Thursday, November 10, 2016

Enabling Azure AD Domain Services

One of the last remaining pieces of infrastructure that was required to either stay on premises or be virtualised was the Active Directory Domain Controller (DC). That is no longer the case as Microsoft has made its Directory Services as a Service available from Azure.

What that effectively means is that you no longer need a dedicated box (physical or virtualised) for Active Directory; you can simply consume it as a service directly from Azure.

Given that this is a new Azure service there are some challenges. The main one is that Azure AD Domain Services is only available in the older Service Manager portal, not the newer Resource Manager model where everything should really be created these days. Azure AD Domain Services will be coming to Resource Manager; however, at the moment we need to deploy it using the older Service Manager.

In preparation, I’ve used Azure AD Connect to synchronise users from an existing on-premises Active Directory to Office 365. This has also created accounts for those users in Azure AD. I’ve then added a paid Azure subscription to my free Office 365 Azure AD to enable all the services required.

Next, I created a Virtual Network in both Service Manager and Resource Manager. I then connected these together using a site to site VPN. The idea is that the Service Manager network will simply be used for Directory Services, while the Resource Manager network will hold all the other services such as member servers and so on.

Now, with the site to site VPN between Azure Service Manager (ASM) and Azure Resource Manager (ARM) in place, I navigate to the ASM portal.

image

Here I select my Active Directory option and then the name of the Active Directory.

image

I select the Groups option at the top of the page and create a new security group called:

AAD DC Administrators

It is important to create the group named EXACTLY as it appears above.

Into this new security group add all the users from your AD that you want to be effectively Domain Administrators in Azure AD Domain Services.
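The same two steps (create the group with the exact name, then add the chosen users) can be scripted so the name is never mistyped and the script can be re-run safely. This is an added example, not code from the original post; it assumes the AzureAD PowerShell module is installed and that the signed-in account may create groups. The user principal names are placeholders.

```powershell
# Added example: create the 'AAD DC Administrators' group and populate it.
# Assumes the AzureAD module; UPNs below are placeholders.

Import-Module AzureAD
Connect-AzureAD | Out-Null   # interactive sign-in to the tenant

$GroupName = 'AAD DC Administrators'   # must match exactly, including spacing and case
$Members   = @('alice@contoso.example', 'bob@contoso.example')   # placeholders

# Reuse the group if it already exists; the exact display name is what the
# service looks for, so a similarly named second group would not be honoured.
$group = Get-AzureADGroup -Filter "DisplayName eq '$GroupName'"
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $GroupName `
                              -Description 'Delegated administration of Azure AD Domain Services' `
                              -SecurityEnabled $true -MailEnabled $false `
                              -MailNickName 'AADDCAdministrators'
    Write-Host "Created group $($group.ObjectId)"
}

# Add each user, skipping those already present so the script is safe to re-run.
$existing = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
            Select-Object -ExpandProperty UserPrincipalName
foreach ($upn in $Members) {
    if ($existing -contains $upn) { continue }
    $user = Get-AzureADUser -ObjectId $upn
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Added $upn"
}

# Members of this group are effectively domain administrators of the managed
# domain, so print the final list for review; it should be short.
Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
    Select-Object DisplayName, UserPrincipalName
```

Keeping the membership list in the script (or in source control) gives you a record of who was granted this level of access, which is worth reviewing periodically since these accounts can administer every machine joined to the managed domain.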

image

Now select the Configure option at the top of the page.

image

Scroll down the page until you locate the Domain Services area as shown above.

Select the Yes option to enable the service.

image

You’ll also need to check that the DNS Domain and Virtual Network options are correct. In this case I’ve selected the custom domain I have in Office 365 and synchronised from an on-premises AD.

Select Save at the bottom of the page to complete the configuration.

image

Azure will now hum away for about 35 minutes enabling the service for you.

image

When the enablement process is complete you should now see two IP addresses at the bottom of the domain services area as shown above.

You should update the DNS settings of the ARM virtual network to point to these two addresses on the ASM network. You can think of it as the Domain Controller for the whole network now living on the ASM network, reached by the ARM network across the VPN.

So let’s say you now spin up a member server on the ARM network. You add this member server to the domain as you would normally. When you do, you’ll be prompted for credentials to allow this. Here you’ll need to use a member of the security group AAD DC Administrators you created earlier. Apart from that everything is exactly the same as if there was a physical domain controller in the network.
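The DNS change and the domain join described above, scripted end to end. This is an added example and not code from the original post. Part 1 assumes the AzureRM PowerShell module on an administrator's workstation; part 2 runs on the new member server. The resource group, virtual network name, domain name and the two DNS addresses are placeholders: substitute the two IP addresses shown in the Domain Services area after enablement.

```powershell
# Added example: point the ARM network at the managed domain's DNS, verify
# resolution from the member server, then join it. All names and IPs are
# placeholders.

# ---- Part 1: administrator workstation (AzureRM module) ----
Import-Module AzureRM.Network
Login-AzureRmAccount | Out-Null

$ResourceGroup = 'rg-arm-members'            # placeholder
$VNetName      = 'vnet-arm-members'          # placeholder
$DomainDns     = @('10.0.0.4', '10.0.0.5')   # placeholders for the two reported addresses

$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
$vnet.DhcpOptions.DnsServers = $DomainDns    # replaces the Azure-provided resolver
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# VMs only pick up the new DNS servers when their DHCP lease is renewed, so
# run 'ipconfig /renew' on (or restart) running VMs before joining them.

# ---- Part 2: on the member server ----
$DomainName = 'contoso.example'              # placeholder for the custom domain

# Windows locates a domain controller through this SRV record. If the lookup
# fails, the VM is still using the old resolver and the join would fail with
# a "domain could not be contacted" error, so stop here rather than retrying.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$srv | Select-Object NameTarget, Port

# The credential must belong to a member of 'AAD DC Administrators'.
# Prompt for it rather than embedding a password in the script.
$cred = Get-Credential -Message 'Account that is a member of AAD DC Administrators'
Add-Computer -DomainName $DomainName -Credential $cred -Restart
```

Checking the SRV record first separates DNS problems (the most common cause of a failed join across the VPN) from credential or trust problems, which saves a round of guesswork when the join dialog only reports a generic error.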

image

So your next question is probably going to be about how to manage this ‘DC as a service’? Easy. Simply add the AD management tools to any member server and, as you can see from the above, the domain appears exactly as it would if there were an on-premises server on the network. If you go in and look at the domain controllers on the network you’ll see two, as shown above. They have random GUIDs as names and obviously correlate to the two IP addresses provided by the Directory Service during configuration.
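The check described above (install the management tools on a member server and confirm that the two domain controllers are the ones the service reported) as an added example, not code from the original post. It assumes a domain-joined Windows Server with the Active Directory PowerShell module available through RSAT; the two expected addresses are placeholders. Whether the synchronised AAD DC Administrators group is readable with Get-ADGroupMember is an assumption noted in the code.

```powershell
# Added example: enumerate the managed domain's controllers from a member
# server and confirm they match the two addresses the service reported.
# The expected addresses are placeholders.

Install-WindowsFeature RSAT-AD-PowerShell, RSAT-ADDS-Tools | Out-Null
Import-Module ActiveDirectory

$Expected = @('10.0.0.4', '10.0.0.5')   # placeholders: addresses from the Domain Services area

$dcs = Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address, Site

# Every controller should sit on one of the reported addresses. Anything else
# answering as a DC for this domain is worth investigating before relying on it.
$unexpected = 0
foreach ($dc in $dcs) {
    $ok = $Expected -contains $dc.IPv4Address
    if (-not $ok) { $unexpected++ }
    '{0,-45} {1,-15} {2}' -f $dc.HostName, $dc.IPv4Address, $(if ($ok) { 'expected' } else { 'UNEXPECTED' })
}
if ($dcs.Count -ne $Expected.Count -or $unexpected -gt 0) {
    Write-Warning "Domain controller list does not match the $($Expected.Count) reported addresses"
}

# Assumption: the synchronised 'AAD DC Administrators' group is readable as an
# ordinary domain group, so its membership can be reviewed from here as well.
Get-ADGroupMember -Identity 'AAD DC Administrators' | Select-Object Name, SamAccountName
```

Comparing the controller list against the addresses you recorded during enablement is the same sanity check you would do for an on-premises forest after a new DC appears; here it doubles as confirmation that the DNS change on the ARM network is steering clients to the managed domain and not to a stale resolver.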

If you then elect to, say, remove the on-premises domain controller, you’ll have all your users and a fully functioning domain in Azure. You’ll have your AD as a service rather than requiring dedicated equipment, which is far more flexible and easier to manage. You’ll be able to manage your users, group policy and the like just as you could on premises, but now totally in the cloud.

At the moment there is some extra configuration because of the necessity of an ASM network for Directory Services but in time everything will move to ARM which will make it even easier to have your domain controllers as a service!

For more information on Azure AD Domain Services visit:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-getting-started/