Latest posts by David O´Brien (see all)
- Join an Azure VM to Azure Active Directory Domain Services - Mon, Aug 5 2019
- Deploying Azure Active Directory Domain Services - Tue, Jul 30 2019
- How to create an Azure AD admin login alert - Fri, Apr 19 2019
If you put your hands up at the last question, there's great news—Azure has something for you: Azure Active Directory Domain Services (AADDS), not to be mistaken for Azure Active Directory (AAD).
AADDS is an almost-feature-complete Active Directory with a few limitations, mainly:
- no domain admin privileges
- unable to extend AAD schema
- single virtual network (VNet) and single region only
- no failover to other regions for disaster recovery (DR)
- unable to join VM-based domain controllers to domains
- no direct access to domain controllers
- only one AADDS per Azure tenant
The most critical limitation in my opinion is the fact that AADDS is single-region only, and you can only have one per tenant, so unless your workloads' functionality doesn't rely on Active Directory, or you do not require a test AADDS instance, you're good.
For the latter, you can obviously create a new AAD tenant and test with that. For the former, well, don't rely on Active Directory. (I know, legacy…) Microsoft has documented a few more points to consider whether AADDS is right for you here.
Assuming all the above sounds okay to you, and you should seriously consider this service because a lot of the AAD-managing overhead just disappears, then how you do deploy AADDS?
Prerequisites for Azure Active Directory Domain Services ^
First, check that you are deploying the service into a supported region. In any of the supported regions, we will need to deploy a VNet because AADDS needs a dedicated subnet.
In your Azure PowerShell, follow these steps to put the prerequisites in place. This assumes you are deploying AADDS into a new resource group and a new VNet in the australiaeast region. Make sure that if this doesn't fit your use case, you change these values.
New-AzResourceGroup -Name aadds -Location australiaeast
New-AzVirtualNetwork -Name aadds -AddressPrefix 10.0.0.0/8 ResourceGroupName aadds -Location australiaeast
$vnetConfig = Get-AzVirtualNetwork -Name aadds -ResourceGroupName aadds
$subnetConfig = Add-AzVirtualNetworkSubnetConfig -Name aadds AddressPrefix 10.0.0.0/27 -VirtualNetwork $vnetConfig
$vnetConfig | Set-AzVirtualNetwork
With this created, we can now deploy AADDS.
Create a new AADDS deployment ^
The next steps we will complete in the Azure console because there is no Azure PowerShell support for deploying or configuring AADDS. There is Azure Resource Manager (ARM) template support, but we will keep it light for this article and stick to the portal.
Browse to your resource group and click the add button.
Search for directory services, click the tile here, and select create. In the next step, you will configure the basic settings for this domain.
Make sure you configure the right DNS name for your domain. In the next step, you will select the VNet and subnet or network you already created previously.
For the next two steps, you will just accept the defaults for this tutorial. The wizard will create a new AAD group called AAD DC Administrators, and to manage the domain going forward, you will need to be a member of this group.
You can configure this now or also later on. Leave the synchronization scope at All for now. However, you will not be able to change this setting once you deploy the domain. If you want to change the scope to only certain groups and users, you will have to delete the domain and redeploy it.
Check the summary screen, and if it all looks alright, hit OK. The deployment can take up to 60 minutes. So go and have a tea or 12.