
How to configure Azure Active Directory Domain Services


1.      Sign in to the Azure portal.

2.      Type Domain Services in the search bar on the portal’s home page and click Azure AD Domain Services.

3.      Click Create Azure AD Domain Services.

4.      In the new pane under Basics:

a.      Select the right subscription (if you have only one subscription, leave the default).

b.      Under Resource Group, click Create new, enter a name for the resource group (I named mine ADDSLABRG) and click OK.

c.      You can change the DNS Name, Location, SKU and Forest Type as your requirements dictate; I keep the defaults for now. Note that the DNS name and forest type cannot be changed after deployment, while the SKU can.

d.      Click Next to move to the Networking pane.

SKU Decision:
Azure AD Domain Services performance and features differ by SKU. The SKU can be changed after deployment as business requirements change, so it is not a one-way decision, but it does set object and authentication limits and how often the managed domain is backed up.

SKU Name     Max Object Count   Suggested Object Count   Suggested Authentication Load per Hour   Backup Frequency   Resource Forest Trust
Standard     Unlimited          up to 25,000             up to 3,000                              Every 5 days       N/A
Enterprise   Unlimited          up to 100,000            up to 10,000                             Every 3 days       up to 5 trusts
Premium      Unlimited          up to 500,000            up to 70,000                             Daily              up to 10 trusts

Source: Microsoft Documentation


Forest Type Decision:
User Forest is the default option when a managed domain is created. It synchronizes all objects from Azure AD, including user accounts that are themselves synced from on-premises AD. For users to authenticate against the managed domain, their password hashes must be synchronized to it (see step 14).
User forests are the right choice when users sign in with a username and password.

Resource Forest: users authenticate over a one-way forest trust from the on-premises AD forest. No password hashes are synchronized to the managed domain; on-premises users keep authenticating against on-premises AD across the trust, which removes the need to synchronize on-premises password hashes. This option requires the Enterprise or Premium SKU of Azure AD Domain Services.
Resource forests are the right choice when an organization cannot use password hash synchronization because of a constraint such as smart card authentication for users.

5.      Under the Networking pane, click Create new under Virtual Network to create the network you want, or select an existing virtual network and subnet. Use a subnet dedicated to Azure AD Domain Services; other VMs belong in a separate subnet. Once done, click Next.

6.      Under Administration, click Manage group membership.

a.      In the Members pane, click + Add members.

b.      Select the users who should be allowed to manage Azure AD Domain Services (they become members of the AAD DC Administrators group) and close the Members pane.

c.      Click Next.

7.      Under the Synchronization pane, decide whether to synchronize all users from Azure AD to the managed domain or only selected groups (scoped synchronization). For this example I keep the default setting of All and click Next.

8.      Under Review + Create, verify the details, wait for validation to complete, and click Create.

 

9.      Click OK to acknowledge that the listed configuration settings cannot be changed after deployment.

10.  Wait for the deployment to complete.

11.  The deployment and the initial synchronization take some time. You can monitor progress under the notification icon in the top right corner of the Azure portal.

12.  The deployment has completed successfully.
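Steps 1 to 12 above, done from PowerShell instead of the portal, as an added example that is not part of the original post. It uses the Az modules (Az.Accounts, Az.Resources, Az.Network, Az.ADDomainServices) and Microsoft Graph PowerShell; the resource group name is the post's, while the region, address ranges, managed domain name and admin UPN are assumptions for a lab and must be replaced. The Sku, FilteredSync and DomainConfigurationType parameters mirror the REST properties of the same names on the Microsoft.AAD/DomainServices resource.

```powershell
# Added example, not from the original post: deploy a managed domain end to end.
# All names and address ranges below except ADDSLABRG are assumptions; change them.
$Location          = "eastus"
$ResourceGroupName = "ADDSLABRG"
$ManagedDomainName = "aaddslab.onmicrosoft.com"        # assumption: your managed domain DNS name
$VnetName          = "ADDSLAB-vnet"
$AdminUpn          = "admin@contoso.onmicrosoft.com"   # assumption: a user who will administer the domain

Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Group.ReadWrite.All", "User.Read.All" | Out-Null

# The resource provider must be registered in the subscription once.
Register-AzResourceProvider -ProviderNamespace "Microsoft.AAD" | Out-Null

# 1. The "Domain Controller Services" service principal. The app ID is Microsoft's
#    published value for that first-party application; the portal registers it for you.
$dcAppId = "2565bd9d-da50-47d4-8b85-4c97f669dc36"
if (-not (Get-MgServicePrincipal -Filter "appId eq '$dcAppId'")) {
    New-MgServicePrincipal -AppId $dcAppId | Out-Null
}

# 2. Delegated administration group (step 6). The managed domain only honours a group
#    with exactly this display name, so do not rename it.
$group = Get-MgGroup -Filter "displayName eq 'AAD DC Administrators'"
if (-not $group) {
    $group = New-MgGroup -DisplayName "AAD DC Administrators" `
        -Description "Delegated group to administer Azure AD Domain Services" `
        -SecurityEnabled -MailEnabled:$false -MailNickname "AADDCAdministrators"
}
$admin = Get-MgUser -UserId $AdminUpn
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $admin.Id

# 3. Resource group and VNet (step 5): one subnet dedicated to the managed domain and a
#    separate one for the management/workload VMs the post describes in step 15.
New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Force | Out-Null
$aaddsSubnet    = New-AzVirtualNetworkSubnetConfig -Name "DomainServices" -AddressPrefix "10.0.0.0/24"
$workloadSubnet = New-AzVirtualNetworkSubnetConfig -Name "Workloads"      -AddressPrefix "10.0.1.0/24"
$vnet = New-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Location $Location `
    -Name $VnetName -AddressPrefix "10.0.0.0/16" -Subnet $aaddsSubnet, $workloadSubnet
$aaddsSubnetId = ($vnet.Subnets | Where-Object Name -eq "DomainServices").Id

# 4. The managed domain (steps 4, 7 and 8). Domain name, subnet and forest type cannot be
#    changed afterwards; the SKU can. "FullySynced" is the user forest from the post,
#    "ResourceTrusting" would be the resource forest (Enterprise/Premium SKU only).
$replicaSet = New-AzADDomainServiceReplicaSetObject -Location $Location -SubnetId $aaddsSubnetId
New-AzADDomainService -Name $ManagedDomainName -ResourceGroupName $ResourceGroupName `
    -DomainName $ManagedDomainName -ReplicaSet $replicaSet `
    -Sku "Standard" -FilteredSync "Disabled" -DomainConfigurationType "FullySynced"
```

The final cmdlet returns while provisioning is still running; as in the portal, the initial sync can take a while, so poll Get-AzADDomainService until the provisioning state is Succeeded before moving on to the DNS step.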


13.  Now configure DNS on the VNet so that name resolution works and VMs can find the domain.

a.      When you open the newly created domain for the first time you may see a warning about the virtual network's DNS configuration.

b.      Click the warning to run the diagnosis; it takes you to the DNS configuration with a Fix button. Click Fix and the VNet's DNS servers are set to the IP addresses of the managed domain's domain controllers. VMs already running in the VNet pick up the new DNS servers only after a restart or DHCP renewal.
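What the Fix button does, scripted with Az PowerShell, as an added example that is not from the original post. It reads the domain controller addresses the managed domain publishes in its domainControllerIpAddress property and writes them into the VNet's DNS server list; the resource group, domain and VNet names are assumptions.

```powershell
# Added example, not from the original post: point the VNet DNS at the managed domain's DCs.
$ResourceGroupName = "ADDSLABRG"
$ManagedDomainName = "aaddslab.onmicrosoft.com"   # assumption
$VnetName          = "ADDSLAB-vnet"               # assumption

# The managed domain resource exposes its DC addresses once provisioning has finished.
$aadds = Get-AzResource -ResourceGroupName $ResourceGroupName -Name $ManagedDomainName `
    -ResourceType "Microsoft.AAD/DomainServices" -ExpandProperties
$dcIps = @($aadds.Properties.domainControllerIpAddress)
if ($dcIps.Count -lt 2) {
    throw "Managed domain is not fully provisioned yet (DC IPs: '$($dcIps -join ',')'); try again later."
}

$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VnetName
if (-not $vnet.DhcpOptions) {
    # A VNet that still uses Azure-provided DNS has no DhcpOptions object to edit.
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}

# Compare as sorted lists so a re-run with nothing to change is a no-op.
$current = (@($vnet.DhcpOptions.DnsServers) | Sort-Object) -join ","
$wanted  = ($dcIps | Sort-Object) -join ","
if ($current -ne $wanted) {
    $vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$dcIps
    Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
    Write-Host "VNet '$VnetName' DNS set to $($dcIps -join ', '). Restart or renew DHCP on VMs already in the VNet."
} else {
    Write-Host "VNet '$VnetName' DNS already points at the managed domain ($current)."
}
```

Replacing rather than appending the DNS list is deliberate: a VNet that keeps an old custom resolver ahead of the managed domain's DCs will intermittently fail to locate domain controllers, which shows up later as domain-join and Group Policy errors that look like networking faults.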

14.     Password hash synchronization:

Before Azure AD user accounts can authenticate against Azure AD Domain Services, their password hashes must be synchronized to the managed domain in the format it requires. Those hashes are only generated when a password is set or changed, so cloud-only users must change their password once after the managed domain is created.

i.      An admin can reset the password through the Azure portal; a temporary password is generated and shared with the user, who must change it at the next sign-in.

ii.     Or, if you have an Azure AD Premium license and self-service password reset is enabled, users can change their own password in the Azure AD Access Panel.
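Option i above, scripted for a list of cloud-only users with Microsoft Graph PowerShell, as an added example that is not from the original post. The UPNs are assumptions; generating the temporary password locally with a cryptographic RNG and forcing a change at next sign-in is this example's approach, matching what the portal reset does. Accounts synced from on-premises AD are skipped because their passwords are owned by the on-premises directory.

```powershell
# Added example, not from the original post: force a password change for cloud-only users
# so the managed domain receives their password hashes.
$Upns = @("alice@contoso.onmicrosoft.com", "bob@contoso.onmicrosoft.com")   # assumption

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All" | Out-Null

function New-TemporaryPassword {
    param([int]$Length = 16)
    # Alphabet without easily confused characters (0/O, 1/l/I).
    $alphabet = [char[]]"ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-=?@"
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling avoids modulo bias
    $chars = New-Object char[] $Length
    $byte  = New-Object byte[] 1
    for ($i = 0; $i -lt $Length; ) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { $chars[$i] = $alphabet[$byte[0] % $alphabet.Length]; $i++ }
    }
    return -join $chars
}

$results = foreach ($upn in $Upns) {
    $user = Get-MgUser -UserId $upn -Property "id,userPrincipalName,onPremisesSyncEnabled"
    if ($user.OnPremisesSyncEnabled) {
        Write-Warning "$upn is synced from on-premises AD; change its password there, not in Azure AD."
        continue
    }
    $temp = New-TemporaryPassword
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = $temp
        ForceChangePasswordNextSignIn = $true   # the user's own change generates the hash
    }
    [pscustomobject]@{ Upn = $user.UserPrincipalName; TemporaryPassword = $temp }
}

# Hand the temporary passwords over out of band (not by e-mail or chat log); the hash only
# reaches the managed domain after the user signs in and sets a new password.
$results
```

Nothing is synchronized until the user actually completes the forced change, so a user who has been reset but has not signed in since will still be rejected by the managed domain.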

15.  Azure AD Domain Services administration:

  • For day-to-day administration of the managed domain you need a domain-joined virtual machine with the RSAT tools installed, since there is no direct console access to the managed domain controllers.
  • The VM must be in the same VNet as Azure AD Domain Services, or in a VNet peered with it, so it can reach the domain controllers.
  • The VM should be in a different subnet from the one dedicated to Azure AD Domain Services.
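The preparation of that management VM, run inside a Windows Server VM placed in the workload subnet, as an added example that is not from the original post. It first proves the VM can locate the managed domain through DNS and reach the domain controllers, then installs RSAT and joins the domain. The domain name and the joining account are assumptions; the account has to be a member of AAD DC Administrators.

```powershell
# Added example, not from the original post: verify name resolution and reachability,
# install RSAT, and join a Windows Server VM to the managed domain.
$DomainName = "aaddslab.onmicrosoft.com"         # assumption
$JoinUser   = "admin@contoso.onmicrosoft.com"    # assumption: member of AAD DC Administrators

# 1. Name resolution: with the VNet DNS from step 13, the DC locator SRV record must resolve.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$dcs = @($srv | Where-Object Type -eq "SRV" | Select-Object -ExpandProperty NameTarget)
if ($dcs.Count -eq 0) { throw "No SRV records for $DomainName; the VNet DNS servers are not the managed domain's DCs." }

# 2. Reachability: Kerberos, LDAP and SMB to every DC are needed for the join, GPO and RSAT.
foreach ($dc in $dcs) {
    foreach ($port in 88, 389, 445) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        if (-not $r.TcpTestSucceeded) {
            throw "${dc}:$port unreachable; check the NSG on the DomainServices subnet and VNet peering."
        }
    }
}
Write-Host "Resolved and reached $($dcs.Count) domain controller(s): $($dcs -join ', ')"

# 3. RSAT: AD DS tools, DNS tools and Group Policy Management (Windows Server feature names).
Install-WindowsFeature -Name RSAT-AD-Tools, RSAT-DNS-Server, GPMC | Out-Null

# 4. Join the managed domain and reboot; the computer object lands in the AADDC Computers OU.
$cred = Get-Credential -UserName $JoinUser -Message "Credential of an AAD DC Administrators member"
Add-Computer -DomainName $DomainName -Credential $cred -Restart
```

If the SRV lookup fails but the A records of the domain resolve, the VM was started before the VNet DNS change and is still using a cached resolver; restart it or renew its DHCP lease before retrying.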
