In this post I will describe how to add Azure Active Directory Domain Services to your tenant using the Azure portal.
Before we begin, let's talk a little about Azure Active Directory Domain Services.
Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, Lightweight Directory Access Protocol (LDAP), and Kerberos / NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.
How does Azure AD DS work?
When you create an Azure AD DS managed domain, you define a unique namespace. This namespace is the domain name, such as mfarouk.com. Two Windows Server domain controllers (DCs) are then deployed into your selected Azure region. This deployment of DCs is known as a replica set.
You don’t need to manage, configure, or update these DCs. The Azure platform handles the DCs as part of the managed domain, including backups.
Azure AD DS features and benefits
Simplified deployment experience: Azure AD DS is enabled for your Azure AD tenant using a single wizard in the Azure portal.
Integrated with Azure AD: User accounts, group memberships, and credentials are automatically available from your Azure AD tenant. New users, groups, or changes to attributes from your Azure AD tenant or your on-premises AD DS environment are automatically synchronized to Azure AD DS.
Use your corporate credentials/passwords: Passwords for users in Azure AD DS are the same as in your Azure AD tenant. Users can use their corporate credentials to domain-join machines, sign in interactively or over remote desktop, and authenticate against the managed domain.
NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy applications that rely on Windows-integrated authentication.
High availability: Azure AD DS includes multiple domain controllers, which provide high availability for your managed domain. This high availability guarantees service uptime and resilience to failures.
Now let's start the implementation:
Log in to the Azure portal
Create a new resource group
Click Review + Create
Search for Azure AD DS and choose Azure AD Domain Services
Choose the subscription and resource group
After filling in the required fields, click Next. Here I chose to create a new subnet to deploy Azure AD DS into.
Add more administrators if needed, or accept the default, then click Next
Accept the defaults, then click Next
After validation completes, click Create
Click OK to start creating Azure AD Domain Services
It might take up to an hour to finish
Click View health
Now let's create a VM in the same VNet and try to join it to Azure AD DS
From the home page, click Create a resource
Choose Compute, then select Virtual machine
Fill in the required fields, then click Next
On the Disks page, accept the defaults, then click Next
On the Networking page, accept the defaults, then click Review + Create
Then click Create
After creation completes, you will be able to connect to your VM
Click Connect, then RDP
Click Download RDP File, then connect to the created VM
Connect to the virtual machine using the credentials you supplied in the creation wizard
Now let's try to join the domain
Click the computer name, then click Change
This failed because Azure Active Directory Domain Services needs the legacy NTLM password hash for authentication, and a cloud-only account does not have one until its password is reset.
To solve this issue, go back to Azure Active Directory in the portal, search for that user, and reset the password.
Choose the user you tried to join with and reset the password
Click Reset password
Then, in a private browser window, sign in and update the password, and wait 30 minutes for the change to synchronize
Now let's try to join the domain using the new password
After restarting, you will be able to log in using the domain user
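As an added example (not code from the original post), here is the join step done from an elevated PowerShell session on the VM, with a DNS check and an LDAP bind first so that the cloud-only password problem described above shows up before the computer account is touched. It assumes the domain name mfarouk.com from the post, any Azure AD user entered in UPN form, and a `Test-ManagedDomainJoin` function of my own for the post-reboot check.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the new VM. Assumed values: mfarouk.com is the post's example
# domain; the user is any Azure AD account entered in UPN form.
$Domain = 'mfarouk.com'

# Post-reboot check (defined first because Add-Computer -Restart ends this run):
# paste it into a new admin session after the restart and call it.
function Test-ManagedDomainJoin {
    param([string]$ExpectedDomain = 'mfarouk.com')
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain -or $cs.Domain -ne $ExpectedDomain) {
        throw "Machine is not joined to $ExpectedDomain (current: $($cs.Domain))"
    }
    if (-not (Test-ComputerSecureChannel)) {
        throw "Secure channel to $ExpectedDomain is broken"
    }
    "Joined to $($cs.Domain); secure channel OK"
}

$Cred = Get-Credential -Message "Azure AD DS user, e.g. someone@$Domain"

# 1. DNS check: the VM must resolve the managed domain's DC SRV record. If this
#    fails, the VNet DNS servers are not set to the Azure AD DS IP addresses,
#    and the problem is network configuration rather than credentials.
$Srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
Write-Host "Domain controllers found: $($Srv.NameTarget -join ', ')"

# 2. Credential check: a simple LDAP bind against the managed domain before
#    touching the computer account. A failed bind with a correct password is
#    the symptom from the post (a cloud-only user whose NTLM/Kerberos hashes
#    were never generated); the fix is the password reset plus the sync wait.
$Plain = $Cred.GetNetworkCredential().Password
$Entry = New-Object -TypeName System.DirectoryServices.DirectoryEntry `
    -ArgumentList "LDAP://$Domain", $Cred.UserName, $Plain
try {
    $null = $Entry.NativeObject      # touching NativeObject forces the bind
    Write-Host "LDAP bind succeeded for $($Cred.UserName)"
} catch {
    throw ("LDAP bind failed: $($_.Exception.Message). If the password is right, " +
           "reset it in Azure AD and wait for the managed domain to synchronize.")
}

# 3. Join and reboot. -Force skips the confirmation prompt.
Add-Computer -DomainName $Domain -Credential $Cred -Force -Restart -ErrorAction Stop
```

The LDAP bind only proves the user's hashes exist on the managed domain; it does not grant the join itself, which still requires an account allowed to add computers.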
TAGs: Azure , Azure AD, Azure ADDS, Azure Active Directory, Azure Active Directory Domain Services, Active Directory