Setting Up Azure Active Directory Domain Services

Hi, this is Jeff Daniels, and welcome to another edition of MasterVisualStudio.net. Today we'll be doing some work in Azure, setting up Azure Active Directory Domain Services. This is a pretty interesting offering in Azure that allows you to get the benefit of domain services for user authentication and domain management without having to spin up your own domain controllers in the cloud or syncing to your on-premises Active Directory. We'll be touching on a number of different Azure offerings to pull this together, and once we're done we'll have VMs on our domain with shared domain access across those machines. Now, all this in under 10 minutes or less. All right, let's get started setting up Active Directory Domain Services.

Okay, we're over in the Azure portal now, and the first thing we like to do is, when I'm gonna set up a test environment like this, two things I'll do is set up a dashboard. So if you just do New Dashboard, name it whatever you'd like, just so you can kind of keep your resources in one spot that are easy to access. You can have your regular dashboard and your additional dashboards you create. And the second thing I'm gonna do is create a resource group to keep all this, all the different pieces I'm gonna build during this, managed within one group, so when I'm done I can delete them all easily and not have to go and hunt and peck and find the different pieces that were created all across the account. And we'll take a look too and see all the items that are in the resource group afterwards, just to see everything that does get created for a situation like this. So we'll create a new resource group called Active Directory Domain Services Test, and that should be created pretty quickly.

Okay, so here's the Active Directory Domain Services Test resource group that we've created, and the next thing we want to do is, let's go ahead and create a new virtual network where this domain service is gonna actually reside in. So we'll click on New Virtual Network, and let's give this
obvious name, ADDS network. We'll put it in a ten to sixteen namespace, and we'll use an existing resource group that we created in the last step. Subnet, just call this default subnet, and make this at 1024, and we'll pin it to our dashboard, and let's create it. So this is the... and this is the default subnet where our VMs and things like that will reside in. We're also going to go ahead and create a second subnet, which is where the domain services are gonna function, so let's go in and create that right now. We will go to Subnets, add a second one, and this will be our domain services subnet, and this will be 1001, and this all looks good.

All right, so now we've got our second subnet created, and let's go take a look at Active Directory. So when you created your Azure account, you've got a default Azure Active Directory created here. If you look under Domain Names, you were probably given something along the lines of youraccount.onmicrosoft.com. That's going to be your domain name services; that's your domain that you'll end up with for user accounts. What I've done is I've added the second one for MasterVisualStudio.net, and in order to do that it's fairly simple: you would just add your domain name over here, and it'll prompt you to go over to your domain provider and add a TXT or an MX record to verify that you do have ownership for that account. Once you do, this will allow you to verify it. So just delete that, because I don't need that. And then you'll come in here if you want this to be the domain name for your users on your account. So if they're going to log in as Jeff at MasterVisualStudio.net to get into a virtual machine or to have access to the domain services, you want to make this one the primary, and that's pretty straightforward. Click on this; if it's not the primary you'll have this enabled, you'll be able to click on that button, and that will make it your primary.

Okay, so now we've got these pieces, let's get this next piece started because
this is going to take a little while. We're going to want to create a user account that's going to be the administrator account for our new domain. So I could use mine; I'm just gonna create a new one called John Smith, Smith, MasterVisualStudio.

Okay, so one of the things we'll need to do is, in order for Active Directory, this Azure Active Directory, to take this user and sync their passwords over to Active Directory Domain Services... this Active Directory has no way to give the new domain your existing credentials. So what will happen is, once we create the domain services, we'll go over and the users will have to change their accounts; that will generate the hashes that are used by Azure Active Directory, and that will sync over to the Active Directory Domain Services. Now, that sync process can take 15, maybe 20 minutes, so that's one of the pieces we talked about where this is a little bit of a time-consuming process. So that's why we want to copy this password. We're gonna go change their password once the account is... once the Active Directory domain is set up, and that will propagate the password change over to the Directory Domain Services.

Okay, so now why don't we go ahead and get started on adding a new domain. Azure AD Domain Services: we'll go ahead and create that, and here you can see, what do we want to call the domain name? And we want this domain name to be MasterVisualStudio.net. And the subscription; again, put this in the resource group that we created for this. The network: let's go pick the test network that we've set up. Now the subnet: let's put this over on the second subnet that we created specifically for the domain services. Click OK. Administrator group: let's pick our members. We'll go add a member, and we're gonna take the John Smith, and take mine too. Okay, so there's our members. Say OK. Here's our summary. Okay, so let's go ahead and we'll click this OK. Once we do this, we're probably gonna have about an hour or so to wait before this is actually created, so we'll move on to
some of the other steps in the meantime, but this is by far the most time-consuming part of this process.

