Working with Azure Active Directory Domain Services
Azure Active Directory is a key Microsoft service that supports modern protocols such as WS-Fed, OpenID, SAML and OAuth, and provides built-in MFA, B2B and B2C support for hosted applications. Azure Active Directory Domain Services now additionally supports –
- Protocols like NTLM, Kerberos, LDAP and Secure LDAP
- Joining servers to the domain
- Group Policy for Computers and Users
- A custom AD domain name
- Custom Organizational Units
- Managed Domain Services providing High Availability
- Integration with Azure AD for Users and Groups synchronization
Below are a few shortcomings of Azure Active Directory Domain Services:
- It requires Azure Service Manager (aka Classic Portal), as Azure AD is only supported in the Classic Portal and not in Azure Resource Manager (aka V2 Portal). This means that if all workloads are in Azure Resource Manager, leveraging Azure AD Domain Services requires creating a VNet in the Classic Portal and then creating VNet-to-VNet peering to extend the service to resources in Azure Resource Manager.
- It creates highly available Azure AD Domain Services only in the one region where the VNet is created; extending Azure AD Domain Services to other regions may not be possible at this stage.
- Since it is a managed service, Azure Active Directory Domain Services does not grant the tenant Domain Admins or Schema Admins rights.
Let us now see how to create Azure Active Directory Domain Services on Azure and how to manage them.
Before we create Azure Active Directory Domain Services, we need to create the VNet that Azure AD DS will link itself to.
1. Create a new VNet in the Azure Classic Portal; in this case we have created a VNet named AAD_DS_Vnet.
2. Leave the preferred DNS server IPs empty. We will fill them in once Azure AD Domain Services is created and shows us the IP addresses of the managed domain controllers. The DNS entries here will be supplied to all VMs in the VNet for domain controller communication.
3. Define your address space and subnets here. Azure AD Domain Services will consume IP addresses from the subnet you define here.
4. Once the VNet is successfully created, create the Azure AD directory. Remember not to tick the “This is a B2C directory” checkbox, as Azure AD Domain Services is not supported with a B2C directory.
5. After Azure AD is created, go to the Configure tab and toggle the switch to enable Azure Active Directory Domain Services.
6. Wait a few minutes and watch the two managed domain controllers build. In this case there are two domain controllers with IP addresses 10.0.0.4 and 10.0.0.5, and these IPs will be used as the primary and secondary DNS server addresses on the VNet.
Create a Virtual Machine on Azure and join it to the Azure AD Domain Services managed domain
1. Create a new virtual machine in the Azure Service Manager portal, on the VNet that was created above.
2. Ensure that the VM is connected to the VNet that is associated with Azure AD DS.
3. Now the VM is built; it has received the Azure AD DS domain controller IPs and is able to ping the domain controller DNS name.
Manage Azure Active Directory Domain Services – Join Domain, Organizational Units and Group Policy
Create a new user “joindomain” (or any other name of your choice) and a new group “AAD DC Administrators” (the name must be exact, as it is the group that Microsoft creates to manage the OUs and Group Policies), and add the user account to this group. Once this is done, you will be able to join computers to the domain.
The VM that was created was joined to the domain using this account.
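The checks and the domain join described above, as an added PowerShell example run on the new VM (this is not code from the original post). It assumes a placeholder managed domain name corp.example.local, the 10.0.0.4 / 10.0.0.5 domain controller addresses from the post, the joindomain account, and the built-in AADDC Computers OU.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session on the VM
# that sits on the AAD DS VNet. The domain name below is a placeholder for your managed domain.
$Domain   = 'corp.example.local'
$DcAddrs  = @('10.0.0.4', '10.0.0.5')                       # managed DC IPs shown in the post
$TargetOu = 'OU=AADDC Computers,DC=corp,DC=example,DC=local' # where the VM object should land

# 1. The VNet's DNS settings (post, steps 2 and 6) must hand the DC IPs to the VM as its resolvers;
#    otherwise the domain join cannot locate a DC even though the DCs are reachable.
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object ServerAddresses).ServerAddresses | Select-Object -Unique
$missing = $DcAddrs | Where-Object { $_ -notin $dns }
if ($missing) {
    throw "VM DNS servers ($($dns -join ', ')) do not include DC(s): $($missing -join ', ')"
}

# 2. Name resolution, including the SRV record a domain join uses to find a DC.
$null = Resolve-DnsName -Name $Domain -Type A -Server $DcAddrs[0] -ErrorAction Stop
$null = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcAddrs[0] -ErrorAction Stop

# 3. The ports a join and a Kerberos logon need: DNS, Kerberos, LDAP, SMB. A failure here usually
#    means a network security group on the subnet is blocking the traffic.
foreach ($dc in $DcAddrs) {
    foreach ($port in 53, 88, 389, 445) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        if (-not $r.TcpTestSucceeded) { throw "TCP $port to $dc is blocked" }
    }
}

# 4. Join with the dedicated join account (member of 'AAD DC Administrators') rather than a
#    personal admin account, and place the computer object in the AADDC Computers OU.
$cred = Get-Credential -Message "Enter $Domain\joindomain"
Add-Computer -DomainName $Domain -Credential $cred -OUPath $TargetOu -Force -Restart
```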
Manage OUs and Group Policies
Install the AD management tools and Group Policy management tools on the VM that was created or on any other system. For simplicity of illustration, I have installed the tools on the same VM itself.
Below is the default OU structure of Azure Active Directory Domain Services and a few key points –
- There are Organizational Units named “AADDC Computers” and “AADDC Users” to store the computer and user accounts respectively.
- You will not be able to create new Organizational Units.
- The group AAD DC Administrators that we created in the Azure Portal is synced to Azure AD Domain Services to provide management access.
- Members of AAD DC Administrators are also DNS Admins, which means they will be able to create and manage DNS domains as desired.
Below is the Group Policy structure –
- There are two default Group Policies – one linked to the Computers OU and the other linked to the Users OU.
- You can’t create more Group Policies; all policies must be managed within these two.
- The group AAD DC Administrators has the Edit settings right on the Group Policies.
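The OU, group and Group Policy facts listed above are easy to verify and worth re-checking periodically, because AAD DC Administrators (and, through it, DnsAdmins) is the only management boundary the tenant controls in this managed domain. The following added PowerShell audit (not code from the original post) runs from a domain-joined machine with the RSAT ActiveDirectory and GroupPolicy modules installed; the domain name and the expected-member list are placeholders.

```powershell
# Added example (not from the original post). Lists the OUs, the members of the two administrative
# groups, the GPOs with their OU links, and the edit rights AAD DC Administrators holds on them.
Import-Module ActiveDirectory, GroupPolicy
$Domain         = 'corp.example.local'   # placeholder for your managed domain
$ExpectedAdmins = @('joindomain')        # accounts you deliberately placed in AAD DC Administrators

# OUs: the managed domain ships "AADDC Computers" and "AADDC Users"; anything else is unexpected.
$ous = Get-ADOrganizationalUnit -Filter * -Server $Domain |
       Select-Object -ExpandProperty DistinguishedName
$ous | ForEach-Object { "OU: $_" }

# Groups that can manage OUs, Group Policy and DNS. Flag any member not on the expected list.
foreach ($group in 'AAD DC Administrators', 'DnsAdmins') {
    $members = Get-ADGroupMember -Identity $group -Recursive -Server $Domain -ErrorAction SilentlyContinue
    $names   = @($members | Select-Object -ExpandProperty SamAccountName)
    "${group}: $($names -join ', ')"
    $extra = $names | Where-Object { $_ -notin $ExpectedAdmins }
    if ($extra) { Write-Warning "$group contains unexpected members: $($extra -join ', ')" }
}

# GPOs: two built-in policies, one linked to each OU. Confirm the count, the links, and the
# permission level of AAD DC Administrators; an unplanned ModificationTime is worth investigating.
$gpos = Get-GPO -All -Domain $Domain
"GPO count: $($gpos.Count) (expected 2)"
foreach ($ou in $ous) {
    $links = (Get-GPInheritance -Target $ou -Domain $Domain).GpoLinks
    "Linked to ${ou}: $(($links | Select-Object -ExpandProperty DisplayName) -join ', ')"
}
foreach ($g in $gpos) {
    $perm = Get-GPPermission -Name $g.DisplayName -Domain $Domain `
            -TargetName 'AAD DC Administrators' -TargetType Group -ErrorAction SilentlyContinue
    "$($g.DisplayName): AAD DC Administrators = $($perm.Permission); last modified $($g.ModificationTime)"
}
```

Run it once after setup to record the baseline, then compare later output against it.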
Now that we have seen how Azure Active Directory Domain Services is created and managed in the cloud, we need to analyze whether it is really practical for medium or large organizations to leverage Azure ADDS. The lack of control over the schema and domain really restricts organizations from modifying the domain environment to fit their ecosystem. I feel Azure AD is a great tool in the cloud, with support for application integrations, business integrations like B2B / B2C or Azure Access Control, and MFA, but Azure ADDS would still need to evolve to meet large organizations’ requirements. It may be great for small companies or start-ups to leverage the NTLM and Kerberos protocols without having to design and manage an Active Directory environment.
In the next posts, I will explain how Azure Active Directory Domain Services behaves with synchronized identities.
Please post comments on the article with your feedback.