---
title: Enable Azure AD Domain Services using PowerShell | Microsoft Docs
description: Learn how to configure and enable Azure Active Directory Domain Services using Azure AD PowerShell and Azure PowerShell.
services: active-directory-ds
author: iainfoulds
manager: daveba
ms.assetid: d4bc5583-6537-4cd9-bc4b-7712fdd9272a
ms.service: active-directory
ms.subservice: domain-services
ms.workload: identity
ms.topic: conceptual
ms.date: 09/05/2019
ms.author: iainfou
---
Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. You consume these domain services without deploying, managing, and patching domain controllers yourself. Azure AD DS integrates with your existing Azure AD tenant, so users can sign in using their corporate credentials and you can use existing groups and user accounts to secure access to resources.

This article shows you how to enable Azure AD DS using PowerShell.
[!INCLUDE updated-for-az.md]
To complete this article, you need the following resources:

- Install and configure Azure PowerShell.
    - If needed, follow the instructions to install the Azure PowerShell module and connect to your Azure subscription.
    - Make sure that you sign in to your Azure subscription using the Connect-AzAccount cmdlet.
- Install and configure Azure AD PowerShell.
    - If needed, follow the instructions to install the Azure AD PowerShell module and connect to Azure AD.
    - Make sure that you sign in to your Azure AD tenant using the Connect-AzureAD cmdlet.
- You need global administrator privileges in your Azure AD tenant to enable Azure AD DS.
- You need Contributor privileges in your Azure subscription to create the required Azure AD DS resources.
Azure AD DS requires a service principal and an Azure AD group. These resources let the Azure AD DS managed domain synchronize data, and define which users have administrative permissions in the managed domain.
First, create an Azure AD service principal that Azure AD DS uses to communicate and authenticate itself. This service principal is created for a specific application, named Domain Controller Services, whose application ID is 2565bd9d-da50-47d4-8b85-4c97f669dc36. Don't change this application ID.

Create the Azure AD service principal using the New-AzureADServicePrincipal cmdlet:

```powershell
New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"
```
Now create an Azure AD group named AAD DC Administrators. Users added to this group are then granted permissions to perform administration tasks on the Azure AD DS managed domain.
Create the AAD DC Administrators group using the New-AzureADGroup cmdlet:

```powershell
New-AzureADGroup -DisplayName "AAD DC Administrators" `
    -Description "Delegated group to administer Azure AD Domain Services" `
    -SecurityEnabled $true -MailEnabled $false `
    -MailNickName "AADDCAdministrators"
```
With the AAD DC Administrators group created, add a user to the group using the Add-AzureADGroupMember cmdlet. You first get the AAD DC Administrators group object ID using the Get-AzureADGroup cmdlet, then the desired user's object ID using the Get-AzureADUser cmdlet.

In the following example, the user object ID is retrieved for the account with a UPN of [email protected]. Replace this user account with the UPN of the user you wish to add to the AAD DC Administrators group:

```powershell
# First, retrieve the object ID of the newly created 'AAD DC Administrators' group.
$GroupObjectId = Get-AzureADGroup `
    -Filter "DisplayName eq 'AAD DC Administrators'" | `
    Select-Object ObjectId

# Now, retrieve the object ID of the user you'd like to add to the group.
$UserObjectId = Get-AzureADUser `
    -Filter "UserPrincipalName eq '[email protected]'" | `
    Select-Object ObjectId

# Add the user to the 'AAD DC Administrators' group.
Add-AzureADGroupMember -ObjectId $GroupObjectId.ObjectId -RefObjectId $UserObjectId.ObjectId
```
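The same membership step written defensively, added here as an example that is not part of the article: it stops when the group or user lookup returns nothing (or more than one group), skips the add when the user is already a member so the script can be re-run, and then lists the resulting membership of this privileged group. It assumes the Azure AD PowerShell cmdlets used above and a placeholder UPN of your choosing.

```powershell
# Added example (not from the article). Replace the placeholder UPN.
$AaddsAdminUserUpn = "YOUR_ADMIN_UPN"
$GroupName = "AAD DC Administrators"

# Exactly one group must match: none means the earlier step failed, and a
# duplicate display name means the delegation could land on the wrong group.
$Groups = @(Get-AzureADGroup -Filter "DisplayName eq '$GroupName'")
if ($Groups.Count -ne 1) {
    throw "Expected exactly one group named '$GroupName', found $($Groups.Count)."
}
$Group = $Groups[0]

# A mistyped UPN returns nothing; Add-AzureADGroupMember would then be called
# with a null -RefObjectId and fail with an unhelpful error.
$User = Get-AzureADUser -Filter "UserPrincipalName eq '$AaddsAdminUserUpn'"
if (-not $User) {
    throw "User '$AaddsAdminUserUpn' was not found in the Azure AD tenant."
}

# Only add when not already a member, so re-running the script is harmless.
$AlreadyMember = Get-AzureADGroupMember -ObjectId $Group.ObjectId -All $true |
    Where-Object { $_.ObjectId -eq $User.ObjectId }
if ($AlreadyMember) {
    Write-Output "$AaddsAdminUserUpn is already a member of '$GroupName'."
} else {
    Add-AzureADGroupMember -ObjectId $Group.ObjectId -RefObjectId $User.ObjectId
    Write-Output "Added $AaddsAdminUserUpn to '$GroupName'."
}

# Members of this group get administrative rights in the managed domain, so
# record the membership and review it like any other privileged group.
Get-AzureADGroupMember -ObjectId $Group.ObjectId -All $true |
    Select-Object DisplayName, UserPrincipalName, ObjectId
```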
First, register the Azure AD Domain Services resource provider using the Register-AzResourceProvider cmdlet:

```powershell
Register-AzResourceProvider -ProviderNamespace Microsoft.AAD
```

Next, create a resource group using the New-AzResourceGroup cmdlet. In the following example, the resource group is named myResourceGroup and is created in the westus region. Use your own name and desired region:

```powershell
$ResourceGroupName = "myResourceGroup"
$AzureLocation = "westus"

# Create the resource group.
New-AzResourceGroup `
    -Name $ResourceGroupName `
    -Location $AzureLocation
```
Create the virtual network and subnets for Azure AD Domain Services. Two subnets are created: one for DomainServices, and one for Workloads. Azure AD DS is deployed into the dedicated DomainServices subnet. Don't deploy other applications or workloads into this subnet. Use the separate Workloads subnet, or other subnets, for the rest of your VMs.

Create the subnets using the New-AzVirtualNetworkSubnetConfig cmdlet, then create the virtual network using the New-AzVirtualNetwork cmdlet. The virtual network uses the $ResourceGroupName and $AzureLocation values set in the previous step:

```powershell
$VnetName = "myVnet"

# Create the dedicated subnet for AAD Domain Services.
$AaddsSubnet = New-AzVirtualNetworkSubnetConfig `
    -Name DomainServices `
    -AddressPrefix 10.0.0.0/24

# Create a separate subnet for your own workloads.
$WorkloadSubnet = New-AzVirtualNetworkSubnetConfig `
    -Name Workloads `
    -AddressPrefix 10.0.1.0/24

# Create the virtual network in which you will enable Azure AD Domain Services.
$Vnet = New-AzVirtualNetwork `
    -ResourceGroupName $ResourceGroupName `
    -Location $AzureLocation `
    -Name $VnetName `
    -AddressPrefix 10.0.0.0/16 `
    -Subnet $AaddsSubnet,$WorkloadSubnet
```
Now let's create an Azure AD DS managed domain. Set your Azure subscription ID, and then provide a name for the managed domain, such as contoso.com. You can get your subscription ID using the Get-AzSubscription cmdlet.

```powershell
$AzureSubscriptionId = "YOUR_AZURE_SUBSCRIPTION_ID"
$ManagedDomainName = "contoso.com"

# Enable Azure AD Domain Services for the directory.
New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.AAD/DomainServices/$ManagedDomainName" `
    -Location $AzureLocation `
    -Properties @{"DomainName"=$ManagedDomainName; `
        "SubnetId"="/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/DomainServices"} `
    -Force -Verbose
```
It takes a few minutes to create the resource and return control to the PowerShell prompt. The Azure AD DS managed domain continues to be provisioned in the background, and can take up to an hour to complete the deployment. In the Azure portal, the Overview page for your Azure AD DS managed domain shows the current status throughout this deployment stage.
When the Azure portal shows that the Azure AD DS managed domain has finished provisioning, the following tasks need to be completed:

- Update DNS settings for the virtual network so virtual machines can find the managed domain for domain join or authentication.
    - To configure DNS, select your Azure AD DS managed domain in the portal. On the Overview window, you are prompted to automatically configure these DNS settings.
- Enable password synchronization to Azure AD Domain Services so end users can sign in to the managed domain using their corporate credentials.
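An added example, not from the article, that scripts the waiting and the first of the post-provisioning tasks: it polls the managed domain resource until provisioning reports success, then sets the virtual network's DNS servers to the managed domain's domain controller addresses. It assumes the variable values from the article and that the Microsoft.AAD/DomainServices resource exposes provisioningState and domainControllerIpAddress in its properties.

```powershell
# Added example (not from the article). Uses the same placeholders as the article.
$AzureSubscriptionId = "YOUR_AZURE_SUBSCRIPTION_ID"
$ResourceGroupName   = "myResourceGroup"
$VnetName            = "myVnet"
$ManagedDomainName   = "contoso.com"
$DomainServiceId = "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.AAD/DomainServices/$ManagedDomainName"

# Provisioning can take up to an hour: poll every 5 minutes, give up after 90.
$Deadline = (Get-Date).AddMinutes(90)
do {
    $Domain = Get-AzResource -ResourceId $DomainServiceId -ExpandProperties
    $State  = $Domain.Properties.provisioningState   # assumed property name
    Write-Output "$(Get-Date -Format u) provisioningState = $State"
    if ($State -eq "Succeeded") { break }
    if ($State -eq "Failed")    { throw "Managed domain provisioning failed." }
    if ((Get-Date) -gt $Deadline) { throw "Timed out waiting for provisioning." }
    Start-Sleep -Seconds 300
} while ($true)

# VMs in the virtual network must resolve the managed domain through its own
# domain controllers, or domain join and Kerberos/LDAP authentication fail.
$DcIps = @($Domain.Properties.domainControllerIpAddress)   # assumed property name
if ($DcIps.Count -eq 0) { throw "The managed domain reports no domain controller IP addresses yet." }

$Vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VnetName
if (-not $Vnet.DhcpOptions) {
    $Vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
# Replace, rather than append to, any DNS servers already set on the network.
$Vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$DcIps
$Vnet = Set-AzVirtualNetwork -VirtualNetwork $Vnet
Write-Output "DNS servers for '$VnetName' are now: $($Vnet.DhcpOptions.DnsServers -join ', ')"
```

VMs that were already running in the virtual network pick up the new DNS servers only after a restart or a DHCP lease renewal.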
The following complete PowerShell script combines all of the tasks shown in this article. Copy the script and save it to a file with a .ps1 extension. Run the script in a local PowerShell console or the Azure Cloud Shell.

> [!NOTE]
> To enable Azure AD DS, you must be a global administrator for the Azure AD tenant. You also need at least Contributor privileges in the Azure subscription.

```powershell
# Change the following values to match your deployment.
$AaddsAdminUserUpn = "[email protected]"
$ResourceGroupName = "myResourceGroup"
$VnetName = "myVnet"
$AzureLocation = "westus"
$AzureSubscriptionId = "YOUR_AZURE_SUBSCRIPTION_ID"
$ManagedDomainName = "contoso.com"

# Connect to your Azure AD directory.
Connect-AzureAD

# Sign in to your Azure subscription.
Connect-AzAccount

# Create the service principal for Azure AD Domain Services.
New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"

# Create the delegated administration group for AAD Domain Services.
New-AzureADGroup -DisplayName "AAD DC Administrators" `
    -Description "Delegated group to administer Azure AD Domain Services" `
    -SecurityEnabled $true -MailEnabled $false `
    -MailNickName "AADDCAdministrators"

# First, retrieve the object ID of the newly created 'AAD DC Administrators' group.
$GroupObjectId = Get-AzureADGroup `
    -Filter "DisplayName eq 'AAD DC Administrators'" | `
    Select-Object ObjectId

# Now, retrieve the object ID of the user you'd like to add to the group.
$UserObjectId = Get-AzureADUser `
    -Filter "UserPrincipalName eq '$AaddsAdminUserUpn'" | `
    Select-Object ObjectId

# Add the user to the 'AAD DC Administrators' group.
Add-AzureADGroupMember -ObjectId $GroupObjectId.ObjectId -RefObjectId $UserObjectId.ObjectId

# Register the resource provider for Azure AD Domain Services with Resource Manager.
Register-AzResourceProvider -ProviderNamespace Microsoft.AAD

# Create the resource group.
New-AzResourceGroup `
    -Name $ResourceGroupName `
    -Location $AzureLocation

# Create the dedicated subnet for AAD Domain Services.
$AaddsSubnet = New-AzVirtualNetworkSubnetConfig `
    -Name DomainServices `
    -AddressPrefix 10.0.0.0/24

# Create a separate subnet for your own workloads.
$WorkloadSubnet = New-AzVirtualNetworkSubnetConfig `
    -Name Workloads `
    -AddressPrefix 10.0.1.0/24

# Create the virtual network in which you will enable Azure AD Domain Services.
$Vnet = New-AzVirtualNetwork `
    -ResourceGroupName $ResourceGroupName `
    -Location $AzureLocation `
    -Name $VnetName `
    -AddressPrefix 10.0.0.0/16 `
    -Subnet $AaddsSubnet,$WorkloadSubnet

# Enable Azure AD Domain Services for the directory.
New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.AAD/DomainServices/$ManagedDomainName" `
    -Location $AzureLocation `
    -Properties @{"DomainName"=$ManagedDomainName; `
        "SubnetId"="/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/DomainServices"} `
    -Force -Verbose
```
To see the Azure AD DS managed domain in action, you can domain-join a Windows VM, configure secure LDAP, and configure password hash sync.