Azure AD Directory Services - Custom Domain

Allan Browne 21 Reputation points
2020-07-27T08:51:57.3+00:00

We currently have a hybrid on-prem / Azure AD setup, but require LDAP access to the Azure directory, meaning we have to set up Azure AD Domain Services. The online documentation states I should set up a custom domain name - in the example of contoso.com, the recommendation is to set up aaddscontoso.com. That will enable us to create DNS entries and CA-certified certificates.

How will LDAP queries work with the custom domain? Surely all LDAP responses for users in Azure AD will be set to user@aaddscontoso.com and not user@Company portal .com - the latter is what we require.

Thanks,

Al

Microsoft Entra

Accepted answer
Shashi Shailaj 7,581 Reputation points Microsoft Employee
2020-07-27T11:11:49.2+00:00

Hello @AllanBrowne-9995 ,

You can use contoso.com as the internal domain name of the AAD Domain Services instance (also called the managed domain name) as well. You just need to use a custom domain name which is routable over the internet and of which you have ownership, so that you can get a certificate from a public CA and create a ldap.{domain}.{com} record in the public DNS for the same. Please use the details provided in the advanced setup for a managed domain.

As you mentioned that you have a hybrid on-prem/Azure environment, you already have Azure AD Connect for syncing the users from on-prem to Azure, and once you enable the AAD Domain Services managed domain you will need to force-sync the password hash again so that NTLM/Kerberos hashes get generated and synced to Azure AD and then into the Azure AD Domain Services managed domain. This is a required step if you would like your users to be able to use the same password to access the secure LDAP. If you are using an AD Connect hybrid setup without Password Hash Sync you may have to enable it. If the version of your Azure AD Connect is lower than 1.1.614.0 then you would need to update it and enable Password Hash Sync in order to have this working, so that NTLM/Kerberos hashes for on-prem users' passwords are generated and synced to the cloud. Please follow the article for Password Hash Sync in an AAD Domain Services managed domain to understand the same in detail.

A DNS entry for ldap.domain.com (if the managed domain name is domain.com) needs to be created as explained in the article for configuring Secure LDAP. Also, all the clients that will access the managed domain using LDP or any other LDAP-compliant tool would need to have the certificate installed on their local machines.

I hope this explanation clarifies your queries; should you have any other query, feel free to let us know and we will be happy to help. I have included some links in the answer and I assume you have already seen some of them. Please check them for a deeper understanding and if there are any residual questions, feel free to ask. If the information provided in the post is helpful, please do accept the post as the answer so that it will help other members of the community.

Thank you.
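An added audit helper (example code, not from the thread or from Microsoft) for checking the two points above: that the certificate served on the ldap.<managed domain> endpoint the answer says to create actually covers that name (including the RFC 6125 rule that a wildcard only matches one label), and which userPrincipalName values returned by a search use the company suffix the question is about rather than the managed-domain suffix. The domain names, port and the sample search result are placeholders/constructed, not real directory data.

```python
"""Audit checks for an Azure AD DS secure LDAP (LDAPS) endpoint."""
import socket
import ssl

MANAGED_DOMAIN = "aaddscontoso.com"      # placeholder managed domain name
LDAPS_HOST = f"ldap.{MANAGED_DOMAIN}"    # the DNS record the answer says to create
COMPANY_UPN_SUFFIX = "contoso.com"       # suffix users are expected to sign in with


def cert_matches_host(san_dns_names, host):
    """Return True if one of the certificate's DNS SAN entries covers host.
    A wildcard covers only the leftmost label (RFC 6125), so
    '*.aaddscontoso.com' matches 'ldap.aaddscontoso.com' but not
    'a.b.aaddscontoso.com'. Comparison is case-insensitive."""
    host = host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def upn_suffix_report(entries, expected_suffix):
    """Split LDAP user entries (dicts with a userPrincipalName attribute,
    as an LDAP search would return them) into UPNs that use the expected
    suffix and UPNs that do not (e.g. the managed-domain suffix)."""
    ok, mismatched = [], []
    for entry in entries:
        upn = entry.get("userPrincipalName", "")
        suffix = upn.rpartition("@")[2].lower()
        (ok if suffix == expected_suffix.lower() else mismatched).append(upn)
    return ok, mismatched


def fetch_san_names(host, port=636):
    """Open a TLS connection to the LDAPS port, verify the chain and hostname
    against the system trust store, and return the DNS SAN names presented."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample search result, not real directory data.
SAMPLE_ENTRIES = [
    {"userPrincipalName": "alice@contoso.com"},
    {"userPrincipalName": "bob@contoso.com"},
    {"userPrincipalName": "svc-ldap@aaddscontoso.com"},
]
```

Running `fetch_san_names(LDAPS_HOST)` against a real endpoint and passing the result to `cert_matches_host` reproduces the check a client's TLS stack performs when the certificate the answer mentions has been installed; the UPN report is what to run after password hash sync has completed and users can bind.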

