Azure Identity And Access Management Part 27 – Azure Active Directory – Domain Service ( Azure AD DS) 2 – Configure An Azure AD DS Managed Domain

July 8, 2020 (updated July 16, 2020) ~ Manas Ranjan Moharana



Hello Friends,

Hope you all are doing good !!!

In our last article we started a very important topic, Azure AD Domain Services (Azure AD DS), with an overview of the service. In this article we will continue with the same topic and see how to create and configure an Azure AD DS managed domain.

If you have missed our previous articles on Azure Identity And Access Management (IAM), please check them at the following links.

Part 1 – Azure Active Directory – Overview

Part 2 – Azure Active Directory – Enterprise Users

Part 3 – Azure Active Directory – Create Custom Directory Role & Assign Role using Power-Shell

  • *
  • *
  • *

Part 20 – Azure Active Directory – Entitlement Management 2 – Entitlement Management Roles 1 – Administrator And Catalog Creator

Part 21 – Azure Active Directory – Entitlement Management 3 – Entitlement Management Roles 2 – Access Package Manager

Part 22 – Azure Active Directory – Entitlement Management 4 – Entitlement Management Roles 3 – Requestor And Approver

Part 23 – Azure Active Directory – Terms Of Use

Part 25 – Azure Active Directory – Identity Governance

Part 26 – Azure Active Directory – Domain Service ( Azure AD-DS) 1 – Overview

Next Article : Part 28 – Azure Active Directory – Domain Service ( Azure AD-DS) 3 – Join Windows Server VM To An Azure AD DS Managed Domain

Create And Configure Azure AD Domain Service :

As we discussed in our last article, Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. So let's proceed with this topic and create and configure an Azure AD Domain Services managed domain.

Prerequisites :

Before we start with the configuration, we need the following resources and privileges.

  • An active Azure subscription with an Azure Active Directory directory.
  • Global Administrator privileges in the Azure AD directory and Contributor privileges in the Azure subscription, to create the required Azure AD DS resources such as the resource group.
  • A virtual network; create one if it does not already exist.

Now let's go through the following steps to create and configure Azure Active Directory Domain Services using the Azure portal.

Step 1 – Log in to the Azure portal, select Create a resource from the left menu, and search for Azure AD Domain Services in the Marketplace.

Figure 1– Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – In Market Place

Step 2 – Click Azure AD Domain Services to start configuring the service, as shown in the following figure.

Step 3 – On the Azure AD Domain Services page, click the +Add or Create Azure AD Domain Services button.

Figure 2 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – New Azure ADDS

This launches the Create Azure AD Domain Services wizard. As shown in the following figure, there are 5 sections/tabs that need to be configured to finalize the configuration. The first one is the Basics tab.

Step 4 – Select the Azure subscription and resource group in which we would like to create our managed domain. We can also create the resource group from this page if we don't have one already.

Step 5 – Now the most important property to set is the DNS Domain Name. As we can see in the following figure, I have given 'manasmoharna@onmicrosoft.com'. We should consider the following points when choosing this DNS name. The following points are taken from the Microsoft documentation to help the reader.

  • Built-in domain name: By default, the built-in domain name of the directory is used (a .onmicrosoft.com suffix). If we wish to enable secure LDAP access to the managed domain over the internet, we can't create a digital certificate to secure the connection with this default domain: Microsoft owns the .onmicrosoft.com domain, so a Certificate Authority (CA) won't issue a certificate for it.
  • Custom domain names: The most common approach is to specify a custom domain name, typically one that we already own and that is routable. When we use a routable custom domain, traffic can flow correctly as needed to support our applications.
  • Non-routable domain suffixes: Microsoft generally recommends avoiding a non-routable domain name suffix such as contoso.local. The .local suffix isn't routable and can cause issues with DNS resolution.
  • Domain prefix restrictions: We can’t create a managed domain with a prefix longer than 15 characters.
  • Network name conflicts: The DNS domain name for our managed domain shouldn’t already exist in the virtual network.

Step 6 – After selecting the Region, the next important property is the SKU. The performance, backup frequency, and maximum number of forest trusts that can be created depend on the SKU we choose. We can change the SKU after the managed domain has been created if our requirements change. Here I have chosen Standard as my SKU, as shown in the following figure.

Figure 3– Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services configuration- Basic

Step 7 – The last property of the Basics tab is the Forest Type. By default, a managed domain is created as a User forest. This type of forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment. A Resource forest only synchronizes users and groups created directly in Azure AD. I have selected the default, User forest.

Step 8 – After configuring the Basics tab, the next is the Networking tab. As shown in the following figure, we need to select the Virtual Network (V-Net). We can create a new V-Net by clicking the Create New button. If we select an existing network, we need to make sure that its configuration does not block the ports required for Azure AD Domain Services to run. Learn how to create and configure an Azure Virtual Network (V-Net).

Step 9 – The last property of the Networking tab is to select the Subnet. Azure AD Domain Services uses a dedicated subnet within the V-Net, and we should not use this subnet for any other purpose. Azure AD DS deploys both Domain Controllers (DCs) into this subnet. The following figure shows my configuration; the address range of my subnet is '10.0.1.0/24'.

Figure 4– Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services Configuration – Networking

Step 10 – The next one is the Administration tab, where we need to configure the AAD DC Administrators group. This is a built-in group to which we can add all administrators who are allowed to manage the managed domain. Here we can also configure the recipients for notifications.

Figure 5 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services Configuration- Administration

Step 11 – The next tab is Synchronization, where we need to configure the Synchronization Type. As we know, Azure AD Domain Services provides a one-way synchronization from Azure Active Directory to the managed domain. Here I have selected All.

Figure 6 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services Configuration – Synchronization

Step 12 – Review + Create is the last tab; it lets us review our configuration before creating it. Once we have verified that all our configuration is as per the requirement, click the Create button to proceed. There is also a 'Download a template for automation' link to download the template if we want to keep future deployments consistent.

Figure 7 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services Configuration – Review and Create

Step 13 – We will get the following notification before the Azure AD DS is created, because the following configuration cannot be changed afterwards. So review carefully before creating.

Figure 8 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services Configuration – confirmation

The following figure shows the deployment in progress. It takes around 1 hour to complete the deployment of the managed domain.

Figure 9 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Deploying

Once our managed domain is fully provisioned, it is associated with our Azure AD tenant. During the provisioning process, Azure AD DS creates two Enterprise Applications named Domain Controller (DC) Services and AzureActiveDirectoryDomainControllerServices in the Azure AD tenant. Both DCs are created in the dedicated subnet and reserve their IP addresses from it; in our case the two IPs are 10.0.1.4 and 10.0.1.5.

Step 14 – Now we should configure the virtual network to allow other connected VMs and applications to use the managed domain. Let's update the DNS server settings for our virtual network to point to the two IP addresses (10.0.1.4 and 10.0.1.5) where Azure AD DS is deployed. Go to the Overview page of Azure AD Domain Services.

Figure 10– Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Configure DNS server Settings

Step 15 – To update the DNS server settings for the virtual network, select the Configure button as shown in the above figure. The DNS settings are configured automatically for our virtual network. Now our managed domain is ready to use.

Figure 11 – Azure Identity and Access Management -IAM-Azure Active Directory – Domain Services – Running
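As an added example (not part of the original post), the same post-deployment step done with Az PowerShell: it reads the managed domain's domain controller addresses, checks that they sit inside the dedicated subnet from Step 9, and sets them as the virtual network's DNS servers. The resource names are placeholders, and the domainControllerIpAddress property name is assumed from the ARM resource schema rather than taken from the post.

```powershell
# Added example (not from the original post): after provisioning, read the managed
# domain's DC IP addresses and point the virtual network's DNS servers at them.
# Assumes the Az module (Az.Accounts, Az.Resources, Az.Network) and an existing
# Connect-AzAccount session. Resource names are placeholders; the subnet is the
# dedicated 10.0.1.0/24 range used in the post.
$resourceGroup = "rg-aadds"       # placeholder resource group name
$vnetName      = "vnet-aadds"     # placeholder virtual network name
$addsSubnet    = "10.0.1.0/24"    # dedicated Azure AD DS subnet from the post

# Converts a dotted IPv4 address to a 32-bit integer for subnet arithmetic.
function ConvertTo-IPv4Int {
    param([string]$Ip)
    $b = [ipaddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

# Returns $true when $Ip falls inside the CIDR range $Cidr.
function Test-IpInSubnet {
    param([string]$Ip, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $mask = ([long]0xFFFFFFFF -shl (32 - [int]$prefix)) -band [long]0xFFFFFFFF
    return ((ConvertTo-IPv4Int $Ip) -band $mask) -eq ((ConvertTo-IPv4Int $network) -band $mask)
}

# 1. Read the DC IPs from the Microsoft.AAD/domainServices resource. The property
#    name domainControllerIpAddress is assumed from the ARM resource schema.
$adds  = Get-AzResource -ResourceGroupName $resourceGroup `
            -ResourceType "Microsoft.AAD/domainServices" -ExpandProperties
$dcIps = @($adds.Properties.domainControllerIpAddress)
if ($dcIps.Count -lt 2) {
    throw "Managed domain not fully provisioned yet (DC IPs found: $($dcIps -join ', '))"
}

# 2. Refuse to proceed if any DC address is outside the dedicated subnet: the design
#    in the post relies on the DCs living in that subnet and nothing else sharing it.
foreach ($ip in $dcIps) {
    if (-not (Test-IpInSubnet -Ip $ip -Cidr $addsSubnet)) {
        throw "DC address $ip is outside the dedicated Azure AD DS subnet $addsSubnet"
    }
}

# 3. Set the VNet's custom DNS servers to the DC addresses (what the portal's
#    Configure button on the managed domain's Overview page does).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = [string[]]$dcIps
$vnet | Set-AzVirtualNetwork | Out-Null
"VNet '$vnetName' now resolves DNS via: $($vnet.DhcpOptions.DnsServers -join ', ')"
```

VMs that are already running in the VNet only pick up the new DNS servers after a restart or DHCP lease renewal, so do that before trying to join them to the managed domain.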

As we know, to authenticate users on the managed domain, Azure AD DS needs password hashes in a format that's suitable for NT LAN Manager (NTLM) and Kerberos authentication. The steps to generate and store these password hashes differ between cloud-only user accounts created in Azure AD and user accounts synchronized from our on-premises directory using Azure AD Connect. For cloud-only user accounts, users must change their passwords before they can use Azure AD DS. This password change causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD. The account isn't synchronized from Azure AD to Azure AD DS until the password is changed.

As I am exploring Azure Identity and Access Management (IAM) in detail, especially Active Directory, please let me know if I missed anything important or if my understanding is not up to the mark.

Next Article : Part 28 – Azure Active Directory – Domain Service ( Azure AD-DS) 3 – Join Windows Server VM To An Azure AD DS Managed Domain

Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.

Thanks for reading 🙂

4 thoughts on “Azure Identity And Access Management Part 27 – Azure Active Directory – Domain Service ( Azure AD DS) 2 – Configure An Azure AD DS Managed Domain”

  1. kanjuspua says:
    July 9, 2020 at 7:48 am

    good

  2. Pingback: Azure Identity And Access Management Part 28 – Azure Active Directory – Domain Service ( Azure AD-DS) 3 – Join Windows Server VM To An Azure AD DS Managed Domain | Knowledge Junction
  3. Pingback: Azure Identity And Access Management Part 29 – Azure Active Directory – Domain Service ( Azure AD-DS) 4 – Install Management Tools In A Domain Joined VM | Knowledge Junction
  4. Pingback: Azure Identity And Access Management Part 30 – Azure Active Directory – Domain Service ( Azure AD-DS) 5 – Create An Organizational Unit (OU) | Knowledge Junction
