{"id":20595,"date":"2017-09-27T21:16:38","date_gmt":"2017-09-27T20:16:38","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=20595"},"modified":"2017-09-28T12:42:22","modified_gmt":"2017-09-28T11:42:22","slug":"azure-ad-domain-services","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=20595","title":{"rendered":"Azure AD Domain Services"},"content":{"rendered":"<h2>Options when Moving to The Cloud<\/h2>\n<ul>\n<li>Switch to using SaaS versions of the software.<\/li>\n<li>Rewrite the app.<\/li>\n<li>Lift and shift: the focus today.<\/li>\n<\/ul>\n<h2>How Organizations Handle AD Requirements Today<\/h2>\n<ul>\n<li>They set up a site-to-site VPN and deploy additional domain controllers in the cloud.<\/li>\n<li>They deploy another domain\/forest in the cloud and provision a trust, e.g. ADFS.<\/li>\n<\/ul>\n<h2>Imagine a Simpler Alternative<\/h2>\n<ul>\n<li>Simpler<\/li>\n<li>Compatible<\/li>\n<li>Available<\/li>\n<li>Cost-effective<\/li>\n<\/ul>\n<h2>Introducing Azure AD Domain Services<\/h2>\n<ol>\n<li>You provision a VNet.<\/li>\n<li>Then you activate Azure AD Domain Services in Azure AD on that VNet.<\/li>\n<li>You can manage the domain using RSAT.<\/li>\n<li>You can optionally sync your Windows Server AD with Azure AD to share accounts\/groups.<\/li>\n<\/ol>\n<h2>Managed Domains<\/h2>\n<ul>\n<li>Domain controllers are patched automatically.<\/li>\n<li>Secure, locked-down domain, compliant with AD deployment best practices.<\/li>\n<li>You get 2 DCs, so it is fault tolerant.<\/li>\n<li>Automatic health detection and remediation. If a DC fails, a new one is provisioned.<\/li>\n<li>Automatic backups for disaster recovery.<\/li>\n<li>No need to monitor replication \u2013 done as part of the managed service.<\/li>\n<\/ul>\n<h2>Sync<\/h2>\n<p>If you deploy sync, e.g. Azure AD Connect, then it flows as follows: Windows Server AD &lt;-&gt; Azure AD &lt;-&gt; Azure AD Domain Services<\/p>\n<h2>Features<\/h2>\n<ul>\n<li>SIDs are reused. 
This means things like file servers can be lifted and shifted to Azure without re-ACLing your workloads.<\/li>\n<li>OUs<\/li>\n<li>DNS<\/li>\n<\/ul>\n<h2>Pricing<\/h2>\n<p>Based on the number of objects in the directory. Micro-pricing.<\/p>\n<h2>Decisions<\/h2>\n<p><a href=\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2017\/09\/27-09-2017-16-13-Office-Lens.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"border: 0px currentcolor; margin-right: auto; margin-left: auto; float: none; display: block; background-image: none;\" title=\"27-09-2017 16-13 Office Lens\" src=\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2017\/09\/27-09-2017-16-13-Office-Lens_thumb.jpg\" alt=\"27-09-2017 16-13 Office Lens\" width=\"600\" height=\"240\" border=\"0\" \/><\/a><\/p>\n<h2>New Features<\/h2>\n<ul>\n<li>Azure Portal AD Experience is GA.<\/li>\n<li>ARM virtual network join is GA.<\/li>\n<\/ul>\n<h2>Demo<\/h2>\n<p>He creates an AADDS domain. There are two OUs by default:<\/p>\n<ul>\n<li>AADDC Users<\/li>\n<li>AADDC Computers<\/li>\n<\/ul>\n<p>Back to the PowerPoint.<\/p>\n<h2>Notes<\/h2>\n<ul>\n<li>You cannot deploy AADDS in the classic Azure portal any more.<\/li>\n<li>The classic deployment model will be retired \u2013 the ARM deployment is better and more secure.<\/li>\n<li>The classic VNet support is ending (for new domains) soon.<\/li>\n<li>Existing deployments will continue to be supported.<\/li>\n<\/ul>\n<h2>Questions<\/h2>\n<ul>\n<li>Is there GPO sync? No. This is a different domain, so there is no replication of GPO from on-prem to AADDS.<\/li>\n<li>Can you add another DC to this domain? No. There will be (in the future) the ability to add more AADDS \u201cDCs\u201d in other VNets.<\/li>\n<li>What happens if a region goes down? The entire domain goes down now \u2013 but when they have additional DC support this will solve the problem.<\/li>\n<li>Is there support in CSP? 
