What is Azure Active Directory Domain Services (Azure AD DS)?
Azure AD DS provides managed domain services such as Group Policy, domain join, LDAP and Kerberos/NTLM authentication without the need to deploy, patch and manage domain controllers yourself. The managed domain integrates with your existing Azure AD tenant, so existing Azure AD users and groups can be used in it.
Sounds useful? Let's have a look at configuring it.
Please note:- you need Global Administrator privileges in your Azure AD tenant to enable Azure AD DS, along with Contributor privileges on the relevant Azure subscription to create the required Azure AD DS resources.
Configuring your Azure AD DS instance
Search in MarketPlace for Azure AD DS & select create

Basics
DNS Domain Name: By default, the built-in directory .onmicrosoft.com domain name is used. You will probably want to use your own custom domain instead, as that is what enables secure access such as LDAPS.
Microsoft owns the .onmicrosoft.com domain, so a public Certificate Authority (CA) won't issue a certificate for it.
Subscription: The subscription the Azure AD DS managed domain will be created in and billed to
Resource Group: The resource group the managed domain resources will be created in
Location: The Azure region the managed domain will run in

Network
For this example, I am creating a new virtual network and a /24 subnet that will be used for the Azure AD DS configuration.
Note:- The subnet you decide on must have 3-5 available IPs, and it should be dedicated to the managed domain: deploy the VMs you intend to domain join into a separate subnet of the same vNET rather than into this one.

Administrative Group
This group of users manages the Azure AD DS managed domain. Its members are also granted local administrator permissions on every VM that becomes domain joined to this domain, so keep its membership small.

Synchronization
For this example, I will only be syncing the “AAD DC Administrators” group. If you select All, every Azure AD user and group in the tenant is synced to the managed domain.

Summary
Review and create

Once the deployment has succeeded, you will notice some new resources in the resource group

One step left is to change the vNET's DNS servers to those of the Azure AD DS managed domain, otherwise VMs in the vNET cannot locate the domain. Click on your new domain service, in my example thomasthornton.cloud.
Select Configure

The vNET DNS has been changed! Any VM already running in the vNET will need a restart (or an ipconfig /renew) before it picks up the new DNS servers.
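The same DNS change done with the Az PowerShell module instead of the Configure button, as an added example that is not part of the original post. The resource group, vNET name and the two domain controller IPs are placeholders (take the real IPs from the managed domain's overview blade), and the script checks what the vNET currently resolves with before replacing it:

```powershell
# Added example, not from the original post: point a vNET's DNS at the
# Azure AD DS domain controllers with the Az PowerShell module.
# Assumptions: the names and IPs below are placeholders; copy the two
# domain controller IPs from the managed domain's overview blade.
param(
    [string]$ResourceGroupName  = 'rg-aadds',                  # assumed name
    [string]$VirtualNetworkName = 'vnet-aadds',                # assumed name
    [string[]]$DomainControllerIps = @('10.0.0.4', '10.0.0.5') # assumed IPs
)

Import-Module Az.Network -ErrorAction Stop

# Fail early on a typo rather than leaving the vNET with a broken resolver.
foreach ($ip in $DomainControllerIps) {
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$null)) {
        throw "Not a valid IP address: $ip"
    }
}

$vnet = Get-AzVirtualNetwork -Name $VirtualNetworkName -ResourceGroupName $ResourceGroupName
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}

# An empty list means the vNET still uses Azure-provided DNS (168.63.129.16).
$current = @($vnet.DhcpOptions.DnsServers)
if ($current.Count -eq 0) {
    Write-Host 'Current DNS servers: (Azure default)'
} else {
    Write-Host ("Current DNS servers: {0}" -f ($current -join ', '))
}

if ($current.Count -gt 0 -and -not (Compare-Object $current $DomainControllerIps)) {
    Write-Host 'vNET already uses the managed domain DNS servers; nothing to do.'
    return
}

# Replace the whole list: mixing Azure-provided DNS with the managed domain's
# DNS makes domain lookups succeed or fail depending on which server answers.
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$DomainControllerIps
$vnet | Set-AzVirtualNetwork | Out-Null

$after = (Get-AzVirtualNetwork -Name $VirtualNetworkName -ResourceGroupName $ResourceGroupName).DhcpOptions.DnsServers
Write-Host ("DNS servers now: {0}" -f ($after -join ', '))
Write-Host 'VMs already running in this vNET need a restart (or ipconfig /renew) to pick up the change.'
```

Run it from a session that has already done Connect-AzAccount against the subscription the vNET lives in; the account needs write access to the vNET, not Global Administrator.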

Join a Virtual Machine to your newly created domain
Create a virtual machine and deploy it into the vNET that has Azure AD DS configured as above (in a subnet other than the one reserved for the managed domain).
In my example I will be using Windows Server 2016.
Open System Properties and notice the virtual machine is currently in a workgroup

Click Change, then enter the domain you created above.

Enter the credentials of a user who is a member of the Azure AD group AAD DC Administrators. Note: the step below is required before any user account can successfully perform this domain join.
Users cannot bind using secure LDAP or sign in to the managed domain, until you enable password hash synchronization to Azure AD Domain Services. Follow the instructions below, depending on the type of users in your Azure AD directory. Complete both sets of instructions if you have a mix of cloud-only and synced user accounts in your Azure AD directory.
Microsoft's instructions come in two sets: for cloud-only user accounts, each user must change their password after Azure AD DS is enabled so that the Kerberos and NTLM hashes get generated; for synced user accounts, password hash synchronization of those hashes must be enabled through Azure AD Connect.
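The same join done from inside the guest with PowerShell rather than the System Properties dialog, as an added example that is not part of the original post. The domain name is the one from this post; the administrator UPN is an assumed account that is a member of AAD DC Administrators. Before calling Add-Computer it checks the two things that most often make the join fail: the VM still using Azure-provided DNS, and the domain's Kerberos SRV record not resolving.

```powershell
# Added example, not from the original post: join the VM to the managed
# domain from an elevated PowerShell session inside the guest.
# Assumptions: $DomainName is the post's domain; $AdminUpn is a placeholder
# for a user in the AAD DC Administrators group.
param(
    [string]$DomainName = 'thomasthornton.cloud',
    [string]$AdminUpn   = 'aaddsadmin@thomasthornton.cloud'   # assumed account
)

# 1. Check the NIC actually received the managed domain DNS servers.
#    168.63.129.16 is Azure-provided DNS; if it is still in use the vNET
#    change has not reached this VM yet (run ipconfig /renew or reboot).
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses }).ServerAddresses
Write-Host "DNS servers in use: $($dns -join ', ')"
if ($dns -contains '168.63.129.16') {
    throw 'VM is still using Azure-provided DNS and cannot locate the managed domain.'
}

# 2. Confirm the domain's Kerberos SRV record resolves before attempting the join.
$srv = Resolve-DnsName -Name "_kerberos._tcp.$DomainName" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    throw "Could not resolve _kerberos._tcp.$DomainName; check the vNET DNS settings."
}
$dcs = $srv | Where-Object { $_.NameTarget } | Select-Object -ExpandProperty NameTarget
Write-Host "Domain controllers found: $($dcs -join ', ')"

# 3. Join, prompting for the password so it never lands in shell history.
#    The account must already have its password hashes in the managed domain
#    (password changed after enabling Azure AD DS for cloud-only users, or
#    hash sync enabled in Azure AD Connect for synced users), otherwise the
#    join fails with a credential error even though the password is right.
$cred = Get-Credential -UserName $AdminUpn -Message "Password for $AdminUpn"
Add-Computer -DomainName $DomainName -Credential $cred -Restart -Force
```

The -Restart switch reboots the VM immediately after a successful join; drop it if you want to check System Properties first and restart by hand.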

You have now successfully domain joined a virtual machine to Azure AD DS!