Join VMs to Azure Active Directory Domain Services

Need some group policy control? Join your VMs to the Azure Active Directory Domain Services

by | Jun 29, 2018 | General

Introduction

When working with VMs, you normally use Active Directory to store your identities, so that you can manage all of them centrally. In the past you had your Windows Active Directory Domain Services and (most likely) synced that up to Azure Active Directory, making all your on-premises identities available in Azure AD.

A couple of years ago, Microsoft introduced Azure Active Directory Domain Services (AADDS). This is a “kind of” lightweight domain controller that is synced with your Azure AD. Compared to Windows ADDS, AADDS has a limited feature set.

Domain Controller as a Service

Basically, Azure ADDS is a “domain controller as a service.” This means that you do not have to take care of the domain infrastructure (schema, trusts, sites and services, etc.). It brings you the following features:

  • DNS Service
  • A managed active directory where you can:
    • Apply GPOs to VMs
    • Use the same identities on your VMs that you use in the Azure AD
    • NTLM and Kerberos authentication
    • Use LDAP(S)

Advice

For a lot of applications, having this feature set is sufficient. For more advanced applications (that require schema extensions) or configurations that require a trust to another domain, the Azure ADDS solution is not sufficient at this moment.

Setting up AADDS

Setting up Azure ADDS is quite easy. Just look in the marketplace for Azure Domain Service and follow the wizard.

Virtual Network (VNET)
Azure ADDS is deployed within a VNET. As a step of the deployment wizard, you have to select your network (or create a new one). A dedicated subnet for Azure ADDS is required: only ADDS is allowed to use this subnet, and you cannot add any other resources to it. Once the deployment is completed, navigate to the Azure ADDS resource and look up its DNS servers. VMs that you want to join to Azure ADDS need to use these DNS servers.

Domain Administrator
Azure ADDS does not allow you to have Domain Administrator or Enterprise Administrator permissions. Microsoft takes care of the domain infrastructure, so you don’t need these permissions. The deployment of Azure ADDS creates a group in the Azure AD called “AAD DC Administrators”. Users that are part of this group have the maximum permissions available in Azure ADDS.
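The two prerequisites above (the VM must use the managed domain's DNS servers, and the join account must be in “AAD DC Administrators”) can be checked before the actual join. The following Windows PowerShell 5.1 script is an added example, not code from the original post; the domain name contoso.com, the DNS addresses 10.0.1.4/10.0.1.5 and the optional target OU are placeholders you replace with the values from your own Azure ADDS resource.

```powershell
# Added example (not from the original post). Assumptions: managed domain contoso.com,
# AADDS DNS servers 10.0.1.4 and 10.0.1.5 (placeholders, read them from the Azure ADDS
# resource blade), join account is a member of "AAD DC Administrators".
# Run on the VM in an elevated Windows PowerShell 5.1 session (Add-Computer is not in PowerShell 7).
param(
    [string]$DomainName = 'contoso.com',
    [string[]]$AaddsDns = @('10.0.1.4', '10.0.1.5'),
    [string]$TargetOU   = ''   # empty = default "AADDC Computers" OU; or e.g. 'OU=Workloads,DC=contoso,DC=com'
)

# 1. The VM has to resolve names through the AADDS DNS servers (a VNET setting),
#    otherwise the domain cannot be located. Compare the active resolvers with the expected list.
$activeDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses } |
             Select-Object -ExpandProperty ServerAddresses | Sort-Object -Unique
$missing = $AaddsDns | Where-Object { $_ -notin $activeDns }
if ($missing) {
    throw "VM is not using the AADDS DNS servers ($($missing -join ', ')). Fix the VNET DNS settings first."
}

# 2. Locate the domain controllers through the _ldap._tcp.dc._msdcs SRV record.
#    Resolve-DnsName also returns the A records from the additional section, so keep SRV only.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
if (-not $dcs) { throw "No domain controller SRV records found for $DomainName." }

# 3. Check the ports the join and later logons depend on: Kerberos (88), LDAP (389), SMB (445).
#    Port 636 (LDAPS) only answers once secure LDAP has been enabled on the managed domain.
foreach ($dc in $dcs) {
    foreach ($port in 88, 389, 445, 636) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ("{0,-40} port {1,-4} {2}" -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' }))
    }
}

# 4. Join the domain. Credentials are prompted for interactively, never stored in the script.
$cred = Get-Credential -Message "Account in 'AAD DC Administrators' (user@$DomainName)"
$joinArgs = @{ DomainName = $DomainName; Credential = $cred; Restart = $true }
if ($TargetOU) { $joinArgs.OUPath = $TargetOU }   # otherwise the computer lands in "AADDC Computers"
Add-Computer @joinArgs
```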

Manage your domain and DNS

Managing your domain works just as with Windows Active Directory Domain Services, and you can use the same tools. When you open “Active Directory Users and Computers” you will see a default domain setup with three additional OUs:

  • AADDC Computers – After you join a computer to the Azure ADDS domain, it ends up in this OU. You can move computer objects to other (newly) created OUs.
  • AADDC Users – In this OU you find all the user objects synchronized from Azure Active Directory. You cannot move synchronized users.
  • AADDCDomainAdmin – In this OU you find the Azure AD group that holds the Azure ADDS domain admins. You cannot move this group.

Group Policy Management
Just as for a regular Windows ADDS domain, you can apply GPOs to an Azure ADDS domain. With the regular tools (the GPO editor in Windows) you can manage your domain policies. Almost all default Windows policies are already loaded; if a policy is missing, you can import third-party .ADM files.

DNS Management
The DNS servers that come with the Azure ADDS domain are manageable. Just as with the other ADDS components, you manage them with the tooling you are used to. When you open the DNS Manager and connect to one of the domain controller computers (you can find the name in “Active Directory Users and Computers”), you will find the DNS zones hosted on the domain controllers. You can add additional zones and records.

Conclusion

Azure ADDS is a really powerful tool. Almost everything you can do with a regular Windows ADDS domain can be done with Azure ADDS. If trusts are not required and you don’t need to extend your schema, Azure ADDS might be a good solution for you. Currently Azure ADDS can only be deployed in one region at a time, which might be an issue from a disaster recovery perspective. Keep in mind that the SLA of Azure ADDS is 99.9%; this is a higher SLA than most datacenter operators can deliver from their on-premises facilities.