
How to configure Azure Active Directory Domain Services


1. Log in to the Azure portal.

2. Type Domain Services in the search bar on the portal's home page and click Azure AD Domain Services.

3. Click Create Azure AD Domain Services.

4. In the new pane, under Basics:

a. Select the right subscription (if you do not have multiple subscriptions, leave the default).

b. Under Resource Group, click Create new, provide the desired name for your resource group (I have named it ADDSLABRG) and click OK.

c. You can update the DNS name, Location, SKU and Forest type as required; I will keep the defaults for now. Choose the DNS name and forest type carefully: unlike the SKU, they cannot be changed once the managed domain has been created. Both decisions are discussed below.

d. Click Next to move to the Networking pane.

SKU Decision:
Azure AD Domain Services performance and features differ by SKU. The SKU can be changed after deployment as business requirements change.

SKU         Max object count   Suggested object count   Suggested authentication load per hour   Backup frequency   Resource forest trusts
Standard    Unlimited          up to 25,000             up to 3,000                              Every 5 days       N/A
Enterprise  Unlimited          up to 100,000            up to 10,000                             Every 7 days       up to 5 trusts
Premium     Unlimited          up to 500,000            up to 70,000                             Daily              up to 10 trusts

Source: Microsoft Documentation


Forest Type Decision:
User forest is the default when a managed domain is created. It synchronizes all objects from Azure AD, including user accounts that were themselves synced from on-premises AD. For users to authenticate against a user forest, their password hashes (the NTLM and Kerberos hashes, not the cleartext password) must be synchronized to the managed domain.
User forests are the right choice when your users sign in with a username and password.

Resource forest: users are authenticated over a one-way outbound forest trust from the managed domain to the on-premises AD forest. No password hashes are synchronized to the managed domain; the credentials stay in the on-premises forest, and users sign in against on-premises AD, which removes the need to synchronize on-premises password hashes. This option requires the Enterprise or Premium SKU of Azure AD Domain Services.
Resource forests are the right choice when an organization cannot use password hash synchronization because of a limitation such as smart-card authentication.

5. Under the Networking pane, click Create new under Virtual network to create the desired network, or select an existing virtual network and subnet if you already have one. The managed domain needs a subnet of its own. Once done, click Next.

6. Under Administration, click Manage group membership.

a. In the Members pane, click + Add members.

b. Select the users who should manage Azure AD Domain Services and close the Members pane. Members of this group (AAD DC Administrators) get administrative rights inside the managed domain, so keep its membership small and review it regularly.

c. Click Next.

7. Under the Synchronization pane, decide whether to sync all users from Azure AD to the managed domain or only selected groups. For this example I will keep the default setting of All and click Next.

8. Under Review + create, verify the details, wait for validation to complete, and click Create.

 

9. Click OK to acknowledge that the listed configuration settings cannot be changed after deployment.

10. Wait for the deployment to complete.

11. Deployment and the initial sync take some time. You can monitor progress under the notification icon in the top right corner of the Azure portal.

12. The deployment has completed successfully.
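The same deployment, scripted in PowerShell, as an added example that is not part of the original post. It makes the same choices as steps 1 to 12 above (Standard SKU, user forest, sync All) and lists them explicitly so the security-relevant decisions are visible in code review rather than buried in portal clicks. All names (ADDSLABRG, aaddslab.example.com, the address ranges, the admin UPN) are placeholders; it assumes the Az.Accounts, Az.Resources, Az.Network, Az.ADDomainServices and Microsoft.Graph modules, and the parameter names for New-AzADDomainService are those of the Az.ADDomainServices module as I understand them.

```powershell
# Added example: deploy a managed domain with the choices from the walkthrough
# (Standard SKU, user forest, sync ALL users). Names below are placeholders.
$ResourceGroupName = "ADDSLABRG"
$Location          = "eastus"
$ManagedDomainName = "aaddslab.example.com"   # placeholder DNS name; cannot be changed later
$VnetName          = "ADDSLAB-VNET"
$AdminUpn          = "hari@example.com"       # placeholder: first managed-domain admin

Connect-AzAccount
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All", "Application.ReadWrite.All"

# One-time tenant prerequisites (the portal does this silently): register the
# resource provider and the "Domain Controller Services" service principal,
# whose app ID is the one published in the Microsoft docs.
Register-AzResourceProvider -ProviderNamespace "Microsoft.AAD" | Out-Null
$dcsAppId = "2565bd9d-da50-47d4-8b85-4c97f669dc36"
if (-not (Get-MgServicePrincipal -Filter "appId eq '$dcsAppId'")) {
    New-MgServicePrincipal -AppId $dcsAppId | Out-Null
}

# Step 6: the administration group. Membership is a privilege boundary:
# members become administrators inside the managed domain, so add only
# the accounts that must manage it.
$group = Get-MgGroup -Filter "displayName eq 'AAD DC Administrators'"
if (-not $group) {
    $group = New-MgGroup -DisplayName "AAD DC Administrators" `
        -Description "Delegated group to administer Azure AD Domain Services" `
        -SecurityEnabled -MailEnabled:$false -MailNickname "AADDCAdministrators"
}
$admin = Get-MgUser -UserId $AdminUpn
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $admin.Id

# Steps 4b and 5: resource group and VNet with a dedicated subnet for the
# managed domain plus a separate subnet for workloads and the management VM.
New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Force | Out-Null
$aaddsSubnet    = New-AzVirtualNetworkSubnetConfig -Name "DomainServices" -AddressPrefix "10.10.0.0/24"
$workloadSubnet = New-AzVirtualNetworkSubnetConfig -Name "Workloads"      -AddressPrefix "10.10.1.0/24"
$vnet = New-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Location $Location `
    -Name $VnetName -AddressPrefix "10.10.0.0/16" -Subnet $aaddsSubnet, $workloadSubnet

# Steps 4c and 7: SKU, forest type and sync scope, then create the domain.
# DomainConfigurationType "FullySynced" = user forest (password hashes are
# synced); "ResourceTrusting" = resource forest (Enterprise/Premium only).
# FilteredSync "Disabled" is the portal's "All"; "Enabled" is scoped sync.
$subnetId   = ($vnet.Subnets | Where-Object Name -eq "DomainServices").Id
$replicaSet = New-AzADDomainServiceReplicaSetObject -Location $Location -SubnetId $subnetId
New-AzADDomainService -Name $ManagedDomainName -ResourceGroupName $ResourceGroupName `
    -DomainName $ManagedDomainName -ReplicaSet $replicaSet `
    -Sku "Standard" -DomainConfigurationType "FullySynced" -FilteredSync "Disabled"
```

New-AzADDomainService blocks until the long-running deployment finishes, so expect the same wait as step 11. Keeping the managed domain in its own subnet matters because the service deploys and manages its own network security group there; putting other VMs in that subnet both breaks that assumption and exposes them to the domain's inbound rules.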


13. Now we need to configure DNS for the VNet so that name resolution works and VMs can find the domain. By default the VNet uses Azure-provided DNS, which knows nothing about the managed domain's domain controllers or its SRV records, so domain join fails until this is done.

a. When you open the newly created domain for the first time you may see a warning about the DNS configuration.

b. Click the warning to run the diagnosis; it takes you to the DNS configuration. Click Fix and the VNet's DNS servers are set to the managed domain's domain controller IP addresses.

14. Password hash synchronization:

Before Azure AD Domain Services can authenticate Azure AD user accounts, their password hashes must be synchronized to the managed domain. Existing cloud-only accounts have no hash in the managed domain until the user changes their password, because the hashes in the required format are generated only at the next password change.

i. An administrator can reset the password in the Azure portal. A temporary password is generated and must be delivered to the user (out of band, not over the same channel as the username); the user has to change it at next sign-in.

ii. Alternatively, if you have an Azure AD Premium licence and self-service password reset is enabled, users can change their own password in the Azure AD Access Panel.

15. Azure AD Domain Services administration:

  • For day-to-day administration of the managed domain you need a domain-joined virtual machine with the RSAT tools installed on it.
  • The VM must be in the same VNet as the managed domain or in a peered VNet so that it can reach the domain controllers.
  • The VM must be in a different subnet from the one used by Azure AD Domain Services; that subnet is reserved for the managed domain and its service-managed network security group.
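Steps 13 and 14 scripted together, as an added example that is not from the original post. It assumes the placeholder names used in the deployment (ADDSLABRG, aaddslab.example.com, ADDSLAB-VNET), the Az.Network, Az.ADDomainServices and Microsoft.Graph modules, and that Get-AzADDomainService exposes the domain controller addresses under ReplicaSet[].DomainControllerIPAddress, which is my reading of that module. The password part automates option (i) of step 14 for every user in the AAD DC Administrators group: it sets a temporary password and forces a change at next sign-in, which is what actually generates the hash in the managed domain.

```powershell
# Added example: fix VNet DNS (step 13) and trigger password hash sync for
# cloud-only admin accounts (step 14). Names are placeholders.
$ResourceGroupName = "ADDSLABRG"
$ManagedDomainName = "aaddslab.example.com"
$VnetName          = "ADDSLAB-VNET"

Connect-AzAccount
Connect-MgGraph -Scopes "User.ReadWrite.All", "GroupMember.Read.All"

# Step 13: point the VNet's DNS at the managed domain's domain controllers.
# VMs still using Azure-provided DNS cannot resolve the domain or its SRV
# records, which is exactly the warning the portal shows.
$aadds = Get-AzADDomainService -Name $ManagedDomainName -ResourceGroupName $ResourceGroupName
$dcIps = $aadds.ReplicaSet[0].DomainControllerIPAddress   # assumed property path; two IPs in the DomainServices subnet
$vnet  = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName
$vnet.DhcpOptions.DnsServers = $dcIps
$vnet | Set-AzVirtualNetwork | Out-Null
Write-Host "VNet $VnetName now uses DNS servers: $($dcIps -join ', ') (VMs pick this up on DHCP renew or reboot)"

# Step 14: a cloud-only user has no hash in the managed domain until their
# password changes. For each user in the admin group, set a random temporary
# password and force a change at next sign-in. Hand the temporary password to
# the user out of band; it never needs to be stored.
$chars = [char[]]((48..57) + (65..90) + (97..122) + (33, 35, 36, 37, 38, 42, 43, 45, 61, 63, 64))
$group = Get-MgGroup -Filter "displayName eq 'AAD DC Administrators'"
$members = Get-MgGroupMember -GroupId $group.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' }
foreach ($m in $members) {
    $user = Get-MgUser -UserId $m.Id
    $temp = -join ($chars | Get-Random -Count 20)
    Update-MgUser -UserId $user.Id -PasswordProfile @{
        Password                      = $temp
        ForceChangePasswordNextSignIn = $true
    }
    [pscustomobject]@{ User = $user.UserPrincipalName; TemporaryPassword = $temp }
}
```

The hashes reach the managed domain only after the user completes the forced change, so allow for the sync interval before testing a domain join with that account. Running this against the whole directory is rarely appropriate; scope it to the accounts that must authenticate to the managed domain.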

Comments

  1. Hari, thank you for sharing such a clear explanation of configuring Azure AD Domain Services.
