Azure Active Directory (AD) Domain Services lets you join computers to a domain without deploying or managing a Domain Controller yourself. Users sign in with their existing corporate credentials.
Features
The service offers many features, including:
domain-join
Join computers to the managed domain in a few simple steps.
domains with custom names
Domains can be created with custom names; unverified domain names are supported as well.
NTLM & Kerberos authentication
Applications that rely on Windows Integrated Authentication can be deployed against the managed domain.
Corporate credentials/passwords
Users log in with their corporate credentials.
Integrated with Azure AD
User accounts and groups of an existing on-premises domain are synchronized to the managed domain automatically through Azure AD.
LDAP bind & LDAP read support
Applications that use LDAP bind and LDAP read operations work as expected.
Secure LDAP
This is optional and can be enabled from the Azure portal; it exposes LDAP over TLS so that bind credentials do not cross the network in clear text.
Group Policy
Built-in GPOs exist for the Users and Computers containers.
Manage DNS
DNS management is available only to members of the “AAD DC Administrators” group.
Custom OUs
Organizational Units (OUs) can be created by users who belong to the “AAD DC Administrators” group.
Available in many regions
The service is available in many regions; the Azure Services by region page lists them.
Highly Available
The service provides high availability for the domain.
AD account lockout protection
If five invalid passwords are entered within two minutes, the account is locked out for 30 minutes and unlocks automatically when that period ends.
Known management tools
Managed domains can be administered with familiar tools such as Active Directory Administrative Center or the Active Directory PowerShell module.
Simple deployment
The service is easy to enable; this post walks through how to deploy it.
Note
Only one managed Active Directory domain can be created per Azure AD directory.
Create “Azure AD Domain Services”
The following steps create an “Azure AD Domain Services” instance.
Important
To create a managed domain you must be an administrator of the Azure AD directory.
Search Service
In the left main blade of the Azure portal click [All services], type [Azure Domain….] in the search box, select the {Azure AD Domain Services} result that appears and click Create.
Configure Basics Settings
The first thing to configure is the basic settings:
DNS domain name: Choose a DNS domain name for the managed domain
Subscription: Select an Azure Subscription
Resource Group: Create a New or Select an existing Resource Group
Location: Select the region that the resources will be deployed.
Virtual Network Parameters
The second stage covers the network configuration settings:
Network: Create or select the VNet and subnet in which the managed domain will be available.
Subnet: Create a dedicated subnet for the managed domain with at least 3 available IP addresses; do not place other workloads in it.
Caution
A network security group is created automatically and associated with the subnet to protect Azure AD Domain Services; its rules follow Microsoft's guidelines for configuring NSGs. Review these rules rather than tightening them by hand: the service relies on the inbound rules it creates (for example for Secure LDAP and management traffic), and removing them can make the managed domain unhealthy.
Configure Group Membership
The third step is Group Membership: as the title says, it defines the members of the “AAD DC Administrators” group, who get the privileges needed to administer the managed domain.
Summary
Finally, the Summary blade lists the configuration parameters with which the managed domain will be created; if everything looks right, press the “magic” button, [OK].
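The same deployment can be scripted instead of clicked through. The following is an added example written for this post, not code from the original article or from Microsoft; it uses the Az PowerShell module (Az.Accounts, Az.Resources, Az.Network). The subscription ID, domain name, resource group, region, address ranges and administrator UPN are placeholders; the application ID used for the service principal is the one Microsoft documents for the Domain Controller Services app (verify it against current docs before use), and the ReplicaSets property shape is assumed from the current Microsoft.AAD/DomainServices API.

```powershell
# Added example: deploy an Azure AD Domain Services managed domain with the Az module.
# All values below are placeholders to replace for your own tenant.
$SubscriptionId    = "00000000-0000-0000-0000-000000000000"
$ManagedDomainName = "cloudopszone.com"
$ResourceGroupName = "rg-aadds"
$Location          = "westeurope"
$VnetName          = "vnet-aadds"
$AdminUpn          = "admin@contoso.onmicrosoft.com"

Connect-AzAccount
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# The managed domain needs a service principal for the Domain Controller Services app.
# The portal creates it for you; from PowerShell you create it once per directory.
# Application ID as documented by Microsoft (assumption: verify against current docs).
$aaddsAppId = "2565bd9d-da50-47d4-8b85-4c97f669dc36"
if (-not (Get-AzADServicePrincipal -ApplicationId $aaddsAppId)) {
    New-AzADServicePrincipal -ApplicationId $aaddsAppId | Out-Null
}

# Delegated administration group. Only its members can manage DNS, OUs and GPOs
# in the managed domain, so keep membership small and reviewed.
$group = Get-AzADGroup -DisplayName "AAD DC Administrators"
if (-not $group) {
    $group = New-AzADGroup -DisplayName "AAD DC Administrators" `
        -MailNickname "AADDCAdministrators" `
        -Description "Delegated group to administer Azure AD Domain Services"
}
Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberUserPrincipalName $AdminUpn

# The resource provider must be registered on the subscription once.
Register-AzResourceProvider -ProviderNamespace Microsoft.AAD | Out-Null

New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Force | Out-Null

# Dedicated subnet for the managed domain (nothing else goes in it) plus a
# separate subnet for the workload VMs that will join the domain later.
$aaddsSubnet    = New-AzVirtualNetworkSubnetConfig -Name "DomainServices" -AddressPrefix "10.0.0.0/24"
$workloadSubnet = New-AzVirtualNetworkSubnetConfig -Name "Workloads"      -AddressPrefix "10.0.1.0/24"
$vnet = New-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Location $Location `
    -Name $VnetName -AddressPrefix "10.0.0.0/16" -Subnet $aaddsSubnet, $workloadSubnet

$subnetId = ($vnet.Subnets | Where-Object Name -eq "DomainServices").Id

# Create the managed domain. Provisioning takes a while; the cmdlet returns when the
# resource is accepted, not when the domain is ready to use.
$resourceId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
              "/providers/Microsoft.AAD/DomainServices/$ManagedDomainName"
New-AzResource -ResourceId $resourceId -Location $Location `
    -Properties @{
        DomainName  = $ManagedDomainName
        ReplicaSets = @(@{ Location = $Location; SubnetId = $subnetId })
    } -Force -Verbose
```

The NSG described in the Caution above is still created by the service, not by this script; the script only creates the VNet and the dedicated subnet the managed domain is placed in.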
Sync Users Groups from an existing On-Premises Domain Controller
With the Azure Active Directory Domain Services instance created, we are ready to sync the existing users and groups into the newly deployed Azure AD DS domain.
To do that we need to complete some actions first.
Prerequisites
An on-premises Domain Controller (Windows Server 2012 or later)
Azure AD Connect (the installation is described in the steps below)
Step 1. Welcome Screen
Select the checkbox to accept the license terms and privacy notice.
Step 2. Express Settings
In the second step just click “Use express settings”. Express settings configure a single-forest sync with password hash synchronization, which the managed domain needs for NTLM and Kerberos authentication.
Step 3. Connect to Azure AD
Enter the Azure AD global administrator credentials (username and password).
Step 4. Connect to AD DS
In the fourth step, enter the on-premises Active Directory Domain Services enterprise administrator credentials (username and password), as the image below shows.
Step 5. Azure AD sign-in
In this demo we select the checkbox [Continue without matching all UPN suffixes to verified domains] and click Next.
Note
“Not Added” means that Azure AD Connect could not find a custom domain in Azure AD matching the UPN suffix “cloudopszone.com”. If the domain is not added and verified in Azure, the UPN suffix of this domain's users is changed to the default .onmicrosoft.com suffix.
Step 6. Configure
The penultimate step only needs the option [Start the synchronization process when configuration completes.] selected; then click the Install button.
Step 7. Configure2
In the final step, we see an overview of the completed steps and click Exit.
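Once the wizard has finished, the sync can be checked and driven from the ADSync module on the Azure AD Connect server. This is an added example for this post, not part of the original article; it assumes the default ADSync module path and that the connector names are "cloudopszone.com" for the on-premises connector and "contoso.onmicrosoft.com - AAD" for the Azure AD connector (both case sensitive; take the real names from Synchronization Service Manager). The forced full password hash sync follows Microsoft's documented procedure: a managed domain authenticates with NTLM and Kerberos hashes, and users synced before the managed domain existed need one full password sync before they can sign in to it.

```powershell
# Added example: verify the Azure AD Connect sync and force a full password hash sync
# so that NTLM/Kerberos hashes reach the managed domain. Run on the Azure AD Connect server.
Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"

# Connector names are case sensitive; placeholders to replace (see Synchronization Service Manager).
$adConnector      = "cloudopszone.com"
$azureAdConnector = "contoso.onmicrosoft.com - AAD"

# 1. Scheduler state: sync must be enabled and the server must not be in staging mode,
#    because a staging-mode server imports but never exports to Azure AD.
$scheduler = Get-ADSyncScheduler
if (-not $scheduler.SyncCycleEnabled) { throw "Sync cycle is disabled" }
if ($scheduler.StagingModeEnabled)    { throw "Server is in staging mode; it does not export" }

# 2. Password hash sync must be on (express settings enable it); without it users
#    cannot sign in to the managed domain with their corporate password.
$features = Get-ADSyncAADCompanyFeature
if (-not $features.PasswordHashSync) { throw "Password hash sync is not enabled" }

# 3. Force a full password hash sync once (Microsoft's documented procedure):
#    set the ForceFullPasswordSync parameter on the AD connector, then toggle
#    password sync off and on so the next cycle pushes every user's hashes.
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureAdConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureAdConnector -Enable $true

# 4. Kick off a delta sync and show which connectors are currently running.
Start-ADSyncSyncCycle -PolicyType Delta
Get-ADSyncConnectorRunStatus
```

Step 3 only needs to run once after the managed domain is created; later password changes on-premises flow through the normal password hash sync.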
Join To The New Domain
Once Azure AD Connect has finished syncing, the final test is to join an Azure VM to the new domain. For this we use a Virtual Machine in Azure that sits in the same virtual network.
Change from Workgroup to Domain
The image below shows the message that the computer (Azure VM) successfully joined the domain {cloudopszone.com}
Connect Using RDP
We synced a test user named “accountant01”; connecting to the VM with this user gives the result shown in the next image.
Logged User
The image below just shows that the logged user is the synced domain user.
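Before a VM can join, the virtual network's DNS servers must point at the managed domain's domain controller addresses, a step the portal prompts for but that is easy to miss when the VM was created earlier; the join itself can then be scripted and verified. The following is an added example for this post, not code from the original article. It assumes the resource names used above, that the VM is in the same VNet, that the domain controller addresses are exposed in the domainControllerIpAddress property of the replica set (current API; older API versions expose it at the top level), and that the session on the VM runs elevated.

```powershell
# Added example in two parts. Part 1 runs from an admin workstation with the Az module;
# part 2 runs in an elevated session on the Azure VM that should join the domain.
# Resource names are placeholders matching the deployment above.

# ---- Part 1: point the VNet DNS at the managed domain's domain controllers ----
$ResourceGroupName = "rg-aadds"
$ManagedDomainName = "cloudopszone.com"
$VnetName          = "vnet-aadds"

$aadds = Get-AzResource -ResourceGroupName $ResourceGroupName `
    -ResourceType "Microsoft.AAD/DomainServices" -Name $ManagedDomainName -ExpandProperties

# Current API exposes the DC addresses per replica set; older versions at the top level.
$dcIps = $aadds.Properties.replicaSets.domainControllerIpAddress
if (-not $dcIps) { $dcIps = $aadds.Properties.domainControllerIpAddress }
if (-not $dcIps) { throw "Managed domain has no domain controller addresses yet; wait for provisioning" }

$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VnetName
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$dnsServers = New-Object System.Collections.Generic.List[string]
foreach ($ip in $dcIps) { $dnsServers.Add($ip) }
$vnet.DhcpOptions.DnsServers = $dnsServers
$vnet | Set-AzVirtualNetwork | Out-Null
# VMs already running pick up the new DNS servers after a NIC restart or reboot.

# ---- Part 2: join the VM (run on the VM, elevated) ----
$domain = "cloudopszone.com"
# Resolving the DC locator SRV record proves the DNS change took effect; without it
# Add-Computer fails with "could not be contacted" and the failure is easy to misread.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop | Out-Null
# Use a user account that was synced into the managed domain; computers land in the
# built-in AADDC Computers OU by default. -Restart reboots to finish the join.
$cred = Get-Credential -Message "User account in the managed domain $domain"
Add-Computer -DomainName $domain -Credential $cred -Restart
# After the reboot, confirm the secure channel to the managed domain:
#   Test-ComputerSecureChannel -Verbose
```

If the SRV lookup fails, fix the DNS setting first; joining against a VNet that still uses the Azure default resolver is the most common reason the join step "does nothing".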
Check Service Health
A basic action after completing the steps above is to check the service health, which can be done from the Azure portal. The next steps show how.
Azure AD Domain Services
Service Health
In the Azure portal, click Overview in the left blade of the [Azure AD Domain Services] service and then click the [View health] button, as the image below shows. The service is up and running!
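The same health information can be read from the resource properties, which is handy for a scheduled check rather than a portal visit. This is an added example for this post, not code from the original article; the property names (provisioningState, replicaSets, serviceStatus, healthLastEvaluated, healthAlerts and the alert fields) are assumed from the Microsoft.AAD/DomainServices API and the resource names are the placeholders used above.

```powershell
# Added example: query the managed domain's health from the resource properties
# instead of the portal. Property names assumed from the Microsoft.AAD/DomainServices API.
$aadds = Get-AzResource -ResourceGroupName "rg-aadds" -ResourceType "Microsoft.AAD/DomainServices" `
    -Name "cloudopszone.com" -ExpandProperties
$props = $aadds.Properties

"Provisioning state : $($props.provisioningState)"

# Per replica set: status, when health was last evaluated, and any active alerts.
foreach ($rs in $props.replicaSets) {
    "Replica set $($rs.location): $($rs.serviceStatus), evaluated $($rs.healthLastEvaluated)"
    foreach ($alert in $rs.healthAlerts) {
        "  ALERT $($alert.id) [$($alert.severity)] $($alert.name): $($alert.resolutionUri)"
    }
}

# A healthy domain reports serviceStatus 'Running' and no alerts. Anything else
# (for example a broken sync or a missing NSG rule) should be investigated before
# more machines are joined, so exit non-zero to make a scheduled run fail visibly.
$unhealthy = $props.replicaSets | Where-Object { $_.serviceStatus -ne 'Running' -or $_.healthAlerts }
if ($unhealthy) { exit 1 }
```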
Pricing Details
Azure Active Directory Domain Services is charged per hour, based on the total number of objects in the managed domain, which includes users, groups and domain-joined computers.
The table below shows the pricing per hour and per month by number of Active Directory objects.
In the image below we can see a simple cost example, for 50 users.
Active Directory Domain Services
No. of users: 50
Directory objects: fewer than 25,000
Cost per user: € 0,84
1 month duration: € 0,3
Total: € 42,17
Total: € 146,31
Conclusion
In this post we looked at a service that gives users a fully managed Active Directory domain in the Azure cloud, with no maintenance on their side because Microsoft takes care of it. The cost of the service is not excessive and its SLA is 99,9%.