Okay, we're back at the Azure dashboard now that we've created, and it looks like our domain services... we're gonna pin that to the dashboard... says that that was created. Let's go take a look at that. Okay, so yes, it was created, and no, it's not ready. We're probably about halfway through. During that last pause was about a half hour or so, and we've probably got another half hour to go. We're gonna continue to see that this is deploying for a little while, and then once that's done we'll come in and see that it allows us to do things like set up the DNS resolution for this domain, for the domain services. So in the meantime, that's okay; at least we've got that, and that's on our dashboard now.

Once this does come back up, we're gonna want to do something with these domain services, so why don't we go ahead and create a virtual machine or two that we can add on to our domain once it's ready. So we'll go over to Virtual Machines, click on Add, and in this case I'm just going to add in two Windows machines. So we're gonna take a Windows 2016 Datacenter, call this yes, and not that it matters much as far as cost goes, because these will be deleted pretty quickly, but I'm just gonna make them standard hard drives. Put in your credentials. Now, this is the administrator account. If you haven't worked much with these virtual machines in Azure, we're setting up the admin account for that specific virtual machine. So this machine won't be on a domain when we first create it, so this will be the administrative account to get into the domain to Remote Desktop... I'm sorry, to get into the computer, to Remote Desktop in and do any configuration that we want to do prior to adding it to the domain. And we'll use our existing resource group. If you do have a Windows license and you're gonna have this machine up for a while, great, check this box and save yourself some money. And for a size we
literally need the smallest box possible here. We're just going to spin these up for an example and then trash them. Okay, so we use managed disks, we'll put it on the network, we'll put it in the default subnet. Let's make sure we don't have the domain services subnet selected, so we want the default subnet. We'll get a new IP, get a new network service group, and we don't even need boot diagnostics on this; this will be a pretty short-lived VM. Okay, so we'll go ahead and create this machine.

Looks like that's deploying, and while that's deploying let's go make another one, so we'll just have two that can communicate with each other, and add them both to the domain. So we're gonna walk through these same steps again: VM2, and we'll just put this in the same resource group. And you'll see, as we're really starting to build up a lot of pieces here for this demonstration, or for different workloads you might do in Azure, it really does make a lot of sense to group these into resource groups, just to be able to find and either clear out or manage the resources more effectively. So here we're just taking the smallest machine again, no availability set, we'll just reuse that first network security group... sorry, this one, just take the first one... say new IP address, default subnet, no boot diagnostics, and we're good.

Great, so now we've got those two machines that are out there that are being spun out for us, and once those are ready... I'm guessing those will still be ready before our domain services are ready... but once those are all set up, we'll go in and do a little bit of pre-configuration before we want to add these machines to the network anyways, and then at that point we should be pretty close to having our domain services ready. So we'll check back in just a minute.

Okay, we're back at the Azure dashboard, and as you can see we've got our network set up, we've got VM1 is running, VM2 is running, and if we go over here to our Active Directory Domain Services and we click on that, you can see
we've got a different screen now, where this is actually completed and it's up and running, and it tells you here you've got a couple required steps that you need to do to finish configuring this. The first one is we want to set up our DNS entries for this new domain service. So these two IP addresses here, we want to use those as our DNS servers. So we'll just copy the first one, click on Configure DNS Servers. We're not going to use the Azure-provided DNS servers; we're going to use our domain service. So we'll do the first one here... if we scroll back over, which I don't think it'd allow me to, we'll see that there were two; they gave us a 1.4 and a 1.5. So these two are now going to be our DNS servers, so we'll save that. And again, these two IP addresses came from right here, so if you just copy these, click on Configure, and then fill those in.

These are if we want to take additional steps to sync our Active Directory Domain Services with an on-premises, so that would certainly be another route you could go, and there's an AD... there's this other tool over here called Active Directory Connect, Azure AD Connect, right here, to sync with on-prem. We're not going to do that, but there is one other thing that it's mentioning that I want to point out to you. So for cloud only, which is what we're doing here, there's still one more step before our user passwords will be enabled and synced across from Active Directory, Azure Active Directory, over to domain services, and like I mentioned, that is the step of changing your password, so that once it's changed, Active Directory sees that and it syncs it over to domain services.

So in order to do that, I'm going to create a new incognito tab, and we're going to do this for... earlier in this process we had an Azure Active Directory user that we created, J Smith, which is right here, and for this user we're gonna go change their password so that it'll sync over to domain services, and then we can log in with that account once we add these VMs to the
domain, and we'll actually use this account also to add these VMs on to the domain.

