Skip to main content

Azure Active Directory Domain Services

What is Azure Active Directory Domain Services?

Azure Active Directory Domain Services enables organizations to use domains services such as domain joining, Group Policies, LDAP, Kerberos/NTLM authentication same as the on-premises windows based active directory.

Azure active directory domain services extend Azure AD to support DNS name resolution, Custom Organizational Units, Kerberos, NTLM, Group Policy, domain joining, LDAP bind or read and Secure LDAP. With managed domain as the name suggests we can use domain services without the need of deploying, managing or patching domain controllers.

 

What are the prerequisites?

To deploy azure ADDS following resources and privileges are required:

·         An Azure Subscription,

·         Azure AD tenant associated to the subscription, the tenant either be synchronized with an on-premises directory or cloud-only directory. For our demo purpose, I will use the cloud-only directory,

·         Global administrator privilege on the tenant to deploy Azure ADDS,

·         And Contributor privilege on the subscription

 

What are the advantages?

·     Easy to deploy: Azure AD Domain services can be enabled with a single wizard on the Azure portal, without the need of deployment of domain controllers and it’s management.

·    High Availability, managed domains are Azure service with an uptime of 99.9 % SLA.

·   With Kerberos/NTLM Authentication support, you can deploy any application or workload, those have a dependency on legacy authentication protocol.

·     In-Built DNS Update, same as on-premises AD, the managed domain is also highly dependent on DNS for name resolution, Azure AD Domain Services comes with in-built DNS records and updates. You do not need to managed DNS separately.

·       Microsoft manages the Domain Controllers including the deployment, backup, and restoration.

 

What are the limitations?

Since it is managed domain, it comes with certain limitations:

·    Lack of control, you do not get domain admin or enterprise admin privileges. For any application installation requires such access are of the list for example ADFS or Exchange

·         Kerberos delegation is not possible.

·         Custom GPOs are not allowed.

·      One way sync, any custom object created under the managed domain will not be reflected in Azure AD.

Custom schema extension is not supported.


Next:

How to Configured Azure AD Domain ServiceStep by Step

Labels:

Comments

Post a Comment

Appreciate your Feedbacks\Comments

Popular posts from this blog

LDIFDE (LDAP Data Interchange Format Directory Exchange)

LDIFDE (LDAP Data Interchange Format Directory Exchange) A previous article described about CSVDE usage. This article will walk you through another tool LDIFDE (LDAP Data Interchange Format Directory Exchange), it is also a command prompt-based tool similar to CSVDE to export information from Active Directory. LDIFDE and CSVDE both are the tools that can be used to export data from Active Directory, and for creating AD objects by using data presented in LDIF or CSV format. The exported data can be filtered
3 comments
Read more

About Hari Shanker

Thanks for visiting my site! My name is Hari Shanker, this is my weblog about various technical subjects. cloud computing and the occasional personal topics too. PROFESSIONAL INFORMATION I’ve been in the Information Technology field for more than 16 years, starting out with desktop support. Along the way, I worked as a systems administrator, Active Directory Specialist, Azure Specialist. Most recently, I was the Solution architect for Microsoft Azure at Rackspace. Currently, I work for Cognizant as a Principal Architect for Cloud Transformation & Solutioning. PERSONAL INFORMATION I live with my parents in the New Delhi area. Much of my time remains busy in my office and activities on various technical forums. During my leisure time, I love to spend time with Family & Friends and spend holidays on Hill stations. DISCLAIMER Any views or opinions expressed here are strictly my own. I am a blogger who works for an organization/company, I am not an organiz...
3 comments
Read more

How to check your SID's for Windows server

For an IT Professional it is quite common to have a virtual LAB environment and it is also common to face issue related to similar SID (Security Identifier) on multiple VMs on the network. Earlier there was a tool “ NewSID ” was being used to overcome from this problem but that’s been retired and not being supported by Microsoft anymore. The recommended way is to use “SysPrep” to change SID of any windows operating system. Before proceeding with “SysPrep”, it’s better to understand how to check SID!! There is a free tool can be downloaded from sysinternal called “ PsGetSID ” , I’ll show how easily one can check machine’s SID.
Post a Comment
Read more