When I was a presenter at the MUGI (Microsoft User Group Indonesia) event in October, I spoke about Azure Active Directory, and one of the topics was Azure AD Domain Services. I think this one is interesting because some people are still confused about the differences between Azure AD Domain Services and on-premises Domain Services.
Introducing Azure AD Domain Services
Azure AD Domain Services provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. You can consume these domain services without the need for you to deploy, manage, and patch domain controllers in the cloud. Azure AD Domain Services integrates with your existing Azure AD tenant, thus making it possible for users to log in using their corporate credentials. Additionally, you can use existing groups and user accounts to secure access to resources, thus ensuring a smoother ‘lift-and-shift’ of on-premises resources to Azure Infrastructure Services.
Azure AD Domain Services functionality works seamlessly regardless of whether your Azure AD tenant is cloud-only or synced with your on-premises Active Directory.
Azure AD Domain Services for cloud-only organizations
A cloud-only Azure AD tenant (often referred to as ‘managed tenants’) does not have any on-premises identity footprint. In other words, user accounts, their passwords, and group memberships are all native to the cloud – that is, created and managed in Azure AD. Consider for a moment that Contoso is a cloud-only Azure AD tenant. As shown in the following illustration, Contoso’s administrator has configured a virtual network in Azure Infrastructure Services. Applications and server workloads are deployed in this virtual network in Azure virtual machines. Since Contoso is a cloud-only tenant, all user identities, their credentials, and group memberships are created and managed in Azure AD.
Azure AD Domain Services for hybrid organizations
Organizations with a hybrid IT infrastructure consume a mix of cloud resources and on-premises resources. Such organizations synchronize identity information from their on-premises directory to their Azure AD tenant. As hybrid organizations look to migrate more of their on-premises applications to the cloud, especially legacy directory-aware applications, Azure AD Domain Services can be useful to them.
Compare Azure AD Domain Services to DIY AD domain in Azure
The following table helps you decide between using Azure AD Domain Services and managing your own AD infrastructure in Azure.
Azure AD registered and Azure AD joined devices
This section covers the differences between Azure Active Directory (AD) join and Azure AD Domain Services and helps you choose between them, based on your use cases.
With Azure AD Domain Services, you can enjoy the following benefits:
Simple – You can satisfy the identity needs of virtual machines deployed to Azure Infrastructure Services with a few simple clicks. You do not need to deploy and manage identity infrastructure in Azure or set up connectivity back to your on-premises identity infrastructure.
Integrated – Azure AD Domain Services is deeply integrated with your Azure AD tenant. You can now use Azure AD as an integrated cloud-based enterprise directory that caters to the needs of both your modern applications and traditional directory-aware applications.
Compatible – Azure AD Domain Services is built on the proven enterprise grade infrastructure of Windows Server Active Directory. Therefore, your applications can rely on a greater degree of compatibility with Windows Server Active Directory features. Not all features available in Windows Server AD are currently available in Azure AD Domain Services. However, available features are compatible with the corresponding Windows Server AD features you rely on in your on-premises infrastructure. The LDAP, Kerberos, NTLM, Group Policy, and domain join capabilities constitute a mature offering that has been tested and refined over various Windows Server releases.
Cost-effective – With Azure AD Domain Services, you can avoid the infrastructure and management burden that is associated with managing identity infrastructure to support traditional directory-aware applications. You can move these applications to Azure Infrastructure Services and benefit from greater savings on operational expenses.
Enable Azure AD Domain Services using the Azure Portal
To launch the Enable Azure AD Domain Services wizard, complete the following steps:
1. Go to the Azure portal.
2. In the left pane, click on New.
3. In the New page, type Domain Services into the search bar.
4. Click to select Azure AD Domain Services from the list of search suggestions. On the Azure AD Domain Services page, click the Create button.
5. The Enable Azure AD Domain Services wizard is launched.
Configure Azure AD Domain Services using the Azure Portal
1. On the Basics page of the wizard, specify the DNS domain name for the managed domain. You can also choose the subscription, resource group and Azure location to which the managed domain should be deployed:
Choose the DNS domain name for your managed domain.
Select the Azure Subscription in which you would like to create the managed domain.
Select the Resource group to which the managed domain should belong. You can choose either the Create new or Use existing options to select the resource group.
Choose the Azure Location in which the managed domain should be created. On the Network page of the wizard, you see only virtual networks that belong to the location you have selected.
When you are done, click OK to move on to the Network page of the wizard.
2. The next configuration task is to create an Azure virtual network and a dedicated subnet within it. You enable Azure Active Directory Domain Services in this subnet within your virtual network. You may also pick an existing virtual network and create the dedicated subnet within it.
Click Virtual network to select a virtual network.
On the Choose virtual network page, you see all existing virtual networks. You see only the virtual networks that belong to the resource group and Azure location you have selected on the Basics wizard page.
Choose the virtual network in which Azure AD Domain Services should be enabled. You can either pick an existing virtual network or create a new one.
Create virtual network: Click Create new to create a new virtual network. We highly recommend using a dedicated subnet for Azure AD Domain Services. For example, create a subnet with the name ‘DomainServices’, making it easy for other administrators to understand what is deployed within the subnet. Click OK when you’re done.
Existing virtual network: If you plan to pick an existing virtual network, create a dedicated subnet using the virtual networks extension, and then pick that subnet. Click Virtual Network to select the existing virtual network. Click Subnet to pick the dedicated subnet in your existing virtual network, within which to enable your new managed domain. Click OK when you’re done.
3. In this configuration task, you create an administrative group in your Azure AD directory. This special administrative group is called ‘AAD DC Administrators’. Members of this group are granted administrative permissions on machines that are domain-joined to the managed domain: on domain-joined machines, the group is added to the local Administrators group, and its members can use Remote Desktop to connect remotely to those machines. The wizard automatically creates the group in your Azure AD directory; if you already have a group with this name, the wizard selects that group instead. You can configure group membership using the Administrator group wizard page.
To configure group membership, click AAD DC Administrators.
Click the Add members button to add users from your Azure AD directory to the administrator group.
When you are done, click OK to move on to the Summary page of the wizard.
On the Summary page of the wizard, review the configuration settings for the managed domain. You can go back to any step of the wizard to make changes, if necessary. When you are done, click OK to create the new managed domain.
You see a notification that shows the progress of your Azure AD Domain Services deployment. Click the notification to see detailed progress for the deployment.
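Because every member of AAD DC Administrators becomes a local administrator (with RDP access) on every machine joined to the managed domain, its membership is worth auditing after the wizard finishes. The following script is an added example, not part of the original post; it uses the AzureAD PowerShell module (Connect-AzureAD, Get-AzureADGroup, Get-AzureADGroupMember) and an approved-member list that is a constructed placeholder:

```powershell
# Added example (not from the original post): report who holds administrative
# rights on domain-joined machines through the 'AAD DC Administrators' group.
# Requires the AzureAD module. The approved list is a constructed placeholder;
# replace it with the accounts your change process has authorised.

$GroupName       = 'AAD DC Administrators'
$ApprovedMembers = @('admin1@contoso.onmicrosoft.com')   # constructed placeholder

Connect-AzureAD | Out-Null

# The wizard creates (or selects) exactly one group with this display name.
# Fail loudly if it is missing or ambiguous rather than auditing the wrong group.
$group = Get-AzureADGroup -SearchString $GroupName |
         Where-Object { $_.DisplayName -eq $GroupName }
if (@($group).Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $(@($group).Count)."
}

# -All $true avoids silently truncating large memberships to the first page.
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true

$report = foreach ($m in $members) {
    # Only user objects carry a UPN; groups and service principals are flagged
    # by type, because nesting widens who ends up as a local admin.
    $identity = if ($m.ObjectType -eq 'User') { $m.UserPrincipalName } else { "<$($m.ObjectType)>" }
    [pscustomobject]@{
        DisplayName = $m.DisplayName
        Identity    = $identity
        ObjectType  = $m.ObjectType
        Approved    = ($identity -in $ApprovedMembers)
    }
}

$report | Format-Table -AutoSize

$unexpected = @($report | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) member(s) of '$GroupName' are not on the approved list."
}
```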
Provision your managed domain
The process of provisioning your managed domain can take up to an hour.
The Overview tab shows that the managed domain is currently being provisioned. You cannot configure the managed domain until it is fully provisioned. It may take up to an hour for your managed domain to be fully provisioned.
When the managed domain is fully provisioned, the Overview tab shows the domain status as Running.
Update DNS settings for the Azure virtual network
In the preceding configuration tasks, you have successfully enabled Azure Active Directory Domain Services for your directory. The next task is to ensure that computers within the virtual network can connect and consume these services. In this article, you update the DNS server settings for your virtual network to point to the two IP addresses where Azure Active Directory Domain Services is available on the virtual network.
To update the DNS server setting for the virtual network in which you have enabled Azure Active Directory Domain Services, complete the following steps:
The Overview tab lists a set of Required configuration steps to be performed after your managed domain is fully provisioned. The first configuration step is Update DNS server settings for your virtual network.
When your domain is fully provisioned, two IP addresses are displayed in this tile. Each of these IP addresses represents a domain controller for your managed domain.
To copy the first IP address to clipboard, click the copy button next to it. Then click the Configure DNS servers button.
Paste the first IP address into the Add DNS server textbox in the DNS servers blade. Scroll horizontally to the left to copy the second IP address and paste it into the Add DNS server textbox.
Click Save when you are done to update the DNS servers for the virtual network.
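Pointing the virtual network at the two domain controller addresses is easy to get half right (one address pasted, or a public resolver left in the list), so a check that compares the VNet's DNS servers with the managed domain's DC IPs is useful. The following script is an added example, not part of the original post; it uses the Az.Resources and Az.Network modules (Get-AzResource, Get-AzVirtualNetwork, Set-AzVirtualNetwork), assumes the Microsoft.AAD/DomainServices resource exposes the DC addresses in its domainControllerIpAddress property, and uses constructed placeholder names for the resource group and VNet:

```powershell
# Added example (not from the original post): verify that the VNet's DNS
# servers are exactly the managed domain's two DC IPs, and optionally fix them.
# Assumes Az.Resources and Az.Network are installed and Connect-AzAccount has run.
param(
    [string]$VNetResourceGroup = 'rg-domainservices',    # constructed placeholder
    [string]$VNetName          = 'vnet-domainservices',  # constructed placeholder
    [switch]$Fix
)

# Read the DC IPs from the managed domain resource (assumption: the ARM resource
# exposes them as properties.domainControllerIpAddress, as shown on the Overview tile).
$aadds = @(Get-AzResource -ResourceType 'Microsoft.AAD/DomainServices' -ExpandProperties)
if ($aadds.Count -ne 1) { throw "Expected one managed domain, found $($aadds.Count)." }
$dcIps = @($aadds[0].Properties.domainControllerIpAddress)
if ($dcIps.Count -ne 2) { throw "Managed domain not fully provisioned yet ($($dcIps.Count) DC IP(s))." }

$vnet    = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $VNetResourceGroup
$current = if ($vnet.DhcpOptions) { @($vnet.DhcpOptions.DnsServers) } else { @() }

# Order does not matter, but any missing or extra server does: a stray public
# resolver makes domain join and Kerberos SRV lookups fail intermittently.
$missing = @($dcIps   | Where-Object { $_ -notin $current })
$extra   = @($current | Where-Object { $_ -notin $dcIps })

if ($missing.Count -eq 0 -and $extra.Count -eq 0) {
    Write-Host "OK: $VNetName already uses DNS servers $($dcIps -join ', ')"
    return
}

Write-Warning "DNS mismatch on $VNetName. Missing: [$($missing -join ', ')] Extra: [$($extra -join ', ')]"

if ($Fix) {
    # Replace the list wholesale so the VNet resolves only through the managed domain.
    if (-not $vnet.DhcpOptions) {
        $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
    }
    $vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$dcIps
    $vnet | Set-AzVirtualNetwork | Out-Null
    Write-Host "Updated $VNetName DNS servers to $($dcIps -join ', '). VMs pick this up after a restart or DHCP renew."
}
```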
Enable password synchronization to Azure Active Directory Domain Services
In preceding tasks, you enabled Azure Active Directory Domain Services for your Azure Active Directory (Azure AD) tenant. The next task is to enable synchronization of credential hashes required for NT LAN Manager (NTLM) and Kerberos authentication to Azure AD Domain Services. After you’ve set up credential synchronization, users can sign in to the managed domain with their corporate credentials.
The steps involved are different for cloud-only user accounts vs user accounts that are synchronized from your on-premises directory using Azure AD Connect.
Type of user account and the steps to follow:
- Cloud user accounts created in Azure AD: follow the instructions in this article.
- User accounts synchronized from an on-premises directory: synchronize passwords for user accounts synced from your on-premises AD to your managed domain.
To authenticate users on the managed domain, Azure Active Directory Domain Services needs credential hashes in a format that’s suitable for NTLM and Kerberos authentication. Azure AD does not generate or store credential hashes in the format that’s required for NTLM or Kerberos authentication, until you enable Azure Active Directory Domain Services for your tenant. For obvious security reasons, Azure AD also does not store any password credentials in clear-text form. Therefore, Azure AD does not have a way to automatically generate these NTLM or Kerberos credential hashes based on users’ existing credentials.
Note: If your organization has cloud-only user accounts, all users who need to use Azure Active Directory Domain Services must change their passwords. A cloud-only user account is an account that was created in your Azure AD directory using either the Azure portal or Azure AD PowerShell cmdlets. Such user accounts aren’t synchronized from an on-premises directory.
This password change process causes the credential hashes that are required by Azure Active Directory Domain Services for Kerberos and NTLM authentication to be generated in Azure AD. You can either expire the passwords for all users in the tenant who need to use Azure Active Directory Domain Services or instruct them to change their passwords.
Because my tenant is cloud-only, I follow these steps:
- Go to the Azure AD Access Panel page for your organization.
- In the top right corner, click on your name and select Profile from the menu.
- On the Profile page, click on Change password.
- On the change password page, type your existing (old) password, type a new password, and then confirm it.
- Click Submit.
A few minutes after you have changed your password, the new password is usable in Azure Active Directory Domain Services. After about 20 minutes, you can sign in to computers joined to the managed domain using the newly changed password.