How to deploy Microsoft Entra Domain Services (Azure AD Domain Services / MEDS)
Today we will learn how to deploy Microsoft Entra Domain Services. Let's go to the Azure portal and get you started!
Step 1: Go to Microsoft Entra Domain Services and create a new Microsoft Entra Domain Services instance!
Step 2: Now we can start the setup of MEDS. Fill in your preferred domain name. You can leave the default, which is the same as your Azure Active Directory name ending in .onmicrosoft.com, but I would recommend a public domain name, as in my case adds.2azure.nl.
If you choose to enable secure LDAP access to the managed domain over the internet, expect issues creating a public DNS record or obtaining a secure LDAP certificate from a public CA for the onmicrosoft.com domain name: Microsoft owns that domain, and public CAs will not issue certificates vouching for it.
Select the Subscription, Resource group and Location and go to the next step.
Step 3: Now let's add the Domain Services to your preferred network. This can be the subnet with all your Azure IaaS machines, but it might also be a separate subnet or even a separate VNET (note: VNET peering is required, at additional cost, if you choose that option). So let's select your desired VNET or create a new one. For this manual I chose to create everything new.
Step 4: An AAD DC Administrators group is created to manage this domain. Select the users that will be admins of this managed AD DS environment.
For this manual I've chosen to add myself.
Step 5: It might not be required to synchronize all identities to your Azure AD Domain Services. If you only want a selection of your users to be synchronized, change the setting to Scoped and select the groups you want to synchronize from your Azure AD tenant. These might also be groups synchronized from your on-premises AD, if you have one synced.
Step 6: Let’s review what we’ve just selected, and let’s review the infographic at the bottom. This is important! What does it say? “By enabling Microsoft Entra Domain Services for this directory, you consent to storing credential hashes required for NTLM and Kerberos authentication in Entra ID”.
This means that these hashes are not there yet before you hit the OK button, and they will not appear automatically after you hit OK either. All synced accounts must change their password before they can use it to authenticate against Azure AD DS. Also note that there is a delay of 20 minutes between Azure AD and AD DS. If you have an on-premises environment, add 10 minutes on top of that for domain controller replication and AD Connect sync.
Step 7: After you hit OK it might take up to 30 minutes to deploy Microsoft Entra DS. Wait until the status changes to Running, then continue with step 8.
Step 8: The MEDS management console shows the following screen. You will need to change the DNS servers on the VNETs/subnets where you want the Microsoft Entra DS services to be used; the corresponding IP addresses are listed on this screen. Usually they end in x.x.x.4 and x.x.x.5, but verify this first.
Step 9: Make sure you have changed your password in Microsoft Entra ID. Now you can join machines to Microsoft Entra Domain Services.
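The portal walkthrough above (steps 1 to 8) can also be scripted. The following is an added example written for this page, not the author's own script and not Microsoft's tutorial code. It uses the Az and Microsoft.Graph PowerShell modules; every name, address range, subscription id and domain name is a placeholder, and the property names passed to the Microsoft.AAD/DomainServices resource (domainName, replicaSets, filteredSync, domainConfigurationType, sku) and the domainControllerIpAddress property read back from it are assumptions you should verify against the current ARM schema before relying on them.

```powershell
# Added example (not from the original post): steps 1-8 of the walkthrough as an
# Az PowerShell / Microsoft Graph PowerShell script. All names, the subscription id,
# address ranges and the domain name are placeholders; adjust them before running.
# Assumes the Az and Microsoft.Graph modules are installed and you are signed in with
# enough rights to create resources and directory groups.

Connect-AzAccount
Connect-MgGraph -Scopes "Directory.ReadWrite.All"

$SubscriptionId    = "<YOUR-SUBSCRIPTION-ID>"   # placeholder
$ResourceGroupName = "rg-entra-ds"               # placeholder
$Location          = "westeurope"                # placeholder
$VnetName          = "vnet-entra-ds"             # placeholder
$ManagedDomainName = "adds.example.com"          # placeholder; the post recommends a domain you own
$AdminUpn          = "admin@example.com"         # placeholder; user that becomes a managed-domain admin

# Step 1 prerequisites: the Domain Services service principal and resource provider.
# The application id below is Microsoft's well-known "Domain Controller Services" app.
New-MgServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36" -ErrorAction SilentlyContinue
Register-AzResourceProvider -ProviderNamespace Microsoft.AAD

# Step 4: the AAD DC Administrators group and its members.
$adminGroup = Get-MgGroup -Filter "displayName eq 'AAD DC Administrators'"
if (-not $adminGroup) {
    $adminGroup = New-MgGroup -DisplayName "AAD DC Administrators" `
        -Description "Delegated group to administer Microsoft Entra Domain Services" `
        -SecurityEnabled:$true -MailEnabled:$false -MailNickname "AADDCAdministrators"
}
$adminUser = Get-MgUser -UserId $AdminUpn
New-MgGroupMember -GroupId $adminGroup.Id -DirectoryObjectId $adminUser.Id

# Step 3: a dedicated subnet for the managed domain plus one for workloads.
New-AzResourceGroup -Name $ResourceGroupName -Location $Location -Force
$dsSubnet = New-AzVirtualNetworkSubnetConfig -Name "DomainServices" -AddressPrefix "10.0.0.0/24"
$wlSubnet = New-AzVirtualNetworkSubnetConfig -Name "Workloads"      -AddressPrefix "10.0.1.0/24"
$vnet = New-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Location $Location `
    -Name $VnetName -AddressPrefix "10.0.0.0/16" -Subnet $dsSubnet, $wlSubnet

# Steps 2, 5 and 6: create the managed domain. This is the point where you consent to
# storing the NTLM/Kerberos credential hashes. filteredSync = "Enabled" is assumed to
# correspond to the portal's "Scoped" sync type (the groups are then selected as in step 5).
$properties = @{
    domainName              = $ManagedDomainName
    replicaSets             = @(@{ location = $Location; subnetId = $vnet.Subnets[0].Id })
    filteredSync            = "Disabled"      # "Enabled" for scoped synchronization
    domainConfigurationType = "FullySynced"
    sku                     = "Standard"
}
$dsResourceId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
                "/providers/Microsoft.AAD/DomainServices/$ManagedDomainName"
New-AzResource -ResourceId $dsResourceId -Location $Location -Properties $properties -Force

# Step 7: wait for provisioning to finish (the post says up to 30 minutes).
do {
    Start-Sleep -Seconds 60
    $ds = Get-AzResource -ResourceId $dsResourceId -ExpandProperties
} while ($ds.Properties.provisioningState -ne "Succeeded")

# Step 8: point the VNET at the managed domain's DNS servers. Read the addresses from
# the resource rather than assuming .4 and .5 (domainControllerIpAddress is assumed to
# be the property that exposes them; compare with the portal as the post advises).
$dnsServers = $ds.Properties.domainControllerIpAddress
$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName
$vnet.DhcpOptions.DnsServers = $dnsServers
$vnet | Set-AzVirtualNetwork
```

Run it once from an administrative workstation; the create call is idempotent enough to re-run if the provisioning loop is interrupted. After it completes, step 9 still applies: each synced user needs a password change in Microsoft Entra ID before the managed domain holds a usable credential hash for them, so plan the DNS switch-over after that change rather than before.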
Password Sync limitations:
Learned the hard way, although I cannot find anything about it in the documentation: if you want to sync identities from Entra ID to Microsoft Entra Domain Services, you cannot use passwords that are longer than 16 characters.
Let me know if you run into any problems, but I believe this should get you there.