Azure AD Domain Services – What you can do, and what you can’t do

Martin Wüthrich Active Directory, Azure AD, Windows 10

Since Microsoft has Released Azure AD Domain Services, many questions are coming up, and the top one of them might be: Can I join my Windows 10 Client through the internet to my Domain and receive Group Policies? No, you can’t.
But besides this, there are other questions that remains to be answered, and I will try to do so.
The first thing is to explain, what is required to get the Azure AD Domain Services (AAD DS) up and running:
1. Create a group in Azure AD called “AAD DC Administrators”
2. Create a VNET in Azure if not already existent
3. Activate the AAD DS in the Azure Portal:
Active Azure AD Domain Services
4. Update DNS Settings for the specific VNET
And now, you are ready to go, for a more detailed explanation refer to this Microsoft Article.


Now you are able to:

  • Join Virtual Machines hosted on Azure IaaS to this Domain
  • Edit Group Policy for those Virtual Machines hosted in Azure and joined the Domain
  • Configure the DNS Zones on the Domain Controllers, which the Virtual Machines hosted in Azure are using
  • On those Virtual Machines, you can Login with your Synchronized On-Prem or with Azure AD Credentials
  • Create own Organizational Unit (OU) Structures (more Details on this Microsoft Description)
  • You can Join Linux Machines to you AAD DS (see this Article)

    • But you are not able to:

  • Join Windows 10 Devices to this Domain and receive Group Policies
  • Create multiple Domains for a Single Azure AD
  • Connect to the Domain Controllers which are used for AAD DS and operated as a Service by Microsoft
  • Run this Service for free (See AAD DS Pricing)
  • Create your own Group Polcies, this means you can only use the two GPOs that are created by Default

    • If everything is set up, and you want to join your first machine to your Azure AD Domain Services, make sure that you can ping your selected Domain Name. See this guide from Microsoft to Join a AAD DS Domain: Join a Windows Server virtual machine to a managed domain
    If you receiving the error, that your username and Password is incorrect when you are joining the Domain, check the following two Options:
    1. When using an Azure AD Account, change the password of the Account, by doing this, Azure AD can sync the hash of the Password to the AAD DS (outlined here)
    2. When using a synced On-Prem AD Account, make sure that password sync is enabled within Azure AD Connect, and the passwords are successfully synced

    Now let’s have a look how you can configure the Azure AD Domain Service, just install the Remote Server Administration Tools an a virtual machine that is joined to the AAD DS, and login with an AAD DS Admin onto this machine. Afterwards you can start your Management Tools and you are able to Manage the AAD DS, here is a view of the ADUC:
    AAD DS ADUC
    Here is the DNS Console:
    AAD DS DNS
    And this screenshot shows the Group Policy Management Console (gpmc.msc) for the Azure Active Directory Domain Services:
    AAD DS GPMC
    You can’t create any own GPOs, and you are not Domain Admin:
    AAD DS GPOs
    This is very solid and usable in certain circumstances where a Domain Controller is required to serve within Azure Infrastructure as a Service.

    Leave a Reply

    Fill in your details below or click an icon to log in:

    Gravatar
    WordPress.com Logo

    You are commenting using your WordPress.com account. Log Out /  Change )

    Twitter picture

    You are commenting using your Twitter account. Log Out /  Change )

    Facebook photo

    You are commenting using your Facebook account. Log Out /  Change )

    Cancel

    Connecting to %s

    This site uses Akismet to reduce spam. Learn how your comment data is processed.