BLOG Published on 2017/11/20 by Asitha De Silva in Tech-Tips

Azure AD Domain Services | Managing and Administration

This is the third article I’m writing about Azure AD Domain Services, and it covers the day-to-day administration and management activities you perform with domain services. Azure AD Domain Services is Microsoft’s Active Directory as a service in Azure. Follow my previous posts for a better understanding of domain services:

Azure AD Domain services | What is new - What AAD Domain Services is, how domain services works and its architecture, features and benefits, pricing, upcoming features, and a comparison with on-premises Active Directory

Azure AD Domain services | Implementing and configuring - How to implement domain services and its configuration: enabling the domain service, configuring virtual networks, configuring domain names, updating DNS, and enabling Azure AD Domain Services password synchronization for cloud-only Azure AD accounts and for user accounts synced from on-premises AD

Azure AD Domain Services is a managed service, so you cannot expect the same operational behaviour as on-premises Active Directory. It does, however, support domain join, Kerberos and NTLM authentication, management of users and computers, Group Policy deployment, password policy, DNS management, and single sign-on to applications that integrate with AD.

After implementing domain services, and before you can administer it, you first need to domain join the computer on which you will install the remote administration tools.

Adding a VM to Azure AD Domain Services

The first rule of domain services is that every computer must have access to the virtual network in which domain services resides. After adding a VM to that virtual network, you will see the IP addresses of the Domain Services domain controllers populated in the machine’s DNS settings. You have to restart the machine for this to take effect.

Then you can add the machine to the domain.

Provide the credentials of an account you have added to the AAD DC Administrators group. Make sure you have reset the password for cloud-only users, or changed the sync settings for users synced from on-premises AD, so that the password hashes are available to domain services.
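The same join, done from PowerShell on the VM, with the two checks a practitioner wants before and after it. This is an added example, not code from the original post; the domain name aaddscontoso.com is a placeholder and the account prompted for is assumed to be a member of AAD DC Administrators.

```powershell
# Added example (not from the original post). Assumptions: the managed domain is
# 'aaddscontoso.com' (placeholder) and the joining account is a member of
# 'AAD DC Administrators'. Run from an elevated PowerShell on the VM.
$DomainName = 'aaddscontoso.com'

# 1. The VM's DNS servers must be the managed domain controllers. They are pushed
#    into the VM's network settings once it sits in the domain services virtual
#    network (and the VM has been restarted).
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object -ExpandProperty ServerAddresses -Unique
Write-Host "Configured DNS servers: $($dnsServers -join ', ')"

# 2. Prove those DNS servers can locate a domain controller through the LDAP SRV
#    records. A failure here means the VM is on the wrong virtual network or has
#    not picked up the new DNS servers yet; joining would fail anyway.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$srv | Where-Object { $_.Type -eq 'SRV' } |
    ForEach-Object { Write-Host "DC located: $($_.NameTarget) port $($_.Port)" }

# 3. Join with an 'AAD DC Administrators' member. Get-Credential prompts, so the
#    password never lands in the script or the command history.
$cred = Get-Credential -Message "Account in 'AAD DC Administrators' (UPN form, e.g. user@$DomainName)"
Add-Computer -DomainName $DomainName -Credential $cred -Force -Restart

# 4. After the reboot, log back in and confirm the machine account's secure
#    channel to a DC is healthy (returns True):
#    Test-ComputerSecureChannel -Verbose
```

Step 4 is left as a comment because `Add-Computer -Restart` reboots the VM; run it once you are back on the machine. If step 2 returns no SRV records, fix the network placement or DNS first rather than retrying the join.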


Administering Azure AD Domain services

Domain services cannot be managed via Remote Desktop connections, because you do not have privileges to log in to the domain controllers. It can, however, be managed using the familiar Active Directory administrative tools such as the Active Directory Administrative Center (ADAC) or AD PowerShell.

Note – To install the Remote Server Administration Tools, the client must first be domain joined to the domain services domain.

  1. Log in to the domain-joined machine
  2. Server Manager – Add Roles and Features – Features – Remote Server Administration Tools: add AD DS and AD LDS Tools, and DNS Server Tools
  3. Confirm and install
  4. After completion, the AD DS tools will be available under Administrative Tools
  5. To manage DNS, run the installed DNS console and type the domain name when prompted to Connect to DNS Server
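The same installation done with PowerShell, followed by the queries that confirm the tools can reach the managed domain, which is the only health check available since you cannot log on to the domain controllers. This is an added example, not code from the original post; it assumes a Windows Server VM already joined to the placeholder domain aaddscontoso.com and an elevated session (on a Windows 10 client RSAT is installed differently).

```powershell
# Added example (not from the original post). Assumes Windows Server, already
# joined to the managed domain 'aaddscontoso.com' (placeholder), elevated shell.
$DomainName = 'aaddscontoso.com'

# AD DS and AD LDS Tools (ADAC, AD PowerShell module, snap-ins) plus DNS Server Tools:
# the same components the Server Manager steps above select.
Install-WindowsFeature -Name RSAT-AD-Tools, RSAT-DNS-Server

# Verify the AD module talks to a managed domain controller.
Import-Module ActiveDirectory
$domain = Get-ADDomain -Identity $DomainName
Write-Host "Domain: $($domain.DNSRoot)  NetBIOS: $($domain.NetBIOSName)"
Get-ADDomainController -Filter * -Server $DomainName |
    Select-Object HostName, IPv4Address, Site

# The two default OUs the post describes should already be present.
Get-ADOrganizationalUnit -Filter "Name -like 'AADDC *'" -Server $DomainName |
    Select-Object Name, DistinguishedName

# OU and GPO work needs 'AAD DC Administrators'; check direct membership of the
# current account before starting (nested membership is not shown by MemberOf).
$me = Get-ADUser -Identity $env:USERNAME -Server $DomainName -Properties MemberOf
$isAdmin = [bool]($me.MemberOf -match '^CN=AAD DC Administrators,')
Write-Host "Direct member of AAD DC Administrators: $isAdmin"

# DNS management without the console: list the zones held by a DC and the
# A records of the domain zone.
Import-Module DnsServer
$dc = [string](Get-ADDomainController -Discover -DomainName $DomainName).HostName
Get-DnsServerZone -ComputerName $dc | Select-Object ZoneName, ZoneType, IsDsIntegrated
Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $DomainName -RRType A |
    Select-Object HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }
```

If `Get-ADDomain` fails while the SRV lookup from the join step succeeded, the usual cause is that the account you are logged on with is not a domain account; run the queries under a domain credential.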



Administering and deploying Group Policies

One of the main benefits of the managed domain service is the ability to deploy Group Policies. There are two default OUs for users and computers (AADDC Computers and AADDC Users), and default GPOs are also created for managing these OUs. These GPOs can be edited to suit your needs. Custom OUs can also be created in domain services. All of these activities require membership of the administrators group.

  1. Before managing GPOs, install the Group Policy Management console:
    Server Manager – Add Roles and Features – Features – Group Policy Management
  2. You can create custom Group Policies and link them to OUs, or edit the default policies, using the Group Policy Management console

    Note about custom OUs – you cannot move users from the default AADDC Users OU to a custom OU; all users syncing from Azure AD are placed in that OU. Also, when you create a user in a custom OU, that object will not be synced back to Azure AD.
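The console steps above, done with the GroupPolicy module: install the console, create a custom GPO that enforces one concrete hardening setting, and link it to the default AADDC Computers OU. This is an added example, not code from the original post; the domain aaddscontoso.com and the GPO name are placeholders, and the account running it is assumed to be in AAD DC Administrators.

```powershell
# Added example (not from the original post). Assumes a domain-joined server,
# an 'AAD DC Administrators' account and the placeholder domain 'aaddscontoso.com'.
Install-WindowsFeature -Name GPMC
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainName = 'aaddscontoso.com'
$domainDn   = (Get-ADDomain -Identity $DomainName).DistinguishedName
$targetOu   = "OU=AADDC Computers,$domainDn"          # default OU created by the service
$gpoName    = 'Require SMB Signing - AADDS VMs'       # placeholder name

# Create the GPO once and reuse it on later runs.
$gpo = Get-GPO -Name $gpoName -Domain $DomainName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Domain $DomainName -Comment 'Hardening for domain-joined IaaS VMs'
}

# One concrete setting: require SMB signing on the client side of every domain-joined VM
# (the registry backing of 'Microsoft network client: Digitally sign communications (always)').
Set-GPRegistryValue -Name $gpoName -Domain $DomainName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' `
    -ValueName 'RequireSecuritySignature' -Type DWord -Value 1 | Out-Null

# Link it to the default computers OU, enforced so a link lower in the tree cannot override it.
$links = (Get-GPInheritance -Target $targetOu -Domain $DomainName).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $targetOu -Domain $DomainName -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Review everything linked to the OU, which includes the default GPO the service created.
(Get-GPInheritance -Target $targetOu -Domain $DomainName).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# On a member VM, pull the policy and confirm the value arrived (run there):
#   gpupdate /target:computer /force
#   Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' -Name RequireSecuritySignature
```

Because the managed domain ships its own default GPOs, always check the link order shown at the end before enforcing a custom link; an enforced link wins over non-enforced links from higher containers, which is usually what you want for hardening but can surprise you if the default GPO sets the same value differently.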


Some Use Cases with Azure AD Domain services

These are a few use cases I found in Microsoft Ignite content; after implementing domain services, it can be useful in the following scenarios.

Manage Azure IAAS Virtual Machines

  • Domain-join Azure IaaS virtual machines – Windows Server and Linux
  • Use your corporate credentials to log in to VMs – no need to manage local administrator accounts
  • Use Group Policy to manage and secure domain-joined VMs

Move apps using LDAP bind authentication to Azure
An application uses a web form to collect user credentials and authenticates users via an LDAP bind to the directory. With domain services you can:

  • Migrate and deploy the app on domain-joined Azure VMs
  • Let end users sign in using their existing corporate credentials
  • This app pattern is often used by organizations to grant vendors or partners access to their applications

Move apps that connect to AD over LDAP/LDAPS to Azure
Access the managed domain over LDAP, or LDAP over SSL (LDAPS):

  • From app servers within the virtual network
  • Or over the internet using LDAP over SSL

LDAPS certificates can be issued by a public certification authority or be self-signed.
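Before pointing an application at the LDAPS endpoint, it is worth confirming reachability and looking at the certificate the managed domain presents, since the post leaves the public-CA versus self-signed choice to you and the two have different client-side consequences. The following is an added example, not code from the original post; the domain aaddscontoso.com is a placeholder and the script is meant to be run from an app server that should be allowed to reach port 636.

```powershell
# Added example (not from the original post). Assumes the placeholder domain
# 'aaddscontoso.com' and an app server that is expected to reach LDAPS (636).
$DomainName = 'aaddscontoso.com'
$Port = 636

# Reachability first: NSG or virtual network problems show up here, not in the app log.
$tnc = Test-NetConnection -ComputerName $DomainName -Port $Port
if (-not $tnc.TcpTestSucceeded) { throw "TCP $Port to $DomainName is blocked or not listening" }

# TLS handshake with a validation callback that records the certificate and the
# chain verdict. It returns $true only so we can inspect; an application must
# never accept certificates this way.
$script:ldapsCert   = $null
$script:chainErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:ldapsCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    $script:chainErrors = $errors
    return $true
}
$client = New-Object System.Net.Sockets.TcpClient($DomainName, $Port)
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($DomainName)
    Write-Host "Protocol: $($ssl.SslProtocol)  Cipher: $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
} finally {
    $ssl.Dispose(); $client.Dispose()
}

$c = $script:ldapsCert
Write-Host "Subject : $($c.Subject)"
Write-Host "Issuer  : $($c.Issuer)"
Write-Host "Expires : $($c.NotAfter)"
$san = $c.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) { Write-Host "SAN     : $($san.Format($false))" }

# The operational consequence of the certificate choice:
if ($c.Subject -eq $c.Issuer) {
    Write-Warning 'Self-signed certificate: it must be imported into the Trusted Root store of every LDAP client'
} elseif ($script:chainErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
    Write-Warning "Chain validation failed on this host: $($script:chainErrors)"
} else {
    Write-Host 'Certificate chains to a CA trusted on this host' -ForegroundColor Green
}
```

Two things to watch in the output: the name in the SAN must match the name the application will use to connect (otherwise hostname validation fails even with a trusted chain), and the expiry date, because a self-signed certificate you issued is also one you have to renew and redistribute.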

Move Windows integrated authentication apps to Azure (Kerberos)
For example, a server application uses an AD service account for its web front end to authenticate access to a back-end server.

  • Migrate and deploy the app on domain-joined Azure VMs
  • Create custom OUs and provision service accounts
  • Assign custom password policies (password never expires) to the service account
  • Group managed service accounts work as well
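The provisioning pattern those bullets describe, carried out with the ActiveDirectory module: a custom OU, a classic service account whose password never expires, and a group managed service account that only the listed app servers can use. This is an added example, not code from the original post; the domain aaddscontoso.com, the OU, account and computer names are constructed placeholders, and it assumes an AAD DC Administrators account and that the managed domain already holds the KDS root key that gMSAs require.

```powershell
# Added example (not from the original post). Assumes 'AAD DC Administrators'
# membership, RSAT AD PowerShell, and the placeholder domain 'aaddscontoso.com'.
# All OU, account and host names below are constructed.
Import-Module ActiveDirectory
$DomainName = 'aaddscontoso.com'
$domainDn   = (Get-ADDomain -Identity $DomainName).DistinguishedName
$ouName     = 'AADDS Service Accounts'
$ouDn       = "OU=$ouName,$domainDn"

# 1. Custom OU. Objects created here are not synced back to Azure AD, which is
#    what you want for app-only identities.
if (-not (Get-ADOrganizationalUnit -Identity $ouDn -Server $DomainName -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -Server $DomainName
}

# 2. Classic service account: a long random password generated once, never
#    expiring, and not changeable by the account itself. Put the secret in a
#    vault; it is deliberately not written anywhere by this script.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
New-ADUser -Name 'svc-webfront' -SamAccountName 'svc-webfront' `
    -UserPrincipalName "svc-webfront@$DomainName" -Path $ouDn -Server $DomainName `
    -AccountPassword $secret -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'Web front-end service account (created by script)'

# 3. Group managed service account: no password to handle at all, and only the
#    named app servers may retrieve the managed password. Assumes the managed
#    domain already has the KDS root key gMSAs depend on.
$appServers = Get-ADComputer -Filter "Name -like 'APPSRV*'" -Server $DomainName
if ($appServers) {
    New-ADServiceAccount -Name 'gmsa-webfront' -DNSHostName "gmsa-webfront.$DomainName" `
        -Path $ouDn -Server $DomainName `
        -PrincipalsAllowedToRetrieveManagedPassword $appServers `
        -ServicePrincipalNames "HTTP/webfront.$DomainName"
} else {
    Write-Warning 'No APPSRV* computers found; skipping gMSA creation'
}

# 4. Audit what was created: the non-expiring flag really set, and exactly which
#    principals can fetch the gMSA password.
Get-ADUser -Identity 'svc-webfront' -Server $DomainName -Properties PasswordNeverExpires |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires
Get-ADServiceAccount -Identity 'gmsa-webfront' -Server $DomainName -ErrorAction SilentlyContinue `
    -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, PrincipalsAllowedToRetrieveManagedPassword
```

The gMSA is the better default where the application supports it: the managed domain rotates the password and the retrieval list in step 4 is the whole blast radius if one of those servers is compromised. Where only a classic account will do, the audit query in step 4 is worth scheduling, since "password never expires" accounts are the ones that silently outlive the application they were created for.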


Modernize legacy apps with Azure AD Application Proxy

  • Move IWA apps/websites to Azure IaaS VMs joined to the Domain Services domain
  • Deploy Application Proxy connectors on Azure IaaS VMs joined to the Domain Services domain
  • Modernize the app by adding MFA and conditional access control in front of it
  • Use resource-based Kerberos constrained delegation (KCD) to let the connectors authenticate users

Domain-joined HDInsight cluster

  • HDInsight Hadoop clusters can be integrated with AAD Domain Services for secure Hadoop deployments
  • This feature is currently in public preview


Windows Server Remote Desktop deployments

  • Deploy domain-joined Remote Desktop VMs for VDI in the cloud
  • Use Group Policy to manage and secure the Remote Desktop VMs
  • Known issue – Remote Desktop licensing server shows licensing warnings; a fix is underway by Microsoft


Disable Azure AD Domain Services

If you are testing AAD Domain Services, you can delete it after testing. Deletion is permanent and cannot be reversed.

  • The domain controllers are deleted and removed from the virtual network
  • Data is deleted permanently, including custom OUs, GPOs, custom DNS records, service principals and gMSAs in domain services
  • Machines must be removed from the domain manually; they lose the trust relationship
  • You can no longer log in with the corporate credentials you used in AAD DS; the local Administrator account can be used
  • There is no impact on Azure Active Directory

Log in to the Azure Portal – Azure AD Domain Services – open the domain service – Overview – Delete

Hope this is useful

Cheers


Asitha De Silva


References

Microsoft Ignite 2017 content

Microsoft Technet

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-join-windows-vm-portal
