So now that you understand how to install Active Directory on your onsite network, it’s time to see how to configure your Azure Active Directory (Azure AD). One big misconception is that Azure AD is set up and configured the same way that your onsite Active Directory is set up. The advantage of Azure AD is that there is no installation unless you decide to add another instance of Azure AD to your tenant. As soon as you set up your Azure subscription, Azure AD is ready to go.
So, before we begin setting up your Azure AD, let’s take a look at some of the features that Azure AD delivers. The following features are just some of the features available in Azure AD:
Simple Deployment You can easily set up Azure AD for your Azure AD directory. Managed users include cloud-only user accounts and user accounts synchronized from an on-premises directory.
Azure Devices You have the ability to easily join computers to the Azure network. You can even set up Azure so that the Windows clients can automatically join the Azure environment.
Setting Domain Names You have the ability to create custom domain names (for example, WillPanek.com) that are either verified or unverified with the Azure AD Custom Domain Name Wizard. You can also create domain names using the Microsoft suffix of onmicrosoft.com. If you want, you can create an Azure name of WillPanek.onmicrosoft.com. You have a lot of flexibility when creating Azure names for your organization.
Group Policy Support You have the ability to create and use built-in GPOs for both the user and computer containers. This gives you the ability to enforce company compliances for security policies. You can create custom GPOs that can be assigned to organizational units (OUs), and this in turn will help you manage and enforce company policies.
For example, you can set up a GPO so that your users will use folder redirection. Folder redirection allows a user to place a file in one folder but it gets redirected to another (this includes OneDrive).
To use a Group Policy to redirect OneDrive, you need the OneDrive sync to be at least build 18.111.0603.0004 or later. You can see the OneDrive build number on the About tab of the OneDrive settings.
The Group Policy object (GPO) for “OneDrive Known Folder Move” won’t work if you have already set up a Windows Folder Redirection policy to redirect a user’s Documents, Pictures, or Desktop folders to a storage location other than OneDrive. If you have done this, you must first remove the Redirection GPO that has already been created. The redirection for OneDrive doesn’t affect the Music and Videos folders, so you can keep them redirected with the Windows GPO that is already created.
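Before deploying the Known Folder Move GPO, an administrator will want to confirm both prerequisites described above on a representative client: the OneDrive build and whether Documents, Pictures or Desktop are already redirected somewhere other than OneDrive. The following PowerShell is an added example (not code from the book or from Microsoft); the minimum build number comes from the text, while the OneDrive install path and the Explorer "User Shell Folders" registry key are the standard Windows locations and are assumptions of this script, not values given on the page.

```powershell
# Added example: check the two prerequisites for the "OneDrive Known Folder Move" GPO.
# Minimum build is the one stated in the text; file and registry paths are assumptions
# (standard per-user OneDrive install location and the Explorer shell-folder key).
$MinimumBuild = [version]"18.111.0603.0004"

function Get-OneDriveBuild {
    # Per-user install location of the OneDrive sync client; returns $null if absent.
    $exe = Join-Path $env:LOCALAPPDATA "Microsoft\OneDrive\OneDrive.exe"
    if (-not (Test-Path $exe)) { return $null }
    [version](Get-Item $exe).VersionInfo.FileVersion
}

function Get-RedirectedKnownFolders {
    # Windows Folder Redirection rewrites these value names under the current user's
    # shell-folder key. A folder that is neither at its default location nor under the
    # user's OneDrive root is the conflict the text describes: Known Folder Move will not
    # take over that folder until the Redirection GPO is removed.
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
    $map = @{ Personal = "Documents"; "My Pictures" = "Pictures"; Desktop = "Desktop" }
    $oneDriveRoot = $env:OneDrive   # set by the sync client once the user has signed in

    foreach ($valueName in $map.Keys) {
        $raw = (Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue).$valueName
        if (-not $raw) { continue }
        $resolved = [Environment]::ExpandEnvironmentVariables($raw)
        $isDefault = $resolved -eq (Join-Path $env:USERPROFILE $map[$valueName])
        $underOneDrive = [bool]$oneDriveRoot -and
            $resolved.StartsWith($oneDriveRoot, [StringComparison]::OrdinalIgnoreCase)

        [pscustomobject]@{
            Folder                = $map[$valueName]
            Path                  = $resolved
            BlocksKnownFolderMove = (-not $isDefault) -and (-not $underOneDrive)
        }
    }
}

$build = Get-OneDriveBuild
if (-not $build) {
    Write-Warning "OneDrive sync client not found for this user."
} elseif ($build -lt $MinimumBuild) {
    Write-Warning "OneDrive build $build is older than the required build $MinimumBuild."
} else {
    Write-Output "OneDrive build $build meets the minimum of $MinimumBuild."
}

# Music and Videos are deliberately not checked: the text notes they are unaffected
# and may stay redirected by the existing Windows GPO.
Get-RedirectedKnownFolders | Format-Table -AutoSize
```

Run it in the user's own session (not an elevated one), because both the OneDrive install and the shell-folder values are per-user; any row with BlocksKnownFolderMove set to True identifies a folder whose Redirection policy must be removed first.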
Azure AD Integration One of the nice advantages of Azure is that you do not need to manage or configure Azure AD replication. Azure user accounts, group membership, or even user hashes are automatically replicated between your onsite Active Directory and Azure AD. Azure AD tenant information is automatically replicated and synchronized to your onsite or Azure AD environments.
DNS Support You have the ability to set up, configure, and integrate DNS with your Azure network. DNS is a hostname resolution service, and Azure allows you to easily configure DNS with many of the same DNS administration tools that you are familiar with.
High Availability One of the most important requirements for any IT department is the ability to keep their network up and running. Some organizations have strict downtime limits, meaning that the organization can only be down for a certain amount of time per year. Azure AD offers an organization the ability to set up high availability for your Azure environment.
This feature guarantees higher service resiliency and uptime. With built-in health monitoring, Azure offers automatic failure recovery by spinning up a new instance to take over for any failed instances. This feature provides automatic and continued services for your organization’s Azure network.
Management Tools Support You have the ability to use the same tools that you are familiar with for managing your current domains. You can use the Active Directory Administrative Center and Active Directory PowerShell utilities when managing your Azure AD.
Azure AD Questions and Answers
The following section contains questions and answers about features and functionality of Azure AD. This section was taken directly from Microsoft’s website (http://docs.microsoft.com/en-us/azure/active-directory-domain-services/faqs). I recommend that you visit this page often for updates about features and services.
Q. Can I create multiple managed domains for a single Azure AD directory?
Answer: No. You can only create a single managed domain serviced by Azure AD Domain Services for a single Azure AD directory.
Q. Can I enable Azure AD Domain Services in an Azure Resource Manager virtual network?
Answer: Yes. Azure AD Domain Services can be enabled in an Azure Resource Manager virtual network. Classic Azure virtual networks are no longer supported for creating new managed domains.
Q. Can I migrate my existing managed domain from a classic virtual network to a Resource Manager virtual network?
Answer: Not currently. Microsoft will deliver a mechanism to migrate your existing managed domain from a classic virtual network to a Resource Manager virtual network in the future.
Q. Can I enable Azure AD Domain Services in an Azure CSP (Cloud Solution Provider) subscription?
Answer: Yes.
Q. Can I enable Azure AD Domain Services in a federated Azure AD directory? I do not synchronize password hashes to Azure AD. Can I enable Azure AD Domain Services for this directory?
Answer: No. Azure AD Domain Services needs access to the password hashes of user accounts, to authenticate users via NTLM or Kerberos. In a federated directory, password hashes are not stored in the Azure AD directory. Therefore, Azure AD Domain Services does not work with such Azure AD directories.
Q. Can I make Azure AD Domain Services available in multiple virtual networks within my subscription?
Answer: The service itself does not directly support this scenario. Your managed domain is available in only one virtual network at a time. However, you may configure connectivity between multiple virtual networks to expose Azure AD Domain Services to other virtual networks.
Q. Can I enable Azure AD Domain Services using PowerShell?
Answer: Yes. Enable Azure AD Domain Services using PowerShell.
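As an added example (not the book's or Microsoft's own code) of the PowerShell route the answer refers to, the script below creates the delegated administration group, a dedicated virtual network, and the managed domain using the Az and AzureAD modules. The resource group, location, network names and address ranges are placeholders; the Microsoft.AAD/DomainServices resource type and its domainName and subnetId properties follow Microsoft's documented deployment script as understood at the time of writing and should be checked against the current reference before use.

```powershell
# Added example: enable Azure AD Domain Services with PowerShell.
# All names, locations and address ranges below are placeholders.
$ResourceGroupName = "rg-aadds"          # placeholder
$AzureLocation     = "eastus"            # placeholder
$VnetName          = "vnet-aadds"        # placeholder
$ManagedDomainName = "corp.example.com"  # placeholder; only one managed domain per directory

Connect-AzAccount
Connect-AzureAD

# 1. The delegated admin group must exist before the domain is created. Its members are
#    the only administrators of the managed domain, so keep it small and reviewed.
$Group = Get-AzureADGroup -Filter "DisplayName eq 'AAD DC Administrators'"
if (-not $Group) {
    $Group = New-AzureADGroup -DisplayName "AAD DC Administrators" `
        -Description "Delegated group to administer Azure AD Domain Services" `
        -SecurityEnabled $true -MailEnabled $false -MailNickName "AADDCAdministrators"
}

# 2. Register the resource provider and create a Resource Manager virtual network
#    (classic networks are no longer supported). A subnet with nothing else in it keeps the
#    managed domain controllers' NICs isolated from other workloads.
Register-AzResourceProvider -ProviderNamespace Microsoft.AAD
New-AzResourceGroup -Name $ResourceGroupName -Location $AzureLocation

$Subnet = New-AzVirtualNetworkSubnetConfig -Name "DomainServices" -AddressPrefix "10.0.0.0/24"
$Vnet   = New-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Location $AzureLocation `
            -Name $VnetName -AddressPrefix "10.0.0.0/16" -Subnet $Subnet
$SubnetId = ($Vnet.Subnets | Where-Object Name -eq "DomainServices").Id

# 3. Create the managed domain as a generic resource. The property names are an
#    assumption based on Microsoft's documented script; verify against the current docs.
$SubscriptionId = (Get-AzContext).Subscription.Id
$ResourceId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
              "/providers/Microsoft.AAD/DomainServices/$ManagedDomainName"
New-AzResource -ResourceId $ResourceId -Location $AzureLocation `
    -Properties @{ domainName = $ManagedDomainName; subnetId = $SubnetId } -Force -Verbose
```

Provisioning runs asynchronously and can take some time to complete; once the resource reports a running state, the managed domain's DNS server addresses still have to be set on the virtual network before machines in it can join the domain.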
Q. Can I enable Azure AD Domain Services using a Resource Manager Template?
Answer: No, it is not currently possible to enable Azure AD Domain Services using a template. Instead use PowerShell.
Q. Can I add domain controllers to an Azure AD Domain Services managed domain?
Answer: No. The domain provided by Azure AD Domain Services is a managed domain. You do not need to provision, configure, or otherwise manage domain controllers for this domain—these management activities are provided as a service by Microsoft. Therefore, you cannot add additional domain controllers (read-write or read-only) for the managed domain.
Q. Can guest users invited to my directory use Azure AD Domain Services?
Answer: No. Guest users invited to your Azure AD directory using the Azure AD B2B invite process are synchronized into your Azure AD Domain Services managed domain. However, passwords for these users are not stored in your Azure AD directory.
Q. Can I connect to the domain controller for my managed domain using Remote Desktop?
Answer: No. You do not have permissions to connect to domain controllers for the managed domain via Remote Desktop. Members of the ‘AAD DC Administrators’ group can administer the managed domain using AD administration tools such as the Active Directory Administration Center (ADAC) or AD PowerShell. These tools are installed using the ‘Remote Server Administration Tools’ feature on a Windows server joined to the managed domain.
Q. I’ve enabled Azure AD Domain Services. What user account do I use to domain join machines to this domain?
Answer: Members of the administrative group ‘AAD DC Administrators’ can domain-join machines. Additionally, members of this group are granted remote desktop access to machines that have been joined to the domain.
Q. Do I have domain administrator privileges for the managed domain provided by Azure AD Domain Services?
Answer: No. You are not granted administrative privileges on the managed domain. Both ‘Domain Administrator’ and ‘Enterprise Administrator’ privileges are not available for you to use within the domain. Members of the domain administrator or enterprise administrator groups in your on-premises Active Directory are also not granted domain/enterprise administrator privileges on the managed domain.
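Because ‘AAD DC Administrators’ is the only administrative role on the managed domain (it can administer the domain, join machines and reach them over Remote Desktop, while Domain and Enterpradmins are unavailable), its membership deserves regular review. The following script is an added example, not code from the book or from Microsoft's FAQ; it uses the Microsoft Graph PowerShell SDK, and the only page-specific value in it is the group name from the answers above.

```powershell
# Added example: report every direct and nested member of 'AAD DC Administrators'.
# Requires the Microsoft.Graph PowerShell SDK and read permissions on groups and users.
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All", "Directory.Read.All"

function Get-ManagedDomainAdmins {
    $group = Get-MgGroup -Filter "displayName eq 'AAD DC Administrators'"
    if (-not $group) { throw "'AAD DC Administrators' group not found in this tenant." }

    # Transitive membership expands nested groups, so indirect administrators appear too.
    Get-MgGroupTransitiveMember -GroupId $group.Id -All | ForEach-Object {
        $p = $_.AdditionalProperties
        [pscustomobject]@{
            DisplayName       = $p['displayName']
            UserPrincipalName = $p['userPrincipalName']
            Type              = ($p['@odata.type'] -replace '^#microsoft\.graph\.', '')
            # Guest (B2B) accounts are synchronized into the managed domain but have no
            # password there, as the FAQ notes; flag them so their presence is deliberate.
            IsGuest           = ($p['userType'] -eq 'Guest')
            AccountEnabled    = $p['accountEnabled']
        }
    }
}

Get-ManagedDomainAdmins | Sort-Object Type, DisplayName | Format-Table -AutoSize
```

Any nested group in the output widens the set of domain administrators beyond what a glance at the group's direct members shows, which is why the script expands membership transitively rather than listing direct members only.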
Q. Can I modify group memberships using LDAP or other AD administrative tools on managed domains?
Answer: No. Group memberships cannot be modified on domains serviced by Azure AD Domain Services. The same applies for user attributes. You may however change group memberships or user attributes either in Azure AD or on your on-premises domain. Such changes are automatically synchronized to Azure AD Domain Services.
Q. How long does it take for changes I make to my Azure AD directory to be visible in my managed domain?
Answer: Changes made in your Azure AD directory using either the Azure AD UI or PowerShell are synchronized to your managed domain. This synchronization process runs in the background. Once initial synchronization is complete, it typically takes about 20 minutes for changes made in Azure AD to be reflected in your managed domain.
Q. Can I extend the schema of the managed domain provided by Azure AD Domain Services?
Answer: No. The schema is administered by Microsoft for the managed domain. Schema extensions are not supported by Azure AD Domain Services.
Q. Can I modify or add DNS records in my managed domain?
Answer: Yes. Members of the ‘AAD DC Administrators’ group are granted ‘DNS Administrator’ privileges, to modify DNS records in the managed domain. They can use the DNS Manager console on a machine running Windows Server joined to the managed domain, to manage DNS. To use the DNS Manager console, install ‘DNS Server Tools’, which is part of the ‘Remote Server Administration Tools’ optional feature on the server. More information on utilities for administering, monitoring, and troubleshooting DNS is available on TechNet.
Q. What is the password lifetime policy on a managed domain?
Answer: The default password lifetime on an Azure AD Domain Services managed domain is 90 days. This password lifetime is not synchronized with the password lifetime configured in Azure AD. Therefore, you may have a situation where users’ passwords expire in your managed domain, but are still valid in Azure AD. In such scenarios, users need to change their password in Azure AD and the new password will synchronize to your managed domain.
Additionally, the ‘password-does-not-expire’ and ‘user-must-change-password-at-next-logon’ attributes for user accounts are not synchronized to your managed domain.
Q. Does Azure AD Domain Services provide AD account lockout protection?
Answer: Yes. Five invalid password attempts within 2 minutes on the managed domain cause a user account to be locked out for 30 minutes. After 30 minutes, the user account is automatically unlocked. Invalid password attempts on the managed domain do not lock out the user account in Azure AD. The user account is locked out only within your Azure AD Domain Services managed domain.
Q. Can I failover Azure AD Domain Services to another region for a DR event?
Answer: No. Azure AD Domain Services does not currently provide a geo-redundant deployment model. It is limited to a single virtual network in an Azure region. If you want to utilize multiple Azure regions, you need to run your Active Directory Domain Controllers on Azure IaaS VMs.
Q. Can I get Azure AD Domain Services as part of Enterprise Mobility Suite (EMS)? Do I need Azure AD Premium to use Azure AD Domain Services?
Answer: No. Azure AD Domain Services is a pay-as-you-go Azure service and is not part of EMS. Azure AD Domain Services can be used with all editions of Azure AD (Free, Basic, and Premium). You are billed on an hourly basis, depending on usage.