A lot of people are already using Azure AD, either for Office 365 or some other applications – maybe even 3rd party application like Salesforce, ServiceNow etc. You could also be using it for Windows 10 workplace or domain join and automatic MDM enrollment. The possibilities of Azure AD is… not unlimited, but it feels damn close
Now a new feature has arrived, and I’ve been lucky enough to test it through early previews and see the development. Let me start by saying: A LOT of work has gone into this, and the Azure AD team has been very good at listening to the feedback and quick to fix the bugs there were. Anyways, the new feature is Azure AD Domain Services (AAD DS) – yes, just like the role in Windows Server. It’s basically domain controller as a service, how cool is that?
“Why would I want to use that?” you may ask.. Well, why do you need other “as-a-service”-offerings? Because you don’t want to maintain it yourself, or maybe don’t have the resources for it. I’ve done a fair share of Azure IaaS environments over the last couple of years, some hybrid, and some of them pure Azure. Those that are pure Azure is often for small organizations that don’t have the skills and/or time to maintain domain controllers themselves. AAD DS is a perfect solution for those customers.
Azure AD Domain Services features:
- -Domain join – join your servers/computers to AAD DS
- -User attributes and group memberships sync with Azure AD
- -Usernames/passwords are synced with Azure AD
- -GPO’s for the built in Users and Computers containers
- -High availability – 2 Domain Controllers are provisioned
- …and well, a lot more, since it’s built on Windows Server ADDS
And some pointers:
- -Since this is a service managed by Microsoft, you won’t get “Domain Admin” or “Enterprise Admin” privileges
- -You cannot manage users or groups from the normal AD consoles – use the Azure AD portal to do this
- -Azure Resource Manager based networks are not supported, which also means you cannot use ARM based VMs
This might seem very simple and not very usable, and I agree at some level. But keep in mind that this is for simple deployments, and development is ongoing. If you need a feature, request it at uservoice. In general, don’t think of this as a regular Active Directory, it’s a service that Microsoft is managing for you. You only get to manage users, groups, a limited set of GPOs and stuff like that.
The service will cost $0.20/hour with a 50% discount during public preview. Other, smaller, tiers should be available in the future.
Okay, enough talking.. How does this work? There are some different deplyment types:
1. Cloud-Only – this is where you don’t have an existing infrastructure – domain controllers – but need the domain services
2. Azure AD with sync – this is when you have an existing AD and you’re already syncing users to your Azure AD
3. No Azure AD – kind of self-explanatory. No Azure AD, no sync to Azure AD etc. You might have an Active Directory already.
I will focus on the first scenario in this post.
Let’s walk through the prerequisites:
- -You need an Azure AD – this can be with a custom domain or the *.onmicrosoft.com domain you’re assigned when you create the Azure AD. If you use a custom domain, this does NOT have to be a public domain, like cloudpuzzles.net, you can use .local and whatnot. No need to verify the domain, as long as it’s just for AAD DS, but I would highly recommend using a public domain for everything else than tests
- -You need a network with at least one subnet – AAD DS does not span networks at the moment, so you would need to connect you networks through VPN if you have multiple
- -A group in your Azure AD named “AAD DC Administrators” – it’s important you use this exact name, as users in this group will be administrators and able to add servers to the domain etc.
To get started, open up the Azure portal (http://manage.windowsazure.com) and browse to your Azure AD. We will start out by creating the admin group that AAD DS needs. Click Add group in the bottom:
Name the group – remember, it’s important that it is named AAD DC Administrators! You can add a description of your choice if you want:
Now add members to the group:
Make sure the correct users were added:
Now select the Configure tab in Azure AD:
Scroll down to Domain Services and enable it:
After you enable it, a few options will show. First select (or type) the domain name you would like to use:
Next select the network you would like to connect Domain Services to:
In the bottom, click save. Azure will now start provisioning the first Domain Controller and when it’s ready, the second will be deployed. It takes approximately 15-20 minutes per DC.
When the first DC is provisioned, you’ll see the IP address beneath the settings:
Shortly after, the second IP will show up. Now we need to add these IP’s as DNS servers on the network in Azure. Browse to your network, select Configure and add the IP addresses under DNS Servers:
After this, you will need to reset the password of the user you added to the AAD DC Administrators group. This is required to synchronize the users password with Azure AD Domain Services. It can be done by logging on to http://myapps.microsoft.com with the user and reset the password from there (sorry about the language on the picture, I hope you get the point ):
Now you need some patience. AAD DS will be syncing with AAD, and depending on the number of users/groups you have, this could take some time. For a medium sized AD with a few hundred users it could take a couple of hours. As of now there is no way to see sync status, but I know Microsoft is looking in to it.
When your sync is complete, spin up a VM and let it obtain the DNS settings, then you will be able to join it to the domain using the users you added to AAD DC Administrators group:
After joining a server to the domain, you will be able to manage Group Policy through GPMC:
As you can see, there is limited set of Group Policies. The only ones you can edit, is AADDC Computers GPO and AADDC Users GPO. You do not have access to Default Domain Controllers Policy or Default Domain Policy, nor can you create new policies:
I have been testing with Windows 10 Azure AD Join, to see if I could access domain resources from a Azure AD Joined computer, but currently this does not work. Users simply don’t have the same SID on the Windows 10 device.
That’s all for now, there’s more to come though