[Azure Active Directory] Domain Services

Posted by Florent Appointaire on June 12, 2017

In October 2016, Microsoft released Azure Active Directory Domain Services to general availability (GA):

This new service lets you have a domain controller in Azure that is managed by Microsoft. You can join computers to this domain.

The price of this service depends on the number of directory objects. You can find more information here:

Of course, this service has some limitations, but you can do the following:

  • Join computers to the domain
  • Configure GPO
  • Manage DNS
  • Create OU
  • Give rights to computers

Be careful: installing components like SCCM, Exchange, etc. will not be possible, because you can't extend the schema.

We will see how to activate this functionality. Be careful: at the time of writing, it's only available in ASM (the old portal). We will also see how to use it with VMs that have been deployed on ARM.


Screenshots of the VNet peering setup: Microsoft Azure - Networks - Virtual Networks; Add peering - AZSpon-VNet; AZSpon-VNet - Peerings - Connected

  • An Azure AD
  • By default, you're not an administrator of the domain. You must create a group named AAD DC Administrators, which gives its members admin access to join computers to the domain, etc. Add the users that must be admins to this group:

Add Group - AAD DC Administrators

Microsoft Azure - aad dc administrators - Members

Service activation

Go to your Azure AD, open the Configure tab and search for domain services. Activate it and choose a DNS name (verified or not), then choose a Classic VNet to which the servers will be connected:

Microsoft Azure Configuration

The deployment starts and can take up to 30 minutes:


When the deployment is finished, you will see the first IP address of your Active Directory server. The second one will appear later (for high availability):

domain services - IP address

Modify your virtual networks so that the IP address of your AD is used as the DNS server:

AZSpon-VNet - DNS servers

Deploy a VM on this network.

As you can see, a message explains that at this moment our users can't connect to the domain, because we need to activate password synchronization. Here you have 2 choices:

  • Cloud Only: if you manage your users from the Cloud
  • Synced: if you use Azure AD Connect to manage your users

I'm using Cloud Only, so I'll explain that one. You must make sure that your users can reset their password themselves. This is in the Azure AD configuration, under Users enabled for password reset:

user password reset policy

This step must be done before users try to connect to a computer.

Go to your profile and update your password:

Microsoft - Profile - Change password

This updates your password in Azure AD DS: the password change is what generates the Kerberos and NTLM password hashes that Azure AD DS needs to authenticate the user. 20 minutes later, you can use this user to join a computer to the domain.

Join the domain

Now that my VM is running on Azure, I'll join it to my domain.

This is a classic step, which is why I won't describe it:

System Properties - Computer Name/Domain Changes - Windows Security

System Properties - Computer Name/Domain Changes

Computer Management - Administrators - General

Now that my server is joined to the domain, I'll install RSAT to administer my domain by creating OUs, GPOs, etc.

Add Roles and Features Wizard - Confirm installation selection
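The post does the DNS change, the domain join and the RSAT install through the portal and the GUI. The following PowerShell is an added example, not code from the original post, that performs the same steps from the VM and first checks the points the post relies on (the VM must resolve the domain through the Azure AD DS IP addresses, and the join account must be a member of AAD DC Administrators). The domain name, the two IP addresses and the account name are placeholders to replace with your own values.

```powershell
# Added example: run in an elevated PowerShell session on the ARM VM.
# Placeholders (replace with your own values):
$DomainName  = 'aadds.example.com'              # the DNS name chosen when activating the service
$AaddsDns    = @('10.0.0.4', '10.0.0.5')        # the IP addresses shown under "domain services - IP address"
$JoinAccount = 'aadds.example.com\admin.user'   # a member of the "AAD DC Administrators" group

# 1. The VM must receive the Azure AD DS addresses as DNS servers (set on the VNet, as in the post).
#    Setting them on the NIC itself would be overwritten by Azure DHCP, so only check here.
$nic     = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
$current = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
if (-not ($AaddsDns | Where-Object { $current -contains $_ })) {
    throw "DNS servers are '$($current -join ', ')'. Set the VNet DNS servers to $($AaddsDns -join ', ') and renew the lease."
}

# 2. The domain controller locator record must resolve, and Kerberos (88) and LDAP (389) must be reachable
#    through the peering between the ARM VNet and the classic VNet used by Azure AD DS.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
if (-not $dcs) { throw "No SRV record for $DomainName; the VM is not resolving through Azure AD DS." }
foreach ($dc in $dcs) {
    foreach ($port in 88, 389) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        if (-not $ok) { throw "Cannot reach $dc on TCP $port; check the VNet peering." }
    }
}

# 3. Join the VM into the built-in "AADDC Computers" OU with an AAD DC Administrators member.
#    The account's password must have been changed after the service was enabled (see the post).
$cred   = Get-Credential -UserName $JoinAccount -Message 'Password of the AAD DC Administrators member'
$ouPath = 'OU=AADDC Computers,' + (($DomainName.Split('.') | ForEach-Object { "DC=$_" }) -join ',')
Add-Computer -DomainName $DomainName -Credential $cred -OUPath $ouPath -Force

# 4. Install the management consoles used in the post (AD Users and Computers, GPMC, DNS) and reboot.
Install-WindowsFeature -Name RSAT-AD-Tools, GPMC, RSAT-DNS-Server
Restart-Computer -Force
```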

With consoles launched:

Console - AADDC Computers GPO

This new functionality is very interesting for a small company that doesn't want to manage its own Active Directory but still needs one. The only small negative point for me: you must change your password before logging in to a computer with your domain account.


One Response to “[Azure Active Directory] Domain Services”

  1. […] list and your script, running regularly on schedule, detects new entry there, creates user in AAD based on template, provisions Exchange Online mailbox, adds this user to relevant groups and […]
