Azure Active Directory Domain Service Setup Best Practices

Stephen Stark 26 Reputation points
2020-05-08T02:06:23.897+00:00

We have an instance of Azure Active Directory that was created when we set up our Office 365 tenant using a domain we assigned (for example contoso.com). We would like to add Active Directory Domain Services to this instance so that we can join servers created in Azure to the domain. Is it best practice to create the Domain Services instance under a subdomain (for example aadds.contoso.com), or is it better to just create it under the root domain (contoso.com)?

Thanks in advance for any advice.


Accepted answer
  1. thgibard-MSFT 356 Reputation points
    2020-05-09T10:20:49.75+00:00

    OK perfect.

    Azure Active Directory Domain Services is just a standard Active Directory forest where you don't need to manage the servers. You will have nearly the same possibilities as a standard Active Directory domain that you would have deployed locally inside your datacenter.

    However, Azure Active Directory and on-prem ADDS are really different components. You will not, for example, be able to set up a trust between your Azure Active Directory and your AADDS. So there is no logical reason to name your AADDS with a specific domain name that would be a subdomain. However, you should ask yourself whether to use AADDS or to deploy IaaS VMs and deploy your Active Directory domain manually. Why do you need an on-prem domain? Maybe for some application that cannot be integrated directly through Azure Active Directory? Is there any specific reason (just to be sure I understand your constraints)?

    Anyway, in both scenarios, AADDS or manually deployed ADDS, you can choose a completely different domain. But if you need afterwards to get your accounts populated in your Azure Active Directory, you will require the standard hybridization process with AAD Connect. So if the UPN suffix does not correspond to the name you've chosen for Azure Active Directory and O365, you will need to modify the UPN suffix. Something that a lot of companies are doing when going to O365.

    [Image: add a new UPN suffix]

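The UPN suffix step in the accepted answer is the part most often done by hand and most often done incompletely, so here is an added PowerShell example of the whole procedure, written for this thread and not taken from the original post or from Microsoft documentation. It assumes the RSAT ActiveDirectory module, rights to edit forest UPN suffixes, that `contoso.com` (the placeholder domain from the question) is the domain already verified in the Azure AD tenant, and a hypothetical OU `OU=Users,DC=corp,DC=contoso,DC=local` that holds the accounts to be synced. It registers the routable suffix on the forest, reports every enabled user whose UPN would not match the verified domain (those accounts would otherwise sync with a fallback `.onmicrosoft.com` UPN), and previews the rewrite with `-WhatIf` so nothing changes until the report has been reviewed.

```powershell
# Added example, not from the original thread. Assumes RSAT ActiveDirectory module,
# forest-level rights for the UPN suffix change, and the placeholder values below.
Import-Module ActiveDirectory

$VerifiedSuffix = 'contoso.com'                             # domain verified in the tenant (assumption)
$SearchBase     = 'OU=Users,DC=corp,DC=contoso,DC=local'    # hypothetical OU of accounts to sync

# 1. Register the routable suffix on the forest if it is not already present.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $VerifiedSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $VerifiedSuffix}
    Write-Host "Added UPN suffix $VerifiedSuffix to forest $($forest.Name)"
}

# 2. Report enabled users whose current UPN suffix does not match the verified domain.
#    These are the accounts AAD Connect would sync with a mismatched (or fallback) UPN.
$mismatched = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties UserPrincipalName |
    Where-Object {
        $_.UserPrincipalName -and ($_.UserPrincipalName.Split('@')[1] -ne $VerifiedSuffix)
    }

$mismatched | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# 3. Rewrite only the suffix, keeping the local part. -WhatIf previews the change;
#    remove it once the report above has been reviewed.
foreach ($user in $mismatched) {
    $localPart = $user.UserPrincipalName.Split('@')[0]
    $newUpn    = "$localPart@$VerifiedSuffix"
    Set-ADUser -Identity $user -UserPrincipalName $newUpn -WhatIf
}
```

Run the report before any sync is enabled: a UPN change alters the sign-in name users type and can break applications that key on the UPN, so the mismatch list is worth circulating to application owners before the `-WhatIf` is dropped.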

  1. thgibard-MSFT 356 Reputation points
    2020-05-08T10:02:52.403+00:00

    Hello,

    I'm not sure I understand perfectly your use case. Let's double-check please.
    You've created an O365 tenant with an Azure Active Directory. You've processed the association of a personal domain to this Azure Active Directory. From what I understand, that means all your people and the accounts created are provisioned directly in Azure Active Directory, so it's not a hybrid scenario with AAD Connect. Correct?

    Now, you're speaking about an ADDS instance? That means AD deployed on-prem, and you want to populate the accounts from this on-prem AD into your same Azure Active Directory? Also, I need to be sure you're speaking about ADDS deployed with on-prem domain controllers and not "Azure Active Directory Domain Services", which is again something else.

    Thanks in advance