Azure AD DS: how to promote a VM to be a DC

Adam Dudley 1 Reputation point
2020-05-26T04:44:17.777+00:00

I have an Azure AD with all users set up, no servers on-site and no on-site domain; everything is in Microsoft 365.

I have Azure Premium for all users.

I now have a need due to an application that the business has purchased to have a domain controller on-site for authentication.

I have set up Azure AD DS and installed a VM in Azure and I am able to join this VM to the Azure domain as a member server.

When I try to promote the server to a Domain Controller I am not able to as I am not a member of Domain Admins or Enterprise Admins and I am not able to add myself to these groups.

How can I promote a server to a Domain Controller even if it is Read-Only so that I can authenticate users locally to the new application?

I do not want to create a local domain and use Azure AD Connect to sync passwords; I want the details to come from Azure.

Anyone got any ideas on how I can achieve this?

Microsoft Entra

3 answers

  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-05-26T11:20:56.61+00:00

    @Adam Dudley, the Domain Controllers present in the Azure AD DS service cannot be extended and connected to on-prem DCs. In the Azure AD DS service you have limited access to these backend DCs.

    There is a way available to create a hybrid setup, like DCs in Azure and DCs on-prem all connected together. How you do that is by creating an Azure VM, installing the Domain Controller role on it and then extending the network to connect to your on-prem datacenter, by using either ExpressRoute or a site-to-site VPN. In this setup, your DC sitting on the Azure VM can be connected to your DCs sitting in on-prem datacenters, and they replicate among themselves, but the point to note here is that your DC sitting on the Azure VM cannot pull objects from Azure AD. The reason for this is that the server engine, i.e. the Azure AD Connect server, only allows objects to sync from on-prem DCs to Azure AD and not the other way.

    Also another point to note is Azure AD DS is the only service that can sync from AAD to its DCs which are running in the backend. Apart from Azure AD DS service there is no other way to extend Azure AD's directory to other Domain Controllers sitting on-prem.

    Hope this helps. Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.

    1 person found this answer helpful.

  2. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-05-26T04:59:32.133+00:00

    @Adam Dudley, thank you for reaching out and sharing the details. When you enable Azure AD Domain Services on Azure, since Azure AD DS is a PaaS offering, we do create two Domain Controllers in the backend for you. That's the reason, when you spin up a VM and connect it to the same vnet as that of the Azure AD DS, you are able to domain join it. The domain join actually happens to those backend DCs, to which you won't have access.

    The way we recommend to operate with Azure AD DS is, spin up a VM, domain join it, and then install the RSAT tools to manage your AD.

    Now, in your case, you won't need a separate DC if you have already created the Azure AD DS domain, as there are two backend DCs running and available for you. The only thing that you would have to work on is to understand what your application needs from AD and what protocol it works on.

    If it works on LDAP and needs LDAPS to be configured, you can do that easily. You can find the steps mentioned here.

    Secondly, if your application works on Kerberos, just install the application on a web server or VM that is domain joined (to the Azure AD DS instance) and your application should be up and running.

    Hope this helps. Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.


  3. Sam Cogan 10,157 Reputation points MVP
    2020-05-26T08:54:21.083+00:00

    You cannot add additional domain controllers to an Azure AD DS setup; it is designed so that the only domain controllers are those created by Microsoft. Your permissions in this domain are limited to prevent this. For your on-premises application to access the domain controller you really have two options:

    The simplest solution is to set up a VPN or ExpressRoute connection between your on-premises network and the vNet containing your AAD DS instance; this should then allow the application to access the AAD DS domain controllers directly. This does mean you will need an internet connection at all times.

    If you must have an on-premises domain controller then you have an issue, because it is not possible to sync from AAD to AD (except for AAD DS) so you cannot take your existing AAD setup and sync it to an on-premises DC. You will either need to create a new domain on-premises that does not have your AAD users in it, or you will need to completely reverse your current setup and populate your users in your on-premises AD and sync these to AAD.

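Both answers above come down to the same practical check: the application (on a domain-joined Azure VM as in answer 2, or on-premises over VPN/ExpressRoute as in answer 3) must be able to reach the managed domain's backend DCs over LDAP/LDAPS and Kerberos, even though nobody can log on to those DCs. The following PowerShell script is an added example, not code from the answers or from Microsoft; it locates the backend DCs through the SRV records a domain member uses, tests the relevant ports, and, where LDAPS answers, reports the certificate the DC presents and whether this host trusts it. The managed domain name is a placeholder you must replace; the script assumes Windows PowerShell 5.1 or later and DNS that can resolve the managed domain (VNet DNS, or on-prem DNS forwarding across the VPN).

```powershell
# Added example, not code from the Q&A answers or from Microsoft.
# Purpose: verify that this host (an Azure VM on the AAD DS VNet, or an on-prem
# machine connected over VPN/ExpressRoute) can reach the managed domain's
# backend DCs over the protocols an application typically needs.
# Assumptions (placeholders, not from the page): the managed domain name below,
# Windows PowerShell 5.1+, and DNS that resolves the managed domain.

param(
    [string]$ManagedDomain = 'aaddscontoso.com'   # placeholder: your Azure AD DS domain
)

# 1. Find the backend DCs the same way a domain member does: via the
#    _ldap._tcp.dc._msdcs SRV records. You cannot log on to these DCs,
#    but the application must be able to reach them over the network.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcs) { throw "No DC SRV records found for $ManagedDomain; check the DNS settings." }

# 2. Protocol/port matrix. Port 636 only answers once secure LDAP has been
#    enabled on the managed domain; port 88 is what a Kerberos application on
#    a domain-joined server uses.
$ports = [ordered]@{ LDAP = 389; LDAPS = 636; Kerberos = 88; DNS = 53 }

$results = foreach ($dc in $dcs) {
    foreach ($entry in $ports.GetEnumerator()) {
        $t = Test-NetConnection -ComputerName $dc -Port $entry.Value `
                                -WarningAction SilentlyContinue
        [pscustomobject]@{
            DC        = $dc
            Protocol  = $entry.Key
            Port      = $entry.Value
            Reachable = $t.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize

# 3. For every DC that answers on 636, read the certificate it presents and
#    report whether this host trusts it. The validation callback accepts any
#    certificate only so the handshake completes and the certificate can be
#    inspected; trust is then evaluated explicitly with Verify(), and the
#    subject alternative names are listed so you can confirm they cover the
#    DC names (AAD DS secure LDAP is usually issued for a wildcard name).
function Get-LdapsCertificateReport {
    param([string]$Server, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Server            = $Server
            Subject           = $cert.Subject
            SubjectAltNames   = ($cert.DnsNameList.Unicode -join ', ')
            NotAfter          = $cert.NotAfter
            Thumbprint        = $cert.Thumbprint
            TrustedByThisHost = $cert.Verify()
        }
    } finally {
        $client.Close()
    }
}

$results | Where-Object { $_.Protocol -eq 'LDAPS' -and $_.Reachable } |
    ForEach-Object { Get-LdapsCertificateReport -Server $_.DC } | Format-List
```

Read the output the way the answers suggest: if 389/636 and 88 are all unreachable from an on-premises host, the VPN or ExpressRoute path (or the network security group on the AAD DS subnet) is the problem, not the application; if only 636 fails, secure LDAP has not been enabled on the managed domain; if 636 answers but TrustedByThisHost is False, the issuing CA of the secure LDAP certificate needs to be in this host's trusted roots before an LDAPS client will connect. On a domain-joined server you can additionally confirm Kerberos end to end with `klist get krbtgt/<managed domain>` after logging on with a managed-domain account.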