This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 31%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
I have spun an "Azure-Active-directory Domain Service"
Now I am standing up "Enterprise CA" server role on one the Windows Server VM that is joined to this AAD-DS
Is the design possible ?
Can I use AAD-DS with my PKI infrastructure ?
OR
I have to spin up self-service Active Directory ?
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
If you want install Enterprise CA , you have to installed on server member of a active directory domain:
You can install Standalone CA , to avoid installing new domain for Enterprise CA.
Please don't forget to mark helpful reply as answer
Thanks @Thameur-BOURBITA
I believe that is what I said.
This vm on which I am installing and configuring AD CS Certificate Authority role is joined to the AAD DS domain.
Would it work ??
This vm on which I am installing and configuring AD CS Certificate Authority role is joined to the AAD DS domain.
Would it work ??
If you choose standard PKI yes it will work. However ,Enterprise CA option will be unavailable when you launch PKI installation.
Please don't forget to mark helpful reply as answer
What is the reason for unavailability ??
Is it because this AD is not the regular AD but AAD-DS ??
When you install enterprise CA in AD DS , many configuration settings will be saved on active directory in Configuration partition.
The biggest difference between on-premises Active Directory and Azure AD is in the way they are structured and design, for this reason you can't install Enterprise CA in AAD , because AAD can't save the configuration settings of CA enterprise like a work-group machine.
Please don't forget to mark helpful reply as answer
Got it mostly.
Thanks @Thameur-BOURBITA
Just to confirm before closing this thread...
You are talking about AAD-DS (and not Azure-AD) right?
I believe you have practically tried after spinning up AAD-DS in one Vnet.
Thanks
You are talking about AAD-DS (and not Azure-AD) right?
@testuser7 :Sorry , for the confusion.
To answer to your question ,I'm talking about Azure active directory and Azure AD DS . AD DS is not a domain controller on VM in Cloud.
I have a client use ADDS DS only for GPO, below some difference between AADS DS and AD DS:
917392
Please don't forget to mark helpful reply as answer
Thanks @Thameur-BOURBITA for the chart. It helps.
I am sorry but still there is a slight confusion in my mind.
AAD is NOT in the picture at all.
We just wanted to make sure if this managed-service called AAD-DS capable to support Enterprise PKI infrastructure.
Can it push the auto-enrollment of enterprise-certs to its domain-joined VMs etc. ??
Hi
Can it push the auto-enrollment of enterprise-certs to its domain-joined VMs etc. ??
I didn't test it but I think yes , because AADS-DS support GPO like AD DS and auto-enrollment is configured through group policy.
I am sorry but still there is a slight confusion in my mind.
We just wanted to make sure if this managed-service called AAD-DS capable to support Enterprise PKI infrastructure.
If you still not sure , I recommend you to contact Microsoft directly , to give a confirmation and answer for all questions about Cloud and supported configuration.
Please don't forget to mark to mark helpful reply as answer
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 71%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVL%3C/text%3E%3C/svg%3E)
AAD : Azure AD
ADDS : Active Directory Directory Services
ADD-DS simply does not exist (it refers to AAD). AAD is not ADDS, AAD is flat whereas ADDS uses tree structures and partitions.
@VEIRMAN Loic AAD-DS does exist (Azure AD Directory Services) and it does not support Enterprise CA due to the limited permissions you will get as AAD-DS Admin
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 48%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)