Okay, so the address to do this is at microsoft.com; that's actually myapps.microsoft.com. And you'll see when you first come over, it sets it up to my current account that I'm logged into Azure on. We will sign out from that, and we will log in with J Smith at MasterVisualStudio.net, and I saved this password over here. So this was the temporary password that was generated, and the first time that you log in it'll actually prompt you to change this, which is perfect, because we want to change our password for this user so that it'll sync over. So I'll sign in, and it says I need to update my password, so we'll put in the temporary one and then we'll give it a new password. Okay, update password and sign in.

Now, this is another case where we really got to be patient, because if you try to log into the domain anytime within the next 10 to 15 minutes, it's very likely it's not gonna sync over there, and you're gonna start looking for what went wrong somewhere. But it really is a just-be-patient scenario here, where you just have to wait it out and eventually it'll propagate over. It is a little bit of a slow process. Sign out from that, and pretty sure it logged me out of this... no, there we go. All right, so I'm still here with these two accounts.

So now we've gone ahead and changed our account passwords, so that will need to sync over to domain services. That'll take a little bit of time, but let's go take a look at the VMs that we have. So if we go over to VM1 and we'll connect to it. So once you download the connection profile for this remote desktop, you can go in and change some of this. I'm just going to change the display to bring it out of full screen so it's easier for us to see, and that all looks good. And again, this was the account that we created when we made the VM; this is not the domain account.

All right, so here's our new machine. First thing I want to do after I close that is to go over, we'll take a look at
our server. So if we wanted to add this to the domain account, to the Active Directory Domain Services, now we can click on this. And I want to show you this because I don't think the password information has propagated over yet, so you may see this, and I just want to prepare you for that so you don't think something's gone wrong if you do see this error. So if I go to the domain... okay, now you're obviously not gonna put that in; you're gonna put in the onmicrosoft.com or whatever the different domain you used when you configured your Active Directory Domain Services. So let's see what this says.

Okay, so this tells me that it can't be contacted, and when that happens, that tells me that the domain services have spun up and they're running; however, this machine was already up and running and had acquired all its routing and DNS prior to those services being ready. So if we come over here and we restart this one, say it's planned, and at the same time why don't we go over to our second virtual machine and do the same thing. We'll restart that; we can do that from right here.

Okay, so I'm gonna connect back over to that first virtual machine now. And really, what we're trying to show here is that there's a couple issues you may run into along the way, but that aren't really issues. We're gonna do the server restart, which should get us back on the domain once we got through that first error where it couldn't find it. After a restart it should be there. The second one is, I'm guessing my credentials still haven't propagated over, so even once it does find the domain, we still may have an issue actually adding this VM to the domain until that happens. So let's take a look at that.

All right, so we'll go over to the Local Server tab once again, and we'll click on Workgroup, and we want to change this to be in our domain. Great, so after the reboot, now we can see that we've actually got our Active Directory Domain Services up and running, and it was able to find them
and now it's asking for the account that will have the privileges to add this to the domain, this VM. So, how they said, I want to use that J Smith at Master, and I would not be surprised if it told me that the password is wrong here. And generally, what that's telling me now is it still has not propagated over. So do not fear, it'll be there soon. What you don't want to do is start changing things to figure out why it's not working. Very likely in this case it's only because it hasn't propagated over, so we're gonna give it a few more minutes and then we'll try again.

All right, so we've waited a little longer. Let's take another look to see if we're all set to join this VM to the domain now. There we go. So absolutely, patience is your friend on this one. I had parked this for about another 45 minutes for that to propagate. It usually doesn't take that long; I've seen it take mostly about 15 to 20 minutes. But really, just so you guys know, if you're seeing that password whatever, don't start resetting a password again or try to change it again; it's only gonna slow down the process. It will propagate over; it just takes a little bit of time. So we'll say OK, and we're gonna need to do a reboot on this machine.

All right, I'm just going to go over and connect to this second machine now, and we'll go add that one to the domain. Now let's see. So we'll go over to local services, this is great, we'll click on Workgroup. Now at this point this one should have propagated over the same way and been ready. So MasterVisualStudio.net... remember to leave off the dot-com or dot-net off of that... and make sure you type in your password correctly. All right, second machine added to the domain. Making a little more progress. This one's going to restart.

