{"id":2424,"date":"2016-12-02T15:00:32","date_gmt":"2016-12-02T13:00:32","guid":{"rendered":"http:\/\/blog.hosebei.ch\/?p=2424"},"modified":"2016-12-02T15:00:32","modified_gmt":"2016-12-02T13:00:32","slug":"azure-ad-domain-services-what-you-can-do-and-what-you-cant-do","status":"publish","type":"post","link":"https:\/\/blog.hosebei.ch\/?p=2424","title":{"rendered":"Azure AD Domain Services – What you can do, and what you can’t do"},"content":{"rendered":"

Since Microsoft has Released Azure AD Domain Services, many questions are coming up, and the top one of them might be: Can I join my Windows 10 Client through the internet to my Domain and receive Group Policies? No, you can’t.
\nBut besides this, there are other questions that remains to be answered, and I will try to do so.
\nThe first thing is to explain, what is required to get the Azure AD Domain Services (AAD DS) up and running:
\n1. Create a group in Azure AD called “AAD DC Administrators”
\n2. Create a VNET in Azure if not already existent
\n3. Activate the AAD DS in the Azure Portal:
\n\"Active<\/a>
\n4. Update DNS Settings for the specific VNET
\nAnd now, you are ready to go, for a more detailed explanation refer to this Microsoft Article<\/a>.<\/p>\n


\nNow you are able to:<\/p>\n

  • Join Virtual Machines hosted on Azure IaaS to this Domain<\/li>\n
  • Edit Group Policy for those Virtual Machines hosted in Azure and joined the Domain<\/li>\n
  • Configure the DNS Zones on the Domain Controllers, which the Virtual Machines hosted in Azure are using<\/li>\n
  • On those Virtual Machines, you can Login with your Synchronized On-Prem or with Azure AD Credentials<\/li>\n
  • Create own Organizational Unit (OU) Structures (more Details on this Microsoft Description<\/a>)<\/li>\n
  • You can Join Linux Machines to you AAD DS (see this Article<\/a>)<\/li>\n

    But you are not able to:<\/p>\n

  • Join Windows 10 Devices to this Domain and receive Group Policies<\/li>\n
  • Create multiple Domains for a Single Azure AD<\/li>\n
  • Connect to the Domain Controllers which are used for AAD DS and operated as a Service by Microsoft<\/li>\n
  • Run this Service for free (See AAD DS Pricing<\/a>)<\/li>\n
  • Create your own Group Polcies, this means you can only use the two GPOs that are created by Default<\/li>\n

    If everything is set up, and you want to join your first machine to your Azure AD Domain Services, make sure that you can ping your selected Domain Name. See this guide from Microsoft to Join a AAD DS Domain: Join a Windows Server virtual machine to a managed domain<\/a>
    \nIf you receiving the error, that your username and Password is incorrect when you are joining the Domain, check the following two Options:
    \n1. When using an Azure AD Account, change the password of the Account, by doing this, Azure AD can sync the hash of the Password to the AAD DS (outlined     here<\/a>)
    \n2. When using a synced On-Prem AD Account, make sure that password sync is enabled within Azure AD Connect, and the passwords are successfully synced<\/p>\n

    Now let’s have a look how you can configure the Azure AD Domain Service, just install the Remote Server Administration Tools an a virtual machine that is joined to the AAD DS, and login with an AAD DS Admin onto this machine. Afterwards you can start your Management Tools and you are able to Manage the AAD DS, here is a view of the ADUC:
    \n    \"AAD<\/a>
    \nHere is the DNS Console:
    \n    \"AAD<\/a>
    \nAnd this screenshot shows the Group Policy Management Console (gpmc.msc) for the Azure Active Directory Domain Services:
    \n    \"AAD<\/a>
    \nYou can’t create any own GPOs, and you are not Domain Admin:
    \n    \"AAD<\/a>
    \nThis is very solid and usable in certain circumstances where a Domain Controller is required to serve within Azure Infrastructure as a Service.<\/p>\n","protected":false},"excerpt":{"rendered":"

    Since Microsoft has Released Azure AD Domain Services, many questions are coming up, and the top one of them might be: Can I join my Windows 10 Client through the internet to my Domain and receive Group Policies? No, you can’t. But besides this, there are other questions that remains to be answered, and I […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,7,43],"tags":[],"class_list":["post-2424","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-azure-ad","category-windows-10"],"_links":{"self":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts\/2424","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2424"}],"version-history":[{"count":0,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts\/2424\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2424"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2424"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2424"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}