Administer an Azure Active Directory Domain Services managed domain
This article shows you how to administer an Azure Active Directory (AD) Domain Services managed domain.
Before you begin
To perform the tasks listed in this article, you need:
- A valid Azure subscription.
- An Azure AD directory - either synchronized with an on-premises directory or a cloud-only directory.
- Azure AD Domain Services must be enabled for the Azure AD directory. If you haven't done so, follow all the tasks outlined in the Getting Started guide.
- A domain-joined virtual machine from which you administer the Azure AD Domain Services managed domain. If you don't have such a virtual machine, follow all the tasks outlined in the article titled Join a Windows virtual machine to a managed domain.
- You need the credentials of a user account belonging to the 'AAD DC Administrators' group in your directory, to administer your managed domain.
Administrative tasks you can perform on a managed domain
Members of the 'AAD DC Administrators' group are granted privileges on the managed domain that enable them to perform tasks such as:
- Join machines to the managed domain.
- Configure the built-in GPO for the 'AADDC Computers' and 'AADDC Users' containers in the managed domain.
- Administer DNS on the managed domain.
- Create and administer custom Organizational Units (OUs) on the managed domain.
- Gain administrative access to computers joined to the managed domain.
Administrative privileges you do not have on a managed domain
The domain is managed by Microsoft, including activities such as patching, monitoring and, performing backups. Therefore, the domain is locked down and you do not have privileges to perform certain administrative tasks on the domain. Some examples of tasks you cannot perform are below.
- You are not granted Domain Administrator or Enterprise Administrator privileges for the managed domain.
- You cannot extend the schema of the managed domain.
- You cannot connect to domain controllers for the managed domain using Remote Desktop.
- You cannot add domain controllers to the managed domain.
Task 1 - Provision a domain-joined Windows Server virtual machine to remotely administer the managed domain
Azure AD Domain Services managed domains can be managed using familiar Active Directory administrative tools such as the Active Directory Administrative Center (ADAC) or AD PowerShell. Tenant administrators do not have privileges to connect to domain controllers on the managed domain via Remote Desktop. Therefore, members of the 'AAD DC Administrators' group can administer managed domains remotely using AD administrative tools from a Windows Server/client computer that is joined to the managed domain. AD administrative tools can be installed as part of the Remote Server Administration Tools (RSAT) optional feature on Windows Server and client machines joined to the managed domain.
The first step is to set up a Windows Server virtual machine that is joined to the managed domain. For instructions, refer to the article titled join a Windows Server virtual machine to an Azure AD Domain Services managed domain.
Remotely administer the managed domain from a client computer (for example, Windows 10)
The instructions in this article use a Windows Server virtual machine to administer the AAD-DS managed domain. However, you can also choose to use a Windows client (for example, Windows 10) virtual machine to do so.
You can install Remote Server Administration Tools (RSAT) on a Windows client virtual machine by following the instructions on TechNet.
Task 2 - Install Active Directory administration tools on the virtual machine
Perform the following steps to install the Active Directory Administration tools on the domain joined virtual machine. See Technet for more information on installing and using Remote Server Administration Tools.
- Navigate to the Azure portal. Click All resources on the left-hand panel. Locate and click the virtual machine you created in Task 1.
Click the Connect button on the Overview tab. A Remote Desktop Protocol (.rdp) file is created and downloaded.
- To connect to your VM, open the downloaded RDP file. If prompted, click Connect. At the login prompt, use the credentials of a user belonging to the 'AAD DC Administrators' group. For example, we use 'firstname.lastname@example.org' in our case. You may receive a certificate warning during the sign-in process. Click Yes or Continue to proceed with the connection.
From the Start screen, open Server Manager. Click Add Roles and Features in the central pane of the Server Manager window.
On the Before You Begin page of the Add Roles and Features Wizard, click Next.
On the Installation Type page, leave the Role-based or feature-based installation option checked and click Next.
On the Server Selection page, select the current virtual machine from the server pool, and click Next.
- On the Server Roles page, click Next. We skip this page since we are not installing any roles on the server.
On the Features page, click to expand the Remote Server Administration Tools node and then click to expand the Role Administration Tools node. Select AD DS and AD LDS Tools feature from the list of role administration tools.
On the Confirmation page, click Install to install the AD and AD LDS tools feature on the virtual machine. When feature installation completes successfully, click Close to exit the Add Roles and Features wizard.
Task 3 - Connect to and explore the managed domain
Now that the AD Administrative Tools are installed on the domain joined virtual machine, we can use these tools to explore and administer the managed domain.
You need to be a member of the 'AAD DC Administrators' group, to administer the managed domain.
From the Start screen, click Administrative Tools. You should see the AD administrative tools installed on the virtual machine.
Click Active Directory Administrative Center.
To explore the domain, click the domain name in the left pane (for example, 'contoso100.com'). Notice two containers called 'AADDC Computers' and 'AADDC Users' respectively.
Click the container called AADDC Users to see all users and groups belonging to the managed domain. You should see user accounts and groups from your Azure AD tenant show up in this container. Notice in this example, a user account for the user called 'bob' and a group called 'AAD DC Administrators' are available in this container.
Click the container called AADDC Computers to see the computers joined to this managed domain. You should see an entry for the current virtual machine, which is joined to the domain. Computer accounts for all computers that are joined to the Azure AD Domain Services managed domain are stored in this 'AADDC Computers' container.