Step-By-Step: Enabling Azure AD Domain Services
Azure AD Domain Services, currently in preview, is a managed domain service that provides Group Policy, LDAP and NTLM/Kerberos authentication without the need to deploy and run a domain controller. This service lets you manage your Azure identities more effectively when you have a cloud-only Azure implementation. Azure AD Domain Services is deployed into the same virtual network your other IaaS workloads run in, and those workloads connect to it through a regular domain join. A hybrid option is also available: on-premises identities are synced to the cloud and can then be used by the Azure IaaS workloads.
The following video explains the main features of Azure Active Directory Domain Services:
Today’s post will highlight the steps to enable Azure AD Domain Services and configure it properly for a cloud-only IaaS setup.
The Azure AD instance REBELADMIN has been created already and will be used for the demo.
STEP 1: Setup Azure Virtual Network
First we need to set up a new Azure virtual network. The Azure AD Domain Services instance must be assigned to the same virtual network your other services run in; otherwise it cannot integrate with those resources. Let's get started.
1) In the Azure Classic Portal, click the Networks option on the left side
2) Click Create a Virtual Network
3) In the wizard, type a name for the virtual network, select the location and then click the arrow button
4) Click the arrow button
NOTE: On the DNS Server and VPN Connectivity page we do not define any DNS servers yet, because the managed domain's DNS servers are only known after it is enabled; I will add them later in this demo
5) On the Virtual Network Address Spaces page the address space is displayed. You can customize it, but in this example we proceed with the default (click the checkmark button)
6) Once the wizard completes, the new virtual network has been created successfully
STEP 2: Enable Azure AD Domain Service
The next step is to enable the domain service now that the virtual network has been set up.
1) Click the Azure AD directory instance on which Azure AD Domain Services should be enabled (if you do not have a directory yet, select New > App Services > Active Directory > Directory)
2) Click Configure
3) Under Domain Services, click Yes to enable the domain services
4) DNS Domain name of domain services – this option defines the DNS domain name of the managed domain. If you do not have a custom domain set up, you can still use the default Azure name, which ends in onmicrosoft.com.
Connect domain service to this virtual network – here you define which virtual network the domain service is assigned to. I have selected the new virtual network created in the previous step. Click Save once the changes are complete.
5) Wait until the service is activated and started; this can take up to 30 minutes
6) Record the DNS server IP addresses reported for the managed domain. They must be added to the virtual network's DNS settings, because servers can only locate and join the domain when they resolve names through these servers
STEP 3: Add DNS server details into Virtual Network
1) Click the virtual network that the Azure AD Domain Services instance is associated with
2) Click Configure and add the DNS server addresses recorded in the previous step
3) Click SAVE to submit the changes
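A mistake at this point (the right DNS addresses recorded in step 2 but the wrong virtual network edited, or a typo in an address) surfaces later as a failed domain join. The following check, an added example that is not part of the original post, compares the DNS addresses reported by the managed domain with what a classic virtual network actually hands out. It assumes the classic network configuration XML format that the classic portal and PowerShell export produce (the namespace and element names used here are my assumption of that format); the network name, address space and IP addresses are constructed sample values, not values from the post.

```python
"""Verify that the DNS servers reported by Azure AD Domain Services are
configured on the classic virtual network the managed domain is attached to.

Added example, not code from the original post. The XML schema below is
assumed to match the classic network configuration export; names and IPs
are constructed sample values."""
import ipaddress
import xml.etree.ElementTree as ET

# Namespace used by the classic network configuration export (assumed).
NS = {"nc": "http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration"}

# Constructed sample: one VNet "AADDS-VNet" that references one DNS server entry.
SAMPLE_NETCFG = """<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="aadds-dns-1" IPAddress="10.0.0.4" />
      </DnsServers>
    </Dns>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="AADDS-VNet" Location="West Europe">
        <AddressSpace>
          <AddressPrefix>10.0.0.0/20</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1">
            <AddressPrefix>10.0.0.0/24</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="aadds-dns-1" />
        </DnsServersRef>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"""


def vnet_dns_servers(netcfg_xml, vnet_name):
    """Return (address_prefixes, dns_ips) for the named VNet: the address
    space it declares and the DNS server IPs it actually references."""
    root = ET.fromstring(netcfg_xml)
    # DNS servers are declared once globally and referenced per VNet by name.
    name_to_ip = {
        e.get("name"): e.get("IPAddress")
        for e in root.findall(".//nc:Dns/nc:DnsServers/nc:DnsServer", NS)
    }
    site = None
    for s in root.findall(".//nc:VirtualNetworkSite", NS):
        if s.get("name") == vnet_name:
            site = s
            break
    if site is None:
        raise ValueError("virtual network %r not found" % vnet_name)
    prefixes = [p.text.strip() for p in site.findall("nc:AddressSpace/nc:AddressPrefix", NS)]
    dns_ips = [
        name_to_ip[r.get("name")]
        for r in site.findall("nc:DnsServersRef/nc:DnsServerRef", NS)
        if r.get("name") in name_to_ip
    ]
    return prefixes, dns_ips


def check_domain_services_dns(netcfg_xml, vnet_name, reported_dns_ips):
    """Compare the DNS IPs reported by the managed domain (step 2) with what
    the VNet is configured to hand out (step 3). Returns a list of problems;
    an empty list means VMs in the VNet will resolve the managed domain."""
    prefixes, configured = vnet_dns_servers(netcfg_xml, vnet_name)
    networks = [ipaddress.ip_network(p) for p in prefixes]
    problems = []
    for ip in reported_dns_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in networks):
            # The managed domain controllers live inside the VNet, so an address
            # outside its space points at the wrong VNet or a mistyped IP.
            problems.append("%s is outside the address space of %s" % (ip, vnet_name))
        if ip not in configured:
            problems.append("%s is not set as a DNS server on %s" % (ip, vnet_name))
    return problems


if __name__ == "__main__":
    for issue in check_domain_services_dns(SAMPLE_NETCFG, "AADDS-VNet", ["10.0.0.4", "10.0.0.5"]):
        print("PROBLEM:", issue)
```

Run it against the exported configuration of your own virtual network and the addresses you recorded in step 2; any line printed is something to fix before attempting the first domain join.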
STEP 4: Create an AAD DC Administrator group
It is important to note that you do not get Domain Admin or Enterprise Admin privileges on the managed domain, because Azure AD Domain Services is a managed service. What you can do is create an AAD DC Administrators group: its members receive administrator privileges on domain-joined servers, and the group is added to the local Administrators group on each domain-joined server. To create it, go back to the Azure AD instance.
1) Click on the relevant Azure AD instance.
2) Click on Groups and then Add Group
3) In the Add Group window enter the group name as AAD DC Administrators and select Security for Group Type followed by clicking the checkmark button.
NOTE: You must name the group exactly AAD DC Administrators, using the same spelling and spacing, for the managed domain to recognise it.
4) Next, add the members you want as administrators
The configuration is now complete.
The next step is to enable password synchronization so that users can log in to the domain with their corporate credentials. This will be detailed in a future post.