Overview

Azure Active Directory (AD) Domain Services gives the ability to join computers on a domain without any need to manage or deploy a Domain Controller. The users can sign-in by using their existing corporate credentials.

Features

In this service are available many features such as :

  • domain-join
    • Join computers in the managed domain with simple steps.
  • domains with custom names
    • We can create domains with custom names, also unverified domain names supported.
  • NTLM & Kerberos authentication
    • This gives the ability to deploy applications that rely on Windows-integrated Authentication.
  • Corporate credentials/passwords
    • Users can log-in using their corporate credentials.
  • Integrated with Azure AD
    • User groups, accounts of an existing on-premises domain can easily and automated syncronize to managed domain service.
  • LDAP bind & LDAP read support
    • Applications with LDAP support will working fine.
  • Secure LDAP
    • This is an optional feature and can be enabled from the Azure Portal.
  • Group Policy
    • Built-in GPO for the user and Computers containers.
  • Manage DNS
    • DNS management is only available for the “AAD DC Administrators” group.
  • Custom OUs
    • Organizational Units (OUs) can be created from the users that belong to “AAD DC Administrators” group
  • Available in many regions
  • Highly Available
    • The service offers high availability for the domain
  • AD account lockout protection
    • If five invalid password is used within two minutes, account locked out for 30 minutes and unlocks automatically after a period time of 30 minutes.
  • Known management tools
    • Users can use known tools for domain management, such as Active Directory Administrative Center or Active Directory PowerShell to administer managed domains.
  • Simple deployment
    • This service can be easily enabled. In this post, we talk for how can someone deploy this.
 Note
We can create a single Active Directory domain for each Azure AD directory

Create “Azure AD Domain Services”

By following the next steps we will create an “Azure AD Domain Services” service.

 Important
To create a Managed Domain MUST be the directory administrator

Search Service

At the left main blade on Azure portal click [All services] and in the search box type [Azure Domain….],  select the result that will appear {Azure AD Domain Services} and click Create.

Configure Basics Settings

The first must be configured is the basic settings, which are :

  • DNS domain name: Choose a DNS domain name for the managed domain
  • Subscription: Select an Azure Subscription
  • Resource Group: Create a New or Select an existing Resource Group
  • Location: Select the region that the resources will be deployed.

Virtual Network Parameters

The second stage of the configuration includes the Network configuration settings, and these are :

  • Network: Create or Select the VNet and the Subnet on which the managed domain be available.
  • Subnet: Create a dedicated Subnet for the managed domain with at least 3 available IP addresses.
  Caution
A network security group will be automatically created and associated to the subnet to protect AAD Domain Services. The network security group will be configured according to guidelines for configuring NSGs.  

Configure Group Membership

The third step includes the Group Membership, as the title said it’s about the users of the “AAD DC Administrators” which will have the necessary privileges to administer the managed domain.

Summary

Finally, the Summary blade makes a summary of the configuration parameters which the managed domain will be created, and if all looks great then just push the “magic” button, called [OK]

Sync Users Groups from an existing On-Premises Domain Controller

We create the Azure Active Directory Domain Service, and we are ready to sync the existing groups and users to our new deployed azure AD DS service.
To do that we need to complete some actions first.
Prerequisites

  • Download Azure AD Connect  the latest version
  • Exist an on-premise Domain Controller (Windows Server 2012 or higher)

Azure AD Connect (Installation)

Step 1. Welcome Screen

Select the checkbox with the License terms and privacy notice.

Step 2. Express Settings

At the second step just click “Use express settings

Step 3. Connect to Azure AD

Type the Azure AD global administrator credentials, the USERNAME, and the PASSWORD.

Step 4. Connect to AD DS

In the fourth step, type the on-premises Active Directory Domain Services enterprise administrator credentials, USERNAME, and PASSWORD, as the image below shows.

Step 5. Azure AD sign-in

In this demo, we select the checkbox [Continue without matching all UPN suffixes to verified domains] and clickNext.

  Note
Not Added means, that Azure AD Connect could not found the custom domain “cloudopszone.com” that corresponded to the UPN suffix. The UPN suffix of the users of this domain will be changed to the default.onmicrosoft.com suffix if the domain isn’t added and verified in Azure.

Step 6. Configure

The penultimate step needs just a click on the option [Start the synchronization process when configuration completes.], and click the Install button.

Step 7. Configure2

In the final step, we see an overview of the completed steps and click Exit.

Join To The New Domain

After the Azure AD Connect finishes with syncs we are ready to do the final test and is no more than Join an Azure VM to the new domain. To do that we will use a Virtual Machine on Azure in the same Virtual Network.

Change from Workgroup to Domain

The image below shows the message that the computer (Azure VM) successfully joined the domain {cloudopszone.com}

Connect Using RDP

We sync a test user with the name “accountant01”, try to connect VM with this user and the results are shown in the next image.

Logged User

The image below just shows that the logged user is the synced domain user.

Check Service Health

A very basic action that we should do after all the above steps are completed is to check the service health. We can do this from the Azure Portal. The next steps will show the way to do that.

Azure AD Domain Services

Service Health

At the Azure Portal, click Overview from the left blade of the [Azure Domain Services] service, and then click the [View health] button, as the image below shows. The service is Up and Running!

Pricing Details

Azure Active Directory Domain Services usage is based on per hour charges, for the total number of objects in AD Managed domain and includes, domain-joined computers, groups, and users.

The table below shows the pricing details per hour/month based on the number of active directory objects.

 TIER/NUMBER OF DIRECTORY OBJECTS1  PRICE
 Less than 25,000  €0.13/hour – €92.35/month
 25,001 to 100,000  €0.34/hour – €246.25/month
 100,001 to 500,000  ��1.35/hour – €984.98/month
 Greater than 500,000  Contact Microsoft Sales 

In the image below we can see a simple cost example, for 50 users.

Active Directory                      Domain Services

No Of Users: 50                       Directory Objects: Less than 25,000
Cost Per User: € 0,84              1 month duration: € 0,3
Total: € 42,17                           Total: € 146,31
—————————————————————————————–

Conclusion

In this post, we talk for a service that gives the ability to users to create a 100% domain controller in the Azure Cloud, without the need for maintenance because Microsoft takes care of it. The cost of this service is not excessive and the service SLA is 99,9%.

Useful Links

Share This