Azure Identity And Access Management Part 27 – Azure Active Directory Domain Services (Azure AD DS) 2 – Configure An Azure AD DS Managed Domain
Hope you all are doing good !!!
In our last article we started a very important topic, Azure AD Domain Services (Azure AD DS), and went through an overview of the service. In this article we will continue with the same topic and see how to create and configure an Azure AD DS managed domain.
If you have missed our previous articles on Azure Identity And Access Management (IAM), please check them at the following links.
Create And Configure Azure AD Domain Services:
As we discussed in our last article, Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. So let’s proceed with this topic and create and configure an Azure AD Domain Services managed domain.
Before we start with the configuration, we need the following resources and privileges.
- An active Azure subscription with an Azure Active Directory directory.
- Global Administrator privileges in the Azure AD directory and Contributor privileges in the Azure subscription, to create the required Azure AD DS resources such as the resource group.
- A virtual network; create one if it does not already exist.
Now let’s go through the following steps to create and configure Azure Active Directory Domain Services using the Azure portal.
Step 1 – Log in to the Azure portal, select Create a resource from the left menu, and search for Azure AD Domain Services in the Marketplace.
Step 2 – Click on Azure AD Domain Services to start configuring the service, as shown in the following figure.
Step 3 – On the Azure AD Domain Services page, click the +Add or Create Azure AD Domain Services button.
This launches the Create Azure AD Domain Services wizard. As shown in the following figure, there are five sections/tabs that need to be configured to finalize the configuration. The first one is the Basics tab.
Step 4 – Select the Azure Subscription and Resource Group in which we would like to create our managed domain. We can also create the resource group from this page if we don’t have one already.
Step 5 – Now the most important property to set is the DNS Domain Name. As we can see in the following figure, I have given ‘manasmoharna@onmicrosoft.com‘. We should consider the following points when choosing this DNS name. The following points are copied from the Microsoft documentation to help the reader.
Built-in domain name: By default, the built-in domain name of the directory is used (a .onmicrosoft.com suffix). If we wish to enable secure LDAP access to the managed domain over the internet, we can’t create a digital certificate to secure the connection with this default domain. Microsoft owns the .onmicrosoft.com domain, so a Certificate Authority (CA) won’t issue a certificate.
Custom domain names: The most common approach is to specify a custom domain name, typically one that we already own and that is routable. When we use a routable, custom domain, traffic can correctly flow as needed to support our applications.
Non-routable domain suffixes: Microsoft generally recommends that we avoid a non-routable domain name suffix, such as contoso.local. The .local suffix isn’t routable and can cause issues with DNS resolution.
Domain prefix restrictions: We can’t create a managed domain with a prefix longer than 15 characters.
Network name conflicts: The DNS domain name for our managed domain shouldn’t already exist in the virtual network.
Step 6 – After selecting the Region, the next important property is the SKU. The performance, backup frequency, and maximum number of forest trusts we can create depend on the SKU we choose, but we can change the SKU after the managed domain has been created if our requirements change. Here I have chosen Standard as my SKU, as shown in the following figure.
Step 7 – The last property of the Basics tab is the Forest Type. By default, a managed domain is created as a User forest. This type of forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment. A Resource forest only synchronizes users and groups created directly in Azure AD. I have selected the default User forest.
Step 8 – After configuring the Basics tab, the next step is the Networking tab. As shown in the following figure, we need to select the Virtual Network (V-Net). We can create a new V-Net by clicking the Create New button. If we select an existing network, we need to make sure that its configuration does not block the ports required for Azure AD Domain Services to run. Learn how to create and configure an Azure Virtual Network (V-Net).
Step 9 – The last property of the Networking tab is the Subnet. Azure AD Domain Services uses a dedicated subnet within the V-Net, and we should not use this subnet for any other purpose. Azure AD DS deploys both Domain Controllers (DCs) into this subnet. The following figure shows my configuration; the address range of my subnet is ‘10.0.1.0/24‘.
Step 10 – Next is the Administration tab, where we configure the AAD DC Administrators group. This is a built-in group to which we add all the administrators who can manage the managed domain. Here we can also configure the recipients for notifications.
Step 11 – The next tab is Synchronization, where we configure the Synchronization Type. As we know, Azure AD Domain Services provides a one-way synchronization from Azure Active Directory to the managed domain. Here I have selected All.
Step 12 – Review + Create is the last tab, which allows us to review our configuration before creating it. Once we have verified that the whole configuration is as per our requirements, click the Create button to proceed. There is also a ‘Download a template for automation‘ link to download the template if we want to keep future deployments consistent.
Step 13 – We will get the following notification before the Azure AD DS deployment starts, because the listed configuration cannot be changed afterwards. So review it carefully before creating.
In the following figure, we can see that the deployment is in progress. It will take around 1 hour to complete the deployment of the managed domain.
Once our managed domain is fully provisioned, it is associated with our Azure AD tenant. During the provisioning process, Azure AD DS creates two Enterprise Applications named Domain Controller (DC) Services and AzureActiveDirectoryDomainControllerServices in the Azure AD tenant. Both DCs are created in the dedicated subnet and reserve their IP addresses from it; in our case the two IPs are 10.0.1.4 and 10.0.1.5.
Step 14 – Now we should configure the virtual network to allow other connected VMs and applications to use the managed domain. Let’s update the DNS server settings for our virtual network to point to the two IP addresses (10.0.1.4 and 10.0.1.5) where the Azure AD DS domain controllers are deployed. Go to the Overview page of Azure AD Domain Services.
Step 15 – To update the DNS server settings for the virtual network, select the Configure button as shown in the above figure. The DNS settings are then configured automatically for our virtual network. Now our managed domain is ready to use.
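As an added pre-flight check (example code written for this article, not part of the Azure portal or any Microsoft tooling), the following script encodes the DNS domain name rules from Step 5 and the dedicated-subnet and DNS-server expectations from Steps 9 and 13–14, so a planned configuration can be validated before clicking Create. All names and addresses in it are constructed sample values.

```python
import ipaddress
import re

# Constraints paraphrased from the Step 5 list in this article.
MAX_PREFIX_LEN = 15
NON_ROUTABLE_SUFFIXES = (".local",)
# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_domain_name(name, want_secure_ldap=False, vnet_dns_names=()):
    """Return a list of problems for a planned Azure AD DS DNS domain name."""
    problems = []
    name = name.strip().rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        problems.append("not a valid DNS domain name")
        return problems
    prefix = labels[0]
    if len(prefix) > MAX_PREFIX_LEN:
        problems.append(f"prefix '{prefix}' is {len(prefix)} chars; maximum is {MAX_PREFIX_LEN}")
    if name.endswith(NON_ROUTABLE_SUFFIXES):
        problems.append("non-routable suffix (such as .local) can break DNS resolution")
    if want_secure_ldap and name.endswith(".onmicrosoft.com"):
        problems.append("a public CA will not issue a certificate for .onmicrosoft.com; "
                        "secure LDAP over the internet needs a custom domain")
    if name in {n.strip().rstrip(".").lower() for n in vnet_dns_names}:
        problems.append("a domain with this name already exists in the virtual network")
    return problems


def check_network_plan(subnet_cidr, dc_ips, vnet_dns_servers, other_subnet_members=()):
    """Check the dedicated subnet and the VNet DNS settings after deployment."""
    problems = []
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    for ip in dc_ips:
        if ipaddress.ip_address(ip) not in subnet:
            problems.append(f"DC {ip} is outside the dedicated subnet {subnet}")
    if set(vnet_dns_servers) != set(dc_ips):
        problems.append("VNet DNS servers must be exactly the managed-domain DC addresses")
    if other_subnet_members:
        problems.append("dedicated subnet also hosts other resources: "
                        + ", ".join(other_subnet_members))
    return problems


if __name__ == "__main__":
    # Constructed sample plan, modelled on the values used in this article.
    print(check_domain_name("contoso.onmicrosoft.com", want_secure_ldap=True))
    print(check_network_plan("10.0.1.0/24", ["10.0.1.4", "10.0.1.5"], ["10.0.1.4", "10.0.1.5"]))
```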
As we know, to authenticate users on the managed domain, Azure AD DS needs password hashes in a format that is suitable for NT LAN Manager (NTLM) and Kerberos authentication. The steps to generate and store these password hashes differ between cloud-only user accounts created in Azure AD and user accounts that are synchronized from our on-premises directory using Azure AD Connect. For cloud-only user accounts, users must change their passwords before they can use Azure AD DS. This password change causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD. The account isn’t synchronized from Azure AD to Azure AD DS until the password is changed.
As I am exploring Azure Identity and Access Management (IAM) in detail, especially Active Directory, please let me know if I missed anything important or if my understanding is not up to the mark.
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
Thanks for reading 🙂