Since the evolution of Azure active directory, it has become a popular identity management solution on Azure. But note that it is just an identity solution and does not provide all features what Windows Active Directory offers e.g. domain controller
services, certificate services etc.
Typically, if your organization’s workstations, servers and devices needs to be joined to your domain then you will need to provision your on premises domain controller and then each device will be joined to the domain. But wait, before we move ahead
with this let’s dive deep into few core concepts.
Well, existence of each thing has some definite meaning and same applies to the domain. Domain concept was introduced so that individual user can be granted access with set of permissions to multiple computer resources with same credentials. So in
a nutshell, domain is a logical grouping of computer resources sharing central directory of users. This directory is known as Active Directory.
Domain controller is nothing but a windows based computer containing central directory of users, best described as the centre-piece of active directory. Since the domain controller is windows based operating system machine so all other computer resources
in a domain also need to have windows based operating system.
Now as described above, the centerpiece of AD i.e. domain controller is responsible for providing set of services to all the resources within a domain are called as domain services. Now these services could be security policy enforcement, access control,
user authentication etc.
Now with these basics, let’s go ahead and see what Azure Active Directory Domain Services is.
The idea behind having active directory domain services is as simple as having your domain controller in cloud and use its services online. Meaning that, when you create an Azure active directory and provision users in it, all those users have their
‘*.onmicrosoft.com” domain associated with them. Now your computer resources like servers, workstations can be brought into this *.onmicrosoft.com domain and let your Azure AD users sign in to these resources using their Azure AD credentials.
Now, if you are not happy with this default *.onmicrosoft.com domain and already have your own custom domain then you can use your domain and bring your resources on your custom domain.
Let’s see how we can leverage and configure ADDS.
Configuration of ADDS is usually 5 stepped process.
Let’s see each step in details.
First things first,
The azure ADDS service is currently in preview and required virtual network should be in the same region where ADDS services are available. Also the VNET has to be created in classic mode as currently ADDS does not support ARM based VNETs.
For this article, we will be creating our AD and classic VNET in east us location where ADDS is available.
List of available azure services by region can be seen here -
Services by region.
Let’s start from scratch and crate a brand new Azure AD with name ‘alphacorpinc’. Currently Azure AD management operations are supported only through classic azure portal.
It opens up a modal dialogue asking to enter metadata for your new AD like domain name. We will give the same domain name as AD name as ‘alphacorpinc’ and will not select the last checkbox for specifying B2C directory.
Click ok and it starts provisioning your new AD in Azure.
Now once the AD is created, we will need to create a group. Please note that this group creation is a mandate and group only with name “AAD DC Administrators” has to be created. Members of this group will be provided special rights and will be added
to administrator group of the domain joined machines automatically.
We will create a user in Azure AD in a “User” role and will add the user in group mentioned above.
To create a user in AD, navigate to the Azure AD and click on Users tab. Select Add from bottom action bar.
Next screen will give you option to generate the temporary password. Copy the generated password and login to azure portal with this user credentials i.e. ADDCAdmin@alphacorpinc.onmicrosoft.com where you will be asked to create new password for this
user. Make note of this new password, we will be needing it next steps.
Now let’s create a group as mentioned above and add this newly created user in the group.
To create a group in Azure AD, click on groups tab and select add group from bottom action bar.
Click ok and add user which we just created in the group.
And with that, we are done with step 1, let’s proceed with step 2.
As anyways we would need to create a network while provisioning on premises DC or DC on a VM which acts as a logical boundary for resources i.e. all resources belonging to this network can be brought on to the domain and can establish communication
As mentioned above, this has to be a classic VNET since ADDS currently only supports classic VNET and it has to be in the region where ADDS services are supported.
To create a new VNET in azure, click on new and select virtual network. We will name our VNET as ‘AlphaCorpVNet’.
Note that we selected the DNS Server option as ‘None’ and we will be updating it later once we enable the ADDS in next step.
Enable and configure ADDS in Azure AD
Let’s navigate back to the Azure AD created in step 1. Select Configure tab from the top on your AD home page.
Find the section Domain Services and select ‘Yes’ option for setting ‘ENABLE DOMAIN SERVICES FOR THIS DIRECTORY’.
Once you enable the ADDS option, you will be asked to choose the domain name and VNet. Domain name option lists all the registered i.e. verified and unverified domain names of the Azure AD.
Click save and it will enable ADDS for Azure AD.
Note that the DNS domain name of domain services dropdown contains the default AD domain, you can either keep it or change it to your desired domain name. If you have added your custom domains (verified and unverified both) in the AD then those will
be shown in the dropdown too. You will not be able to change this once you click save and once domain services are enabled.
After few minutes, you will be able to see the DNS Server addresses coming up on the same page of Azure AD i.e. configuration tab. The reason it takes few minutes to show those IP addresses to you is because in background it provisions and configures
domain controller server and once it is ready then it comes back with DNS address.
Take a note of these DNS server addresses which we will be updating in ‘AlphaCorpVNet’.
Navigate to the AlphaCorpVNet and click on configure tab.
Add both DNS entries obtained from Azure AD configuration page as DNS server for VNET and Save the VNET settings.
Once the entire set up is ready, now it is time to validate whether ADDS setup is working or not. Best way to do is by provisioning a domain joined virtual machine in Azure.
Let’s create a classic mode i.e. IaaS v1 virtual machine and we will try to bring it on the alphacorpinc domain. Note that we will need to create VM in same Vnet where ADDS DNS is updated i.e. in AlphaCorpVnet.
Once the VM is created, login to it using RDP via local administrator account specified during the VM creation.
In Server manager, select local server node from left and click on workgroup name.
Select Domain and enter domain name, you should be able to get credential prompt after clicking on OK button if VM is able to find the DNS if not then as an alternative you can set preferred DNS address of the VM by modifying network TCP IP properties
and set ADDS DNS address as preferred.
After clicking Ok and close, you will be disconnected from RDP session.
Restart the VM from Azure portal and log in to RDP session again.
Now repeat the step in order to join VM to domain from workgroup by going to server manager. You will be asked for credentials to join VM to the specified domain.
Specify the credentials of a user which we created in step 1 and added to the group ‘AAD DC Administrators’.
After successful authentication, VM will be joined to the domain and below message can be seen.
(Please note that if you have recently updated credentials of the authenticating user, then it might take some time to reflect the updated password).
Restart the VM and now you will be able to log on to the VM with your Azure AD user which proves that ADDS setup has been correctly setup and is in place.
By now, some of you might be wondering that though I have ADDS set up in place and machines are getting joined to the domain but where can I configure settings of my domain on domain controller which is running on cloud?
Well you are right and that’s the valid question. There are two ways to do it.
Since we have just joined a VM to the Azure AD domain, so lets see details of the second approach.
Log on to the domain joined VM using credentials of a user added in ‘AAD DC Administrators’ group of Azure AD.
Open Server Manager and click on Add roles and features. Navigate to the features selection dialogue and select below features
This basically enables the access to Active Directory Administration Tools.
Once the installation is complete, open up AD administration center.
Which may look something like this
Click on the domain name shown on the left and navigate to the AADDC Computers.
You will be able to overview and manage all the domain joined VMs from this console.
Like mentioned before, ADDS currently supports only ASM based VNETs i.e. classic VNETs and so only classic mode VMs can be joined to the domain but what is the workaround to join ARM based VMs to Azure AD Domain? We will be seeing it in upcoming article
by leveraging Peering concept of VNETs.