Enable Azure AD Domain Services
Task 3: Enable Azure AD Domain Services
In this task, you enable Azure AD Domain Services for your directory. Perform the following configuration steps to enable Azure AD Domain Services for your directory.
- Navigate to the Azure classic portal (https://manage.windowsazure.com).
- Select the Active Directory node on the left pane.
Select the Azure AD tenant (directory) for which you would like to enable Azure AD Domain Services.
Click the Configure tab.
Scroll down to a section titled domain services.
Toggle the option titled Enable domain services for this directory to YES. You notice a few more configuration options for Azure AD Domain services appear on the page.
When you enable Azure AD Domain Services for your tenant, Azure AD generates and stores the Kerberos and NTLM credential hashes that are required for authenticating users.
Specify the DNS domain name of domain services.
- The default domain name of the directory (that is, ending with the .onmicrosoft.com domain suffix) is selected by default.
- The list contains all domains that have been configured for your Azure AD directory – including verified as well as unverified domains that you configure in the ‘Domains’ tab.
Additionally, you can also type a custom domain name. In this example, we have typed in a custom domain name 'contoso100.com'.
Ensure that the domain prefix of the domain name you specify (for example, 'contoso100' in the 'contoso100.com' domain name) is fewer than 15 characters. You cannot create an Azure AD Domain Services domain with a domain prefix longer than 15 characters.
Ensure that the DNS domain name you have chosen for the managed domain does not already exist in the virtual network. Specifically, check if:
- you already have a domain with the same DNS domain name on the virtual network.
- the virtual network you've selected has a VPN connection with your on-premises network and you have a domain with the same DNS domain name on your on-premises network.
- you have an existing cloud service with that name on the virtual network.
The next step is to select a virtual network in which you'd like Azure AD Domain Services to be available. Select the virtual network and dedicated subnet you created in the drop-down titled Connect domain services to this virtual network.
- Ensure that the virtual network you have specified belongs to an Azure region supported by Azure AD Domain Services. Refer to the Azure services by region page to know the Azure regions in which Azure AD Domain Services is available.
- Virtual networks belonging to a region where Azure AD Domain Services is not supported do not show up in the drop-down list.
- Use a dedicated subnet within the virtual network for Azure AD Domain Services. Ensure you do not select the gateway subnet. See networking considerations.
- Similarly, virtual networks that were created using Azure Resource Manager do not appear in the drop-down list. Resource Manager-based virtual networks are not currently supported by Azure AD Domain Services.
- To enable Azure AD Domain Services, click Save from the task pane at the bottom of the page.
The page displays a ‘Pending …’ state, while Azure AD Domain Services is being enabled for your directory.
Azure AD Domain Services provides high availability for your managed domain. After you enable Azure AD Domain Services, notice the IP addresses at which Domain Services are available on the virtual network show up one by one. The second IP address is displayed shortly, as soon the service enables high availability for your domain. When high availability is configured and active for your domain, you should see two IP addresses in the domain services section of the Configure tab.
After about 20-30 minutes, you see the first IP address at which Domain Services is available on your virtual network in the IP address field on the Configure page.
When high availability is operational for your domain, you see two IP addresses displayed on the page. Your managed domain is available on your selected virtual network at these two IP addresses. Note down the IP addresses so you can update the DNS settings for your virtual network. This step enables virtual machines on the virtual network to connect to the domain for operations such as domain join.
Depending on the size of your Azure AD tenant (number of users, groups etc.), synchronization to your managed domain takes a while. This synchronization process happens in the background. For large tenants with tens of thousands of objects, it may take a day or two for all users, group memberships, and credentials to be synchronized.
Task 4 - Update DNS settings for the Azure virtual network
The next configuration task is to update the DNS settings for the Azure virtual network.