Bind to an Azure AD Domain Services managed domain using secure LDAP (LDAPS)
Before you begin
Task 5: Bind to the managed domain over LDAP using LDP.exe
You can use the LDP.exe tool, which is included in the Remote Server Administration tools package to bind and search over LDAP.
First, open LDP and connect to the managed domain. Click Connection and click Connect... in the menu. Specify the DNS domain name of the managed domain. Specify the port to use for connections. For LDAP connections, use port 389. For LDAPS connections, use port 636. Click OK button to connect to the managed domain.
Next, bind to the managed domain. Click Connection and click Bind... in the menu. Provide the credentials of a user account belonging to the 'AAD DC Administrators' group.
Select View, and then select Tree in the menu. Leave the Base DN field blank, and click OK. Navigate to the container that you want to search, right-click the container, and select Search.
- Users and groups synchronized from Azure AD are stored in the AADDC Users organizational unit. The search path for this organizational unit looks like
- Computer accounts for computers joined to the managed domain are stored in the AADDC Computers organizational unit. The search path for this organizational unit looks like
More information - LDAP query basics
Task 6: Lock down secure LDAP access to your managed domain over the internet
If you have not enabled LDAPS access to the managed domain over the internet, skip this configuration task.
Before you begin this task, complete the steps outlined in Task 3.
When you enable LDAPS access over the internet to your managed domain, it creates a security threat. The managed domain is reachable from the internet at the port used for secure LDAP (that is, port 636). You can choose to restrict access to the managed domain to specific known IP addresses. Create a network security group (NSG) and associate it with the subnet where you have enabled Azure AD Domain Services.
The sample NSG in the following table locks down secure LDAP access over the internet. The rules in the NSG allow inbound secure LDAP access over TCP port 636 only from a specified set of IP addresses. The default 'DenyAll' rule applies to all other inbound traffic from the internet. The NSG rule to allow LDAPS access over the internet from specified IP addresses has a higher priority than the DenyAll NSG rule.
More information - Network security groups.
- Azure AD Domain Services - Getting Started guide
- Administer an Azure AD Domain Services managed domain
- LDAP query basics
- Administer Group Policy on an Azure AD Domain Services managed domain
- Network security groups
- Create a Network Security Group
We'd love to hear your thoughts. Choose the type you'd like to provide:
Our feedback system is built on GitHub Issues. Read more on our blog.