Getting Started with Azure Active Directory Domain Services

In today’s Ask the Admin, I’ll show you how to configure Azure Active Directory (AAD) Domain Services and connect it to your AAD tenant.

AAD Domain Services allows organizations to “lift-and-shift” apps that use on-premises AD for authentication to the cloud, extending the capabilities of AAD to provide many of the features of an on-premises AD deployments, but without the effort of installing domain controllers (DCs) in the cloud, setting up ExpressRoute, or a VPN to connect on-premises DCs to Azure. AAD Domain Services supports Kerberos, Windows Integrated Authentication, and NTLM, plus Group Policy and Lightweight Directory Access Protocol (LDAP).

 

 

In this article, I’ll show you how to enable AAD Domain Services to work with an existing AAD tenant. For more information about setting up AAD, see What is Azure Active Directory? on the Petri IT Knowledgebase.

There are four steps required to set up AAD Domain Services:

1. Create an administrative group called AAD DC Administrators. Users of this group can manage Azure Active Directory Domain Services and perform tasks, such as adding VMs to the domain.
2. Set up a virtual network and subnet. AAD Domain Services must be associated with and enabled in a subnet in a virtual network.
3. Update DNS settings for the virtual network to point to the IP address(es) assigned to AAD Domain Services.
4. Users wanting to use AAD Domain Services must change their passwords to generate the credential hashes that are required by AAD Domain Services.

Create an Administrative Group in AAD

The first task is to create an administrative group in AAD. This special administrative group is called AAD DC Administrators, and members are granted administrative privileges on domain-joined devices. It’s worth noting that configuration of Azure AD Domain Services is currently supported in only the classic portal.

• Log in to the Azure classic portal here: https://manage.windowsazure.com.
• Click Active Directory in the left panel and select your directory.
• Click the Groups tab and then Add a Group.
• Name the group AAD DC Administrators and set GROUP TYPE to Security. Note that you must use as the name for this group.
• Click AAD DC Administrators in the list of the groups, and then Add members at the bottom of the screen.
• In the Add members dialog box, select one or more existing users to add to the group.

Enable Azure AD Domain Services in a Virtual Network

AAD Domain Services only supports virtual networks created in the classic portal, so you won’t be able to add Domain Services support for networks created using Azure Resource Manager (ARM). For more information about creating virtual networks in the classic portal, see Set Up a Virtual Network in Windows Azure on Petri IT Knowledgebase.

To complete the steps below, you’ll need a virtual network and subnet created in the classic portal. Not all Azure regions support AD Domain Services, so check that virtual network is in a supported region on the Azure services by region page. Microsoft also recommends using a dedicated subnet for AAD Domain Services.

• Click Active Directory in the left panel of the portal and select your directory.
• Switch to the CONFIGURE tab.
• Scroll down to domain services and set ENABLE DOMAIN SERVICES FOR THIS DIRECTORY to YES.
• In the DNS DOMAIN NAME OF DOMAIN SERVICES drop-down menu, select the domain name you’d like to use for the AD domain. Alternatively, type a domain name into the drop-down menu box.

The domain prefix should be no longer than 15 characters and the domain name shouldn’t already be in use in the virtual network.

• In the CONNECT DOMAIN SERVICES TO THIS VIRTUAL NETWORK drop-down menu, select the virtual network subnet for which you’d like to enable AAD domain services.
• Click SAVE at the bottom of the portal window, and you’ll notice that the configuration status changes to pending. This process can take up to 30 minutes.

Configure DNS

Once the operation is complete, you’ll see an IP address appear under domain services — or two if high availability is enabled for your AAD. Make a note of these IP addresses.

• Click NETWORKS in the left pane, and select the virtual network where Azure AD Domain Services is enabled.
• Switch to the CONFIGURE tab.
• Under dns servers, add the IP addresses that appeared under domain services from the previous steps. The names of the servers can be anything you choose.
• Click SAVE at the bottom of the screen.

Generate Credential Hashes

The instructions that follow are for cloud-only AAD tenants. If you have set up AAD to synchronize with on-premises AD, you’ll need to enable synchronization of NTLM and Kerberos credential hashes to AAD.

Each user that wants to access AAD Domain Services will need to follow these steps, and password management must be enabled for the Azure AD tenant.

• Go to the Azure AD Access Panel page at http://myapps.microsoft.com.
• Switch to the profile tab.
• Click the Change password tile.
• Follow the instructions to change the password.

Once the user’s password has been changed, they should wait at least twenty minutes before attempting to log in to computers joined to the managed domain.