How to deploy Azure Active Directory Domain Services (AD DS)
Today we will learn how to deploy Azure AD Domain services. So let’s go to the Azure portal and let’s get you started!
Step 1: Go to Azure AD Domain Services and create a new Azure AD Domain services!
Step 2: Now we can start te setup of ADDS, fill in your preferred domain name. You can leave the default which is the same as your Azure Active Directory name ending with .onmicrosoft.com, but I would recommend a public URL like in my case adds.2azure.nl.
If you choose to enable secure LDAP access to the managed domain over the internet, expect issues creating a public DNS record or obtaining a secure LDAP certificate from a public CA for the onmicrosoft.com domain name. Microsoft owns the domain and CAs will not issue certificates vouching for this domain.
Select the Subscription, Resource group and Location and go on the next step.
Step 3: Now lets add the Domain services to your preferred network. This can be the subnet with all your Azure IaaS machines, but it might be a separated subnet or even separated VNET (note: VNET peering is required with additional cost if you choose that option). So lets select your desired VNET or create a new one. For this manual I choose to create everything new.
Step 4: There is an AAD DC Administrators group created to manage this domain. Please select the users that will be admin for this managed AD DS environment.
For this manual I’ve chosen to add my self
Step 5: It might not be required to synchronize all identities to your Azure AD Domain Services. If you just want a selection of your users to be synchronized, change the setting to Scoped, and select the groups you want to synchronize from your Azure AD Tenant. This might also be groups synchronized from your on-premise AD if you have one synced.
Step 6: Let’s review what we’ve just selected, and let’s review the infographic at the bottom. This is important! What does it say? “By enabling Azure AD Domain Services for this directory, you consent to storing credential hashes required for NTLM and Kerberos authentication in Azure AD”.
This means that these hashes are not there yet before you hit the OK button, and they will not appear there automatically after you hit OK. It is important that all synced accounts will change their password before they will be able to use it in Azure ADDS. Also note, there is a delay of 20 minutes between Azure AD and ADDS. If you have an on-premise environment, count 10 minutes on top of that for domain controller synchronisation and AD Connect sync.
Step 7: After you hit OK it might take up to 30 minutes to deploy Azure AD DS. Wait until the status changes to Running. After that resume to step 8.
Step 8: From the ADDS management console you will get the following screen. You will need to change the DNS servers on your VNET/Subnets where you would require the AD DS services to be used. In this screen you can find the corresponding IP Addresses. Usually they end with x.x.x.4 and x.x.x.5. But verify this first.
Step 9: Make sure you changed your password in Azure AD. Now you can join machines to the Azure AD Domain Services.
Let me know if you run in to any problems, but I believe this should get you there.