on the VNet that was created above.
2. Ensure that the VM is connected to the VNet that is associated with Azure AD DS.
3. Now the VM is built, it has received the Azure AD DS Domain Controller IPs, and it is able to ping the Domain Controller DNS name.

Manage Azure Active Directory Domain Services - Join Domain, Organizational Unit and Group Policy

Create a new user "joindomain" (or any other name of your choice) and a new group "aad dc administrators" (it should be this exact name, as it is the group that Microsoft creates to manage the OUs and Group Policies), and add the user account to this group.
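As an added example (not code from the original post), this is the PowerShell a practitioner would run on the new VM before joining it with the account created above: it confirms that the VNet DNS servers were applied, locates the managed Domain Controllers through the domain's SRV record instead of a hard-coded name, checks LDAP and Kerberos reachability, and then performs the join. The domain name is a placeholder; "joindomain" is the account named above.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the VM created on the AAD DS VNet. The domain name below is a
# placeholder; 'joindomain' is the member of 'AAD DC Administrators' created above.
$DomainName = 'example.com'             # placeholder: your managed domain name
$JoinUser   = "$DomainName\joindomain"  # delegated join account

# 1. Confirm the VM picked up the DNS servers configured on the VNet (the two managed DCs).
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique
Write-Host "DNS servers in use: $($dnsServers -join ', ')"
if (@($dnsServers).Count -lt 2) {
    Write-Warning 'Expected the two DC addresses; check the VNet DNS server settings.'
}

# 2. Discover the managed DCs via the standard AD SRV record; this only resolves
#    once the VNet DNS entries point at the managed Domain Controllers.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$dcNames = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
Write-Host "Domain controllers advertised in DNS: $($dcNames -join ', ')"

# 3. Check LDAP (389) and Kerberos (88) reachability to each DC before attempting the join,
#    so a blocked port is reported here rather than as an opaque join failure.
foreach ($dc in $dcNames) {
    foreach ($port in 389, 88) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ("{0}:{1} reachable = {2}" -f $dc, $port, $ok)
    }
}

# 4. Join the managed domain with the delegated account. The computer object lands in
#    the default 'AADDC Computers' OU, since custom OUs cannot be created in this domain.
$cred = Get-Credential -UserName $JoinUser -Message 'Password for the domain join account'
Add-Computer -DomainName $DomainName -Credential $cred -Restart -Force
```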

Once this is done, you will be able to join computers to the Domain. The VM that was created was joined to the Domain using this account.

Manage OUs and Group Policies

Install the AD Management tools and Group Policy Management tools on the VM that was created, or on any other system. For simplicity of illustration, I have installed the tools on the same VM itself.

Below is the default OU structure of the Azure Active Directory Domain Services; a few key points are:

- Organizational Units named "AADC Computers" and "AADDC User" store the Computer and User accounts.
- You will not be able to create new Organizational Units.
- The group that we created in the Azure Portal, AAD DC Administrators, is sync'ed with Azure AD Domain Services to provide management of the OUs and Group Policies.
- AAD DC Administrators are also DNS Admins, which means they will be able to create and manage DNS domains as desired.

Below is the Group Policy structure:

- There are two default Group Policies: one that is linked to the Computers OU and the other that is linked to the Users OU.
- More Group Policies can't be created, and all policies should be managed within these two.
- AAD DC Administrators have edit settings rights on the Group Policies.

Conclusion

Now that we have seen how Azure Active Directory Domain Services is created and managed on Cloud, we need to analyze if it is really practical for medium or large organizations to leverage Azure ADDS. The lack of control over Schema / Domain really restricts organizations from modifying the Domain environment based on their ecosystem. I feel Azure AD is a great tool on Cloud with support for application integrations, business integrations like B2B / B2C or Azure Access Control, and MFA, but Azure ADDS would still need to evolve to meet large organizations' requirements. It may be great for small companies or start-ups to leverage the NTLM and Kerberos protocols without having to design the Active Directory environment. In the next posts, I will explain how Azure Active Directory Domain Services behaves with synchronized ... Post comments on the article with your feedback.