No, but it\u2019s being worked on.<\/li>\n<\/ul>\n<h2>Manage Azure IaaS VMs<\/h2>\n<p>You can join these machines to AADDS. You can push GPO from AADDS. You\u2019ll sign into the VMs using AADDS user accounts\/passwords.<\/p>\n<h2>GPO<\/h2>\n<p>Members of AADDC Administrators can create OUs. You can target GPO to OUs.<\/p>\n<h2>Move Servers to the Cloud<\/h2>\n<p>Sync users\/passwords\/SIDs to the cloud, and then lift\/shift applications\/VMs to the cloud. The SIDs are in sync so you don\u2019t need to change permissions, and there\u2019s a domain already for the VMs to join without creating DC VMs.<\/p>\n<h2>LDAP over SSL<\/h2>\n<p>I missed most of this. I think you can access applications using LDAP over SSL via the Internet.<\/p>\n<h2>Move Server Applications To Azure<\/h2>\n<p>Use AADDS to provision and manage service accounts.<\/p>\n<h2>Kerberos Constrained Delegation<\/h2>\n<p>Cannot work with AADDS using old methods &#8211; you don\u2019t have the privileges. The solution is to use PowerShell to implement resource-based KCD.<\/p>\n<h2>Modernize Legacy Apps with Application Proxy<\/h2>\n<p>You can get users to sign in via AAD and MFA into legacy apps. A token is given to the app to authorize the user.<\/p>\n<h2>SharePoint Lift and Shift<\/h2>\n<p>A new group called AAD DC Service Accounts. Add the SharePoint Profile sync user account to this group.<\/p>\n<h2>Domain Joined HDInsight Cluster<\/h2>\n<p>You can \u201cKerber-ize\u201d an HDInsight cluster to increase security. This is in preview at the moment.<\/p>\n<h2>Remote Desktop Deployments<\/h2>\n<p>Domain-join the farm to AADDS. The licensing server is a problem at the moment \u2013 this will be fixed soon. Until then, it works, but you\u2019ll get licensing warnings.<\/p>\n<h2>Questions<\/h2>\n<ul>\n<li>Schema extensions? Not supported but on the roadmap.<\/li>\n<li>Logging? Everything is logged but you have to go through support to get at them at the moment. 
They want to work on self-service logging.<\/li>\n<li>There is no trust option today. They are working on the concept of a resource domain \u2013 maybe before end of the year.<\/li>\n<li>Data at rest, in ARM, is encrypted. The keys (1 set per domain) are managed by MS. MS has no admin credentials \u2013 there\u2019s an audited process for them to obtain access for support. The NTLM hashes are encrypted.<\/li>\n<\/ul>\n<h2>Deciding When to DIY Your Own AD Deployment<\/h2>\n<p><a href=\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2017\/09\/27-09-2017-16-39-Office-Lens.jpg\"><img loading=\"lazy\" decoding=\"async\" style=\"border: 0px currentcolor; margin-right: auto; margin-left: auto; float: none; display: block; background-image: none;\" title=\"27-09-2017 16-39 Office Lens\" src=\"https:\/\/aidanfinn.com\/wp-content\/uploads\/2017\/09\/27-09-2017-16-39-Office-Lens_thumb.jpg\" alt=\"27-09-2017 16-39 Office Lens\" width=\"600\" height=\"288\" border=\"0\" \/><\/a><\/p>\n<h2>Features Being Considered<\/h2>\n<ul>\n<li>Cloud solution provider support \u2013 maybe early 2018.<\/li>\n<li>Support for a single managed domain to span multiple virtual networks.<\/li>\n<li>Manage resource forests.<\/li>\n<li>Schema extensions \u2013 they\u2019ll start with the common ones, and then add support for custom extensions.<\/li>\n<li>Support for LDAP writes &#8211; some apps require this.<\/li>\n<\/ul>\n<p>Any questions\/feedback to <a href=\"mailto:aaddsfb@microsoft.com\">aaddsfb@microsoft.com<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; Options when Moving to The Cloud Switch to using SaaS versions of the s\/w Rewrite the app Lift and shift: the focus today. How Organizations Handle AD Requirements Today They set up site-site VPN and deploy additional domain controllers in the cloud. They deploy another domain\/forest in the cloud and provision a trust, e.g. 
&hellip; <a href=\"https:\/\/aidanfinn.com\/?p=20595\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Azure AD Domain Services&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":19530,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[14],"tags":[169,170,155,211,176,177,203],"class_list":["post-20595","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-eventnotes","tag-active-directory","tag-azure","tag-azure-ad","tag-azure-ad-domain-services","tag-eventnotes","tag-events","tag-ignite"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/aidanfinn.com\/wp-content\/uploads\/2016\/05\/AzureADLogo_52B0BEF61.png","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/20595","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=20595"}],"version-history":[{"count":4,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/20595\/revisions"}],"predecessor-version":[{"id":20608,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/20595\/revisions\/20608"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/media\/19530"}],"wp:attachment":[{"href":"
https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=20595"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=20595"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=20595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}