In this video, I'm deploying Azure Active Directory Domain Services. Hello everyone, this is Ciraltos and I'm Travis. In this video I'm going to walk through setting up Azure AD Domain Services. There's a lot of confusion about Microsoft's different Active Directory services, so if you're not sure what the difference is between Windows AD, Azure AD, or Azure AD Domain Services, take a look at my video for details; I'll post the link above. Before we get started, please take a second to subscribe, and don't be afraid to click that like button if you enjoy these videos. It costs nothing and it really helps this channel a lot. Let's get into it.

At a high level, Azure AD Domain Services is a Windows AD compatible PaaS offering in Azure. It facilitates applications that require Windows AD without the need to deploy a domain controller in Azure. Identities are sourced from Azure AD; that includes identities that are synchronized from Windows AD to Azure AD with Azure AD Connect. It has some limitations compared to Windows AD: the schema cannot be extended, user domains cannot be federated, and LDAP is read-only. In this video I'm going to add Azure AD Domain Services to my existing tenant. This Azure AD tenant has a mix of cloud-only identities and identities sourced from Windows AD. Identities in Windows AD replicate to Azure AD, and identities in Azure AD, including those sourced from Windows AD, synchronize to Azure AD Domain Services. Windows AD is not a requirement for Azure AD Domain Services; without Windows AD, Azure AD is the only source of the identities. Either way, Azure AD is the source for Azure AD Domain Services users and groups. Let's move on to how same sign-on works with identities sourced from Windows AD. Same sign-on means users can use the same credentials across multiple directories.
This is important so users don't have to keep track of multiple usernames and passwords. Azure AD Domain Services relies on a legacy password hash format that supports NTLM and Kerberos authentication to authenticate the users. The problem is, until you deploy Azure AD Domain Services, Azure AD does not store password hashes in a format that supports NTLM and Kerberos. Azure AD also doesn't store passwords in a way that would allow it to generate those password hashes. So by default the identities don't have a password value to allow users to log into Azure AD Domain Services. The only way to generate a valid password hash is to change the user password after deploying Azure AD Domain Services; that process creates the hash value needed for Azure AD Domain Services. Users will need to change their password, or passwords can be set to expire, forcing a password change. Newly created accounts will also have the legacy password hash created. Either way, cloud identities won't be able to log in to Azure AD Domain Services until their passwords have been updated. This includes the Azure AD global admin account that we're going to use to initially log into Azure AD Domain Services.

Same sign-on is different in hybrid environments that source from Windows AD. Windows AD stores the password hash value, but by default AD Connect does not synchronize that value to Azure AD. Keep in mind that this is a different hash value from the password hash synchronization used to support same sign-on with Azure AD, the hash synchronization triggered with that checkbox when deploying AD Connect.
This is a different hash value. Authenticating users to Azure AD Domain Services requires synchronizing that legacy password hash value that supports NTLM and Kerberos. This is enabled with a PowerShell command run after deploying Azure AD Domain Services. The script I use to enable legacy password hash synchronization is from Microsoft; I'll include the link below. All users and groups in Azure AD are synchronized to Azure AD Domain Services if using the default settings. Synchronization can be scoped if there's a reason to limit the user and group synchronization. Scoped synchronization is based on a selected group in Azure AD; only users in that group will be synchronized to Azure AD Domain Services. If the default synchronize-all option is selected at deployment, the only option to change the scope is to remove and redeploy Azure AD Domain Services. If you scope to a group during deployment, you can change the scope later on if your needs for synchronization change.

In the demo I'm going to start out by creating a new VNet for Azure AD Domain Services. The DNS server on the VNet has to point to Azure AD Domain Services. My existing VNet already has a domain controller acting as the VNet's DNS server, so I'm deploying a new VNet so that it doesn't interfere with what I have in place already. After that, I'll deploy Azure AD Domain Services, and then I'll deploy a server into that new VNet. Once that's done, I'll configure password hash synchronization for both Azure AD and Windows AD. Once that's finished, I should be able to join the server to the domain and log in with both a Windows AD and an Azure AD sourced user account. Let's get started.

Here I am at the Azure portal, and the first thing I'm going to do to get started is create the new VNet. So I'll go to create a resource and type in VNet, and I'll create it. I'll give it a name.
I'm just going to call this AADDS VNet. I'm going to change the address space to 10.201. I don't need to add IPv6 addresses. The subscription will stay the same. I'm going to create a new resource group, and I'm going to add all my Azure Active Directory Domain Services resources into the same resource group. This is fine for a demo, but you may want to consider best practices around naming for implementing this in production. This could be around for a while in production, and you want to make sure it's compliant with naming policies. I'll set my location to Central US in this instance. The first subnet I'll leave named default; I have to change the address range, though, to match the address space. I'll leave DDoS protection as basic, leave the service endpoint and firewall as they are, click OK, and then click create. Okay, the VNet has been created. Now let's go in and set up Azure Active Directory Domain Services. So again, I'll start by creating a resource and type in Active Directory Domain Services. Here it is; click create. I'm going to select an existing resource group; that's going to be the same one I created the VNet in. For the domain name, I'm already using ciraltos.com for my Windows AD, so I'm going to add a subdomain of aadds for Azure Active Directory Domain Services. I'll leave the location as it is, and I'm going to leave it as a forest type of User. Notice that there's a resource type in preview that does support trust relationships, but I'm sticking with User at this point. Next I'll go on to networking, and I'm going to select the VNet we just created. I'm going to go into manage subnets, and I'll create a subnet specifically for Azure Active Directory Domain Services; I can leave it as the 10.201.1 subnet. I'll leave everything else as is and click OK to create it. Now select the new subnet we just created. Notice the warning here that network security groups will automatically be created, so you want to let Azure Active Directory Domain Services manage those security groups.
I'll move on to administration. This AAD DC Administrators group would be equivalent to a domain admins group, and here, if we go into manage group membership, you can see the group membership. These two accounts were added by default because they're global admins, and this one was actually from a previous attempt I did at installing Active Directory Domain Services. This is not a global admin, but it is an account I want to use for domain join, so that was added in. So that looks good. You can add others to this group if you'd like them to be domain admins as well. So I'll just close out and go back. And here's where you can set up notifications; I'm going to leave that as is and go to synchronization. I'm going to leave it as synchronizing all, but you can change the scope if you'd like to. I'll go to review and create. That all looks good, and I'm going to create. Here it's warning me that the following choices are final and can't be changed, and that's okay, so I'm going to click OK. This can take up to an hour to finish, so I'm going to pause here and come back once it's done.

So the deployment of Azure Active Directory Domain Services finished, and here we can see it. Before I go into that, I want to just point out something. If I go into the VNet that I created and go into DNS settings, you can see it's set to default, which is the Azure-provided DNS. So I'm going to go back and go into Active Directory Domain Services, and you can see it's running; it has the status of running. I believe after the deployment is finished it will go into a state of syncing. The initial sync takes some time to finish, so you want to wait until that's done and it has a status of running before you continue on. The next item to take care of is to configure the DNS settings.
So I do that by just going right here and clicking configure, and what that will do is configure the DNS settings on the VNet to point to the new Active Directory Domain Services DNS servers. We can go back and take a look at that right here: go back into DNS, and now it's pointing at the two IP addresses of the Azure AD Domain Services.

Okay, the next step is to create a server to put on that VNet that we're going to use to join the domain. I'll go into create a resource, go to compute, and select virtual machine. I'll select the existing resource group; in production I wouldn't put all of this in the same resource group, but for the demo, that's fine. I'll give the VM a name and change the region to the same region as the VNet I created. I'm going to select a different image, and I'll go to Windows Server 2019 Datacenter. I'm going to make this a spot instance. I have a whole video on spot instances if you're interested in learning more, but basically it's much cheaper, but Microsoft can shut it down in times of peak demand. I'm going to change the size. I want something with two CPUs and eight gigs of RAM; otherwise testing can be a little sluggish if I go too small, so I'll select that. Now I'll enter the user name and password. I'll leave the ports as they are and click on next to go to disks. Here I'll select a standard hard drive; again, I don't need high performance with this. I'll go to networking now. This is the important part.
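The VNet creation, the wait for the managed domain, and the DNS change are the three portal steps just described. Below is an added Azure PowerShell example (not from the video or from Microsoft) that does the same with the Az.Resources and Az.Network modules, assuming Connect-AzAccount has been run. The managed domain itself is still deployed in the portal as in the video; the resource group and subnet names are assumptions, the address ranges and DNS IPs are the ones shown on screen, and the provisioningState property name is an assumption about the Microsoft.AAD/DomainServices resource schema that you should verify against your API version.

```powershell
# Added example, not from the video: Azure PowerShell (Az.Resources, Az.Network) equivalents of the
# portal steps. Assumes Connect-AzAccount has been run. The managed domain itself is deployed in the
# portal as in the video; this script handles the VNet before it and the DNS change after it.
$ResourceGroup = 'aadds-demo-rg'          # assumed name; the video does not show the group name
$Location      = 'centralus'              # Central US, as in the video
$VNetName      = 'AADDS-VNet'
$AddressSpace  = '10.201.0.0/16'          # the 10.201 address space from the video
$DefaultSubnet = '10.201.0.0/24'          # "default" subnet: the VM later lands on 10.201.0.4
$AaddsSubnet   = '10.201.1.0/24'          # managed-domain subnet: DNS servers are 10.201.1.4 and .5

function New-AaddsVNet {
    # Creates the resource group, both subnets and the VNet. Keep the managed-domain subnet
    # dedicated: Azure AD DS creates and manages its own NSG on it, as the portal warns.
    New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null
    $default = New-AzVirtualNetworkSubnetConfig -Name 'default'      -AddressPrefix $DefaultSubnet
    $aadds   = New-AzVirtualNetworkSubnetConfig -Name 'aadds-subnet' -AddressPrefix $AaddsSubnet
    New-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup -Location $Location `
        -AddressPrefix $AddressSpace -Subnet $default, $aadds
}

function Wait-AaddsRunning {
    # Polls the managed-domain resource until ARM reports provisioning finished. The property name
    # provisioningState is an assumption about the Microsoft.AAD/DomainServices schema; verify it
    # for your API version. Do not change DNS or join machines before this returns.
    param([int]$TimeoutMinutes = 90)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ds = Get-AzResource -ResourceGroupName $ResourceGroup `
                -ResourceType 'Microsoft.AAD/DomainServices' -ExpandProperties
        $state = $ds.Properties.provisioningState
        Write-Host "Managed domain $($ds.Name): $state"
        if ($state -eq 'Succeeded') { return $ds }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "Managed domain did not finish provisioning within $TimeoutMinutes minutes"
}

function Set-AaddsVNetDns {
    # What the portal's "Configure" button does: point the VNet's DNS at the managed domain
    # controllers so members can resolve the domain and its DC locator (SRV) records.
    param([string[]]$DnsServers = @('10.201.1.4', '10.201.1.5'))   # IPs shown in the video
    $vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
    if ($null -eq $vnet.DhcpOptions) {
        $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
    }
    $vnet.DhcpOptions.DnsServers = $DnsServers
    $vnet | Set-AzVirtualNetwork
}

# Usage: New-AaddsVNet; deploy the managed domain in the portal; Wait-AaddsRunning; Set-AaddsVNetDns
```

VMs already running on the VNet only pick up the new DNS servers after a DHCP renew or a reboot, which is why the video creates the VM after the DNS change.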
I have to change it to the VNet that I created. So I have two VNets; VNets by default don't communicate with each other, so I need to make sure I select the VNet that I deployed Azure Active Directory Domain Services to, and I'll select the default subnet. I'll leave public IP addresses as is. The rest can stay as is. I'll go into management, and I'll set auto-shutdown to 10 PM and also change the time zone, and I do not need notifications. This setting could potentially save me some money if I step away from this demo for a few days and forget to shut this down. Click on next, go to advanced, nothing in here. I'll leave tags as they are and create. I'll pause here and come back once the virtual machine has been deployed.

The deployment's finished. Now I'm going to go to the resource and sign in. Here I am at the virtual machine, and I'll just copy the IP address to the clipboard and log in to that virtual machine. Next I'm going to open up a command prompt and take a look at the IP configuration. So we can see here the IP address is on the 10.201 subnet; it ends in .4, so that's the first IP address available in that subnet. And down here, you can see the DNS servers are set to 10.201.1.5 and .4. The 10.201.1 subnet is the subnet that we deployed Azure Active Directory Domain Services to, so that all makes sense and we should be able to join the domain.

Let's go in here and change it. I'll change the domain to aadds.ciraltos.com. Now it's asking for the credentials of an account that has rights to add servers to that domain. I'm going to enter the global admin account, and I'll enter the password. Okay, so that failed, and to be honest that was expected. Note also, if you keep trying, you get five attempts in two minutes and then it locks out for 30 minutes. Also, we have no way to manage the Azure Active Directory Domain Services domain; we don't have AD Users and Computers or anything to unlock an account. So if you do lock this account out, you'll just have to wait for 30 minutes. But why did this fail? It failed because Azure Active Directory Domain Services requires the legacy password hash for NTLM and Kerberos authentication. This account was sourced from Azure Active Directory, so it's a cloud-only account. Azure Active Directory does not have a copy of that legacy password hash, so it has nothing to sync to Azure Active Directory Domain Services. Because of that, Azure Active Directory Domain Services has an invalid password, or no password at all. So I'm not going to be able to log in with this. In order to get this to work, I have to go back into Azure Active Directory. From Azure Active Directory I'm going to go into users, find that user account, and reset the password. Now that Azure Active Directory Domain Services has been installed, any time a user changes a password
or a new user is created, that legacy password hash will be generated and synchronized with Azure Active Directory Domain Services. Now, unfortunately, the only way to force that to happen is to force everybody to change their password; that's something to take into consideration. You can't generate these without generating a new password. So what I did here is I opened up an InPrivate window, went to portal.azure.com, logged in as that account, and it's forcing me to change to a new password. I'm just doing this so I don't have to deal with a temporary password. So I updated the password with my new password. Now I'm going to go back to the server and try again to join that server to the domain. Okay, that password's been changed. Let's give it another try. There it is, so now I'm part of the domain, and I'm going to restart this and I'll be back when it finishes.

Okay, I'm going to log into that computer again, and this time I'm logging in as my global admin account. So let's see if that works. And that worked, so I logged in with the global admin account, which I guess would be equivalent to a domain admin in the Azure Active Directory Domain Services domain. I'm going to add the Active Directory tools. I'm also going into remote desktop settings, and I'm going to add another group to allow connection to this. This group is called wvdprofiles; that's for Windows Virtual Desktop. I'm not doing anything with Windows Virtual Desktop in this video or on this machine; it's just a group I have with a couple of test users. And I'd like to point out that that group exists on my Windows Active Directory domain, so that group was replicated from Windows Active Directory to Azure Active Directory and then from Azure Active Directory to Azure Active Directory Domain Services. So I'm going to add that. And while the tools are installing, I'm going to try to log in again with a user account that's in that group. Okay, so I got a "credential did not work" error. Was that expected? I expected that, because by default AD Connect does not replicate the legacy hashes for NTLM and Kerberos, so I have to force that manually. I'm going to do that next.

But before I go on to that, let's go look into Active Directory. I just want to point out, if I go into Active Directory Users and Computers and look at AADDC Users here, these are all the users coming from Azure Active Directory. Those came in via sync; those are all accounts that I have set up on my Windows Active Directory domain. And if I go into the properties, you can see under account the UPN is set to ciraltos.com and I can't change it. So once you have a computer joined to the Azure Active Directory domain, you can manage it pretty similarly to how you'd manage a Windows Active Directory domain, using the same tools. Okay, so at this point we've got a virtual machine joined to the domain, and we were able to log in with a global admin account that was sourced from Azure Active Directory. For the next step, we want to allow accounts that are sourced from Windows AD to log into that Azure Active Directory Domain Services domain. In order to do that, we have to allow those legacy password hashes for NTLM and Kerberos to replicate from Windows AD to Azure AD and then to Azure AD Domain Services. To do that, Microsoft has a script, and I'll leave a link to this page below. What it does is it adds a force full password sync to AD Connect, and then the script will force a full password replication. So I'm going to hop over to the computer with AD Connect running, and I'm going to start running through these commands.
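The domain join above was done through the System Properties dialog, and the first attempt failed and cost one of the five tries the lockout policy allows. As an added example (not from the video), the PowerShell below, run on the member VM, checks the things that have to be right before a join can succeed (the NIC is using the managed domain's DNS servers, the domain's DC locator records resolve, and Kerberos, LDAP and SMB are reachable on the domain controllers) and only then calls Add-Computer. The domain name and DC IPs are the ones shown in the video; the function names are my own.

```powershell
# Added example, not from the video: pre-join checks for a VM that should join the managed domain.
# A misconfigured network and a bad credential look the same in the join dialog, and the video notes
# that five failed attempts in two minutes lock the account for 30 minutes, so check the network first.
$Domain      = 'aadds.ciraltos.com'                 # managed domain name from the video
$ExpectedDns = @('10.201.1.4', '10.201.1.5')        # managed DC IPs shown in the video

function Test-AaddsJoinPrerequisites {
    $ok = $true
    # 1. The NIC must use the managed domain's DNS servers (set on the VNet, delivered by DHCP).
    $dns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 }).ServerAddresses | Sort-Object -Unique
    $missing = $ExpectedDns | Where-Object { $_ -notin $dns }
    if ($missing) {
        Write-Warning "DNS servers in use: $($dns -join ', '); missing $($missing -join ', ')"
        $ok = $false
    }
    # 2. The DC locator SRV records must resolve; without them no DC can be found for the join.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        $dcs = $srv.NameTarget | Sort-Object -Unique
        Write-Host "Domain controllers for ${Domain}: $($dcs -join ', ')"
    } catch {
        Write-Warning "SRV lookup for $Domain failed: $_"
        return $false
    }
    # 3. Kerberos (88), LDAP (389) and SMB (445) must be reachable on each DC.
    foreach ($dc in $dcs) {
        foreach ($port in 88, 389, 445) {
            $reachable = Test-NetConnection -ComputerName $dc -Port $port `
                            -InformationLevel Quiet -WarningAction SilentlyContinue
            if (-not $reachable) {
                Write-Warning "$dc does not answer on TCP $port"
                $ok = $false
            }
        }
    }
    return $ok
}

function Join-AaddsDomain {
    # Joins only after the checks pass. The credential must be an account whose legacy
    # (NTLM/Kerberos) hash already exists in the managed domain: a cloud-only account needs a
    # password change after the managed domain was deployed, exactly as the video shows.
    param([Parameter(Mandatory)][pscredential]$Credential)
    if (-not (Test-AaddsJoinPrerequisites)) {
        throw 'Prerequisite checks failed; fix the network before retrying the join'
    }
    Add-Computer -DomainName $Domain -Credential $Credential -Restart -Force
}

# Usage: Join-AaddsDomain -Credential (Get-Credential -Message "Account with join rights in $Domain")
```

If the checks pass and the join still fails with a credential error, the cause is the one the video describes (no legacy hash for that account yet), not the network, and retrying the same credential only moves you toward the lockout.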
So the first thing I need to do is open up AD Connect Sync and go to connectors. You can see I have two connectors here. The first one listed here is the Windows Azure Active Directory connector, and if I go in and open the properties I can copy that name; then I'll just cancel out. So that is for Windows Azure Active Directory. Here is where they want that, so I'll just paste that in. Then next it's asking for the AD connector. I could type that in, but I just like to make sure I've got the exact same name, and then I'll paste that in. So let me run this. The module I need is installed on this computer because it has AD Connect running, and I've added this. I'm just going to get the connector. You'll notice here I have ForceFullPasswordSync; I have that because I've already deployed Azure Active Directory Domain Services a couple of times, actually, so that's in there already, but I'm just going to step through this anyway. If you run this command after you go through this, you should see that ForceFullPasswordSync as well. So this is going to create the configuration parameter and then update the connector. Now there's a slight chance this will error out on mine since I already have that. Nope. Let me just run this one again just to make sure it's still there.
I don't see it in there, but I'm pretty sure it just ran off the screen since I removed it and recreated it. Actually, here the value $c is assigned to the connector, so if I run that again and then look at global parameters, there it is. So the value is there; it just kind of trailed off from that previous screen. So the next step is to stop and start password synchronization. So let's run that, and now password synchronization has started. So at this point, for all existing passwords, because Windows AD does have the NTLM and Kerberos legacy password hash, this will kick off replication of that information from Windows AD to Azure Active Directory. From there, Azure Active Directory will then replicate that to Azure Active Directory Domain Services. So within a few minutes, maybe I'll give it a half an hour, we should be able to log in to that machine with a user sourced from Windows AD.

Okay, it's been about five or ten minutes or so. I'm going to give it a try. So I'm connecting to the same machine. I'm going to change the name; this is an account that came from Windows Active Directory. Okay, and look at that. Let's just check out the IP address to make sure I'm on the right computer. Yep, I'm still on that 10.201.0.4.
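The commands the video steps through on the AD Connect server (get the AD connector, add the ForceFullPasswordSync global parameter, write the connector back, then stop and start password sync) are collected below as an added example. It is my reconstruction written as functions so each step can be checked, not the video's own script and not a copy of Microsoft's; compare it with the Microsoft page the video links before using it. The ADSync cmdlets and the parameter name are the ones the ADSync module ships; the connector names are placeholders that you copy, case-sensitively, from the connectors view the video shows.

```powershell
# Added example, not from the video: the sequence narrated on the Azure AD Connect server, as
# functions with a verification step. Connector names are case-sensitive placeholders; copy them
# from the Connectors tab of the AD Connect sync UI as the video does.
$AzureAdConnector = '<CASE-SENSITIVE AZURE AD CONNECTOR NAME>'   # placeholder, e.g. "<tenant>.onmicrosoft.com - AAD"
$AdConnector      = '<CASE-SENSITIVE AD DS CONNECTOR NAME>'      # placeholder, e.g. "ciraltos.com"
Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1'   # installed with AD Connect

function Get-ForceFullPasswordSyncParameter {
    # Returns the global parameter if the AD connector already carries it (the video finds one left
    # over from an earlier deployment), otherwise nothing.
    (Get-ADSyncConnector -Name $AdConnector).GlobalParameters |
        Where-Object { $_.Name -eq 'Microsoft.Synchronize.ForceFullPasswordSync' }
}

function Enable-ForceFullPasswordSync {
    # Creates the ForceFullPasswordSync connector-global parameter, replaces any existing copy and
    # writes the connector back. This makes AD Connect include the legacy NTLM/Kerberos hashes that
    # Azure AD DS needs in the next full password sync.
    $c = Get-ADSyncConnector -Name $AdConnector
    $p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
            'Microsoft.Synchronize.ForceFullPasswordSync', String, ConnectorGlobal, $null, $null, $null
    $p.Value = 1
    $c.GlobalParameters.Remove($p.Name) | Out-Null   # harmless when the parameter is not there yet
    $c.GlobalParameters.Add($p)
    $c = Add-ADSyncConnector -Connector $c
    # The video re-reads the connector to confirm the parameter stuck; do the same and fail loudly.
    if (-not (Get-ForceFullPasswordSyncParameter)) {
        throw 'ForceFullPasswordSync parameter was not saved on the connector'
    }
}

function Restart-AadPasswordSync {
    # Disabling and re-enabling password sync between the two connectors triggers the full password
    # replication from Windows AD to Azure AD; Azure AD then pushes the hashes to the managed domain.
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $AdConnector `
        -TargetConnector $AzureAdConnector -Enable $false
    Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $AdConnector `
        -TargetConnector $AzureAdConnector -Enable $true
}

# Usage: Enable-ForceFullPasswordSync; Restart-AadPasswordSync
# Then allow several minutes (the video waited five to ten) before testing a Windows AD sourced
# logon on the domain-joined VM.
```

Run this in an elevated session on the AD Connect server only; the ADSync module is not meant to be loaded anywhere else, and the connector objects it returns are specific to that installation.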
I guess I could do hostname as well. So that's the machine. So what I did here, let's see: after deploying Azure Active Directory Domain Services, I deployed a server, and then I changed the password on the global admin account. I had to do that because Azure Active Directory does not have the NTLM or Kerberos legacy password hash. After you install Azure Active Directory Domain Services, Azure Active Directory will then start creating that, but it only creates it if the user changes their password or when a new user is created. After I changed that password, that replicated to Azure Active Directory Domain Services, and then I was able to add this server to the domain, and once it was added I could log in to the server as that global admin. Next I ran the script on the server with AD Connect that adds the ForceFullPasswordSync parameter, and then I restarted password sync on the AD connector. So with users sourced from Windows AD you don't need to reset the password; you just have to create that password sync in order for that password hash to move over. I also added the Active Directory tools to this server, and we can use those tools to configure and manage Azure Active Directory Domain Services. That does it for the demo. I hope you found this information useful. Don't forget to subscribe and like. Also remember that Azure AD Domain Services is not a free service, and you cannot shut it down when you're not using it to avoid charges. You will need to delete Azure AD Domain Services to stop those charges. Thanks for watching.
This isn't one of my favorite features, spin up a tiny VM to control GPOs and then boom, no need for AD on prem, at least for small to mid size bizes.