İlginizi Çekebilir
  1. Ana Sayfa
  2. Microsoft Azure
  3. How does Azure AD DS work?

How does Azure AD DS work?

azureadds-min
DMC Teknoloji

In this post I will describe how to add Domain services to your tenant using AZURE Portal.

Before we begin let’s talk a little bit about

Domain Services (AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos / NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.

How does DS work?

When you create an Azure AD DS managed domain, you define a unique namespace. This namespace is the domain name, such as mfarouk.com. Two Windows Server domain controllers (DCs) are then deployed into your selected Azure region. This deployment of DCs is known as a replica set.

You don’t need to manage, configure, or update these DCs. The Azure platform handles the DCs as part of the managed domain, including backups.

Azure AD DS features and benefits

  • Simplified deployment experience: Azure AD DS is enabled for your Azure AD tenant using a single wizard in the Azure portal.
  • Integrated with Azure AD: User accounts, group memberships, and credentials are automatically available from your Azure AD tenant. New users, groups, or changes to attributes from your Azure AD tenant or your on-premises AD DS environment are automatically synchronized to Azure AD DS.
  • Use your corporate credentials/passwords: Passwords for users in Azure AD DS are the same as in your Azure AD tenant. Users can use their corporate credentials to domain-join machines, sign in interactively or over remote desktop, and authenticate against the managed domain.
  • NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy applications that rely on Windows-integrated authentication.
  • High availability: Azure AD DS includes multiple domain controllers, which provide high availability for your managed domain. This high availability guarantees service uptime and resilience to failures.

Now let’s start Implementation:

Login to AZURE Portal

Image-1

Create new resource group

Image-2

Click review and create

Image-3

Image-4

Search for AZURE AD DS and choose AZURE AD Domain Services

Image-5

Click ADD

Choose subscription and resource group

Image-6

After filling the required fields click Next, here I choose to create new subnet to deploy the AD DS into it.

Image-7

Image-8

Add more Administrators If needed or accept the default then click next

Image-9

Accept the default then press Next

Image-10

After validation complete press create

Image-11

Press Ok to start creating AZURE AD Domain Services

It might take an hour to be finished

Image-12

Image-13

Image-14

Image-15

Click view health

Image-16

Now let’s create a VM in the same VNet and try to join AZURE AD DS

From home page click create resource

Image-17

Choose compute then select virtual machine

Image-18

Fill the required fields the click Next

Image-19

In the Disks page accept the defaults then click next

Image-20

In the Networking page accept the defaults then click Review + Create

Image-21

Then click create

After creation completed you will be able to connect to your VM

Image-22

Click Connect è RDP

Image-23

Click download RDP File then connect to the created VM

Connect to the virtual machine using the credentials you supplied in the creation wizard

Image-24

Now let’s try to join the domain

Image-25

Click computer name then click change

Image-26

Image-27

Image-28

This failed because AZURE Active Directory Domain Services requires the legacy password of NTLM for authentication because this is a cloud only account.

To solve this Issue we have to go back to AZURE active directory from the portal and search for that user and reset the password.

Image-29

Click users

And choose the user you tried joining using it and reset password

Image-30

Click reset password

And in private browser window update the password then wait for 30 Minutes

Now let’s try to join the domain using the new password

Image-31

Image-32

Image-33

After restarting you will be able to login using the domain user

Image-34

References

https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain#deploy-the-solution

https://www.youtube.com/watch?v=OQjK4gC89Xc&t=591s

TAGs: Azure , Azure AD, , Azure Active Directory, Azure Active Directory Domain Services, Active Directory

DMC Teknoloji
Yorum Yap

Yazar Hakkında

In 2001 Mohamed Farouk graduated from Sadat academy for management science (Major Computer Sciences) in egypt. Mohamed is determined and solutions-focused information technology professional with a career progression that spans 18+ years and includes experience in the configuration, installation, upgrades, security, maintenance, integration, support, and monitoring of business-critical applications, databases, systems for SQL Server, Oracle and Microsoft Azure environments. As an experienced Project Leader committed to maintaining cutting edge AZURE technical skills and up-to-date industry knowledge, gifted with strong design skills and superb attitude when working independently or with a team of experts.

Yorum Yap