Managed Azure Active Directory Domain Services
Table of Contents
- Important Notes
- Pre Deployment Steps
- Post Deployment Steps
- Teardown Deployment
This template provisions an Azure Active Directory Domain Service (AADDS) with required VNET and NSG groups.
- The scripts create Managed Azure Active Directory Domain Services. We recommend creating a new Azure Active Directory (AD) tenant to deploy this solution.
- The subscription tenant should not have existing managed Azure Active Directory Domain Services (AADDS). Azure active directory supports only one Domain Service per tenant.
- The Domain Name provided as an input parameter while deployment should be verified within Azure Active Directory.
- AAD Domain Services requires the chosen subnet to belong to a reserved private range. Use the AADDS subnet range within one of the following IP address ranges: 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8.
- Do not run this solution in a production environment/subscription.
- It is recommended you use a clean Windows 10 (or similar) VM to perform the solution to ensure that the correct PowerShell modules get loaded.
- Deployment takes around 40-45 minutes to complete.
Pre Deployment Step
Before proceeding to the deployment of the AADDS template, we need to perform the following steps.
Note: You can perform these steps through the Azure portal as well.
1. Install the required PowerShell modules
Install and configure the Azure AD PowerShell module
Follow the instructions in the article to install the Azure AD PowerShell module and connect to Azure AD.
Install and configure the Azure PowerShell module
Follow the instructions in the article to install the Azure PowerShell module and connect to your Azure subscription.
2. Connect To Azure Active Directory
# Connect to your Azure Account. Connect-AzureAD -TenantId <Active Directory ID>
3. Register the Azure Active Directory Application Service Principal
# Create the service principal for Azure AD Domain Services. New-AzureRmADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"
4. Configure Administrative Group
# Create the delegated administration group for AAD Domain Services. New-AzureADGroup -DisplayName "AAD DC Administrators" ` -Description "Delegated group to administer Azure AD Domain Services" ` -SecurityEnabled $true -MailEnabled $false ` -MailNickName "AADDCAdministrators" # Add user to "AAD DC Administrators" group # First, retrieve the object ID of the newly created 'AAD DC Administrators' group. $GroupObjectId = Get-AzureADGroup ` -Filter "DisplayName eq 'AAD DC Administrators'" | ` Select-Object ObjectId # Now, retrieve the object ID of the user you'd like to add to the group. $UserObjectId = Get-AzureADUser ` -Filter "UserPrincipalName eq 'email@example.com'" | ` Select-Object ObjectId # Add the user to the 'AAD DC Administrators' group. Add-AzureADGroupMember -ObjectId $GroupObjectId.ObjectId -RefObjectId $UserObjectId.ObjectId
5. Register Resource Provider
# Login to Azure Account Connect-AzureRmAccount -TenantId <Active Directory ID> # Register the resource provider for Azure AD Domain Services with Resource Manager. Register-AzureRmResourceProvider -ProviderNamespace Microsoft.AAD
- Deployment takes around 40-50 minutes.
Post Deployment Steps
After deploying AAD Domain Services it will take around 40 minutes more to be configured internally.
1. Check AADDS status
To check configuration status: Go to the Azure portal -> Select AADDS resource group -> select Domain services resource -> health status is "Running"(refer below image)
2. Update DNS on the virtual network
Click on the "Configure" button from overview blade to update the DNS server settings to point to the two IP addresses where Azure Active Directory Domain Services is available on the virtual network.
3. Enable password hash synchronization
Users cannot bind using secure LDAP or sign in to the managed domain until you enable password hash synchronization to Azure AD Domain Services. We are using cloud-only user accounts. Refer to this document for resetting the passwords and more details.
Reset AAD User password: To use the Managed AADDS we need to perform the password hash synchronization.
You need to change the active directory administrator [AADGlobalAdminUser] password. Azure requires 20 minutes to sync the password hashes from Azure AD to manage AADDS.
To remove this deployment simply remove the resource group that contains this sample.
- Pre-requisites: https://docs.microsoft.com/azure/active-directory-domain-services/active-directory-ds-enable-using-powershell
- Networking Considerations: https://docs.microsoft.com/azure/active-directory-domain-services/active-directory-ds-networking
- Password Synchronization: https://docs.microsoft.com/azure/active-directory-domain-services/active-directory-ds-getting-started-password-sync
- Troubleshooting Guide: https://docs.microsoft.com/azure/active-directory-domain-services/active-directory-ds-troubleshooting
Tags: Microsoft.Network/networkSecurityGroups, Microsoft.Network/virtualNetworks, Microsoft.AAD/domainServices