Azure - Hybrid AD Management
1. Introduction
Many organizations run a hybrid infrastructure that includes both cloud and on-premises application workloads. Legacy applications migrated to Azure as part of a lift and shift strategy may use traditional LDAP connections to provide identity information. To support this hybrid infrastructure, identity information from an on-premises AD DS environment can be synchronized to an Azure AD tenant. Azure AD DS then provides these legacy applications in Azure with an identity source, without the need to configure and manage application connectivity back to on-premises directory services.
To provide identity services, Azure creates an AD DS managed domain on a virtual network of your choice. Behind the scenes, a pair of Windows Server domain controllers is created that run on Azure VMs. You don't need to manage, configure, or update these domain controllers. The Azure platform manages the domain controllers as part of the Azure AD DS service.
The managed domain is configured to perform a one-way synchronization from Azure AD to provide access to a central set of users, groups, and credentials. You can create resources directly in the managed domain, but they aren't synchronized back to Azure AD. Applications, services, and VMs in Azure that connect to this virtual network can then use common AD DS features such as domain join, group policy, LDAP, and Kerberos / NTLM authentication.
In a hybrid environment with an on-premises AD DS environment, Azure AD Connect synchronizes identity information with Azure AD, which is then synchronized to Azure AD DS.
2. Configure AD DS (Domain Controller) on Windows 2019
In Server Manager -> Local Server, if the Workgroup field shows WORKGROUP, the server is not yet part of a domain.
From the Server Manager Dashboard, click on Add roles and features.
Click Next.
Select Role-based or feature-based installation and click Next.
Select the server by highlighting the row and select Next.
Select Active Directory Domain Services.
Click Add Features.
Select DNS Server.
Click Add Features.
Click Continue.
Click Next.
Click Next with default selection.
Click Next in the AD DS section.
Click Next.
On the confirmation window, select Restart destination server automatically if required.
Click Yes.
Click Install.
The installation will begin.
When the installation is complete, you now need to promote the server to a domain controller.
Click Promote this server to a domain controller (small hyperlink in the results window) or you can click on Close to promote the server later.
Or, if you clicked Close, click on the yellow exclamation mark in the upper-right section of the Server Manager Dashboard.
Select Add a new forest, type in a domain name that you want to use, then click Next.
Type in the password you want to use for DSRM (Directory Services Restore Mode), then click Next.
Click Next on the DNS Options page.
Click Next in the Additional Options page.
NetBIOS domain name will be populated automatically.
Click Next on the Paths sections.
Click Next on the Review Options screen.
Click Install on the Prerequisites Check page.
The installation (promotion process) will begin. The server will reboot during this process.
When the installation is complete, log back in (this time you will be logging into the server with domain credentials).
Enter username with domain name and click OK.
Let’s verify that Active Directory is set up and our server is classified as a DC (domain controller).
Under Server Manager -> Dashboard, we can see that the AD DS and DNS services are installed successfully.
Under Server Manager -> Local Server, we can see the Domain name added.
Open a command prompt and type dsa.msc.
We can see the domain root.
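The same section 2 procedure, scripted, as an added example that is not part of the original walkthrough; the domain name, NetBIOS name and the Test-DomainControllerHealth check are placeholders and assumptions of this example, and it is run from an elevated PowerShell session on the Windows Server 2019 machine.

```powershell
# Added example (not from the original page): role install, forest promotion and a
# post-promotion health check. Domain/NetBIOS names below are placeholders.
$DomainName   = 'corp.example.com'   # placeholder forest root domain
$NetbiosName  = 'CORP'               # placeholder NetBIOS domain name
$DsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM (Directory Services Restore Mode) password'

# Step 1: the "Add roles and features" part of the wizard (AD DS + DNS + tools).
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# Step 2: "Add a new forest" promotion. The server reboots automatically at the end,
# so nothing after this call runs in the same session.
Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -InstallDns `
    -SafeModeAdministratorPassword $DsrmPassword `
    -Force

# Step 3: after the reboot, log in with domain credentials and run this check,
# which replaces the manual Server Manager / dsa.msc verification.
function Test-DomainControllerHealth {
    # Core DC services: directory (NTDS), DNS, Kerberos KDC and Netlogon.
    $services   = Get-Service -Name NTDS, DNS, Kdc, Netlogon -ErrorAction Stop
    $allRunning = -not ($services | Where-Object Status -ne 'Running')
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $isDc = $cs.DomainRole -in 4, 5
    [pscustomobject]@{
        Domain       = $cs.Domain
        ServicesOk   = $allRunning
        IsDomainCtrl = $isDc
        Healthy      = $allRunning -and $isDc
    }
}
Test-DomainControllerHealth
```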
3. Add custom domain name using Azure AD
Every new Azure AD tenant comes with an initial domain name, <domainname>.onmicrosoft.com.
You can't change or delete the initial domain name, but you can add your organization's names. Adding custom domain names helps you to create user names that are familiar to your users, such as [email protected].
Sign in to the Azure portal using a Global administrator account for the directory.
Click on Azure Active Directory under menu.
You can see the Default Directory, <domainname>.onmicrosoft.com.
Click on Custom domain names under Default Directory.
Before you can add a custom domain name, create your domain name with a domain registrar. For an accredited domain registrar, see ICANN-Accredited Registrars.
Click on Add custom domain.
In Custom domain name, enter your organization's new name.
In this example, kcloudspot.com. Select Add domain.
Important: You must include .com, .net, or any other top-level extension for this to work properly.
Note: In production, add the custom domain to a new directory rather than the Default Directory. For the steps to create a new directory, see Create a new tenant for your organization.
The unverified domain is added. Select the custom domain name, in this example kcloudspot.com.
The kcloudspot.com page appears showing your DNS information. Save this information. You need it later to create a TXT record to configure DNS.
After you add your custom domain name to Azure AD, you must return to your domain registrar and add the Azure AD DNS information from your copied TXT file. Creating this TXT record for your domain verifies ownership of your domain name.
Go back to your domain registrar and create a new TXT record for your domain based on your copied DNS information. Set the time to live (TTL) to 3600 seconds (60 minutes), and then save the record.
Important: You can register as many domain names as you want. However, each domain gets its own TXT record from Azure AD. Be careful when you enter the TXT file information at the domain registrar. If you enter the wrong or duplicate information by mistake, you'll have to wait until the TTL times out (60 minutes) before you can try again.
Amazon is my domain registrar, so I am adding the record set under AWS Route 53.
On the kcloudspot.com page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD.
You can see the domain's verified status.
Domain name verification succeeded.
After you've verified your custom domain name, you can delete the verification TXT or MX record.
To make kcloudspot.com the primary domain name, choose Make primary.
Click Yes.
We can see the success message of making domain name primary.
We can see the status of domain name changed to Verified.
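An added check, not part of the original article, for the verification step above: it confirms that the Azure AD TXT value is visible from public resolvers before you click Verify, and surfaces the wrong-or-duplicate record case that otherwise costs a 60-minute TTL wait. The MS=ms... value is a placeholder to be copied from the custom domain page, and the resolver list is an assumption of this example.

```powershell
# Added example (not from the original page): pre-check the domain verification
# TXT record against public resolvers. Azure AD issues one MS=ms... value per domain.
function Test-AzureAdDomainTxtRecord {
    param(
        [Parameter(Mandatory)] [string]   $DomainName,     # e.g. kcloudspot.com
        [Parameter(Mandatory)] [string]   $ExpectedValue,  # e.g. 'MS=ms12345678' (placeholder)
        [string[]] $Resolvers = @('8.8.8.8', '1.1.1.1')   # public resolvers, bypass the local cache
    )
    foreach ($server in $Resolvers) {
        try {
            $records = Resolve-DnsName -Name $DomainName -Type TXT -Server $server -DnsOnly -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Resolver = $server; Found = $false; Stale = 0; Note = $_.Exception.Message }
            continue
        }
        # Keep only the Azure AD verification strings; SPF and other TXT records are ignored.
        $msValues = @($records | Where-Object { $_.Type -eq 'TXT' } |
                      ForEach-Object { $_.Strings } |
                      Where-Object { $_ -like 'MS=*' })
        # Stale = MS= values that are not the one Azure AD gave you (wrong or duplicate
        # entries at the registrar); these must age out before Verify will succeed.
        $stale = @($msValues | Where-Object { $_ -ne $ExpectedValue }).Count
        [pscustomobject]@{
            Resolver = $server
            Found    = $msValues -contains $ExpectedValue
            Stale    = $stale
            Note     = if ($msValues.Count -eq 0) { 'no MS= TXT record visible yet (TTL 3600 s)' }
                       else { $msValues -join '; ' }
        }
    }
}
# Usage: Test-AzureAdDomainTxtRecord -DomainName 'kcloudspot.com' -ExpectedValue 'MS=msXXXXXXXX'
```

Only click Verify in the portal once every resolver reports Found = True and Stale = 0.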
4. Add user using Azure Active Directory
Search for and select Azure Active Directory from any page.
Select Users. We can see only one user, the account owner.
Select New user.
On the User page, enter information for this user:
User name. Required. The user name of the new user. For example, [email protected].
Name: azureadconnect
Select Password as Auto-generated password and copy the initial password.
Choose Create.
We can see the user created successfully.
5. Assign administrator role to user using Azure Active Directory
If a user in your organization needs permission to manage Azure Active Directory (Azure AD) resources, you must assign the user an appropriate role in Azure AD, based on the actions the user needs permission to perform.
Select azureadconnect user created in previous step.
We can see the Profile page of azureadconnect user.
On the azureadconnect – Profile page, select Assigned roles.
Select Add assignment.
Select the Global administrator role to assign to azureadconnect, and then choose Add.
Global administrator role is added successfully.
Sign in to the Azure portal as the azureadconnect user to verify.
You need to change the password when logging in for the first time. Choose Sign in.
We can see azureadconnect user logged in to Azure Portal successfully.
6. Installation of Azure AD Connect
Log in to the on-premises Active Directory Domain Services (AD DS) server as local administrator.
Open a command prompt and enter the command dsa.msc.
We can see Active Directory Users and Computers management console.
Create a new user azureadsync which will be used to invoke synchronization services.
Enter User logon name as azureadsync, choose Next.
Enter Password, Confirm password and choose Next.
Choose Finish.
We can see azureadsync user created successfully.
To assign permissions, open Properties of the azureadsync user.
Under the Member Of tab, choose Add...
Add the Enterprise Admins group, choose Apply, then choose OK.
Open browser and type: https://www.microsoft.com/en-us/download/details.aspx?id=47594
Choose Download.
Run AzureADConnect installer downloaded in previous step.
Choose Run.
Agree to the license terms and choose Continue.
Express Settings: On this page, click Customize to start a customized settings installation.
Required Components: When you install the synchronization services, you can leave the optional configuration section unchecked and Azure AD Connect sets up everything automatically. It sets up a SQL Server 2012 Express LocalDB instance, creates the appropriate groups, and assigns permissions.
Choose Install.
The dependency software is installed.
User Sign-in: After installing the required components, you are asked to select your users’ sign-in method. Select Password Hash Synchronization.
Choose Next.
Connect to Azure AD: On the Connect to Azure AD screen, enter a global admin account and password.
This account is only used to create a service account in Azure AD and is not used after the wizard has completed.
Choose Next.
If your global admin account has MFA enabled, then you need to provide the password again in the sign-in popup and complete the MFA challenge. The challenge could be providing a verification code or a phone call.
If you receive an error and have problems with connectivity, then see Troubleshoot connectivity problems.
Connect Directories: To connect to your Active Directory Domain Service, Azure AD Connect needs the forest name and credentials of an account with sufficient permissions.
Select FOREST and choose Add Directory.
After entering the forest name and clicking Add Directory, a pop-up dialog appears and prompts you with the following options:
For the account option, select Create new AD account and enter Enterprise Admin credentials.
Choose OK.
Enterprise Admin and Domain Admin accounts not supported
As of build 1.4.18.0 it is no longer supported to use an Enterprise Admin or a Domain Admin account as the AD DS Connector account. If you attempt to enter an account that is an enterprise admin or domain admin when specifying use existing account, you will receive the following error:
“Using an Enterprise or Domain administrator account for your AD forest account is not allowed. Let Azure AD Connect create the account for you or specify a synchronization account with the correct permissions. <Learn More>”
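For the "specify a synchronization account with the correct permissions" alternative named in that error, here is an added example (not part of the original article or of Azure AD Connect's own wizard) that creates a dedicated AD DS Connector account as a plain domain user and delegates only the rights needed for sync and password hash sync, using the ADSyncConfig module that ships with Azure AD Connect. The account name and OU are placeholders; it assumes RSAT Active Directory PowerShell and that Azure AD Connect's required components are already installed (so the module is present).

```powershell
# Added example (not from the original page): least-privilege AD DS Connector account,
# the alternative to placing a sync account in Enterprise Admins. Run as Enterprise Admin.
Import-Module ActiveDirectory
# Module installed with Azure AD Connect (path assumed to be the default install location).
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

$AccountName = 'svc-aadconnect'                                # placeholder
$AccountOu   = 'OU=Service Accounts,DC=corp,DC=example,DC=com' # placeholder
$Domain      = (Get-ADDomain).DNSRoot

# 1. Ordinary domain user: no Domain Admins / Enterprise Admins membership.
$password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
New-ADUser -Name $AccountName -SamAccountName $AccountName -Path $AccountOu `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
    -KerberosEncryptionType AES128, AES256 `
    -Description 'Azure AD Connect AD DS Connector account (least privilege)'

# 2. Delegate only what the features chosen in this walkthrough need
#    (directory sync + password hash synchronization).
Set-ADSyncBasicReadPermissions           -ADConnectorAccountName $AccountName -ADConnectorAccountDomain $Domain
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName $AccountName -ADConnectorAccountDomain $Domain
Set-ADSyncPasswordHashSyncPermissions    -ADConnectorAccountName $AccountName -ADConnectorAccountDomain $Domain
# Only if password writeback is enabled later under Optional features:
# Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName $AccountName -ADConnectorAccountDomain $Domain

# 3. Lock down the account object itself so only privileged admins can reset or modify it.
$accountDn = (Get-ADUser -Identity $AccountName).DistinguishedName
Set-ADSyncRestrictedPermissions -ADConnectorAccountDN $accountDn `
    -Credential (Get-Credential -Message 'Enterprise Admin credentials')

# 4. Verify the account is not a direct member of any privileged group.
function Test-ConnectorAccountNotPrivileged {
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName | Select-Object -ExpandProperty Name
    $hits   = @($groups | Where-Object { $_ -in $privileged })
    [pscustomobject]@{ Account = $SamAccountName; PrivilegedGroups = $hits; Ok = ($hits.Count -eq 0) }
}
Test-ConnectorAccountNotPrivileged -SamAccountName $AccountName
```

In the wizard, this account is then entered under Use existing account instead of letting Azure AD Connect create one.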
We can see the directory configured successfully. Choose Next.
Azure AD sign-in configuration: This page allows you to review the UPN domains present in on-premises AD DS and which have been verified in Azure AD. This page also allows you to configure the attribute to use for the userPrincipalName.
Choose Next.
Review every domain marked Not Added and Not Verified. Make sure the domains you use have been verified in Azure AD. Click the Refresh symbol when you have verified your domains. For more information, see add and verify the domain.
UserPrincipalName - The attribute userPrincipalName is the attribute users use when they sign in to Azure AD and Office 365. The domains used, also known as the UPN-suffix, should be verified in Azure AD before the users are synchronized. Microsoft recommends keeping the default attribute userPrincipalName. If this attribute is non-routable and cannot be verified, then it is possible to select another attribute. You can, for example, select email as the attribute holding the sign-in ID. Using an attribute other than userPrincipalName is known as Alternate ID. The Alternate ID attribute value must follow the RFC822 standard. An Alternate ID can be used with password hash sync, pass-through authentication, and federation. The attribute must not be defined in Active Directory as multi-valued, even if it only has a single value. For more information on the Alternate ID, see the Frequently asked questions topic.
Domain and OU filtering: By default all domains and OUs are synchronized. If there are some domains or OUs you do not want to synchronize to Azure AD, you can unselect these domains and OUs.
Choose Next.
This page in the wizard is configuring domain-based and OU-based filtering. If you plan to make changes, then see domain-based filtering and ou-based filtering before you make these changes. Some OUs are essential for the functionality and should not be unselected.
If you use OU-based filtering with Azure AD Connect version before 1.1.524.0, new OUs added later are synchronized by default. If you want the behavior that new OUs should not be synchronized, then you can configure it after the wizard has completed with ou-based filtering. For Azure AD Connect version 1.1.524.0 or after, you can indicate whether you want new OUs to be synchronized or not.
If you plan to use group-based filtering, then make sure the OU with the group is included and not filtered with OU-filtering. OU filtering is evaluated before group-based filtering.
It is also possible that some domains are not reachable due to firewall restrictions. These domains are unselected by default and have a warning.
Uniquely identifying your users: keep all default values and choose Next.
Filter users and devices: The filtering on groups feature allows you to sync only a small subset of objects for a pilot. To use this feature, create a group for this purpose in your on-premises Active Directory. Then add users and groups that should be synchronized to Azure AD as direct members. You can later add and remove users to this group to maintain the list of objects that should be present in Azure AD. All objects you want to synchronize must be a direct member of the group. Users, groups, contacts, and computers/devices must all be direct members. Nested group membership is not resolved. When you add a group as a member, only the group itself is added and not its members.
Choose Next.
Optional features: This screen allows you to select the optional features for your specific scenarios.
Choose Next.
Ready to configure: Select Start the synchronization process when configuration completes.
Choose Install.
It is possible to set up a new sync server in parallel with staging mode. It is only supported to have one sync server exporting to one directory in the cloud. But if you want to move from another server, for example one running DirSync, then you can enable Azure AD Connect in staging mode. When enabled, the sync engine imports and synchronizes data as normal, but it does not export anything to Azure AD or AD.
Password sync and password writeback are disabled while in staging mode.
While in staging mode, it is possible to make required changes to the sync engine and review what is about to be exported. When the configuration looks good, run the installation wizard again and disable staging mode. Data is now exported to Azure AD from this server. Make sure to disable the other server at the same time so only one server is actively exporting.
For more information, see Staging mode.
Configuring: Creating the Azure Active Directory Synchronization Account
In the configuration process Azure AD Connect will create a service account in Azure for synchronization.
Configuration complete: choose Exit.
Sign in to the Azure portal and go to Default Directory -> Users.
We can see all the on-premises users showing up in the Azure portal.
Sign in to the Azure portal and go to Default Directory -> Groups.
We can see all the on-premises groups showing up in the Azure portal.
7. Installation of Azure AD Domain Services
Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory. You consume these domain services without deploying, managing, and patching domain controllers yourself. Azure AD DS integrates with your existing Azure AD tenant. This integration lets users sign in using their corporate credentials, and you can use existing groups and user accounts to secure access to resources.
Prerequisites:
- An active Azure subscription. If you don't have an Azure subscription, create an account.
- An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
- If needed, create an Azure Active Directory tenant or associate an Azure subscription with your account. You need global administrator privileges in your Azure AD tenant to enable Azure AD DS.
- You need Contributor privileges in your Azure subscription to create the required Azure AD DS resources.
Important: After you create an Azure AD DS managed domain, you can't then move the instance to a different resource group, virtual network, subscription, etc. Take care to select the most appropriate subscription, resource group, region, and virtual network when you deploy the Azure AD DS instance.
On the Azure portal menu or from the Home page, select Create a resource.
Enter Domain Services into the search bar, then choose Azure AD Domain Services from the search suggestions.
On the Azure AD Domain Services page, select Create. The Enable Azure AD Domain Services wizard is launched.
Select the Azure Subscription in which you would like to create the managed domain.
Select the Resource group to which the managed domain should belong. Choose to Create new or select an existing resource group.
When you create an Azure AD DS instance, you specify a DNS name. There are some considerations when you choose this DNS name:
· Built-in domain name: By default, the built-in domain name of the directory is used (a .onmicrosoft.com suffix). If you wish to enable secure LDAP access to the managed domain over the internet, you can't create a digital certificate to secure the connection with this default domain. Microsoft owns the .onmicrosoft.com domain, so a Certificate Authority (CA) won't issue a certificate.
· Custom domain names: The most common approach is to specify a custom domain name, typically one that you already own and is routable. When you use a routable, custom domain, traffic can correctly flow as needed to support your applications.
· Non-routable domain suffixes: We generally recommend that you avoid a non-routable domain name suffix, such as contoso.local. The .local suffix isn't routable and can cause issues with DNS resolution.
Complete the fields in the Basics window of the Azure portal to create an Azure AD DS instance:
Enter a DNS domain name for your managed domain, taking into consideration the previous points.
Choose the Azure Location in which the managed domain should be created. If you choose a region that supports Availability Zones, the Azure AD DS resources are distributed across zones for additional redundancy.
The SKU determines the performance, backup frequency, and maximum number of forest trusts you can create. You can change the SKU after the managed domain has been created if your business demands or requirements change. For more information, see Azure AD DS SKU concepts.
Select the Standard SKU.
A forest is a logical construct used by Active Directory Domain Services to group one or more domains. By default, an Azure AD DS managed domain is created as a User forest. This type of forest synchronizes all objects from Azure AD, including any user accounts created in an on-premises AD DS environment. A Resource forest only synchronizes users and groups created directly in Azure AD. Resource forests are currently in preview. For more information on Resource forests, including why you may use one and how to create forest trusts with on-premises AD DS domains, see Azure AD DS resource forests overview.
Choose Next.
Choose Next.
Select Scoped under Synchronization.
Select groups which you want to synchronize from Azure Active Directory to the managed domain.
Choose Add groups and select the groups.
Choose Next.
Validating the configuration.
To create the managed domain, select Create.
A note is displayed that certain configuration options such as DNS name or virtual network can't be changed once the Azure AD DS managed domain has been created. To continue, select OK.
The process of provisioning your managed domain can take up to an hour. A notification is displayed in the portal that shows the progress of your Azure AD DS deployment. Select the notification to see detailed progress for the deployment.
The page will load with updates on the deployment process, including the creation of new resources in your directory.
Choose Go to resource.
The Overview tab shows that the managed domain is currently Deploying. You can't configure the managed domain until it's fully provisioned.
When the managed domain is fully provisioned, the Overview tab shows the domain status as Running.
The managed domain is associated with your Azure AD tenant. During the provisioning process, Azure AD DS creates two Enterprise Applications named Domain Controller Services and AzureActiveDirectoryDomainControllerServices in the Azure AD tenant. These Enterprise Applications are needed to service your managed domain. Don't delete these applications.
With Azure AD DS successfully deployed, now configure the virtual network to allow other connected VMs and applications to use the managed domain. To provide this connectivity, update the DNS server settings for your virtual network to point to the two IP addresses where Azure AD DS is deployed.
To update the DNS server settings for the virtual network, select the Configure button. The DNS settings are automatically configured for your virtual network.
Note: If you selected an existing virtual network in the previous steps, any VMs connected to the network only get the new DNS settings after a restart. You can restart VMs using the Azure portal, Azure PowerShell, or the Azure CLI.
We can see the notification saying the DNS settings are saved for the virtual network.
The addresses listed are the domain controllers for use in the virtual network. In this example, those addresses are 10.2.3.4 and 10.2.3.5. You can later find these IP addresses on the Properties tab.
Go to the VNET in which Azure AD DS is deployed and choose DNS servers.
We can see the Custom DNS server is selected automatically.
To configure DNS for other VNETs: choose DNS servers of the VNET -> select Custom.
Enter the IP addresses: 10.2.3.4 and 10.2.3.5.
Choose Save.
We can see the notification saying the DNS settings for the VNET are saved.
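The same DNS change for another VNET, done with Az PowerShell, followed by a reachability check to run from a VM on that VNET; this is an added example, not part of the original article. The domain controller addresses 10.2.3.4 and 10.2.3.5 are the ones from this section; the resource group, VNET and VM names are placeholders, and it assumes the Az module with an existing Connect-AzAccount session.

```powershell
# Added example (not from the original page): point a second VNET at the managed
# domain's DNS servers and verify that a VM on it can reach the Azure AD DS DCs.
$DnsServers = @('10.2.3.4', '10.2.3.5')   # managed domain DCs from this section

function Set-VnetDnsToManagedDomain {
    param([Parameter(Mandatory)] [string] $ResourceGroupName,
          [Parameter(Mandatory)] [string] $VnetName,
          [Parameter(Mandatory)] [string[]] $Servers)
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VnetName
    # VNETs still on Azure-provided DNS may have no DhcpOptions object yet.
    if (-not $vnet.DhcpOptions) {
        $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
    }
    $vnet.DhcpOptions.DnsServers.Clear()
    foreach ($s in $Servers) { $vnet.DhcpOptions.DnsServers.Add($s) }
    Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
    # Read back what the platform stored (this is the "DNS settings saved" state).
    (Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VnetName).DhcpOptions.DnsServers
}
Set-VnetDnsToManagedDomain -ResourceGroupName 'rg-app' -VnetName 'vnet-app' -Servers $DnsServers
# Existing VMs only pick up the new DNS servers after a restart (see the note above):
# Restart-AzVM -ResourceGroupName 'rg-app' -Name 'vm-app01'

# Run from a VM on that VNET (peered or routed to the Azure AD DS VNET).
function Test-ManagedDomainReachability {
    param([Parameter(Mandatory)] [string[]] $DomainControllers,
          [string] $ManagedDomain = 'kcloudspot.com')
    # 53 DNS, 88 Kerberos, 389 LDAP, 445 SMB (group policy / SYSVOL).
    # 636 is only relevant once secure LDAP is enabled, so it is not probed here.
    $ports = 53, 88, 389, 445
    foreach ($dc in $DomainControllers) {
        foreach ($port in $ports) {
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ Target = $dc; Port = $port; Open = $r.TcpTestSucceeded }
        }
    }
    # Domain join and Kerberos depend on the DC locator SRV record resolving via the new DNS.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV -ErrorAction SilentlyContinue
    [pscustomobject]@{ Target = "_ldap._tcp.dc._msdcs.$ManagedDomain"; Port = 'SRV'; Open = [bool]$srv }
}
Test-ManagedDomainReachability -DomainControllers $DnsServers
```

Any Open = False row for 53, 88 or 389 means VMs on that VNET will not be able to domain join, whatever the portal notification says.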
--The End--
Assistant Manager at EY | Multi Cloud Certified | 9x Microsoft | AWS | ISC2