And I jump back over to our first machine now, and it should be on the domain. We're logging in with a local user account, not as a domain account, and there's just a couple things I want to look at real quick, just to show you before we use a
domain account. So if we go to Tools, Computer Management... that's a one-core machine, so it's going to be a little slow... and if we go over to Groups, Administrators, you'll see all the domain admins have been added to the administrator group, and my account has been added to the domain managers group. What we don't have in the administrators group is... and again, here I'm trying to add the Active Directory Domain Services administrators group to this, and in order to do that it needs to search through the MasterVisualStudio.net domain, and in order to do that I need to put in my domain user credentials this way... oh, actually, it already has the domain. Okay, we say Find Now, and the account that we're looking for that gets automatically created is this one right here, Azure Active Directory Domain Controller Administrators. This is the domain services account that gets created, so we want that in the admin group.

And then what we want to do, and this is on our first VM, so we will disconnect as our local user and we'll connect with our domain user account, which is going to be this one. And notice here that I'm using the format of J Smith at MasterVisualStudio.net, as opposed to the MasterVisualStudio.net, or MasterVisualStudio\J Smith. And then we should be able to put in our password and connect to the machine. So by putting that Active Directory account into the administrators group, that allowed us to also be able to remote desktop with these accounts. So it'll take just a minute for these to come up down here.

Okay, one final piece here that we want to do. We've got both the machines added to the domain; that's great. We want to go in and be able to work with Active Directory and domain services, but we don't have a domain controller. So what we need to do there is, now that we've logged in with an administrator account on the machine and an Active Directory administrator account, we're gonna come in and go to add a new feature for this machine. So we're just going to roles and
features, go all the way down to Features, and since we don't have a regular domain controller we need to go in and add Remote Server Administration Tools, and we want to add this Active Directory Domain Services and Active Directory LDS Tools.

Okay, and installation is completed there. I paused that; that probably took about two minutes there to complete that installation. But if we close that and we go over to Tools, here we go: Active Directory Administration... Administrative Center. So now we can remotely administer all these Active Directory Domain Services directly from one of our machines, even without having our own domain controller. So, nice little benefit there. We can close that. We can go look at all the users that are in this using computers. So if we go in and look at our domain and we look at our users, there's John Smith, there's my account, that's the Active Directory administrator group.

Now, one note here that I'd like to point out is we're not going to be adding a new group here or new users here. If you want to add them... this is kind of a one-way sync, so if you want to add them, you add them through the Azure portal, under Azure direct... Azure Active Directory, and Add User, Add Group. And when you do that, it works fairly similar to what we just saw, where it's going to take, you know, 15, 20 minutes to propagate over. The new groups may take a little longer, but about that much time. But you're not going to add them through this interface. This is really for going in and reviewing: okay, what computers are on the domain? We can see both of our computers are there that we've added, here's our users, and then you can add additional groups through the Azure portal and then put users in those groups, so everybody obviously isn't coming in as an administrator.

So that being said, the last thing I'd like to show you is, let me just disconnect from this. Back at our portal, and if we go look at our resource group, this is everything we've got added by doing this. You can see
it created two network cards for the directory... for the domain services, along with a load balancer, a public IP address for that. Here's our Active Directory Domain Services network that we created. We've got two virtual machines: here's machine one and its disk, network interface, an IP, and its network security group; second machine, that disk, network interface, IP; and here is our domain. So very quickly, if you wanted to get rid of all that, click all this, or just actually delete the resource group, and you could remove all that in one fell swoop, which is another reason why you'd really, aside from what we did today, think about using resource groups. It really helps keep things a little bit cleaner.

But that's it. So we've got the domain, it's up there, it's validating users, we can add additional users that way, and now you don't have a bunch of virtual machines with local service accounts or local user accounts across, you know, five, ten different VMs. There is another whole piece to this where you can sync this with your on-prem Active Directory. You can absolutely do that; that's kind of outside the scope of what we're talking about today, but it absolutely is an option with this feature also.

So that's it. I hope you found this to be helpful and a nice introduction to how to set this up. Probably the main thing to keep in mind here is it does take time for a lot of these services to be set up, and don't lose hope if it looks like it's not working, if the passwords just haven't propagated over, or the groups haven't, or it's taken a long time for the domain services to spin up. That's just part of this process. Okay, it took us a little while to get there, but we ended up with a new Azure Active Directory Domain Service up and running with a couple VMs on it, and to use it I was able to connect and authenticate against that service. I hope you found this helpful. If you have any questions or comments, please feel free to drop those below, or you can reach me directly at Jeff at MasterVisualStudio.net,
and we'll see you in the next video.
Info
Channel: MasterVisualStudio
Views: 150,988
Rating: 4.9042783 out of 5
Keywords: Azure, Active Directory Domain Services, MasterVisualStudio
Id: 5tJ5Uz2GlsQ
Length: 33min 23sec (2003 seconds)
Published: Tue Nov 14 2017