What is Azure Active Directory Domain Services (Azure AD DS)?
Azure AD DS provides domain services without the need to deploy and manage actual domain domain controllers, services include group policy, domain join and even Kerberos/NTLM authentication. The AD DS instance also integrates with your existing Azure AD tenant, allowing you to include existing AD tenant groups and user accounts.
Sounds cool? Lets have at a look at configuring
Please note:- you need to have global administrator privileges in your Azure AD tenant to enable Azure AD DS along with contributor privileges in the relevant Azure Subscription to create the required Azure AD DS resources
Configuring your Azure AD DS instance
Search in MarketPlace for Azure AD DS & select create
DNS Domain Name: By default, built in directory .onmicrosoft.com domain name is used. You will probably want to use your own third-party domain to enable secure acccess
Microsoft owns the .onmicrosoft.com domain, so a Certificate Authority (CA) won’t issue a certificate
Subscription: Select Subscription Azure AD DS will be connected to
Resource Group: Group that will have the resource configured on
Location: Location of the Azure AD DS Service
For this example, I am creating a new Virtual Network and subnet /24 that will be used for the Azure AD DS configuration.
Note:- The subnet you decide on must have 3-5 available IPs
This group of users manage the Azure AD DS domain. All members are granted administrative permissions on VMs that become domain joined to this domain.
For this example, I will be only synching “AAD DC Administrators” group, if selected all – it will synch all the Azure AD Groups
Review and create
Once successfully deployed, you will notice some new resources in the Resource Group
One step left to do is changing the current DNS to the DNS of the Azure AD DS. Click on your new Domain Service, in my example – thomasthornton.cloud
The vNET DNS has been changed!
Join a Virtual Machine to your newly created domain
Create a Virtual Machine and deploy into the vNET that has Azure AD DS as above.
In my example I will be using Windows Server 2016.
Open system properties and notice Virtual Machine is currently in a workgroup
Click change, enter domain you created as above.
Enter credentials from a user that is part of the Azure AD Group: AAD DC Administrators Note below is required before a user account can successfully achieve this domain join
Users cannot bind using secure LDAP or sign in to the managed domain, until you enable password hash synchronization to Azure AD Domain Services. Follow the instructions below, depending on the type of users in your Azure AD directory. Complete both sets of instructions if you have a mix of cloud-only and synced user accounts in your Azure AD directory.Azure Portal
Instructions for cloud-only user accounts
Instructions for synced user accounts
You have now successfully domain joined a virtual machine to Azure AD DS!