
In today’s Ask the Admin, I’ll show you how to configure Azure Active Directory (AAD) Domain Services and connect it to your AAD tenant.
AAD Domain Services allows organizations to “lift-and-shift” apps that use on-premises AD for authentication to the cloud, extending the capabilities of AAD to provide many of the features of an on-premises AD deployment, but without the effort of installing domain controllers (DCs) in the cloud, or of setting up ExpressRoute or a VPN to connect on-premises DCs to Azure. AAD Domain Services supports Kerberos, Windows Integrated Authentication, and NTLM, plus Group Policy and Lightweight Directory Access Protocol (LDAP).
In this article, I’ll show you how to enable AAD Domain Services to work with an existing AAD tenant. For more information about setting up AAD, see What is Azure Active Directory? on the Petri IT Knowledgebase.
There are four steps required to set up AAD Domain Services:
The first task is to create an administrative group in AAD. This special administrative group is called AAD DC Administrators, and its members are granted administrative privileges on domain-joined devices. It’s worth noting that configuration of Azure AD Domain Services is currently supported only in the classic portal.
Add the AAD DC Administrators to AAD (Image Credit: Russell Smith)
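The article performs this step in the classic portal; as an added example (not from the original article), the same group can be created and, more importantly, reviewed with the AzureAD PowerShell module. It assumes the AzureAD module is installed, Connect-AzureAD has already been run, and the UPN is a constructed placeholder.

```powershell
# Added example: create the AAD DC Administrators group and review its membership.
# Assumes the AzureAD module is installed and Connect-AzureAD has already been run.

$groupName = 'AAD DC Administrators'   # the group name AAD Domain Services looks for

# Reuse the group if it already exists; otherwise create it as a plain security group.
$group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $groupName `
        -Description 'Delegated administrators for Azure AD Domain Services' `
        -SecurityEnabled $true -MailEnabled $false -MailNickName 'AADDCAdministrators'
}

# Add a single administrator. Members receive admin rights on every machine joined
# to the managed domain, so keep this membership small and use dedicated accounts.
$adminUpn = 'dsadmin@contoso.example'   # placeholder, replace with a real account
$user = Get-AzureADUser -ObjectId $adminUpn
$existing = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
if ($existing.ObjectId -notcontains $user.ObjectId) {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
}

# Periodic review: list every member so an unexpected account stands out.
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Select-Object DisplayName, UserPrincipalName, ObjectType |
    Format-Table -AutoSize
```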
AAD Domain Services only supports virtual networks created in the classic portal, so you won’t be able to add Domain Services support for networks created using Azure Resource Manager (ARM). For more information about creating virtual networks in the classic portal, see Set Up a Virtual Network in Windows Azure on Petri IT Knowledgebase.
To complete the steps below, you’ll need a virtual network and subnet created in the classic portal. Not all Azure regions support AAD Domain Services, so check that the virtual network is in a supported region on the Azure services by region page. Microsoft also recommends using a dedicated subnet for AAD Domain Services.
Enable Domain Services for the directory (Image Credit: Russell Smith)
The domain prefix should be no longer than 15 characters and the domain name shouldn’t already be in use in the virtual network.
Once the operation is complete, you’ll see an IP address appear under domain services — or two if high availability is enabled for your AAD. Make a note of these IP addresses.
Configure DNS settings for the virtual network (Image Credit: Russell Smith)
The instructions that follow are for cloud-only AAD tenants. If you have set up AAD to synchronize with on-premises AD, you’ll need to enable synchronization of NTLM and Kerberos credential hashes to AAD.
Each user who wants to access AAD Domain Services will need to follow these steps, and password management must be enabled for the Azure AD tenant.
Once the user’s password has been changed, they should wait at least twenty minutes before attempting to log in to computers joined to the managed domain.
Copyright ©2019 BWW Media Group