Azure AD Domain Service – Scratch to Expert
Download this PDF file and read it thoroughly. I have tried to explain everything from the beginning, and you will find step-by-step guidance for setting up Azure AD Domain Services.
THE JOURNEY :
Azure AD Domain Services is an offering from Microsoft that gives you domain-specific features such as LDAP, Kerberos, OUs and Group Policy inside Azure, without creating or managing any VM yourself. Confused? Don't be. Let me explain this story from the beginning.
I would like to start with ADDS. ADDS is a Windows Server role that lets you build a forest along with its domains. A domain is a logical security boundary created by the Domain Controller, which is the server where we have installed the ADDS role. Within a domain we get the option to apply Group Policy, which is the industry-leading way to authorize people, while Kerberos manages authorization. So to install ADDS we need a physical or virtual system, install the OS first and then the ADDS role. A forest is a collection of multiple domains.
Now, instead of creating the VM on top of Hyper-V, we can create this VM in Azure and forget about physical hardware management, but you still have to manage the VM and the availability of the application.
So you can install ADDS in an Azure VM and provision a domain environment in Azure. That is AD in Azure. Apart from that we have Azure AD, which is a PaaS offering that provides authentication and authorization for cloud apps (Office 365, Azure, etc.). But the use of Azure AD is limited and it is not a replacement for ADDS. In fact the purpose of Azure AD is completely different from ADDS: ADDS creates domains and forests to manage users and computers, whereas Azure AD provides authentication for cloud apps. Azure AD works on the basis of RBAC and OAuth, whereas ADDS works on the LDAP and Kerberos protocols.
Now let's focus on Azure AD Domain Services. Azure AD DS is itself a service in Azure, but unlike Azure AD it is not limited to cloud-based applications. In the background Azure AD DS provisions two VMs in an availability set, and those VMs are responsible for providing the domain and DNS. As of now it is limited to a single-domain, single-forest environment.
Basically the main use of Azure AD DS is lift-and-shift of LDAP-based applications to Azure.
Q. Are ADDS and Azure AD DS the same?
Ans. The working principle is almost the same, but traditional ADDS is more capable. Azure AD DS is limited to a few scenarios, of which migrating LDAP-based applications is the most important.
Q. Is Azure AD DS a replacement for ADDS?
Ans. As of now, NO.
Q. Can Azure AD DS and ADDS work together?
Ans. Yes, but only in very limited cases. They are not dependent on each other at all; both services can function independently, and there is no direct connection between the two. ADDS can send user details to Azure AD DS via Azure AD.
Q. Can I build a forest trust between these two environments?
Ans. No.
Q. Can I create a multi-domain, multi-forest scenario in Azure AD DS?
Ans. No, as of now.
Q. How can I manage the VMs responsible for Azure AD DS, or how does RDP work here?
Ans. First of all, we cannot RDP to the VMs that are responsible for Azure AD DS. The only possible way is the Remote Server Administration Tools (RSAT).
This document is step-by-step guidance for creating Azure AD Domain Services from scratch. I have divided it into multiple parts; in the first part I will talk about the prerequisites and how to set them up. If you are in a brown-field environment you can skip a few steps, but if you are working in a green-field environment then follow this document from the start.
Nutshell of this entire practical:
- We should have a public custom domain (domainname.com/in/org etc.) with access to that domain's DNS.
- We should have access to Azure AD. Add the custom domain in the Azure AD custom domains section, verify that custom domain and make it primary.
- We assume an on-prem domain environment with the same name (contoso.com).
- Open the Azure portal and search for Azure AD Domain Services.
- Provide the same domain name (contoso.com), select the appropriate VNet and select the AD DS admin group. We have to make sure that at least one global user is assigned as an owner of this group.
- It may take 3-4 hours to provision Azure AD Domain Services completely.
- Once Azure AD DS is ready we will get the DC/DNS info in the overview page.
- Then we need to provision a VM in the Azure AD DS network, or in any connected network; this VM is for managing Azure AD DS. We will install the Remote Server Administration Tools on this VM and use them to manage the AD components of Azure AD DS.
- Then we need to set up a VM as a sync server, i.e. a VM where we will install Azure AD Connect and sync the users to Azure AD.
- Then Azure AD will sync those users to Azure AD DS. Now those users can use any application that requires LDAP, etc.
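The same procedure can be scripted instead of clicked through in the portal. The following PowerShell script is an added example written for this page, not code from the original document or from Microsoft; it uses the Az and Microsoft Graph PowerShell modules, assumes the domain name contoso.com, the admin user admin@contoso.com, a resource group, region, VNet and subnet range of my choosing, and assumes that the `domainControllerIpAddress` property is exposed on the created resource (label it an assumption and confirm against the overview page). The last section runs on the management VM, not on the admin workstation. Note that membership of the AAD DC Administrators group grants administrative rights inside the managed domain, so keep it to the few accounts that actually need it.

```powershell
# --- Assumed values (change to match your environment) ---
$DomainName  = 'contoso.com'                 # public custom domain, must already be verified in Azure AD
$AdminUpn    = 'admin@contoso.com'           # global user who will administer Azure AD DS
$Rg          = 'rg-aadds'                    # assumed resource group name
$Location    = 'westeurope'                  # assumed region
$VnetName    = 'vnet-aadds'
$SubnetName  = 'snet-aadds'                  # dedicated subnet for the managed domain controllers

Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes 'Domain.ReadWrite.All', 'Group.ReadWrite.All', 'User.Read.All' | Out-Null

# --- Step 1: add, verify and make the custom domain primary ---
if (-not (Get-MgDomain -DomainId $DomainName -ErrorAction SilentlyContinue)) {
    New-MgDomain -Id $DomainName | Out-Null
}
# Azure AD gives us a TXT record; it must be published in the public DNS zone before Confirm-MgDomain succeeds.
# Property layout of the record object is an assumption; inspect it with Format-List if it differs.
$txt = Get-MgDomainVerificationDnsRecord -DomainId $DomainName |
       Where-Object RecordType -eq 'Txt'
Write-Host "Publish this TXT record at the zone apex of $DomainName, then press Enter:"
$txt | Format-List Label, RecordType, AdditionalProperties
Read-Host | Out-Null
Confirm-MgDomain -DomainId $DomainName
Update-MgDomain -DomainId $DomainName -IsDefault:$true      # "make it primary"

# --- Step 2: the admin group; members of this group administer the managed domain ---
$group = Get-MgGroup -Filter "displayName eq 'AAD DC Administrators'"
if (-not $group) {
    $group = New-MgGroup -DisplayName 'AAD DC Administrators' `
                         -Description 'Delegated group to administer Azure AD Domain Services' `
                         -MailEnabled:$false -MailNickname 'AADDCAdministrators' -SecurityEnabled
}
$admin = Get-MgUser -UserId $AdminUpn
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $admin.Id   # membership is what grants the rights
New-MgGroupOwner  -GroupId $group.Id -DirectoryObjectId $admin.Id   # the page also asks for an owner

# --- Step 3: network and the managed domain resource ---
New-AzResourceGroup -Name $Rg -Location $Location -Force | Out-Null
$subnet = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix '10.10.0.0/24'
$vnet   = New-AzVirtualNetwork -Name $VnetName -ResourceGroupName $Rg -Location $Location `
                               -AddressPrefix '10.10.0.0/16' -Subnet $subnet
$subnetId = ($vnet.Subnets | Where-Object Name -eq $SubnetName).Id

# Same domain name as on-prem; provisioning runs in the background and can take hours, as the page says.
New-AzResource -ResourceGroupName $Rg -Location $Location -ResourceName $DomainName `
               -ResourceType 'Microsoft.AAD/DomainServices' -Force `
               -Properties @{ DomainName  = $DomainName
                              ReplicaSets = @(@{ Location = $Location; SubnetId = $subnetId }) } | Out-Null

# --- Step 4 (after provisioning finishes): point the VNet's DNS at the managed DCs ---
$ds  = Get-AzResource -ResourceGroupName $Rg -ResourceType 'Microsoft.AAD/DomainServices' -Name $DomainName
$ips = $ds.Properties.domainControllerIpAddress      # assumption: the DC IPs shown on the overview page
$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $Rg
$vnet.DhcpOptions.DnsServers = @($ips)
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# --- Step 5: run on the management VM deployed into this VNet ---
# RSAT replaces RDP to the managed DCs, which the page notes is not possible.
# Install-WindowsFeature -Name RSAT-AD-Tools, RSAT-DNS-Server, GPMC
# Add-Computer -DomainName $DomainName -Credential (Get-Credential "$DomainName\admin") -Restart
# After the reboot, Get-ADDomain -Server $DomainName should return the managed domain's details.
```

Azure AD Connect (the sync server in the last two steps) stays an installer-driven setup on its own VM; once it syncs on-prem users to Azure AD, the managed domain picks them up without any extra step in this script.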