A lot of people are already using Azure AD, either for Office 365 or some other applications – maybe even 3rd party application like Salesforce, ServiceNow etc. You could also be using it for Windows 10 workplace or domain join and automatic MDM enrollment. The possibilities of Azure AD is… not unlimited, but it feels damn close
Now a new feature has arrived, and I’ve been lucky enough to test it through early previews and see the development. Let me start by saying: A LOT of work has gone into this, and the Azure AD team has been very good at listening to the feedback and quick to fix the bugs there were. Anyways, the new feature is Azure AD Domain Services (AAD DS) – yes, just like the role in Windows Server. It’s basically domain controller as a service, how cool is that?
“Why would I want to use that?” you may ask.. Well, why do you need other “as-a-service”-offerings? Because you don’t want to maintain it yourself, or maybe don’t have the resources for it. I’ve done a fair share of Azure IaaS environments over the last couple of years, some hybrid, and some of them pure Azure. Those that are pure Azure is often for small organizations that don’t have the skills and/or time to maintain domain controllers themselves. AAD DS is a perfect solution for those customers.
Azure AD Domain Services features:
- -Domain join – join your servers/computers to AAD DS
- -User attributes and group memberships sync with Azure AD
- -Usernames/passwords are synced with Azure AD
- -GPO’s for the built in Users and Computers containers
- -High availability – 2 Domain Controllers are provisioned
- …and well, a lot more, since it’s built on Windows Server ADDS
And some pointers:
- -Since this is a service managed by Microsoft, you won’t get “Domain Admin” or “Enterprise Admin” privileges
- -You cannot manage users or groups from the normal AD consoles – use the Azure AD portal to do this
- -Azure Resource Manager based networks are not supported, which also means you cannot use ARM based VMs
This might seem very simple and not very usable, and I agree at some level. But keep in mind that this is for simple deployments, and development is ongoing. If you need a feature, request it at uservoice. In general, don’t think of this as a regular Active Directory, it’s a service that Microsoft is managing for you. You only get to manage users, groups, a limited set of GPOs and stuff like that.
The service will cost $0.20/hour with a 50% discount during public preview. Other, smaller, tiers should be available in the future.
Okay, enough talking.. How does this work? There are some different deplyment types:
1. Cloud-Only – this is where you don’t have an existing infrastructure – domain controllers – but need the domain services
2. Azure AD with sync – this is when you have an existing AD and you’re already syncing users to your Azure AD
3. No Azure AD – kind of self-explanatory. No Azure AD, no sync to Azure AD etc. You might have an Active Directory already.
I will focus on the first scenario in this post.
Let’s walk through the prerequisites:
- -You need an Azure AD – this can be with a custom domain or the *.onmicrosoft.com domain you’re assigned when you create the Azure AD. If you use a custom domain, this does NOT have to be a public domain, like cloudpuzzles.net, you can use .local and whatnot. No need to verify the domain, as long as it’s just for AAD DS, but I would highly recommend using a public domain for everything else than tests
- -You need a network with at least one subnet – AAD DS does not span networks at the moment, so you would need to connect you networks through VPN if you have multiple
- -A group in your Azure AD named “AAD DC Administrators” – it’s important you use this exact name, as users in this group will be administrators and able to add servers to the domain etc.
To get started, open up the Azure portal (http://manage.windowsazure.com) and browse to your Azure AD. We will start out by creating the admin group that AAD DS needs. Click Add group in the bottom:
Name the group – remember, it’s important that it is named AAD DC Administrators! You can add a description of your choice if you want:
Now add members to the group:
Make sure the correct users were added:
Now select the Configure tab in Azure AD:
Scroll down to Domain Services and enable it:
After you enable it, a few options will show. First select (or type) the domain name you would like to use:
Next select the network you would like to connect Domain Services to:
In the bottom, click save. Azure will now start provisioning the first Domain Controller and when it’s ready, the second will be deployed. It takes approximately 15-20 minutes per DC.
When the first DC is provisioned, you’ll see the IP address beneath the settings:
Shortly after, the second IP will show up. Now we need to add these IP’s as DNS servers on the network in Azure. Browse to your network, select Configure and add the IP addresses under DNS Servers:
After this, you will need to reset the password of the user you added to the AAD DC Administrators group. This is required to synchronize the users password with Azure AD Domain Services. It can be done by logging on to http://myapps.microsoft.com with the user and reset the password from there (sorry about the language on the picture, I hope you get the point ):
Now you need some patience. AAD DS will be syncing with AAD, and depending on the number of users/groups you have, this could take some time. For a medium sized AD with a few hundred users it could take a couple of hours. As of now there is no way to see sync status, but I know Microsoft is looking in to it.
When your sync is complete, spin up a VM and let it obtain the DNS settings, then you will be able to join it to the domain using the users you added to AAD DC Administrators group:
After joining a server to the domain, you will be able to manage Group Policy through GPMC:
As you can see, there is limited set of Group Policies. The only ones you can edit, is AADDC Computers GPO and AADDC Users GPO. You do not have access to Default Domain Controllers Policy or Default Domain Policy, nor can you create new policies:
I have been testing with Windows 10 Azure AD Join, to see if I could access domain resources from a Azure AD Joined computer, but currently this does not work. Users simply don’t have the same SID on the Windows 10 device.
