
#Azure AD : All about Azure Active Directory


IT has moved from the datacenter era to the cloud era. The focus of organizations has shifted from one specific set of vendors to the open world of technology. Since the datacenter came into being, identity has played a vital role and has always been treated as the backbone of IT. Now, in the new era of multi-cloud environments, identity plays a central role; this is a new beginning for identity, which has been extended from an IT backbone to a user-experience-oriented service.

Microsoft played a key role in the datacenter era with Windows Server Active Directory and is now again playing a crucial role in the multi-cloud environment by offering Azure Active Directory. Microsoft Azure Active Directory is not only a directory service but a complete cloud service that can fulfill all your identity and authorization needs. However, you may find a couple of identity-related things that can't be fulfilled by native AAD features yet, but the service is continuously evolving.

In this era, organizations don't need an SME for everything, but they do need a design SME who has a broad understanding of the complete end-to-end solution stack, from infrastructure technologies to application technologies.

I have written a series of blog posts on Microsoft Azure AD, and these posts mainly focus on how to do it; you can say they are step-by-step guides backed by real-time scenarios.

  • Microsoft Azure Active Directory
  • Azure AD Connect
  • SSO to SaaS
  • Application Proxy
  • Multi-factor Authentication
  • Self-service Password Management
  • Self-service group management
  • Access Panel/My Apps
  • Dynamic groups membership
  • Pricing, Licensing and Support
  • Conditional Access
  • Custom domain names
  • Company branding
  • Cloud App Discovery
  • Group-based licensing
  • Identity Protection Part I
  • Identity Protection Part II
  • Identity Protection Part III
  • Privileged Identity Management Part I
  • Privileged Identity Management Part II
  • Privileged Identity Management Part III
  • Azure Active Directory Domain Services Part I
  • Azure Active Directory Domain Services Part II
  • Azure Active Directory Domain Services Part III
  • Azure Active Directory Domain Services Part IV
  • Device Management – Azure AD Registering
  • Device Management – Azure AD Join
  • B2B Collaboration
  • B2B Licensing
  • B2C
  • Error – SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration.

The above series of blog posts covers most areas of Azure Active Directory. You can bookmark this blog post for any Azure AD need; I'll try my level best to add new Azure AD related posts to this series.


#AzureAD : Azure Active Directory Domain Services Part IV


Part I, Part II and Part III of this post covered Azure AD Domain Services fundamentals, deployment, pricing and configuration. This post covers how to use Azure AD DS: joining machines to the domain and managing AD/DNS. Make sure your Azure AD DS VNet is connected with the rest of the Azure VNets that are going to use this domain service. One more important consideration before moving further: use the Azure AD DS DNS servers for all VNets that are going to connect to this domain service.

Let me show you how to join Azure VMs to the Azure AD DS domain. Log in to the Azure VM and check the DNS configuration to make sure that the right DNS addresses have been assigned to the VM.

Open Server Manager to join this machine to the domain. (Note: I hope you followed Part III of this post and reset your passwords for synchronization; otherwise you may face a credentials-related error.)

Credentials must be entered in one of two formats: either domainname\username (insidemstech\aadadmin) or username@domainname (aadadmin@insidemstechaad.onmicrosoft.com).

Once joined, restart your machine.

Install RSAT (Remote Server Administration Tools) to manage the domain and DNS of your Azure AD Domain Services.

Once rebooted, log in as a member of the "AAD DC Administrators" group and manage your AD and DNS using the native tools.
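The join steps above as a script, added here as an example and not code from the original post: it checks the VM's DNS servers and the domain's SRV records before joining, and on a second run with -AfterReboot installs RSAT and lists the managed domain's delegated administrators. The domain name, DNS IPs and admin account are assumed placeholder values for your own deployment.

```powershell
# Added example (not from the original post): the Part IV domain-join steps as a script
# run in an elevated PowerShell session on the Azure VM. Run it once to join, and again
# with -AfterReboot once the VM is back up. The domain name, DNS IPs and admin account
# below are placeholders for your own deployment.
param([switch] $AfterReboot)

$DomainName   = 'insidemstech.local'        # managed domain created in Part II
$ExpectedDns  = @('10.0.0.4', '10.0.0.5')   # IPs listed on the Azure AD Domain Services blade
$AdminAccount = 'insidemstech\aadadmin'     # member of "AAD DC Administrators"

if (-not $AfterReboot) {
    # 1. The VM must be using the Azure AD DS DNS servers set on the VNet in Part III;
    #    with the default Azure DNS the managed domain cannot be resolved at all.
    $actualDns = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Sort-Object -Unique
    $missing   = $ExpectedDns | Where-Object { $_ -notin $actualDns }
    if ($missing) {
        throw "VM is not using the Azure AD DS DNS servers; missing: $($missing -join ', ')"
    }

    # 2. Check the SRV records a domain join depends on; a failure here points at VNet
    #    peering or DNS rather than at credentials.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
    $srv | Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { Write-Host "Domain controller advertised: $($_.NameTarget)" }

    # 3. Join with domain\user or user@domain credentials. The account's password must
    #    have been reset after enabling Azure AD DS (Part III) so its hash was synced;
    #    otherwise the join fails with a credentials error.
    $cred = Get-Credential -UserName $AdminAccount -Message 'Azure AD DS credentials'
    Add-Computer -DomainName $DomainName -Credential $cred -Force -Restart
}
else {
    # 4. Back on the domain-joined VM as an "AAD DC Administrators" member: install RSAT
    #    for AD and DNS, then confirm the managed domain and its delegated admins. There
    #    is no Domain Admin/Enterprise Admin in a managed domain, so this group is the
    #    set of accounts to review.
    Install-WindowsFeature -Name RSAT-AD-Tools, RSAT-DNS-Server | Out-Null
    Import-Module ActiveDirectory, DnsServer
    Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
    Get-ADGroupMember -Identity 'AAD DC Administrators' | Select-Object SamAccountName, objectClass
    Get-DnsServerZone -ComputerName (Get-ADDomain).PDCEmulator | Select-Object ZoneName, ZoneType
}
```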

I hope you enjoyed this series on Azure AD Domain Services. Please feel free to share your experience through comments.

#AzureAD : Azure Active Directory Domain Services Part III


Part I and Part II of this post covered the fundamentals, deployment and pricing of Azure AD DS. Once the deployment completes, you can verify and finish the basic configuration.

To verify and complete the initial configuration, log in to the Azure Portal.

Go to the resource group where you deployed your domain services.

To verify the deployment configuration, click on Deployments.

Within the Deployments panel, you can see Domain Services and both domain controllers.

Double-click on any deployment name and review its configuration.

Select and open Azure AD Domain Services.

Click on "View health" to check the health of Azure AD Domain Services.

From the health panel, you can see details like the last backup, the last synchronization with Azure AD and alerts.

Now, complete the Azure AD DS DNS configuration for the Azure VNets. Click on "Configure DNS servers".

In the DNS servers panel, select Custom under DNS servers, enter the DNS server IP addresses listed in Azure AD Domain Services and save the configuration.

Once the DNS configuration completes, you need to enable Azure AD DS password synchronization. For cloud-only Azure AD tenants, ask the users who want to use Azure AD DS to reset their passwords, then wait at least 30 minutes to an hour for synchronization to take place (recommendation: do it for all users). For synced Azure AD tenants, you need to run a script in your forests for synchronization to take place. Follow this article for more details.

To view the deployment activity log, click on "Activity log" or "Related events" for a specific deployment name under Deployments.

To view the activity log of Azure AD Domain Services, select "Activity log" under Azure AD Domain Services.

Now it is time to provide administrative access to the Azure AD DS administrators in your organization. Go to the Azure Active Directory portal.

Look for “AAD DC Administrators” group under all groups.

Add the members to whom you would like to give administrative access to Azure AD Domain Services.

You can also use just-in-time access to provide administrative access to Azure AD Domain Services.
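The VNet DNS and "AAD DC Administrators" steps above, done with the Az and AzureAD PowerShell modules; this is an added example, not code from the original post, and the resource group, VNet name, DNS IPs and admin UPN are assumed placeholder values.

```powershell
# Added example (not from the original post): the Part III "Configure DNS servers" and
# "AAD DC Administrators" steps scripted with the Az and AzureAD modules. Assumed
# placeholder values: resource group, VNet name, the two DNS IPs shown on the Azure AD
# Domain Services blade, and the admin user's UPN.
param(
    [string]   $ResourceGroup = 'rg-aadds',
    [string]   $VNetName      = 'vnet-aadds',
    [string[]] $AaddsDns      = @('10.0.0.4', '10.0.0.5'),
    [string]   $AdminUpn      = 'aadadmin@insidemstechaad.onmicrosoft.com'
)

# 1. Point the VNet at the managed domain's DNS servers (the "Custom" option in the
#    portal). Until this is done, VMs on the VNet use Azure DNS and cannot resolve the
#    managed domain, so domain joins, Kerberos and LDAP all fail.
$vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
$vnet.DhcpOptions.DnsServers = $AaddsDns
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
"VNet '$VNetName' DNS servers now: $($vnet.DhcpOptions.DnsServers -join ', ')"

# 2. Delegate management of the managed domain by adding the admin to the
#    "AAD DC Administrators" group. There is no Domain Admin in a managed domain, so
#    this group's membership is the privileged set to keep small and to review.
Connect-AzureAD | Out-Null
$group = Get-AzureADGroup -Filter "DisplayName eq 'AAD DC Administrators'"
$user  = Get-AzureADUser -ObjectId $AdminUpn           # accepts a UPN or object id
$isMember = Get-AzureADGroupMember -ObjectId $group.ObjectId |
            Where-Object { $_.ObjectId -eq $user.ObjectId }
if (-not $isMember) {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
}

# 3. Print the current delegated administrators so the change can be reviewed.
Get-AzureADGroupMember -ObjectId $group.ObjectId | Select-Object DisplayName, UserPrincipalName
```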

#AzureAD : Azure Active Directory Domain Services Part II


Azure Active Directory Domain Services Part I covered the fundamentals of Azure AD Domain Services. This post covers how to enable and configure Azure AD DS, and its pricing/licensing.

To configure it, log in to the Azure portal.

Click on "Create a resource" and search for Azure AD Domain Services.

From the Azure AD Domain Services page, click on Create.

Define the basic settings. Keep your DNS domain name within 15 characters and avoid non-routable domains such as insidemstech.local; instead use a name such as insidemstech1.com.

(Note: I am trying to use insidemstech.local to do some research, but you should avoid non-routable domains.)

Set the virtual network. (Best practice: create a new dedicated subnet for Azure AD DS.)

Select "Create new" to define a subnet.

Define your virtual network and click on create.

Once configured, click OK.

Here, select the administrators who will manage the domain services. You can manage the group membership later as well.

Review the configuration on the Summary tab and click OK to start the deployment process.

The deployment process takes approximately 20-30 minutes per domain controller. Once it completes successfully, you will see the resources inside the resource group.
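An added example (not code from the original post) covering the two points of the wizard that are easy to get wrong: the DNS domain name rules and the dedicated subnet. It uses the Az PowerShell module; the domain name, resource group, location and address ranges are assumed placeholders, and the Azure AD Domain Services resource itself is still created in the portal as described above.

```powershell
# Added example (not from the original post): pre-deployment checks and the dedicated
# network for the Part II wizard, using the Az module. Placeholder values: domain name,
# resource group (assumed to exist), location and address ranges.
param(
    [string] $DomainName    = 'insidemstech1.com',
    [string] $ResourceGroup = 'rg-aadds',
    [string] $Location      = 'westeurope',
    [string] $VNetPrefix    = '10.0.0.0/16',
    [string] $SubnetPrefix  = '10.0.0.0/24'
)

# 1. Apply the naming rules from the post: the domain prefix must fit in 15 characters,
#    and non-routable suffixes such as .local should be avoided.
$prefix = $DomainName.Split('.')[0]
if ($prefix.Length -gt 15) {
    throw "Domain prefix '$prefix' is $($prefix.Length) characters; the limit is 15."
}
if ($DomainName -match '\.local$') {
    Write-Warning "'$DomainName' is a non-routable name; prefer a routable name you own."
}

# 2. Create a VNet with a dedicated subnet for the managed domain (the best practice in
#    the post). Workloads that need the domain go in their own subnets or peered VNets
#    rather than sharing this one.
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'aadds-subnet' -AddressPrefix $SubnetPrefix
$vnet   = New-AzVirtualNetwork -Name 'vnet-aadds' -ResourceGroupName $ResourceGroup `
              -Location $Location -AddressPrefix $VNetPrefix -Subnet $subnet
"Created $($vnet.Name) with dedicated subnet $($vnet.Subnets[0].Name) ($SubnetPrefix)"

# 3. Once the portal wizard has finished (20-30 minutes per domain controller), confirm
#    the managed domain's resources landed in the resource group.
Get-AzResource -ResourceGroupName $ResourceGroup | Select-Object Name, ResourceType
```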

Now, let's look at the pricing of Azure AD DS. Microsoft has made it very simple: it is based on the number of users, and there is no up-front cost for this service.

Tier (number of directory objects)    Price/hour    Price/month
< 25,000                              ~0.15         ~109.50
25,001 – 100,000                      ~0.40         ~292.00
100,000 – 500,000                     ~1.60         ~1,168.00
> 500,000                             Contact Microsoft (wapteams@microsoft.com)

Azure AD DS counts all objects that are part of this domain, including users, groups and domain-joined computers.

Like most of its services, Microsoft offers a 99.9% SLA for user authentication to the managed domain, DNS lookups for records and LDAP bind to the root DSE.

#AzureAD : Azure Active Directory Domain Services Part I


Microsoft Azure cloud services are growing rapidly. Many organizations are using hybrid models and planning to move applications to the cloud as much as possible. One of the biggest hurdles in moving existing applications is identity and security. Most existing applications are controlled and managed by Windows Server Active Directory, DNS and Group Policy. Broadly, applications fall under two umbrellas, i.e. enterprise applications and line-of-business applications. Most of these enterprise and line-of-business applications rely on domain-joined machines controlled by Group Policy and on AD for their identity needs. Nowadays most enterprise applications are available in a SaaS model and can use cloud identity for authentication and authorization, while line-of-business applications can't be rewritten overnight to support newer technologies such as SAML, OpenID, OAuth, etc., for multiple reasons. Therefore, access to a domain controller from Microsoft Azure IaaS becomes the last option. Organizations achieve this goal in three ways:

  • By connecting the Azure network with on-premises AD Domain Services.
  • By setting up a replica of the existing AD domain/forest on Microsoft Azure IaaS using virtual machines.
  • By deploying a new AD domain/forest on Microsoft Azure IaaS with a trust between the existing on-premises domain/forest and the newly deployed one.

To address these issues, Microsoft has taken a leap in its directory services offerings. Microsoft Azure AD DS is a managed Active Directory domain service provided by Microsoft Azure. It is an extension of on-premises Active Directory, available in the cloud and managed by Microsoft. Azure AD DS doesn't require any additional setup to sync with on-premises directory services.

It simply leverages your Azure Active Directory to connect with on-premises Active Directory. Once you enable this service and link it with your Azure VNet, your workloads/apps can connect to this domain service. As it behaves like your traditional domain controllers, but is deployed and managed by Microsoft, you can use all the traditional authentication methods such as Windows Integrated Authentication, NTLM, Kerberos, etc. You can manage these domain services with traditional AD management tools such as Active Directory Administrative Center, but you don't have to worry about patching, management, replication, availability, backup, etc. As it is just a service, you will not be given Domain Administrator or Enterprise Administrator privileges on this domain.

This service can be deployed and used in two ways.

  • For hybrid organizations: In this scenario, Azure AD syncs with on-premises directory services, and Azure AD DS uses the synced user identities, their passwords and group memberships. Password sync is mandatory for hybrid organizations to use Azure AD DS; it is needed to authenticate users via the NTLM and Kerberos authentication methods.

Courtesy: Microsoft

  • For cloud-only organizations: In this scenario, the organization doesn't have any on-premises directory. Azure AD DS uses the cloud-native Azure AD tenant for all user identities, their passwords and group memberships.

Courtesy: Microsoft

With the help of this service, on-premises applications can be lifted and shifted to the cloud easily. Azure AD DS deploys two domain controllers per tenant to keep the service highly available. It also provides automatic health detection and remediation. Azure AD DS offers LDAP bind, LDAP read and secure LDAP (including over the internet). It maintains the synced on-premises SIDHistory in your managed domain. As with your on-premises domain services, you can also manage your DNS and Group Policies in the traditional way.