az ad ds

Note

This reference is part of the ad extension for the Azure CLI (version 2.15.0 or higher). The extension will automatically install the first time you run an az ad ds command. Learn more about extensions.

Manage domain services with Azure Active Directory.

Commands

az ad ds create

Create a new domain service with the specified parameters.

az ad ds delete

The Delete Domain Service operation deletes an existing Domain Service.

az ad ds list

List domain services in resource group or in subscription.

az ad ds show

Get the specified domain service.

az ad ds update

Update the existing deployment properties for domain service.

az ad ds wait

Place the CLI in a waiting state until a condition of the ad ds is met.

az ad ds create

Create a new domain service with the specified parameters.

az ad ds create --domain
                --name
                --replica-sets
                --resource-group
                [--domain-config-type {FullySynced, ResourceTrusting}]
                [--external-access {Disabled, Enabled}]
                [--filtered-sync {Disabled, Enabled}]
                [--ldaps {Disabled, Enabled}]
                [--no-wait]
                [--notify-dc-admins {Disabled, Enabled}]
                [--notify-global-admins {Disabled, Enabled}]
                [--notify-others]
                [--ntlm-v1 {Disabled, Enabled}]
                [--pfx-cert]
                [--pfx-cert-pwd]
                [--resource-forest {Disabled, Enabled}]
                [--settings]
                [--sku {Enterprise, Premium, Standard}]
                [--sync-kerberos-pwd {Disabled, Enabled}]
                [--sync-ntlm-pwd {Disabled, Enabled}]
                [--sync-on-prem-pwd {Disabled, Enabled}]
                [--tags]
                [--tls-v1 {Disabled, Enabled}]

Examples

Create Domain Service

az ad ds create --domain "TestDS.com" --replica-sets location="West US" subnet-id="<subnetId>" --name "TestDS.com" --resource-group "rg"

Create Domain Service with specified settings (Line breaks for legibility only)

az ad ds create --domain "TestDS.com" --replica-sets location="West US" subnet-id="<subnetId>" --name "TestDS.com" --resource-group "rg"
--ntlm-v1 "Enabled" --sync-ntlm-pwd "Enabled" --tls-v1 "Disabled" --filtered-sync "Enabled" --external-access "Enabled"
--ldaps "Enabled" --pfx-cert "cert or path to cert" --pfx-cert-pwd "<pfxCertificatePassword>"
--notify-others "a@gmail.com" "b@gmail.com" --notify-dc-admins "Enabled" --notify-global-admins "Enabled"

Required Parameters

--domain

The name of the Azure domain that the user would like to deploy Domain Services to.

--name -n

The name of the domain service.

--replica-sets

List of ReplicaSets.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--domain-config-type

Domain Configuration Type.

accepted values: FullySynced, ResourceTrusting

--external-access

A flag to determine whether or not Secure LDAP access over the internet is enabled or disabled.

accepted values: Disabled, Enabled

--filtered-sync

Enabled or Disabled flag to turn on Group-based filtered sync.

accepted values: Disabled, Enabled

--ldaps

A flag to determine whether or not Secure LDAP is enabled or disabled.

accepted values: Disabled, Enabled

--no-wait

Do not wait for the long-running operation to finish.

--notify-dc-admins

Whether domain controller admins should be notified.

accepted values: Disabled, Enabled

--notify-global-admins

Whether global admins should be notified.

accepted values: Disabled, Enabled

--notify-others

The list of additional recipients.

--ntlm-v1

A flag to determine whether or not NtlmV1 is enabled or disabled.

accepted values: Disabled, Enabled

--pfx-cert

The certificate required to configure Secure LDAP. The value should be either the file path to the certificate PFX file or a base64-encoded representation of the certificate PFX file.

--pfx-cert-pwd

The password to decrypt the provided Secure LDAP certificate pfx file.

--resource-forest

Resource Forest.

accepted values: Disabled, Enabled

--settings

List of settings for Resource Forest. This can be either a JSON-formatted string or the location to a file containing the JSON object.

--sku

SKU type.

accepted values: Enterprise, Premium, Standard

--sync-kerberos-pwd

A flag to determine whether or not SyncKerberosPasswords is enabled or disabled.

accepted values: Disabled, Enabled

--sync-ntlm-pwd

A flag to determine whether or not SyncNtlmPasswords is enabled or disabled.

accepted values: Disabled, Enabled

--sync-on-prem-pwd

A flag to determine whether or not SyncOnPremPasswords is enabled or disabled.

accepted values: Disabled, Enabled

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--tls-v1

A flag to determine whether or not TlsV1 is enabled or disabled.

accepted values: Disabled, Enabled

az ad ds delete

The Delete Domain Service operation deletes an existing Domain Service.

az ad ds delete --name
                --resource-group
                [--no-wait]
                [--yes]

Examples

Delete Domain Service

az ad ds delete --name "TestDomainService.com" --resource-group "TestResourceGroup"

Required Parameters

--name -n

The name of the domain service.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--no-wait

Do not wait for the long-running operation to finish.

--yes -y

Do not prompt for confirmation.

az ad ds list

List domain services in resource group or in subscription.

az ad ds list [--resource-group]

Examples

List Domain Service By Group

az ad ds list --resource-group "TestResourceGroup"

List Domain Service By Sub

az ad ds list

Optional Parameters

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az ad ds show

Get the specified domain service.

az ad ds show --name
              --resource-group

Examples

Get Domain Service

az ad ds show --name "TestDomainService.com" --resource-group "TestResourceGroup"

Required Parameters

--name -n

The name of the domain service.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

az ad ds update

Update the existing deployment properties for domain service.

az ad ds update --name
                --resource-group
                [--domain-config-type {FullySynced, ResourceTrusting}]
                [--external-access {Disabled, Enabled}]
                [--filtered-sync {Disabled, Enabled}]
                [--ldaps {Disabled, Enabled}]
                [--no-wait]
                [--notify-dc-admins {Disabled, Enabled}]
                [--notify-global-admins {Disabled, Enabled}]
                [--notify-others]
                [--ntlm-v1 {Disabled, Enabled}]
                [--pfx-cert]
                [--pfx-cert-pwd]
                [--replica-sets]
                [--resource-forest {Disabled, Enabled}]
                [--settings]
                [--sku {Enterprise, Premium, Standard}]
                [--sync-kerberos-pwd {Disabled, Enabled}]
                [--sync-ntlm-pwd {Disabled, Enabled}]
                [--sync-on-prem-pwd {Disabled, Enabled}]
                [--tags]
                [--tls-v1 {Disabled, Enabled}]

Examples

Update sku

az ad ds update --name "TestDS.com" --resource-group "rg" --sku "Enterprise"

Update domain security settings

az ad ds update --name "TestDS.com" --resource-group "rg" --ntlm-v1 "Enabled" --tls-v1 "Disabled"

Update ldaps settings

az ad ds update --name "TestDS.com" --resource-group "rg" --external-access "Enabled" --ldaps "Enabled" --pfx-cert "MIIDPDCCAiSg..." --pfx-cert-pwd "<pfxCertificatePassword>"

Update notification settings

az ad ds update --name "TestDS.com" --resource-group "rg" --notify-dc-admins "Enabled" --notify-global-admins "Disabled"

Required Parameters

--name -n

The name of the domain service.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--domain-config-type

Domain Configuration Type.

accepted values: FullySynced, ResourceTrusting

--external-access

A flag to determine whether or not Secure LDAP access over the internet is enabled or disabled.

accepted values: Disabled, Enabled

--filtered-sync

Enabled or Disabled flag to turn on Group-based filtered sync.

accepted values: Disabled, Enabled

--ldaps

A flag to determine whether or not Secure LDAP is enabled or disabled.

accepted values: Disabled, Enabled

--no-wait

Do not wait for the long-running operation to finish.

--notify-dc-admins

Whether domain controller admins should be notified.

accepted values: Disabled, Enabled

--notify-global-admins

Whether global admins should be notified.

accepted values: Disabled, Enabled

--notify-others

The list of additional recipients.

--ntlm-v1

A flag to determine whether or not NtlmV1 is enabled or disabled.

accepted values: Disabled, Enabled

--pfx-cert

The certificate required to configure Secure LDAP. The value should be either the file path to the certificate PFX file or a base64-encoded representation of the certificate PFX file.

--pfx-cert-pwd

The password to decrypt the provided Secure LDAP certificate pfx file.

--replica-sets

List of ReplicaSets.

--resource-forest

Resource Forest.

accepted values: Disabled, Enabled

--settings

List of settings for Resource Forest. This can be either a JSON-formatted string or the location to a file containing the JSON object.

--sku

SKU type.

accepted values: Enterprise, Premium, Standard

--sync-kerberos-pwd

A flag to determine whether or not SyncKerberosPasswords is enabled or disabled.

accepted values: Disabled, Enabled

--sync-ntlm-pwd

A flag to determine whether or not SyncNtlmPasswords is enabled or disabled.

accepted values: Disabled, Enabled

--sync-on-prem-pwd

A flag to determine whether or not SyncOnPremPasswords is enabled or disabled.

accepted values: Disabled, Enabled

--tags

Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.

--tls-v1

A flag to determine whether or not TlsV1 is enabled or disabled.

accepted values: Disabled, Enabled
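The security-relevant flags of az ad ds create and az ad ds update (--ntlm-v1, --tls-v1, --external-access, --pfx-cert-pwd) can be checked in deployment scripts before they run. The following lint is an added example, not part of the Azure CLI or its documentation: it flags commands that enable NTLMv1, TLS 1.0 or internet-facing Secure LDAP, or that hard-code the PFX password. The function names, finding codes and sample script are assumptions constructed for this example.

```sh
# Added example: lint deployment scripts for weak `az ad ds create|update` flags.
# Flag names and values come from this page; function names and finding codes
# are assumptions of this example.
lint_az_ad_ds() {   # script on stdin -> "<line>: <finding>"; returns 1 on findings
  awk '
    function val(s, name,    v) {          # value given to --<name>, or ""
      if (!match(s, "--" name "[ \t=]+[\"\047]?[^\"\047 \t]+")) return ""
      v = substr(s, RSTART, RLENGTH)
      sub("^--" name "[ \t=]+[\"\047]?", "", v)
      return v
    }
    function hit(code) { print NR ": " code; found++ }
    # Join backslash-continued lines so each command is checked as one record.
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }
    { cmd = buf $0; buf = "" }
    cmd !~ /az +ad +ds +(create|update)/ { next }
    {
      if (tolower(val(cmd, "ntlm-v1")) == "enabled") hit("NTLMV1_ENABLED")
      if (tolower(val(cmd, "tls-v1")) == "enabled") hit("TLSV1_ENABLED")
      if (tolower(val(cmd, "external-access")) == "enabled") hit("LDAPS_INTERNET_EXPOSED")
      pwd = val(cmd, "pfx-cert-pwd")       # anything but a $variable is hard-coded
      if (pwd != "" && pwd !~ /^\$/) hit("PFX_PASSWORD_HARDCODED")
    }
    END { exit (found > 0) }
  '
}

sample_script() {   # constructed input, not taken from the page
  cat <<'EOF'
az ad ds create --domain "example.test" --name "example.test" --resource-group "rg" \
  --replica-sets location="West US" subnet-id="<subnetId>" \
  --ntlm-v1 "Enabled" --tls-v1 "Disabled" --ldaps "Enabled" --external-access "Enabled" \
  --pfx-cert ./ldaps.pfx --pfx-cert-pwd "Example-Only-Pwd"
az ad ds update --name "example.test" --resource-group "rg" --ntlm-v1 Disabled --tls-v1 Disabled
az ad ds update --name "example.test" -g rg --ldaps Enabled --pfx-cert ./ldaps.pfx --pfx-cert-pwd "$PFX_PWD"
EOF
}

# Demo: the first command yields three findings, reported at its last line (4).
sample_script | lint_az_ad_ds || echo "weak az ad ds settings found"
```

The non-zero return status lets the function gate a CI step that reviews scripts before they are run against a subscription.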

az ad ds wait

Place the CLI in a waiting state until a condition of the ad ds is met.

az ad ds wait --name
              --resource-group
              [--created]
              [--custom]
              [--deleted]
              [--exists]
              [--interval]
              [--timeout]
              [--updated]

Examples

Pause executing next line of CLI script until the ad ds is successfully created.

az ad ds wait --name "TestDomainService.com" --resource-group "TestResourceGroup" --created

Pause executing next line of CLI script until the ad ds is successfully updated.

az ad ds wait --name "TestDomainService.com" --resource-group "TestResourceGroup" --updated

Pause executing next line of CLI script until the ad ds is successfully deleted.

az ad ds wait --name "TestDomainService.com" --resource-group "TestResourceGroup" --deleted

Required Parameters

--name -n

The name of the domain service.

--resource-group -g

Name of resource group. You can configure the default group using az configure --defaults group=<name>.

Optional Parameters

--created

Wait until created with 'provisioningState' at 'Succeeded'.

--custom

Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].

--deleted

Wait until deleted.

--exists

Wait until the resource exists.

--interval

Polling interval in seconds.

default value: 30

--timeout

Maximum wait in seconds.

default value: 3600

--updated

Wait until updated with provisioningState at 'Succeeded'.