Information Dynamics

Category Archives: Azure AD DS

Installing AD Admin Tools to manage Azure AD DS

04 Thursday Jun 2020

Posted by GIRISH SRINIVASA in Azure AD DS

Tags

Azure AD Management Tools

In this article we will set up an Azure VM connected to the Azure AD DS managed domain and install the tools required for Azure AD DS administration.

By default, deploying Azure AD DS creates a virtual network “aadds-vnet” and a subnet “aadds-subnet”.

[Screenshot: mgmt1]

The address range of aadds-subnet is 10.1.0.0/24.

[Screenshot: mgmt2]

To provision the new Azure VM in the virtual network “aadds-vnet”, add a new address space, 10.2.0.0/24, to the virtual network.

[Screenshot: mgmt3]

Create a new subnet “aaddsmgmt-subnet” in that address space.

[Screenshot: mgmt4]

In the new subnet deploy a new Azure virtual machine named “AZ-ADDSMGMT01” and join it to the domain “idynamics.com.au”.

[Screenshot: mgmt5]

Install the AD DS and AD LDS Tools from Server Manager; with the tools installed you should be able to browse the Azure AD DS managed domain.

[Screenshot: mgmt6]
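
The join, tool install and verification above done from PowerShell on AZ-ADDSMGMT01, as an added example that is not part of the original post. It assumes the VM sits in aaddsmgmt-subnet with the VNet's DNS servers already pointing at the managed domain, and that the join account is a member of the managed domain's AAD DC Administrators group; the SRV lookup at the start is the check that tells you whether DNS is wired up before a join is attempted.

```powershell
# Added example (not from the original post). Run on AZ-ADDSMGMT01 in aaddsmgmt-subnet.
# Assumptions: the VNet's DNS servers point at the managed domain DCs, and the join
# account is a member of the managed domain's "AAD DC Administrators" group.
$DomainName = 'idynamics.com.au'

# 1. Check that the managed domain's DC SRV records resolve before attempting the join.
#    No answer here means the VNet is still using the default Azure DNS servers.
$dcSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$dcSrv | Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Port

# 2. Join the VM to the managed domain (prompts for credentials) and reboot.
if ((Get-CimInstance Win32_ComputerSystem).Domain -ne $DomainName) {
    $cred = Get-Credential -Message "Account in AAD DC Administrators ($DomainName)"
    Add-Computer -DomainName $DomainName -Credential $cred -Restart
    return   # re-run the script after the restart to continue with the tool install
}

# 3. Install the "AD DS and AD LDS Tools" group seen in Server Manager
#    (RSAT-AD-Tools contains RSAT-ADDS and RSAT-ADLDS) plus the DNS Server tools.
Install-WindowsFeature -Name RSAT-AD-Tools, RSAT-DNS-Server -IncludeAllSubFeature -IncludeManagementTools

# 4. Verify the tools can reach the managed domain and the machine's secure channel is healthy.
Import-Module ActiveDirectory
$dc = Get-ADDomainController -DomainName $DomainName -Discover -ErrorAction Stop
Test-ComputerSecureChannel -Server $dc.HostName[0] -Verbose
Get-ADDomain -Server $dc.HostName[0] | Select-Object DNSRoot, DomainMode, PDCEmulator
```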

Azure Network Peering

31 Sunday May 2020

Posted by GIRISH SRINIVASA in Azure, Azure AD DS

Tags

Azure ADDS, Azure VM, Virtual Network Peering

In the article Deploying Azure AD DS we set up an Azure AD DS managed domain; the deployment placed the managed domain in its own virtual network and subnet, as shown below:

[Screenshot: aadsDeploymentTopology]

Azure Virtual Network Peering allows seamless connectivity between different Azure virtual networks (VNets). A typical use case for virtual network peering is the following:

“There is an existing Azure VNet containing subnets and virtual machines, and a new Azure AD DS managed domain is provisioned in a separate virtual network. The virtual machines need to become members of the Azure AD DS managed domain, and this can be done through Azure Virtual Network peering.”

We will consider the following deployment example:

[Screenshot: Peering1]

The following articles detail how to set up the above lab:

  • Setting up AzureVNet
  • Creating AzureVM
  • Deploying Azure AD DS domain

Choose the default virtual network created for the Azure AD DS instance and select Peerings.

[Screenshots: Peering2, Peering3]

Select “+Add”.

[Screenshot: Peering4]

A two-way peering link needs to be created between the two virtual networks; this is highlighted in the information section under “Add peering”.

[Screenshots: Peering5, Peering6]

The status of each of the two peering links can be viewed under Notifications.

[Screenshot: Peering7]

Once both links succeed, a peering status of Connected is shown on each virtual network.

[Screenshots: Peering8, Peering9]

With the above, what we have accomplished so far is to allow the following virtual networks to communicate:

[Screenshot: Peering10]

iDynamics-VNet has no information about the managed domain's DNS servers, so this must be configured manually. The IP addresses of the Azure AD DS domain controllers can be obtained from the aadds-vnet virtual network.

[Screenshot: Peering11]

Enter the highlighted IP addresses as custom DNS servers for iDynamics-VNet.

[Screenshot: Peering12]

Connectivity to the various virtual machines within iDynamics-VNet will be controlled through a managed jump box:

[Screenshot: Peering13]

Establish an RDP connection to AZ-MGMT01.

[Screenshots: Peering14, Peering15]

Once connected to AZ-MGMT01 you should be able to ping the Azure AD DS managed domain “idynamics.com.au”. The public IP address in the screenshot below is different because the virtual machine had been in the Stopped (deallocated) state, so a new public IP address was assigned when it was started again.

[Screenshot: Peering18]
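
The same peering and DNS steps scripted with Az PowerShell, as an added example that is not the original post's code. The resource group names and the domain controller addresses (10.1.0.4 and 10.1.0.5) are placeholders; the real addresses come from aadds-vnet as described above, and Connect-AzAccount is assumed to have been run already.

```powershell
# Added example (not from the original post). Assumes Az PowerShell with Connect-AzAccount done.
# Resource group names and DC addresses are placeholders; real DC IPs come from aadds-vnet.
$AaddsRg    = 'rg-aadds'                 # placeholder: resource group of aadds-vnet
$SpokeRg    = 'rg-idynamics'             # placeholder: resource group of iDynamics-VNet
$AaddsDcIps = @('10.1.0.4', '10.1.0.5')  # placeholder: managed domain DC addresses in aadds-subnet

$aaddsVnet = Get-AzVirtualNetwork -Name 'aadds-vnet'     -ResourceGroupName $AaddsRg
$spokeVnet = Get-AzVirtualNetwork -Name 'iDynamics-VNet' -ResourceGroupName $SpokeRg

# A peering is a one-directional resource; both links must exist before the state is Connected.
Add-AzVirtualNetworkPeering -Name 'aadds-to-idynamics' -VirtualNetwork $aaddsVnet `
    -RemoteVirtualNetworkId $spokeVnet.Id | Out-Null
Add-AzVirtualNetworkPeering -Name 'idynamics-to-aadds' -VirtualNetwork $spokeVnet `
    -RemoteVirtualNetworkId $aaddsVnet.Id | Out-Null

# Poll until neither side is still Initiated (the portal shows the same under Notifications).
$attempt = 0
do {
    Start-Sleep -Seconds 5
    $states = @(
        (Get-AzVirtualNetworkPeering -ResourceGroupName $AaddsRg -VirtualNetworkName 'aadds-vnet' -Name 'aadds-to-idynamics').PeeringState,
        (Get-AzVirtualNetworkPeering -ResourceGroupName $SpokeRg -VirtualNetworkName 'iDynamics-VNet' -Name 'idynamics-to-aadds').PeeringState
    )
    $attempt++
} until (($states -notcontains 'Initiated') -or $attempt -ge 24)
if (@($states | Where-Object { $_ -ne 'Connected' }).Count -gt 0) {
    throw "Peering is not Connected on both sides: $($states -join ', ')"
}

# Point iDynamics-VNet at the managed domain's DCs; otherwise its VMs cannot resolve idynamics.com.au.
$spokeVnet = Get-AzVirtualNetwork -Name 'iDynamics-VNet' -ResourceGroupName $SpokeRg   # re-read after peering
if (-not $spokeVnet.DhcpOptions) {
    $spokeVnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$spokeVnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$AaddsDcIps
$spokeVnet | Set-AzVirtualNetwork | Out-Null

# VMs already running in iDynamics-VNet keep their old DHCP lease; restart them (or run
# "ipconfig /renew" on each) before expecting the jump box AZ-MGMT01 to ping idynamics.com.au.
(Get-AzVirtualNetwork -Name 'iDynamics-VNet' -ResourceGroupName $SpokeRg).DhcpOptions.DnsServers
```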

Deploying Azure AD DS

29 Friday May 2020

Posted by GIRISH SRINIVASA in Azure, Azure AD, Azure AD DS

Tags

Azure AD DS, Deploying Azure AD DS

In the article Comparing Windows AD DS, Azure AD and Azure AD DS we looked at the differences between the on-premises and cloud Active Directory offerings. This article walks through the deployment of Azure AD DS.

  • Log on to the Azure Portal and select “Azure AD Domain Services”

[Screenshot: AzureADDS1]

  • Choose “Create Azure AD Domain Services”

[Screenshot: AzureADDS3]

  • Choose an existing resource group, or create a new one if required.
  • Enter a DNS domain name, keeping in mind the following conditions:
    • If the directory's default built-in domain name with the suffix “.onmicrosoft.com” is used, a digital certificate cannot be created to secure connections to this default domain.
    • Non-routable domain suffixes such as “*.local” are not to be used.
    • The domain prefix cannot be longer than 15 characters.
    • The DNS domain name of the managed domain should not already exist in the virtual network, or in the on-premises network if the managed domain has a VPN connection to the on-premises network.
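
A small PowerShell checker for the naming conditions above, added here as an example and not part of the original post. Test-AaddsDomainName is a hypothetical helper; the lookup for the last condition assumes it runs on a machine that uses the target virtual network's DNS servers, and it reports any name that resolves (including a public domain the organization owns), so read its result as a prompt to check what answers rather than an automatic failure.

```powershell
# Added example (not from the original post): a hypothetical helper that checks a proposed
# managed-domain DNS name against the naming conditions listed above.
# Assumption: for the last check, the machine running this uses the target VNet's DNS servers.
function Test-AaddsDomainName {
    param([Parameter(Mandatory)][string]$DomainName)

    $problems = @()
    $labels   = $DomainName.ToLowerInvariant().TrimEnd('.').Split('.')
    $prefix   = $labels[0]

    # Basic DNS syntax: at least two labels, alphanumeric with hyphens only inside a label.
    if ($labels.Count -lt 2 -or ($labels | Where-Object { $_ -notmatch '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$' })) {
        $problems += 'Not a valid DNS name'
    }
    # Condition 1: the directory's default *.onmicrosoft.com name cannot get a certificate,
    #              so connections to the managed domain cannot be secured with it.
    if ($DomainName -like '*.onmicrosoft.com') {
        $problems += 'Default .onmicrosoft.com suffix: no certificate can be issued for this name'
    }
    # Condition 2: non-routable suffixes such as .local are not allowed (extend the list if needed).
    if ($labels[-1] -in @('local')) {
        $problems += "Non-routable suffix '.$($labels[-1])' is not allowed"
    }
    # Condition 3: the prefix is limited to 15 characters (the NetBIOS name length).
    if ($prefix.Length -gt 15) {
        $problems += "Prefix '$prefix' is $($prefix.Length) characters; the maximum is 15"
    }
    # Condition 4: the name must not already resolve on the network the managed domain joins.
    #              Approximation: anything that resolves is reported, so check what answered.
    $existing = Resolve-DnsName -Name $DomainName -DnsOnly -ErrorAction SilentlyContinue
    if ($existing) {
        $problems += "Name already exists in DNS ($(($existing.Type | Select-Object -Unique) -join ', ') records)"
    }

    [pscustomobject]@{ DomainName = $DomainName; IsValid = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed inputs: one name that breaks each of the listed conditions.
'contoso.onmicrosoft.com', 'aaddslab.local', 'averyverylongprefixname.com' |
    ForEach-Object { Test-AaddsDomainName -DomainName $_ } |
    Format-List
```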

[Screenshot: AzureADDS4]

The default forest type is “User”. This type of forest synchronizes all objects from Azure AD, including user accounts created in an on-premises AD DS environment. A Resource forest synchronizes only the users and groups created directly in Azure AD.

  • The next step of the wizard automatically creates a VNet and an associated subnet

[Screenshots: AzureADDS5, AzureADDS6, AzureADDS7]

The highlighted text about synchronization is important. In the context of moving user accounts from on-premises AD DS to Azure AD DS, the synchronization path was shown here (the cloud-only and hybrid models in the comparison article).

[Screenshots: AzureADDS8, AzureADDS9]

  • Once deployment is complete the topology can be viewed by going to aadds-vnet > Diagram

[Screenshot: AzureADDS10]

The following topology diagram is generated; the highlighted sections indicate the virtual network, subnet and network security group (NSG).

[Screenshot: AzureADDS11]

  • The Overview tab of the provisioned managed domain indicates a required configuration step to update the DNS settings

[Screenshot: AzureADDS12]

Prior to this configuration the DNS servers setting for aadds-vnet is:

[Screenshot: AzureADDS13]

After the configuration:

[Screenshots: AzureADDS14, AzureADDS15]

The above steps complete the deployment of Azure AD DS. In the next article we will join the Azure VMs created earlier to this managed domain and, in the process, learn about Azure virtual network peering.

Comparing Windows AD DS, Azure AD and Azure AD DS

29 Friday May 2020

Posted by GIRISH SRINIVASA in Azure, Azure AD, Azure AD DS, Uncategorized

Tags

Azure AD, Azure AD DS

Windows AD DS:

Provides authentication and authorization for on-premises applications and resources. Access to resources can be streamlined through Group Policy; some examples of implementing GPOs for user rights assignment are detailed in the article here.

Authentication Protocol: Kerberos and NTLM

AD Database access: Through LDAP query

Creation of Domain Trusts: Allowed

On-premises Windows Server AD offers five core services:

  • Active Directory Domain Services (ADDS)
  • Active Directory Certificate Services (ADCS)
  • Active Directory Rights Management Services (ADRMS)
  • Active Directory Lightweight Directory Services (ADLDS)
  • Active Directory Federation Services (ADFS)

Windows AD DS provides a hierarchical data store for the various objects in the network: users, computers, groups, printers, etc. The objects are placed within Organizational Units (OUs). For example, the following screenshot demonstrates one way of organizing an on-premises AD DS:

[Screenshot: capture1]
Azure Active Directory (Azure AD):

While it allows users and groups to be created, Azure AD provides a flat structure without Organizational Units (OUs) or Group Policy Objects (GPOs).

  • Azure AD does have a domain name
  • Provides no trusts between domains
  • Supports web-based authentication: OAuth 2.0, SAML 2.0 and OpenID Connect
  • Uses HTTP/HTTPS to provide identity services
  • Querying Azure AD is done through a REST API endpoint, the AD Graph API

Azure Active Directory Domain Services (Azure AD DS):

A cloud-based PaaS offering that provides managed domain services, Group Policy and Kerberos/NTLM authentication compatible with on-premises Windows AD DS. The following are additional characteristics of Azure AD DS:

  • Integration with Azure AD
  • Cannot extend the schema
  • No Domain / Forest trust
  • Read-Only LDAP

The following screenshots show how identity information is synchronized in the cloud-only and hybrid models.

Cloud-Only:

[Screenshot: capture2]

Hybrid Model:

[Screenshot: capture3]