That’s all for now, there’s more to come though
I run a super small office 2 desktops with 2 laptops that stay in the office 90% of the time. also have 8 laptops that spend 80-90% of their time out of the office. I have had 2 servers for years. one as a DC and the other as a Application server for my accounting LOB apps (peachtree and payroll). Originally my DC was an sbs 2003 box for all the reasons that made sbs great: exchange, vpn, printer services, AD, DC, DNS, file redirection, sharepoint, etc…
earlier this year sbs decided to quit on me
I moved to a trial of 2012 essentials and without a functioning system I had to create my domain from scratch… unjoin/rejoin the domain on all of the users systems, rejoin the application server, move all the user docs from the old profile to the new one and then wait forever for them to sync only to find out that as an admin I could not see into their redirected folders like I could in 2003, etc etc etc.
Now only 9 months later 2012 has decided it no longer wants to boot and I have had it…. I have never been so frustrated troubleshooting a windows boot problem as with 2012. Unable to solve my boot issue I am back at square one recreating a domain that I will need to unjoin/rejoin, docs, users profiles, etc.
Both of my accounting apps now have cloud services, 2012 essentials forced me to signup for Office365 for my sharepoint/exchange solution; I can have users save their docs to OneDrive, I use a discreet firewall router for DNS and DHCP, so the only thing left is print server. Id rather not run a server at all and simply manually configure all of my devices to use the network printers I have.
Im trying to understand if this Azure AD product is what i should be looking for to keep parity with what I am accustomed to or if I am not understanding its purpose and if its even necessary in my use case (these are all company owned devices) and I should really be looking at Intune (or another MDM) and forget about the Domain construct all together
so…. the day after I posted this comment I decided to just push forward with this. In case anyone else out there is wondering i decided to followup my own comment.
coming from SBS mind set this new service is really what you want if you are a mostly mobile shop. paying the monthly/yearly cost for office365 business was something I was already doing, not having a server forced me to take a serious look at onedriveforbusiness (ODFB) I have read online that it is not reliable and we will just have to see as I rollout to all of my (admittedly few users). also after not using sharepoint since I left sbs 2003 one drive for business reminded me how great having sharepoint was at one time and I have commited to using it again. Now that doc store, exchange, “VPN”/mobile connectivity to services via the cloud, and mail are all covered by office365 and I am moving the few network LOB apps to their own respective clouds I dont NEED a dc here in the office and it only creates a single point of failure for my users. Azure AD allows users to take a laptop out of the box and simply login to their office365/azure account during intial startup and domain join my company. auto-login to portal.office.com download the software, click sync on ODFB web portal to get all their docs locally and done. Apparently GPOs are even supported through the service so in theory I could push office network printer config to these users but for the time being I will just KISS (Keep it Simple Stupid). one drive personal and business are seperate which further incentivies BYOD. I was suprised Azure AD even forced password policies on my new laptop because of some default settings I had not played with. I can see the devices each user has connected and even block them. anyway still learning about this service but its pretty cool to know I dont ever have to worry about a DC failing on me and wiping out my entire organizations configuration.
Sounds like some annoying issues you’ve had! Glad you found a way though. The AAD DS solution is great for small businesses that don’t want to maintain a domain. If you are not using LDAP/GPO, you could probably spare the AAD DS feature (and some money), and just use AAD Join, which is built in to Windows 10. I’ve written about this feature earlier too: https://cloudpuzzles.net/2015/02/joining-windows-10-device-azure-active-directory/
And I have another piece about it in the works 🙂
Edit: Also keep in mind that the AAD DS feature is in preview.
As a pure office 365 company (no internal/external DCs) will AAD DS allow me to have laptops/PCs signing in with their office 365 password (instead of a local account as we currently do) AND also allow me to enforce group policy such as making users change password every xx days?
You could do that, yes. But it would require a VPN connection between Azure and your clients.
You can configure password policies in Azure AD (which Office 365 uses), if that’s all you want to do?
It would be great to see an article on setting up policy enforcement for the small office situation described above.
How do you edit Computers or Users GPO? Which group your account shall be in to have this available? Mine is grayed out, while account I’m using is in Global Admins group in portal.
Your account should be a member of “AAD DC Administrators” group, that we create in the beginning.
Do I need to have a server in the cloud to use Azure Active Directory Domain Services? Can I use a Windows 10 PC with RSAT connected to my Azure network via iPSEC VPN (firewall) to manage Azure Active Directory Domain Services? Can I simply “Join” Windows 7/10 PCs at my office to Azure Active Directory Domain Services if I have a VPN connection to my Azure network?
You don’t need a server in the cloud to use AAD DS. Windows 10 RSAT should work (I only used it on Windows Server 2012 R2 though), as long as you have a VPN connection to the network your AAD DS instances are connected to, and you computer is joined to the domain.
Many thanks. That was very helpful.
with reference to this post i wish to understand the second type of setup “Azure AD with sync – this is when you have an existing AD and you’re already syncing users to your Azure AD”
we have same kind of environment and wish to join our systems through Azure AD and manage them through SCCM.