Search the Petri IT Knowledgebase
search icon

close

Windows

Cloud

Microsoft 365

PowerShell

Active Directory

Security

Windows Server

Video

If you are a large enterprise, don't miss our IT cost-cutting webinar!

Register today!
Icon for Live Conference on December 8!

Live Conference on December 8!

GET-IT Microsoft Teams Conference

Icon for On-Demand Webinar

On-Demand Webinar

MVP Panel Talk: Do You Need to Backup Microsoft 36...

Icon for Live Webinar Coming Dec. 14th!

Live Webinar Coming Dec. 14th!

Recession Proof Your IT: How to Reduce IT Costs Wi...

Icon for New E-Book

New E-Book

Tracking Tasks in Microsoft 365

Home

Active Directory

Getting Started with Azure Active Directory Domain Services

Russell Smith

 |

Nov 11, 2016

cloud-computing-hands-hero

In today’s Ask the Admin, I’ll show you how to configure Azure Active Directory (AAD) Domain Services and connect it to your AAD tenant.

AAD Domain Services allows organizations to “lift-and-shift” apps that use on-premises AD for authentication to the cloud, extending the capabilities of AAD to provide many of the features of an on-premises AD deployments, but without the effort of installing domain controllers (DCs) in the cloud, setting up ExpressRoute, or a VPN to connect on-premises DCs to Azure. AAD Domain Services supports Kerberos, Windows Integrated Authentication, and NTLM, plus Group Policy and Lightweight Directory Access Protocol (LDAP).

 

 

In this article, I’ll show you how to enable AAD Domain Services to work with an existing AAD tenant. For more information about setting up AAD, see What is Azure Active Directory? on the Petri IT Knowledgebase.

There are four steps required to set up AAD Domain Services:

  1. Create an administrative group called AAD DC Administrators. Users of this group can manage Azure Active Directory Domain Services and perform tasks, such as adding VMs to the domain.
  2. Set up a virtual network and subnet. AAD Domain Services must be associated with and enabled in a subnet in a virtual network.
  3. Update DNS settings for the virtual network to point to the IP address(es) assigned to AAD Domain Services.
  4. Users wanting to use AAD Domain Services must change their passwords to generate the credential hashes that are required by AAD Domain Services.

Create an Administrative Group in AAD

The first task is to create an administrative group in AAD. This special administrative group is called AAD DC Administrators, and members are granted administrative privileges on domain-joined devices. It’s worth noting that configuration of Azure AD Domain Services is currently supported in only the classic portal.

Add the AAD DC Administrators to AAD (Image Credit: Russell Smith)

Add the AAD DC Administrators to AAD (Image Credit: Russell Smith)

  • Log in to the Azure classic portal here: https://manage.windowsazure.com.
  • Click Active Directory in the left panel and select your directory.
  • Click the Groups tab and then Add a Group.
  • Name the group AAD DC Administrators and set GROUP TYPE to Security. Note that you must use as the name for this group.
  • Click AAD DC Administrators in the list of the groups, and then Add members at the bottom of the screen.
  • In the Add members dialog box, select one or more existing users to add to the group.
Add the AAD DC Administrators to AAD (Image Credit: Russell Smith)

Add the AAD DC Administrators to AAD (Image Credit: Russell Smith)

Enable Azure AD Domain Services in a Virtual Network

AAD Domain Services only supports virtual networks created in the classic portal, so you won’t be able to add Domain Services support for networks created using Azure Resource Manager (ARM). For more information about creating virtual networks in the classic portal, see Set Up a Virtual Network in Windows Azure on Petri IT Knowledgebase.

To complete the steps below, you’ll need a virtual network and subnet created in the classic portal. Not all Azure regions support AD Domain Services, so check that virtual network is in a supported region on the Azure services by region page. Microsoft also recommends using a dedicated subnet for AAD Domain Services.

Enable Domain Services for the directory (Image Credit: Russell Smith)

Enable Domain Services for the directory (Image Credit: Russell Smith)

  • Click Active Directory in the left panel of the portal and select your directory.
  • Switch to the CONFIGURE tab.
  • Scroll down to domain services and set ENABLE DOMAIN SERVICES FOR THIS DIRECTORY to YES.
  • In the DNS DOMAIN NAME OF DOMAIN SERVICES drop-down menu, select the domain name you’d like to use for the AD domain. Alternatively, type a domain name into the drop-down menu box.

The domain prefix should be no longer than 15 characters and the domain name shouldn’t already be in use in the virtual network.

  • In the CONNECT DOMAIN SERVICES TO THIS VIRTUAL NETWORK drop-down menu, select the virtual network subnet for which you’d like to enable AAD domain services.
  • Click SAVE at the bottom of the portal window, and you’ll notice that the configuration status changes to pending. This process can take up to 30 minutes.

Configure DNS

Once the operation is complete, you’ll see an IP address appear under domain services — or two if high availability is enabled for your AAD. Make a note of these IP addresses.

  • Click NETWORKS in the left pane, and select the virtual network where Azure AD Domain Services is enabled.
  • Switch to the CONFIGURE tab.
  • Under dns servers, add the IP addresses that appeared under domain services from the previous steps. The names of the servers can be anything you choose.
  • Click SAVE at the bottom of the screen.
Configure DNS settings for the virtual network (Image Credit: Russell Smith)

Configure DNS settings for the virtual network (Image Credit: Russell Smith)

Generate Credential Hashes

The instructions that follow are for cloud-only AAD tenants. If you have set up AAD to synchronize with on-premises AD, you’ll need to enable synchronization of NTLM and Kerberos credential hashes to AAD.

Each user that wants to access AAD Domain Services will need to follow these steps, and password management must be enabled for the Azure AD tenant.

  • Go to the Azure AD Access Panel page at http://myapps.microsoft.com.
  • Switch to the profile tab.
  • Click the Change password tile.
  • Follow the instructions to change the password.

Once the user’s password has been changed, they should wait at least twenty minutes before attempting to log in to computers joined to the managed domain.

More from Russell Smith

Microsoft Teams

Microsoft Teams Alternatives for Small Business
Windows 11 approved hero 3

What’s New in Windows – November 2022
Microsoft Teams

Free Microsoft Teams GET-IT Virtual Conference Dec 8

Petri Newsletters

Whether it’s Security or Cloud Computing, we have the know-how for you. Sign up for our newsletters here.

More in Active Directory

Cloud Computing

Microsoft Adds RDP Shortpath Support to Azure Virtual Desktop

Dec 7, 2022 | Rabia Noureen

Network Security

How to Enable and Use the Active Directory Recycle Bin

Nov 21, 2022 | Michael Reinders

Windows

How to Use LAPS to Manage Local Admin Account Passwords in Active Directory and Azure AD

Nov 14, 2022 | Michael Reinders

Zoom video calls

Zoom Adds New Email and Calendar Products to Improve Collaboration

Nov 9, 2022 | Rabia Noureen

Cloud Computing

How to List All Users in Active Directory

Nov 7, 2022 | Michael Reinders

Security

Budget for Operational Resilience in 2023

Oct 20, 2022 | Russell Smith

Most popular on petri

Article saved!

Access saved content from your profile page. View Saved

Reach out

Learn More

Sitemap

Join The Conversation

Create a free account today to participate in forum conversations, comment on posts and more.

Copyright ©2019 BWW Media Group

Terms and Conditions of Use

 |

Privacy Policy