Skip to main content

Azure Active Directory Domain Services

What is Azure Active Directory Domain Services?

Azure Active Directory Domain Services enables organizations to use domains services such as domain joining, Group Policies, LDAP, Kerberos/NTLM authentication same as the on-premises windows based active directory.

Azure active directory domain services extend Azure AD to support DNS name resolution, Custom Organizational Units, Kerberos, NTLM, Group Policy, domain joining, LDAP bind or read and Secure LDAP. With managed domain as the name suggests we can use domain services without the need of deploying, managing or patching domain controllers.

 

What are the prerequisites?

To deploy azure ADDS following resources and privileges are required:

·         An Azure Subscription,

·         Azure AD tenant associated to the subscription, the tenant either be synchronized with an on-premises directory or cloud-only directory. For our demo purpose, I will use the cloud-only directory,

·         Global administrator privilege on the tenant to deploy Azure ADDS,

·         And Contributor privilege on the subscription

 

What are the advantages?

·     Easy to deploy: Azure AD Domain services can be enabled with a single wizard on the Azure portal, without the need of deployment of domain controllers and it’s management.

·    High Availability, managed domains are Azure service with an uptime of 99.9 % SLA.

·   With Kerberos/NTLM Authentication support, you can deploy any application or workload, those have a dependency on legacy authentication protocol.

·     In-Built DNS Update, same as on-premises AD, the managed domain is also highly dependent on DNS for name resolution, Azure AD Domain Services comes with in-built DNS records and updates. You do not need to managed DNS separately.

·       Microsoft manages the Domain Controllers including the deployment, backup, and restoration.

 

What are the limitations?

Since it is managed domain, it comes with certain limitations:

·    Lack of control, you do not get domain admin or enterprise admin privileges. For any application installation requires such access are of the list for example ADFS or Exchange

·         Kerberos delegation is not possible.

·         Custom GPOs are not allowed.

·      One way sync, any custom object created under the managed domain will not be reflected in Azure AD.

Custom schema extension is not supported.


Next:

How to Configured Azure AD Domain ServiceStep by Step

Labels:

Comments

Post a Comment

Appreciate your Feedbacks\Comments

Popular posts from this blog

About Hari Shanker

Thanks for visiting my site! My name is Hari Shanker, this is my weblog about various technical subjects. cloud computing and the occasional personal topics too. PROFESSIONAL INFORMATION I’ve been in the Information Technology field for more than 16 years, starting out with desktop support. Along the way, I worked as a systems administrator, Active Directory Specialist, Azure Specialist. Most recently, I was the Solution architect for Microsoft Azure at Rackspace. Currently, I work for Cognizant as a Principal Architect for Cloud Transformation & Solutioning. PERSONAL INFORMATION I live with my parents in the New Delhi area. Much of my time remains busy in my office and activities on various technical forums. During my leisure time, I love to spend time with Family & Friends and spend holidays on Hill stations. DISCLAIMER Any views or opinions expressed here are strictly my own. I am a blogger who works for an organization/company, I am not an organiz...
3 comments
Read more

LDIFDE (LDAP Data Interchange Format Directory Exchange)

LDIFDE (LDAP Data Interchange Format Directory Exchange) A previous article described about CSVDE usage. This article will walk you through another tool LDIFDE (LDAP Data Interchange Format Directory Exchange), it is also a command prompt-based tool similar to CSVDE to export information from Active Directory. LDIFDE and CSVDE both are the tools that can be used to export data from Active Directory, and for creating AD objects by using data presented in LDIF or CSV format. The exported data can be filtered
3 comments
Read more

Troubleshooting Memory Leak on Domain Controller in Lsass.exe Process

What is a memory leak? Application codes require that some amount of memory to be allocated, for storing values that will be worked with, and then deallocated when the code is finished working with them. This is a concern to Active Directory administrator because we don’t always have full control over all of the code which runs in our environment. Sometimes some applications have the specific problem of not being able to deallocate their memory usage when running on or against a domain controller, resulting in a memory leak. There can be memory leaks in either kernel or user mode but application derived memory leaks are by nature user mode leaks.
2 comments
Read more