Administer Azure AD Domain Services

We can check user & computer in Azure AD Domain Services using AD administrative tools. AD administrative tools can be installed as part of the Remote Server Administration Tools (RSAT) optional feature on Windows Server and client machines joined to the managed domain (Azure AD Domain Services).


Install Active Directory administration tools on the Windows Server 2016 virtual machine on Azure

Perform the following steps to install the Active Directory Administration tools on the domain joined virtual machine.

1. Login to VM that already joined to Azure AD Domain Services use the credentials of a user belonging to the ‘AAD DC Administrators’ group.

2. From the Start screen, open Server Manager. Click Add Roles and Features in the central pane of the Server Manager window.


3. On the Before You Begin page of the Add Roles and Features Wizard, click Next.


4. On the Installation Type page, leave the Role-based or feature-based installation option checked and click Next.

5. On the Server Selection page, select the current virtual machine from the server pool, and click Next.


6.  On the Server Roles page, click Next. We skip this page since we are not installing any roles on the server.

7. On the Features page, click to expand the Remote Server Administration Tools node and then click to expand the Role Administration Tools node. Select AD DS and AD LDS Tools feature from the list of role administration tools.


8. On the Confirmation page, click Install to install the AD and AD LDS tools feature on the virtual machine. When feature installation completes successfully, click Close to exit the Add Roles and Features wizard.


9. After Finish click close.


Connect to and explore the managed domain

Now that the AD Administrative Tools are installed on the domain joined virtual machine, we can use these tools to explore and administer the managed domain.

Note: You need to be a member of the ‘AAD DC Administrators’ group, to administer the managed domain.

Members of the ‘AAD DC Administrators’ group are granted privileges on the managed domain that enable them to perform tasks such as:

  • Join machines to the managed domain.
  • Configure the built-in GPO for the ‘AADDC Computers’ and ‘AADDC Users’ containers in the managed domain.
  • Administer DNS on the managed domain.
  • Create and administer custom Organizational Units (OUs) on the managed domain.
  • Gain administrative access to computers joined to the managed domain.

The domain is managed by Microsoft, including activities such as patching, monitoring and, performing backups. Therefore, the domain is locked down and you do not have privileges to perform certain administrative tasks on the domain. Some examples of tasks you cannot perform are below.

  • You are not granted Domain Administrator or Enterprise Administrator privileges for the managed domain.
  • You cannot extend the schema of the managed domain.
  • You cannot connect to domain controllers for the managed domain using Remote Desktop.
  • You cannot add domain controllers to the managed domain.

1. Click Tools and choose Active Directory Users & Computers.


2. Expand Domain then click Computers, you will see list computer that already joined to Azure AD Domain Services.


3. Click Users and you will see User & Group like on Azure Active Directory tenant.


Leave a Reply