Azure: Active Directory Domain Services (Managed Domain)
Overview
Azure Active Directory (AD) Domain Services lets you join computers to a domain without having to deploy or manage a Domain Controller. Users sign in with their existing corporate credentials.
Features
The service offers many features, such as:
- Domain join
  - Join computers to the managed domain in a few simple steps.
- Domains with custom names
  - Domains can be created with custom names; unverified domain names are also supported.
- NTLM & Kerberos authentication
  - Applications that rely on Windows-integrated authentication can be deployed.
- Corporate credentials/passwords
  - Users can log in using their corporate credentials.
- Integrated with Azure AD
  - User accounts and groups of an existing on-premises domain can be synchronized to the managed domain easily and automatically.
- LDAP bind & LDAP read support
  - Applications with LDAP support work fine.
- Secure LDAP
  - This is an optional feature and can be enabled from the Azure Portal.
- Group Policy
  - Built-in GPOs for the Users and Computers containers.
- Manage DNS
  - DNS management is available only to members of the "AAD DC Administrators" group.
- Custom OUs
  - Organizational Units (OUs) can be created by users that belong to the "AAD DC Administrators" group.
- Available in many regions
  - The service is available in many regions; the Azure Services by region page lists them.
- Highly available
  - The service offers high availability for the domain.
- AD account lockout protection
  - If five invalid passwords are used within two minutes, the account is locked out for 30 minutes and unlocks automatically after that period.
- Known management tools
  - Users can administer managed domains with familiar tools such as the Active Directory Administrative Center or Active Directory PowerShell.
- Simple deployment
  - The service can be enabled easily. In this post we show how to deploy it.
Note
Only a single Active Directory domain can be created for each Azure AD directory.
Create "Azure AD Domain Services"
The following steps create an "Azure AD Domain Services" instance.
Note
To create a managed domain you MUST be a directory administrator.
Search Service
In the left main blade of the Azure portal click [All services], type [Azure Domain....] in the search box, select the {Azure AD Domain Services} result that appears and click Create.
Configure Basics Settings
The first thing to configure is the basic settings:
- DNS domain name: Choose a DNS domain name for the managed domain
- Subscription: Select an Azure Subscription
- Resource Group: Create a New or Select an existing Resource Group
- Location: Select the region in which the resources will be deployed.
Virtual Network Parameters
The second stage of the configuration covers the network settings:
- Network: Create or select the VNet and the subnet on which the managed domain will be available.
- Subnet: Create a dedicated Subnet for the managed domain with at least 3 available IP addresses.
Caution
A network security group is created automatically and associated with the subnet to protect Azure AD Domain Services. It is configured according to the guidelines for configuring NSGs.
Configure Group Membership
The third step is group membership: as the title suggests, it selects the users of the "AAD DC Administrators" group, who will have the privileges needed to administer the managed domain.
Summary
Finally, the Summary blade lists the configuration parameters with which the managed domain will be created; if everything looks right, just push the "magic" button, called [OK].
Sync Users & Groups from an existing On-Premises Domain Controller
With the Azure Active Directory Domain Services instance created, we are ready to sync the existing groups and users to the newly deployed Azure AD DS service.
Before that, a few prerequisites must be in place.
Prerequisites
- Download the latest version of Azure AD Connect
- An existing on-premises Domain Controller (Windows Server 2012 or higher)
Azure AD Connect (Installation)
Step 1. Welcome Screen
Select the checkbox to accept the license terms and privacy notice.
Step 2. Express Settings
In the second step, just click "Use express settings".
Step 3. Connect to Azure AD
Enter the Azure AD global administrator credentials (USERNAME and PASSWORD).
Caution
Do not use the custom domain! Use the domain username@xxxxxxx.onmicrosoft.com
Step 4. Connect to AD DS
In the fourth step, enter the on-premises Active Directory Domain Services enterprise administrator credentials (USERNAME and PASSWORD), as the image below shows.
Step 5. Azure AD sign-in
In this demo, we select the checkbox [Continue without matching all UPN suffixes to verified domains] and click Next.
Note
Not Added means that Azure AD Connect could not find the custom domain "cloudopszone.com" corresponding to the UPN suffix. If the domain is not added and verified in Azure, the UPN suffix of this domain's users will be changed to the default .onmicrosoft.com suffix.
Step 6. Configure
The penultimate step needs just one click on the option [Start the synchronization process when configuration completes.] and then a click on the Install button.
Step 7. Configure2
In the final step, we see an overview of the completed steps and click Exit.
Join To The New Domain
After Azure AD Connect finishes syncing, we are ready for the final test, which is nothing more than joining an Azure VM to the new domain. For this we use a virtual machine in Azure in the same virtual network.
Change from Workgroup to Domain
The image below shows the message that the computer (Azure VM) has successfully joined the domain {cloudopszone.com}.
Connect Using RDP
We synced a test user named "accountant01"; we try to connect to the VM with this user, and the result is shown in the next image.
Logged User
The image below shows that the logged-on user is the synced domain user.
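As an added example (not from the original post), here is the same join done from an elevated PowerShell session on the Azure VM, preceded by the checks a practitioner would run first: that the VM resolves the managed domain's DC records and that the auto-created NSG lets Kerberos and LDAP through. The domain name is the post's; the join account name is an assumption.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on the Azure VM that sits in the same VNet as the managed domain.
$DomainName  = 'cloudopszone.com'                 # domain from the post
$JoinAccount = "$DomainName\aaddc-admin"          # assumed managed-domain account

# 1. The VM must use the managed domain's DNS servers: the DC SRV record must resolve.
$records = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$dcs = $records | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcs) { throw "No DC SRV records for $DomainName; check the VNet DNS server settings." }

# 2. Kerberos (88) and LDAP (389) must be reachable on every DC; if the NSG or
#    a route blocks them, the join fails with an unhelpful RPC/DNS error.
foreach ($dc in $dcs) {
    foreach ($port in 88, 389) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        "{0}:{1} reachable = {2}" -f $dc, $port, $ok
        if (-not $ok) { throw "TCP $port on $dc is blocked; the domain join would fail." }
    }
}

# 3. Join the managed domain and reboot (equivalent of the Workgroup -> Domain dialog).
$cred = Get-Credential -UserName $JoinAccount -Message "Managed domain account used for the join"
Add-Computer -DomainName $DomainName -Credential $cred -Force -Restart

# 4. After the reboot, confirm the machine trust and that the synced user is logged on:
#    Test-ComputerSecureChannel -Server $DomainName -Verbose   # expect True
#    whoami /upn                                              # after signing in as accountant01
```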
Check Service Health
A very basic action after completing all the steps above is to check the service health, which can be done from the Azure Portal. The next steps show how.
Azure AD Domain Services
Service Health
In the Azure Portal, click Overview in the left blade of the [Azure Domain Services] service and then click the [View health] button, as the image below shows. The service is up and running!
Pricing Details
Azure Active Directory Domain Services usage is charged per hour, according to the SKU selected for your instance.
The table below shows the pricing details (per hour) for each SKU.
                                      | STANDARD    | ENTERPRISE        | PREMIUM
AAD DS Core Service                   |             |                   |
Suggested Auth Load (peak, per hour)  | 0 to 3,000  | 3,000 to 10,000   | 10,000 to 70,000
Suggested Object Count                | 0 to 25,000 | 25,000 to 100,000 | 100,000 to 500,000
Backup Frequency                      | 5 days      | 3 days            | Daily
COST                                  |             |                   |
User Forest (each pair)               | $0.15/hour  | $0.40/hour        | $1.60/hour
Resource Forest (each pair, Preview)  | N/A         | $0.20/hour        | $0.80/hour
The image below shows a simple cost example for 50 users.
Active Directory        | Domain Services
No. of users: 50        | Directory objects: less than 25,000
Cost per user: € 0,84   | 1 month duration: € 0,3
Total: € 42,17          | Total: € 146,31
Conclusion
In this post we talked about a service that lets users create a complete domain controller in the Azure cloud, with no maintenance on their side because Microsoft takes care of it. The cost of the service is not excessive and its SLA is 99,9%.
Useful Links
- Service Overview
- Documentation
- Pricing
- Azure Friday Videos
- Channel 9 Videos
- Azure Active Directory Domain Services status
- Azure AD sign-in configuration
- SLA for Azure Active Directory Domain Services