Lets Get One Thing Straight | Azure AD Domain Services

Captions
Hey, how you doing? I'm just reading through some comments, and a lot of people are asking about their on-prem domains and how to extend that into Azure using things like hybrid domains and Azure AD Domain Services. So I think we need to get one thing straight. I'm Dean Cefola and this is the Azure Academy.

So the first thing we need to do is take these three separate things and give a basic understanding of what they are and how they work. Now, you've been using Active Directory for near on forever at this point, but your key value propositions out of Active Directory are NTLM and Kerberos authentication, Group Policy management, LDAP, DNS resolution, all that good stuff. Even though we call it Azure Active Directory, it's not an Active Directory in the same sense as AD is, meaning that it's not a directory structure: there's no hierarchy, there's no OUs, that stuff just isn't there today. It's also not based on NTLM and Kerberos auth; this uses OAuth and SAML. There's no GPOs, and it's really there as an identity service. So in that sense they are the same thing, because AD was our identity service on-prem and Azure AD is the identity provider in the cloud.

Let's get to the hero of today's video: Azure AD Domain Services. Now, I have found that this service is extremely misunderstood in what it is, how it does, and how it works with AD and Azure AD. So what is Azure AD Domain Services? Well, it is a traditional-type domain controller, but done as a cloud PaaS service. The beauty of that is, unlike your regular domain controllers, you don't have to manage it; it pretty much just takes care of itself and provides for you NTLM, Kerberos, LDAP, DNS. And this is where the problem comes in, because most people, when they think about extending their Active Directory into the cloud, are thinking about it traditionally: taking a domain controller that they have on-prem that's got their domain, they have AD Sites and Services, and we're going to put up another one in the cloud in a different AD site called Azure. It's going to have its own IP address range, and that's how you traditionally extend AD into Azure. Azure AD Domain Services is nothing like that whatsoever.

Azure AD Domain Services is a completely separate, independent, Microsoft-managed forest and domain. It is not connected to your Active Directory in any way, shape or form. It is not an extension of AD, it is not a different site in your AD forest, and what this means is that it is not an extension of your domain at all. Let me put it this way: it's kind of like if I have a domain called msazureacademy.com, and let's say that you also created in your own lab msazureacademy.com as a domain. Now, can you technically do this? Yes, you can, there's nothing stopping you; it's your lab, it's your domain controller. But when you put those things on the internet, now you're going to have a problem, because all of the records globally resolve to me. But let's skip past that for a second and just think about it as my domain and your domain, and they're called the same thing. I cannot manage your domain, you can't manage my domain. That's what Azure AD Domain Services is: it's a completely independent, Microsoft-managed domain that may or may not have the same name as your own domain, but it's not yours to control. You are not an Enterprise Admin, you are not a Domain Admin, and you are most certainly not a Schema Admin. You have a little more rights than just the standard user, but not much.

So with all these downsides, why in the world would you want to use this thing? Well, there are some very clear use cases. First would be if you don't have an on-prem Active Directory but you still need NTLM and Kerberos; this is a great use case for that, because you don't have to manage it. All you have to do is click the button and deploy it and then reap the benefits. It's also one of the ways you can implement Windows Virtual Desktop. It integrates very nicely with AD authentication to an Azure file share, and like I mentioned before, it integrates very nicely with Azure AD. It's simply there so that you can do all of your legacy authentication in a modern authentication world.

Speaking of authentication, let's talk about our users. You already know that you have Active Directory and you have a domain controller, which stay in sync using this lovely tool, Azure AD Connect. That's how your identities end up in the cloud, and they have the same password that they have on-prem. So let's turn this whole thing for just a moment, and we're going to now look at the Azure AD Domain Services side of this equation. So we have now our users, let's say Batman, sitting up here in Azure. When we build Azure AD Domain Services, there is a managed Azure AD Connect sync that happens between Azure and Azure AD Domain Services, so Batman will sync over into the Azure AD DS domain. And therein lies the problem, because when Batman ends up there, you will never be able to log in. Why? Because when Azure AD Connect does its magic and syncs our password hashes into Azure, they're not stored in a format that is NTLM/Kerberos compatible. So sorry, Batman, but you don't have a password. And this same thing happens to your administrators in your Azure AD DS domain. In order to log in, you have to force a password reset, which you can just do on demand, or set an expiration for your password so that people have to go in and change them. When the passwords are reset, now we will have a hash that we can sync over to Azure AD Domain Services, and now you can log in.

If you want to master the Azure cloud, you can start right now by clicking the subscribe button and the notification bell so you don't miss anything.

So let's set up Azure AD Domain Services. Here we are in my Azure Active Directory. You can see that I've got Azure AD Connect already syncing, and I am a Global Administrator. So I'll start by going to the global search up there at the very top, and we'll type in "domain services" and click on Azure AD Domain Services. Once we get to this blade, we'll just click to add a new instance of Azure AD Domain Services. The first thing, of course, we need is a subscription and resource group, and now we have our domain name. Now, you can leave it as your exact domain name, matching what you already have on-prem and in Azure AD, but just to keep it simple I'm gonna make my domain aadds.msazureacademy.com. No matter what we call it, there are still two completely separate, independent forests. The next thing, of course, is our region, and you want something as close to the rest of your stuff as possible. And then we have our SKU; you can click on the link way over there to find out more about each SKU and what they offer. To sum it up from a technical standpoint, Standard is just normal Azure AD Domain Services, whereas Premium and Enterprise will give you the option for adding a resource domain, which is the next button below it. We hit Next, and this is where we set up our network. At the very top it of course suggests a new network for this, and you can do that if you want to, but I want to show you some other options if you have an existing network or subnet that you want this to use. I've got two of them here, one labeled "bad" and one "good". If I click on the bad one, you see that we've got red all over the place, because it's not in an IP address range that Azure AD Domain Services requires. Then if we go back and select "good", because it is in a good range we are good to go, so we'll hit Next.

Next we have the Administration tab, and here's where we're going to set up a new group in Azure AD that is called AAD DC Administrators. That's our admin group for Azure AD Domain Services, even though you're not like a Domain Admin, like I mentioned earlier. If you click on the link here to manage your group membership, then at the top here you can select Add members, and then up here you can select, just like a standard user picker, whatever group or user membership you want to add. Then the next section here is for notifications; I suggest leaving those alone, but you can do whatever you like here.

Now we're on the Synchronization tab. By default it's going to sync everything, that is every user and group in your Azure Active Directory. If you want something different, you can just change the tab here to Scoped, and then right under that you have a synchronization scope; just click to select which groups you want to add. I'm okay with syncing all of my users and groups, so I'll just change that back to All, and we'll click Next. Then Azure's going to go ahead and validate everything that we have just selected, and then your Create button will be highlighted. When you click on it, now we're going to get this little pop-up, because there's a few things you need to know, and this is just telling you that you'd better be really sure that these settings are all okay, because none of these items are going to be able to be changed once you spin this up. Of course, you could always delete it and reprovision if you needed to, but we'll click OK to that, and then, like any other resource, it is going to provision.

So when it's all done you'll see this screen where Azure AD is now reporting healthy, but we're not done yet; there's a couple other things we have to set up. We have to now configure our DNS settings, just like a standard domain controller. So if you scroll down just a little bit you'll see a Configure DNS button, and if you click that, it'll take care of doing all that for you. The way it does it is by taking the virtual network where your Azure AD Domain Services VMs are set up and just configuring that to use custom DNS pointing directly at our two new domain controllers that are part of our service.

Now we have to get our users configured. So just below that you can see a link that we'll right-click on and open in a new tab, and this is how we can get our password hashes in Azure AD to go over into Azure AD Domain Services. We're going to use our Azure AD Connect in order to make this happen. So if you scroll down here to the "Enable synchronization for password hashes" section, click the copy button, and now we'll pop over to the server where I have Azure AD Connect installed. We'll open up PowerShell, copy in your code, and open Azure AD Connect. At the top we'll go to the Connectors tab, and then you want to select the first connector, which will have a type of "Windows Azure Active Directory", and then we want to copy the name exactly, because we'll need that for PowerShell. At the very top we've got a variable, and we'll plop that right into the first variable. Go back into Azure AD Connect, take our second connector, which should be the type of "Active Directory Domain Services", do an exact copy of the name again, back to PowerShell, and paste it as our second variable. Then what I like to do is to run that section just at the top with the Import-Module commands, just so I get that stuff out of the way, followed briefly by selecting the rest of the code and then running that as a separate command.

Now we'll pop back over into Azure Active Directory and go to our groups, because we have a new group, the AAD DC Administrators, and if we go there and go to our members, there's the people that we assigned. Now let me go to Superman and do a password reset. But oh, we've got a problem: we cannot do a password reset, because in order to do that we need to have password writeback enabled. So back to our domain controller, and we'll open up the Azure AD Connect tool so we can configure it. Once it's open, click Configure, and then we want to click on "Customize synchronization options" and then hit Next. Put in the appropriate username and password, click Next, and on the Connect your directories screen we'll just click Next there, as well as on Domain and OU filtering. Here in the Optional features is where you'll find that little checkbox for password writeback. Now, what is that going to do? We've already set up the password hash synchronization with our PowerShell from Azure into Azure AD Domain Services; this is going to go the other way. Now we've got password changes that'll happen in the cloud in Azure, and that will be synchronized back to our domain controllers, whether on-prem or in the cloud. So we'll click Next, and on the Single sign-on screen, you could already have that enabled or not, doesn't matter, just click Next, and then you can go ahead and click Configure to finish everything out, and when you're done just hit the Exit button.

Now we're back in Azure, we can finally click on that Reset password button, and Azure will now let us do that. So I'll put in a temporary password of "change me", and then we will go to a private browsing window and log in with Superman. We'll provide "change me" as my current password as well as a new password, and we are logged in.

So now that our users are done, let's take a look around Azure AD Domain Services and see what we've got. I've got two different Active Directory Users and Computers windows open: over on the left is Azure AD Domain Services, and on the right is my traditional domain controller. Right away you can see that the OU structure is not the same at all, and you may be thinking, of course they're not the same, the domain names are different. But like I told you before, it doesn't matter whether it is exactly the same name as your current domain environment, or a completely different name, or even one that appears like a subdomain name like mine does; they are completely separate, independent forests. Looking over at the Domain Controllers container, you see of course that we have two different sets of domain controllers, and you can see that the sites are different as well. More about that in a second, but let me right-click on an OU on both sides, and you can see on the right side, where I am a Domain Admin, I've got the ability to create anything new that I want to, but even though I'm logged on on the left with Superman, who is my AAD DC admin, I don't have the rights to create anything. If you look at Active Directory Sites and Services, again on the right we have my traditional domain and over there on the left Azure AD Domain Services, and they are very different once again, and notice that the site from either one of them does not appear in the scope of the other. They are completely disconnected, separate, independent, no-way-are-they-ever-going-to-talk-to-each-other environments, and this is not an extension of my existing domain into Azure. And just to prove the point once and for all, I have rebuilt my Azure AD Domain Services environment and it is now named exactly like my regular domain, msazureacademy.com, and as you can see it is still a completely separate, independent domain and forest that is not communicating at all with my on-prem AD. It is only the user accounts that can be synced from one environment into the other; the two domains do not communicate at all.

So I hope that this has cleared up for you the purpose of Azure AD Domain Services and how it can benefit you as you're building out something like Windows Virtual Desktop, or integrating with Azure Files, or any other Azure AD application that requires NTLM and Kerberos. Keep an eye out for some future videos on hybrid join as well as Azure AD join, getting us prepared for Windows Virtual Desktop being able to use those features. So make sure that you click subscribe, like, comment, share, all the buttons that are doing all the good stuff, and you want to check out our latest video right over there so that you can be sure to stay on top of everything going on in Azure, as well as this one right down here that the YouTube machine overlords have picked out just for you. And we will catch you next time. Happy learning!
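The PowerShell that the video copies from the Azure portal and pastes onto the Azure AD Connect server is never shown in the captions. The block below is an added example, not code from the video or from the Azure Academy: it has the shape of the Azure AD Connect script Microsoft documents for forcing a full password hash synchronization so that the credential hashes Azure AD Domain Services needs are pushed to Azure AD, with a connector-name check placed in front so the script fails early instead of half-way through. The two connector names, the module paths and the group name checked at the end are assumptions to be replaced with the values from your own Azure AD Connect server and tenant.

```powershell
# Added example: force a full password hash sync from Azure AD Connect.
# Assumptions: connector names are the exact, case-sensitive names shown on the
# Connectors tab of Synchronization Service Manager (replace both placeholders),
# and Azure AD Connect is installed in its default paths.
$azureadConnector = "<CASE SENSITIVE AZURE AD CONNECTOR NAME>"   # type: Windows Azure Active Directory
$adConnector      = "<CASE SENSITIVE AD DS CONNECTOR NAME>"      # type: Active Directory Domain Services

# Step 1 (the part the video runs first): load the Azure AD Connect modules.
Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1"

# Check both names before touching any configuration. A mistyped or
# wrongly-cased name would otherwise fail after the connector was modified.
$allConnectors = Get-ADSyncConnector
foreach ($name in @($adConnector, $azureadConnector)) {
    if (-not ($allConnectors | Where-Object { $_.Name -eq $name })) {
        throw "Connector '$name' not found. Copy the name exactly from the Connectors tab; it is case sensitive."
    }
}

# Step 2: mark the AD DS connector for a full password sync on its next run.
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Step 3: toggle password hash sync off and on between the two connectors,
# which is what actually triggers the full resynchronization.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $true

# Optional sanity check after the run: confirm password hash sync is still
# enabled for the pair, so an operator notices if the re-enable step failed.
$state = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector
if (-not $state.PasswordSyncEnabled) {
    Write-Warning "Password hash sync is not enabled on '$adConnector'; rerun the enable step."
}
```

Two operational notes a practitioner will want alongside this. First, the script only changes how Azure AD Connect sends hashes from on-prem AD to Azure AD; as the video says, cloud-only accounts and any account whose hash was synced before this change still need a password change or reset before they can sign in to the managed domain. Second, run it in an elevated PowerShell session on the Azure AD Connect server itself, and expect a delta sync cycle (normally every 30 minutes) before the hashes appear in Azure AD DS.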
Info
Channel: Azure Academy
Views: 17,087
Keywords: Lets Get One Thing Straight | Azure AD Domain Services, Azure AD Domain Services, Lets Get One Thing Straight, Azure AD DS, Azure Active Directory Domain Services, deploy azure ad domain services, azure ad domain services vs domain controller, Active directory domain services, Hybrid Domain, Azure Academy, The Azure Academy, Azure AD, Azure Active Directory, Azure AD Join, Azure Hybrid Join, Cloud PC, PC Cloud, yt:cc=on, Windows 10 setup, Azure Virtual Desktop, AVD, aVD Setup
Id: OWGVoJMdIRc
Length: 16min 21sec (981 seconds)
Published: Sun Dec 13 2020