Search the Petri IT Knowledgebase
search icon

close

Want to know about the security benefits of Microsoft's E5 license?

Watch Webinar Now
Icon for Live Webinar!

Live Webinar!

Native Microsoft 365 Recovery Pitfalls

Icon for Latest Whitepaper

Latest Whitepaper

7 Critical Reasons for Microsoft 365 Backup

Icon for On-Demand Webinar

On-Demand Webinar

Anatomy of a Project – Project Management with Micros...

Icon for On-Demand Webinar

On-Demand Webinar

Combating Cyberattacks in 2022: Prepare to Defend Your ...

Home

Active Directory

Getting Started with Azure Active Directory Domain Services

Russell Smith

 |

Nov 11, 2016

cloud-computing-hands-hero

In today’s Ask the Admin, I’ll show you how to configure Azure Active Directory (AAD) Domain Services and connect it to your AAD tenant.

AAD Domain Services allows organizations to “lift-and-shift” apps that use on-premises AD for authentication to the cloud, extending the capabilities of AAD to provide many of the features of an on-premises AD deployments, but without the effort of installing domain controllers (DCs) in the cloud, setting up ExpressRoute, or a VPN to connect on-premises DCs to Azure. AAD Domain Services supports Kerberos, Windows Integrated Authentication, and NTLM, plus Group Policy and Lightweight Directory Access Protocol (LDAP).

 

 

In this article, I’ll show you how to enable AAD Domain Services to work with an existing AAD tenant. For more information about setting up AAD, see What is Azure Active Directory? on the Petri IT Knowledgebase.

There are four steps required to set up AAD Domain Services:

  1. Create an administrative group called AAD DC Administrators. Users of this group can manage Azure Active Directory Domain Services and perform tasks, such as adding VMs to the domain.
  2. Set up a virtual network and subnet. AAD Domain Services must be associated with and enabled in a subnet in a virtual network.
  3. Update DNS settings for the virtual network to point to the IP address(es) assigned to AAD Domain Services.
  4. Users wanting to use AAD Domain Services must change their passwords to generate the credential hashes that are required by AAD Domain Services.

Create an Administrative Group in AAD

The first task is to create an administrative group in AAD. This special administrative group is called AAD DC Administrators, and members are granted administrative privileges on domain-joined devices. It’s worth noting that configuration of Azure AD Domain Services is currently supported in only the classic portal.

Add the AAD DC Administrators to AAD (Image Credit: Russell Smith)

Add the AAD DC Administrators to AAD (Image Credit: Russell Smith)

  • Log in to the Azure classic portal here: https://manage.windowsazure.com.
  • Click Active Directory in the left panel and select your directory.
  • Click the Groups tab and then Add a Group.
  • Name the group AAD DC Administrators and set GROUP TYPE to Security. Note that you must use as the name for this group.
  • Click AAD DC Administrators in the list of the groups, and then Add members at the bottom of the screen.
  • In the Add members dialog box, select one or more existing users to add to the group.
Add the AAD DC Administrators to AAD (Image Credit: Russell Smith)

Add the AAD DC Administrators to AAD (Image Credit: Russell Smith)

Enable Azure AD Domain Services in a Virtual Network

AAD Domain Services only supports virtual networks created in the classic portal, so you won’t be able to add Domain Services support for networks created using Azure Resource Manager (ARM). For more information about creating virtual networks in the classic portal, see Set Up a Virtual Network in Windows Azure on Petri IT Knowledgebase.

To complete the steps below, you’ll need a virtual network and subnet created in the classic portal. Not all Azure regions support AD Domain Services, so check that virtual network is in a supported region on the Azure services by region page. Microsoft also recommends using a dedicated subnet for AAD Domain Services.

Enable Domain Services for the directory (Image Credit: Russell Smith)

Enable Domain Services for the directory (Image Credit: Russell Smith)

  • Click Active Directory in the left panel of the portal and select your directory.
  • Switch to the CONFIGURE tab.
  • Scroll down to domain services and set ENABLE DOMAIN SERVICES FOR THIS DIRECTORY to YES.
  • In the DNS DOMAIN NAME OF DOMAIN SERVICES drop-down menu, select the domain name you’d like to use for the AD domain. Alternatively, type a domain name into the drop-down menu box.

The domain prefix should be no longer than 15 characters and the domain name shouldn’t already be in use in the virtual network.

  • In the CONNECT DOMAIN SERVICES TO THIS VIRTUAL NETWORK drop-down menu, select the virtual network subnet for which you’d like to enable AAD domain services.
  • Click SAVE at the bottom of the portal window, and you’ll notice that the configuration status changes to pending. This process can take up to 30 minutes.

Configure DNS

Once the operation is complete, you’ll see an IP address appear under domain services — or two if high availability is enabled for your AAD. Make a note of these IP addresses.

  • Click NETWORKS in the left pane, and select the virtual network where Azure AD Domain Services is enabled.
  • Switch to the CONFIGURE tab.
  • Under dns servers, add the IP addresses that appeared under domain services from the previous steps. The names of the servers can be anything you choose.
  • Click SAVE at the bottom of the screen.
Configure DNS settings for the virtual network (Image Credit: Russell Smith)

Configure DNS settings for the virtual network (Image Credit: Russell Smith)

Generate Credential Hashes

The instructions that follow are for cloud-only AAD tenants. If you have set up AAD to synchronize with on-premises AD, you’ll need to enable synchronization of NTLM and Kerberos credential hashes to AAD.

Each user that wants to access AAD Domain Services will need to follow these steps, and password management must be enabled for the Azure AD tenant.

  • Go to the Azure AD Access Panel page at http://myapps.microsoft.com.
  • Switch to the profile tab.
  • Click the Change password tile.
  • Follow the instructions to change the password.

Once the user’s password has been changed, they should wait at least twenty minutes before attempting to log in to computers joined to the managed domain.

More from Russell Smith

Microsoft Teams

How to Share Files in Teams (And Understand Where They Are Stored)
Security Authenticator

Apple Passkeys Are Here - But Microsoft Leads the Way with Passwordless Authentication

Top 5 New Features in Microsoft Teams - July 2022

Petri Newsletters

Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.

More in Active Directory

Windows

How To Install Active Directory Users And Computers: A Step-by-Step Guide

Aug 12, 2022 | Michael Reinders

Windows 365

Microsoft Launches New On-Premises Unified Update Platform To Manage Windows Updates

Jul 27, 2022 | Rabia Noureen

Windows

How to Fix The "Trust Relationship Between This Workstation And The Primary Domain Failed" Error

Jul 27, 2022 | Michael Reinders

Cloud Computing

iCloud for Windows Now Lets Users Generate 2FA Codes

Jul 26, 2022 | Rabia Noureen

Windows 12 due for release in 2024

Windows 12 Won't Be a Big Bang Release. Here's Why.

Jul 22, 2022 | Russell Smith

PowerShell

How to Install Active Directory PowerShell Module

Jul 18, 2022 | Michael Reinders

Most popular on petri

Article saved!

Access saved content from your profile page. View Saved

Reach out

Learn More

Sitemap

Join The Conversation

Create a free account today to participate in forum conversations, comment on posts and more.

Copyright ©2019 BWW Media Group

Terms and Conditions of Use