Lets Get One Thing Straight | Azure AD Domain Services

  • Published 19 Aug 2024

COMMENTS • 305

  • @malcolmwalker2852 3 years ago +13

    Excellent video. Definitely cleared up a lot of misconceptions about Azure AD Domain Services.

  • @peppigue 2 years ago +4

    Learning Azure without knowing the traditional on-prem stuff is a battle... I turned on AADDS to learn about it, quickly became an urgent learning experience about azure budgeting. A request from me as new to IT for orgs is more perspective on why/how various services are valuable. But I enjoy your channel, you definitely come across as both highly experienced in the field and understanding of how to present stuff. Thanks.

    • @AzureAcademy 2 years ago +1

      Thank you Petter! Check out my newest video and tell me if I gave you more of the why and how of the service I talk about or if I need to give you more of that.

  • @baabujatin 3 years ago +1

    Super... best thing is no bla-bla.. no gossip or talking stupid stuff... just very point to point... looking forward to check your other videos also.. thanks for the good work ...

    • @AzureAcademy 3 years ago +1

      Welcome aboard! Please share all my videos with everyone 👍👍

  • @danpowell7421 3 years ago +1

    The majority of people get these different services mixed up so thanks for the fantastic explanation! Sometimes the IT departments I talk to regarding this just don't understand the differences.

    • @AzureAcademy 3 years ago +2

      Hopefully this video helps explain things for your customers...please share it with them.

  • @fayasputhukkudi1067 1 year ago +1

    This was a much needed video for me. I was very confused between these three things, all I have experience with is Windows AD and I thought AAD was the cloud counterpart of it. Thank you for the video.

  • @MalonMateria 2 years ago +2

    thank you for the best tutorial i've ever seen. Thanks for showing the exact steps with pictures every step of the way.

    • @AzureAcademy 2 years ago +1

      Have to help, check out the other stuff on the channel…lots of great stuff…and please share with everyone

  • @masihqashqai9374 2 years ago +2

    Your contents are incredibly good. They are concise yet unbelievably detailed. After each topic I feel my knowledge level elevated ten times. Can't thank you enough!

    • @AzureAcademy 2 years ago +2

      Awesome, thanks for letting me know!

  • @joneslt 3 years ago +3

    Concise, to the point, clearly explained, this was excellent! I'm a fan!.

    • @AzureAcademy 3 years ago +1

      Awesome! Let me know what else you are interested in me making!

  • @Cmart6444 1 year ago +1

    Hey Dean, nice of you using the "Batman" profile stored in your AZ-AD example. Whenever you have the chance, please ask him for an autograph dedicated to "Carlos". Very, very, very nice your videos (I still recall those with the "Star Wars" theme).

    • @AzureAcademy 1 year ago +1

      Thanks! You are going through a ton of my videos…keep it going and share with friends!

  • @johningram2153 2 years ago +2

    Good video. Thanks for providing it. One detail, though: at about 4:30 you point at Azure AD and call it Active Directory. This wouldn’t be that big a deal, but a big point of the video is keeping those things straight. Clearly this whole problem is Microsoft’s fault. Bad naming of so many things.

    • @AzureAcademy 2 years ago +1

      Nice catch John and AGREED...too many things with the same/similar names and don't get me started on acronyms 😁

  • @davidespano8674 2 years ago +1

    This video is very useful thanks to the practical demonstrations of the differences between the Azure ADDS instance and the on-prem AD instance a thing that is not done in other videos available in the public domain. Thanks.

  • @Cmart6444 1 year ago +1

    Thanks Dean, you do an amazing job, but for me it is still kind of dense info. I'll do my best in learning all this stuff. Great, great, great video! Just what I needed!

  • @farhanasheiks893 1 year ago +1

    Excellent explanation. I understand now the difference between active directory and azure adds

  • @abhijithsnair3157 3 years ago +3

    Thanks a ton #AzureAcademy for the wonderful explanation. Keep up the good work! Impressed with all your hand actions haha!!

    • @AzureAcademy 3 years ago +1

      LOL thanks Abhijith! Happy to help 👍👍

  • @loganmancuso3791 2 years ago +1

    Amazing content, I've been a domain admin for years and I'm certified in Azure but this helps elevate my understanding. Thank you!

    • @AzureAcademy 2 years ago +1

      Thanks for letting me know Logan!

  • @amirbakhtiari4571 2 years ago +1

    I was surprised about how easy you explain it!! Thanks

  • @cloudpachehra1113 3 years ago +1

    As always... love the way you explain and its getting better with each video ...thanks 🤩🤩

  • @Illuminaughty1942 3 years ago +1

    Wish I found this guy earlier. Damn good quality vids

  • @akap8875 1 year ago +1

    So glad I stumbled across this today. Thanks for the amazing content!!

    • @AzureAcademy 1 year ago +1

      Thanks for watching! You say you stumbled across, if you don’t mind, can you tell me how so I can reach more people with all my free content, thanks!

  • @JacquesFrenchFryJordaan 2 years ago +1

    This answered so many of my questions. Thank you for the clear explanation and guide! You have my like and subscribe!

    • @AzureAcademy 2 years ago +1

      Awesome! Thanks for watching ☺️

  • @adrianjablonski6260 3 years ago +1

    I love your videos !!! Greetings from the Netherlands !!!!

  • @Timmy-Hi5 3 years ago +1

    Sharing always ... no worries... since you guys are the funniest and the best of the best :)

  • @paulgee5998 2 years ago +1

    Thanks for the explanations, looks like I have some more learning to do. I am a noob at this and it's just shown me there is yet more I need to learn about LOL

    • @AzureAcademy 2 years ago +1

      Yup…we all have a lot to learn…it never ends
      🤔😉

  • @mattblaker1127 1 year ago +1

    You don't have enough followers! You're an expert and a fine professional in Azure. Clearly done it all and seen it! You're a pleasure to watch and learn from! Drop me a DM, 104 and AVD qualified, been in IT for 19 years, would love to collab on YouTube from across the pond and have never done it! Working at one of the largest MSPs in the UK and the customers would love you!!

    • @AzureAcademy 1 year ago +1

      WOW…Thanks Matt! I appreciate the compliment and the thought of a collaboration…I am packed right now, getting ready for ignite which is Oct 12-14…so it will be a few weeks! 👍👍
      Do you or your company have a channel?

  • @sidzhang 3 years ago +2

    Sorry Dean, I am confused on several facts, can you point to me if I am wrong.
    1. While you are using AADDS, no matter if you have on-premises AD or not, you MUST reset AAD user password to trigger sync from AAD->AADDS, otherwise users will not show in AADDS.
    2. You MUST use Password Writeback feature, then reset password, then user can sync to AADDS(which is weird, it is not showing in MS doc).
    3. I thought the purpose of "Enable password synchronization" is to let you use your on-premises AD users and passwords in AADDS without any extra configuration, but I think I am wrong, this feature only ALLOWs you to do that, but you need extra steps to trigger the actual sync.

    • @AzureAcademy 3 years ago +2

      1. It is not that the users won’t sync...it is that their password hash won’t sync to AADDS
      2. Password write back is needed if you want to force the password reset from the Azure side. This is also a requirement for other things like Self-Service Password Reset...which I will have a video about soon
      3. No it doesn’t. AADDS doesn’t understand the pwd hash format that Azure AD does...which is why we needed the PowerShell script

    • @sidzhang 3 years ago +1

      @@AzureAcademy Thanks Dean.

    • @AzureAcademy 3 years ago +1

      👍👍

  • @partyyydude 3 years ago +2

    Excellent overview and demo, very helpful. Thank you!

  • @markbowd2039 3 years ago +1

    Looking forward to another show !

  • @kokkosbollful 2 years ago +1

    You are a cloud Hero, thanks a LOT

  • @sheldon6786 3 years ago +1

    I have been in the IT field now for 15 years and what I have come across is that most technical people don't know the WHY, only the HOW, as indicated in the video. We want to know the WHY: why was the product developed, what need did it try to cover?

    • @AzureAcademy 3 years ago +1

      The reason WHY was covered in the video Sheldon. It is to provide legacy Auth in the modern Auth world of the cloud, which wants to do OAuth and SAML.

  • @hemang81 2 years ago +1

    this is an awesome video, you are too good..!!

  • @ingediaingedia4368 3 years ago +1

    thanks a lot for this intro to those services, i loved it 👍👍👍

  • @alienzooband 2 years ago +1

    awesome video dude! Thanks heaps

    • @AzureAcademy 2 years ago +1

      Happy to help Chris.., what else are you interested in?

  • @twincam2013 2 years ago +2

    Fantastic video, very well explained! I have one question, how do you manage users in AADDS?

    • @AzureAcademy 2 years ago +1

      Thanks Twin Cam…the answer is You don’t…You manage them in Azure AD, then the changes sync to AADDS

  • @navinjain7 3 years ago +2

    Thanks for the details , excellent stuff, A lot of time customers ask to remove on-prem AD and only use Azure AD , What should be the approach in this case ? How do we make it work for clients joined to on-prem ad ?

    • @AzureAcademy 3 years ago +2

      For clients going FWD you will want to check out my upcoming video on Device Identity
      I would ask some questions...
      1. Why do you want to get rid of AD?
      2. What do you use AD for today?
      3. How did you have to set up those things in AD, and what are the dependencies?
      4. What is the IT ops model going FWD?

  • @ajitmohanraj 3 years ago +2

    very very nicely explained - thank you !

  • @illtearyoursoulapart 1 year ago +1

    Excellent video, in less than 16 min you explained AADDS clearly.
    One question? If I need to use LDAP to sync all my users to a web app (Aris Connect), is it possible?

    • @AzureAcademy 1 year ago +1

      I don’t think so because of limited LDAP

  • @550891 3 years ago +2

    Thank you !!! that was excellent explanation !

  • @efraimwolpin4161 3 years ago +1

    Fantastic Video. really help out

    • @AzureAcademy 3 years ago +1

      Glad you liked it! Please pass it on to your Social Media

  • @godfreywalter3599 2 years ago +1

    Excellent explanation. Thank you.. Just subscribed..

  • @jamierterrell1 2 years ago +2

    Do you have a video going over applying GPOs in AADDS? Thanks.

    • @AzureAcademy 2 years ago +2

      not a video specifically on GPOs in AADDS because it is almost exactly like normal GPOs...the difference is that you don't have access to the domain controller so you can't upload 3rd party or custom policies

    • @jamierterrell1 2 years ago +1

      @@AzureAcademy thank you sir. It looked very similar, was just looking for the gotchas. :-) Thanks again for all the awesome content.

    • @AzureAcademy 2 years ago +1

      thanks!

  • @say2merohit 2 years ago +1

    Wow what a video just one word AWESOME !!

    • @AzureAcademy 2 years ago +1

      Thank you so much 😀

    • @say2merohit 2 years ago +1

      @@AzureAcademy also lot of people do notice but often don't say it as the focus is so much on content is the VIDEO EDITING NEXT LEVEL !!

    • @AzureAcademy 2 years ago +1

      I am always trying to learn how to use these tools to tell better stories Thanks for noticing TheOtherSide.

    • @say2merohit 2 years ago +1

      @@AzureAcademy you are doing an awesome job !!

    • @AzureAcademy 2 years ago +1

      Thanks!

  • @Random8181 2 years ago +1

    I really don't see how this is better than creating a couple of DCs as VMs

    • @AzureAcademy 2 years ago +1

      That was the point of the video. It isn’t better in most cases and AADDS isn’t what a lot of people think it is. For most people in most scenarios you should build a VM and promote it to be a DC…

    • @Random8181 2 years ago +1

      @@AzureAcademy Thank you, I will be avoiding using it in any future projects. Just don't understand why Microsoft thought it would be a great idea to create Azure ADDS in the first place when there was a perfectly reasonable solution already.

    • @AzureAcademy 2 years ago +1

      Because this is an Active Directory as a service. You don’t need to know anything about using AD to run it and get the benefits of Kerberos and NTLM. It works great in many solutions…just not like a traditional AD that you manage.

  • @ldkdinesh 3 years ago +1

    Brilliant video 😊

  • @bantononabike 3 years ago +1

    Brilliant, just what i needed.

    • @AzureAcademy 3 years ago +1

      Happy to help...please share the Azure Academy with everyone so I can help more folks like you!

  • @andreiflow5338 2 years ago +1

    Thank you! Question: Why isn't writeback just enabled by default or why are we able to turn it off? It seems AAD DS won't work at all without that?

    • @AzureAcademy 2 years ago +2

      Not sure why it isn’t enabled by default, perhaps because it changes how you deal with passwords, and that is a security issue, and you should have to make a conscious choice when changing it

  • @TenMinuteKQL 1 year ago +2

    Since Azure AD DS is 'managed' how is the security portion managed? Is there a need to tie in any 'managed' AAD DS components to a tenant security stack? If elements of AAD DS are attacked and compromised what is the impact to user tenant, and how is user notified?

    • @AzureAcademy 1 year ago +1

      Great question, first you need to do normal Azure layer security…but as for AADDS…there is nothing to compromise, and even if you could there isn't anything that I can think of that would hurt Azure.
      Since you are NOT an admin, you have NO control over Windows or Active Directory, so you can’t change things or install software.
      There is no direct link or connection from your AADDS to Azure AD…other than the managed sync of users and passwords, and password changes can only come from the Azure AD side into AADDS, not the other way.
      So there is no impact from AADDS to your Azure AD Tenant…does that answer your question?

    • @TenMinuteKQL 1 year ago +1

      @@AzureAcademy great info, basically there are 5 VMs in each tenant associated with AAD DS. It sounds like no need to tie these into tenant security stack.

    • @AzureAcademy 1 year ago +1

      The AADDS should be monitored, and follow all defender for cloud as well as Azure Advisor recommendations…secure network with NSG or Firewall etc. All the normal stuff ☺️

  • @omprakash-oc4to 2 years ago +2

    How to communicate on premise to azure ad

    • @AzureAcademy 2 years ago +1

      To connect Azure to on prem you need an express route or a VPN

  • @nileshpancholi8285 3 years ago +1

    Excellent video and very informative. Great work.

  • @prinzo.worldwide 1 year ago

    Great video and helping me learn the azure jungle

  • @baMolk 3 months ago +1

    Thanks for the useful information. How about joining servers to the Azure AD Domain from on-prem and AWS? Is that possible?

    • @AzureAcademy 3 months ago +1

      Are you asking how to join the Entra ID Domain or cloud join the windows servers and AWS VM to Entra ID?

  • @LoudyCan 1 year ago +1

    Hi, great video. Is it possible to give us some advice on the right direction? I have built the server: Virtual networks, Virtual network gateways, Azure AD Domain Services, Azure VP. Now how can we allow over 5000 computers to join the domain, as most subnets allow only 255 devices to connect? I'm a little confused, also I'm learning that

    • @AzureAcademy 1 year ago +1

      Sorry…what is your question here? What do you need help with?

  • @Southpaw07 1 year ago

    Another excellent video . TY Dean! very informative. just curious if there is a potential security concern enabling legacy password hash sync?

    • @AzureAcademy 1 year ago +1

      No, there is no concern generally speaking
      But you should have a look at the new Cloud Sync tool as well 👉ua-cam.com/video/AF1mHC6KmSo/v-deo.html

  • @tamimthaher2405 3 years ago +1

    great video !!!! thank

    • @AzureAcademy 3 years ago +1

      Glad you liked it! Please pass it on to your Social Media

  • @sethzwicker3631 3 years ago +1

    Can you do something on the new (Still in Preview) feature "Provision from Active Directory" feature and how it differs from ADConnect?

    • @AzureAcademy 3 years ago +1

      YES @Seth Zwicker, I cover services in public preview all the time...that way I can help folks like you learn about them early 😎 I have thought about this feature...but haven't gotten to it yet...thanks for the nudge. I will get on it 👍👍

  • @fbifido2 3 years ago +2

    Questions:
    1. Why Azure keep asking customers to do PowerShell, can't azure do this themself, all the software belongs to azure, so WHY ????
    2. Can you use AADDS as your only domain service for Azure VM & Azure stuff {cloud only no on-prem} ???

    • @AzureAcademy 3 years ago +2

      1. That is not quite correct. Azure AD Connect is NOT in Azure, it is installed on your server, in your environment. Microsoft values privacy and doesn’t take action to force changes without your knowledge or consent. Changing how Password Hash Sync functions is a manual task in PowerShell so you can choose to do it.
      Also PowerShell and other forms of automation are the best ways of managing the cloud once you understand the process. Automation is King.

    • @AzureAcademy 3 years ago +2

      2. Yes you can use AADDS as your only domain controller in Azure. As for on prem...Technically you can setup things to make it work but it is not something I would recommend.
      The general purpose of AADDS is to solve the need of legacy authentication because you are cloud native.

    • @fbifido2 3 years ago +1

      @@AzureAcademy Can't Azure create a VM or Linux Base Azure connection software to act as a "AD/DNS/DHCP - passthrough for AADDS" ??? so we don't have to run an AD on-prem, and allow customers to move to cloud bit-by-bit ????

    • @AzureAcademy 3 years ago +1

      LOL yeah I understand what you mean. However you need to remember that AADDS is not intended to be a traditional AD running in the cloud. It is meant to provide legacy auth in the cloud so you don't need to manage traditional AD. All the other services you mentioned AD/DNS/DHCP in your Linux VM are addons to manage...and cloud services are supposed to be simple and managed by Azure for you.
      but I agree...we should make some kind of switch in the portal to enable this rather than a PowerShell script...I will provide this feedback to the AD team...thanks for the thought!

  • @rashidamin1130 1 year ago +1

    How did you pull up ADUC in AD DS environment? Can we login to the domain controllers? How?

    • @AzureAcademy 1 year ago +1

      As I said in the video, you are NOT a domain admin with AADDS so your abilities are very limited. You can ONLY open ADUC if you are logged into a VM that is joined to the AADDS domain, with your user administration account.

  • @cocteau9 2 years ago +1

    One question remains: do we need AAD for AADDS or we can use AADDS with on-prem AD without AAD? If yes, would be nice to see how to set that up.

    • @AzureAcademy 2 years ago +2

      No…Azure AD Domain Services cannot work unless you use Azure AD.
      However You don’t need on prem AD to make it work. But if you already have on prem users and you want those user names to be in AADDS then you need The on prem AD to sync with Azure AD using Azure AD Connect

  • @BurnsLyons 1 year ago +1

    Great video. Do you have the ability to utilize folder redirection with Azure AD Domain Services? Specifically wanting to redirect users files, etc...to cloud

    • @AzureAcademy 1 year ago +1

      Thanks! Folder redirection as in FSLogix
      Or roaming profiles?
      You can easily do a file share but I don’t think you can do a DFS service

  • @sidzhang 3 years ago +4

    Dean, thanks for another great episode, I have 3 questions.
    1. If we have cloud-only users, we don't need to configure Hash Sync to login to AADDS-joined server, right?
    2. If we talk about AD->AAD->AADDS scenario, after we did the PowerShell script on on-premises AAD Connect Server, now can we login to AADDS-joined servers? Or do we need to reset each user password again to trigger a sync?
    3. Is the follow-up Password Writeback step a must or just an option, so that we can use AAD as the centralized location to change password, then it got synced to both on-premises AD and AADDS.
    Thanks.

    • @AzureAcademy 3 years ago +4

      Thanks Ceng Xiye!
      3. Password write back is required for any traditional AD accounts
      2. The PowerShell script will setup AAD connect to sync the hash in the proper format but each user needs a password reset...at least in my testing
      1. Cloud only accounts with AADDS can be treated as if there is no AD environment.
      So cloud only accounts do not become AD accounts and don’t sync with AAD Connect.

  • @mandeepbains5735 3 years ago +1

    Great explanation, thank you

  • @onexl001 3 years ago +1

    Appreciate you sharing this information

  • @diabilliq 3 years ago +1

    i say the line "azuread is not active directory" so much that my wife laughs at me for it now

    • @AzureAcademy 3 years ago +1

      LOL yup I know the feeling...that's why I made the video, so when people ask I can send it to them and move on 😁

    • @diabilliq 3 years ago +1

      @@AzureAcademy great thought...as soon as I saw this video pop up on my feed i said yep he def has the same type of conversations with people. the video was excellent, thanks for making it!

    • @AzureAcademy 3 years ago +1

      Thanks @Bill Farrell

    • @sidzhang 3 years ago +1

      I feel the same, my friends told me that there is no such thing as AADDS, just AAD and AD. I said yes, there is a thing called AADDS, he said WTF? Who would name things like this, to confuse people? Hahahahah

    • @AzureAcademy 3 years ago +1

      I can't understand why there is so much confusion...Microsoft has always been crystal clear on names for all their products... 🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️
      LOL

  • @mariusth6661 2 years ago +1

    How can i change the region? The time settings are wrong for the connected servers. Furthermore i want to bind network shares like netlogon script. Is it possible?

    • @AzureAcademy 2 years ago +2

      To change the region where AADDS is deployed you need to delete the service and start from scratch.
      The time settings by default show up in UTC not in your local time zone. Network shares in group policy management should be possible, but I have never tried it.

  • @kdimail 3 years ago +1

    Can I make a regular domain joining with Azure ADDS and NOT sync with existing ADDS?

    • @AzureAcademy 3 years ago +1

      Yes you can join the Azure AD Domain Services domain...it does not have to be connected to an on prem Active Directory.

  • @KyleWilcox 3 years ago +1

    Great explanation. I would rather not have to manage Domain Controllers anymore. Can I remove my current AD and connect my local servers to Azure AD Domain Services? I only have about 5 servers and running local AD just for that seems overkill. My client devices are already on Azure AD/Intune and don't need local AD.

    • @AzureAcademy 3 years ago +2

      Before you do...make sure you don’t have anything that extends the AD Schema or creates custom containers in AD...you won’t have rights to do it in AzureAD DS.
      please verify that all your current GPOs are setup and working in AzureAD DS
      And remember you will not be an admin of AzureAD DS.
      If you live with all that, then it should be good for you.

  • @nielsvanderschaeghe751 3 years ago +1

    Hey im currently watching your video on how to set up MSIX app attach, i have a Azure active directory in sync with azure active directory domain services. I made a group in Azure active directory, and now its visible in the OU AADDC Users, my 2 virtual machines are in the OU AADDC Computers. When i try to add my 2 computers to the group i made in azure active directory it says "insufficient rights to perform the operation" . I made a group inside AADDC Computers but i could not see the group in azure active directory. Any idea on how i can fix this?

    • @AzureAcademy 3 years ago +1

      MSIX and AzureAD Domain Services is not a supported solution. At the moment…you can’t fix it.

  • @solunatrust 3 years ago +1

    Great video! Can you do a tut on one way external trust to on Prem using AD DS

    • @AzureAcademy 3 years ago +2

      Already done - ua-cam.com/video/YcFr17yaRPQ/v-deo.html

    • @solunatrust 3 years ago +1

      @@AzureAcademy thank you and you earned my sub! Keep up the great work!

    • @AzureAcademy 3 years ago +1

      👍👍

  • @MrMayes11 2 years ago +1

    We are wanting to remove our on-prem AD and take advantage of Azure Active Directory Domain Services. Is it possible to configure radius authentication utilizing AADDS without having an on premise AD? I have yet to find a solution without having to rely on third party services, etc.

    • @AzureAcademy 2 years ago +1

      I have not used Radius in ages…today you can do this with Azure AD
      👉 docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-radius

  • @thomazdan 2 years ago +1

    Thank you!

  • @gboyega 3 years ago +1

    Excellent as ever

  • @Rybek 3 years ago +1

    It's confusing to me, or I'm not sure: if you already have password hash synchronisation enabled via Azure AD Connect, do we still need to do the steps related to this PS script that triggers a full password sync that includes legacy password hashes? If we enabled password sync in AD Connect, is it not doing that for some objects? The Microsoft document also isn't mentioning why this whole step is required.

    • @AzureAcademy 3 years ago +1

      Password Hash Sync is not the same thing as the script I called out. This is needed because the sync does not pass enough data to generate the kerb auth that Azure ADDS needs to setup your passwords. The docs do call out this step, and you can get to it right from the Azure AD DS service in the Azure Portal. Or am I misunderstanding what you are saying? 🤷‍♂️

    • @Rybek 3 years ago +1

      @@AzureAcademy Ok i understood now that it is to enforce replication of additional data . Configuration is mentioned in DOCS but there is no explanation why is this needed.

    • @AzureAcademy 3 years ago +1

      It is needed because Azure AD Connect syncing to Azure AD does not pass the data that is needed by AzureAD DS from the initial sync. This is because AzureAD doesn’t need most of it. OAuth and Saml are very different than Kerberos.
      AzureAD DS needs that additional data so you can authenticate...does that help?
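The PowerShell step this thread (and the sidzhang and fbifido2 threads above) keeps coming back to, shown here as an added example rather than the video's or the channel's own code. It follows Microsoft's documented procedure for turning on legacy password-hash synchronization to Azure AD DS in a hybrid environment and runs on the Azure AD Connect server itself, which, as Dean points out, sits in your environment rather than in Azure. The two connector names are placeholders you read from Synchronization Service Manager, the module paths assume a default Azure AD Connect installation, and password hash sync must already be enabled; verify all three on your own server before running it.

```powershell
# Added example (not from the video): force Azure AD Connect to replay every
# password so that the hash format Azure AD DS needs for NTLM/Kerberos reaches
# the managed domain. Based on Microsoft's documented procedure. Run in an
# elevated PowerShell session on the Azure AD Connect server.

# PLACEHOLDERS: copy the names exactly (they are case sensitive) from
# Synchronization Service Manager > Connectors.
$adConnector      = '<CASE SENSITIVE AD CONNECTOR NAME>'
$azureadConnector = '<CASE SENSITIVE AZURE AD CONNECTOR NAME>'

# Assumed default install paths for the ADSync and AdSyncConfig modules.
Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1'
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

# Flag the on-prem AD connector so the next password sync is a *full* one
# (every account), not just the delta of passwords changed since the last run.
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter "Microsoft.Synchronize.ForceFullPasswordSync", String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)   # drop any stale copy of the parameter
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Toggling password hash sync off and back on kicks off the full sync that
# the flag above requested.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $true
```

Why a separate step at all: Azure AD itself authenticates with OAuth and SAML and never needs the NTLM/Kerberos-compatible hashes, so the normal sync does not carry them; this run pushes them through so the managed domain can authenticate the synced accounts. Dean's observation above that, in his testing, each user still needed a password reset afterwards stands as his experience, not something this script changes.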

  • @sala7311 3 years ago +1

    If there is a VPN connection between on prem and AADDS's VNet, Surely there will be a conflict of domain name right ? Is it possible to have a peered environment and still have an Hybrid AD structure ?

    • @AzureAcademy 3 years ago +2

      A conflict would only come if the names of The on prem and the AADDS domain have the same name…which is NOT recommended.
      You can use a sub domain name like
      AADDS.Domain.com then there is no conflict.

  • @fbifido2 1 year ago +1

    Can one use both AAD & AADDS, no on-prem or cloud-VM AD?

    • @AzureAcademy 1 year ago +3

      Sure, You could always use Azure AD by itself…but Azure AD DS requires Azure AD to work.
      Neither Azure AD nor Azure AD DS need on prem or a cloud VM with Active Directory to work.

  • @gianfmm 3 years ago +1

    Great vid. Can I create a VM in Azure as a backup DC to my on prem DC?

    • @AzureAcademy 3 years ago +1

      Sort of…but that isn’t how domain controllers are intended to work.
      You should have a separate VM in azure that is also a domain controller so that they synchronize together

  • @edthefixer2011 3 years ago +2

    Dean, so.... after going through a series of videos you published almost three years ago where you provide a great level of detail for the purpose of deploying DC in Azure that synchronize with your on-premises ADDS I got stuck in the last piece where my on-premises DC DNS is not doing what I intended following the videos for... in essence I want an easy way to deploy Windows Virtual Desktops.... it seems to me that after viewing this explanation I would be best benefited from deploying an instance of AADDS rather for this purpose (is mainly my lab for demo purposes) what's your take on this?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      AADDS can work for WVD but the larger question is if you will want to have the AADDS domain for anything else...or do you have expectations of being able to manage and change the domain...because as you know by now you can’t...you will have no rights in that domain beyond simple computer management of joined VMs and limited GPOs.
      If you can live with that...then AADDS is fine for WVD.
      But if you hope to extend your existing domain
      Or manage AADDS like your existing domain
      It will not work

  • @jpmuga
    @jpmuga 3 years ago +1

    Can someone who has onprem AD use this in the cloud too? I have a client who has onprem AD but we want to take it to the cloud. Also, can you use it to authenticate onpremise apps?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      If you want to extend your onPrem AD to the cloud then build a new VM in Azure and promote it to be a domain controller.
      Azure AD Domain Services does not extend your on prem domain in to Azure.

  • @Timmy-Hi5
    @Timmy-Hi5 2 years ago +2

    Hey Batman /me thinks you don't even know what is going to happen in 2022....🤣🤣🤣🤣First Walter then Goldilocks taking over the Planet Azure 😁😁😁

    • @AzureAcademy
      @AzureAcademy  2 years ago +2

      Keep’em guessing, that’s my strategy 🤪🤦‍♂️

  • @ianwillis5292
    @ianwillis5292 3 years ago +1

    Awesome vid, thanks. Question: Is it possible to domain join VMs to the managed domain if those VMs reside in AWS Gov, AWS Commercial, as well as Azure Gov? (Our managed domain is configured in our Azure Commercial account). Thanks for the great content sir!

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Thanks! YES it is possible as long as the computers have line of sight to the domain controllers of AADDS and the proper DNS configuration so they can resolve your domain name you should be good to go!

  • @LiamGlanfield
    @LiamGlanfield 2 years ago +1

    Thanks for this, very useful. Have a client that is cloud only. They now need to support legacy LDAPS; as Connect goes from AD to AAD this won't work for them, as they don't have any on prem AD. Could I simply set up AADDS for them and a site to site VPN for those few on prem services that need the legacy protocol? I don't want to build a full on prem AD if I can help it.

    • @AzureAcademy
      @AzureAcademy  2 years ago +2

      Thanks for watching!
      1. If they are cloud only why do they need LDAP?
      2. Where are the client devices or other services that need to access LDAP?

    • @LiamGlanfield
      @LiamGlanfield 2 years ago +1

      @@AzureAcademy company has grown due to the business sector they're in they need LDAP for managing onsite infrastructure. Networking equipment mostly and some legacy apps (really tried with OAuth not supported :'( ). No servers all of those are in the cloud. There is a business need for it. Having read more I think the AADDS will do the job, removes the headaches of AD on prem. Site to site VPN for access to it.

    • @AzureAcademy
      @AzureAcademy  2 years ago +2

      You will still need a site to site VPN to connect the Azure AD Domain Services world to your on prem networking equipment if you need secure LDAP or private/encrypted communications, which you would generally want in authentication. But if you are ok without it…it should work.

    • @LiamGlanfield
      @LiamGlanfield 2 years ago +1

      @@AzureAcademy awesome, thanks for confirming. Think I'm going to setup a tenant and get the process documented. Before I move it to prod. Also feel setting up a point to site VPN would benefit admins looking to administer the AADDS if ever needed. Thanks for the replies.

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      👍

  • @patriklemos420
    @patriklemos420 2 years ago +1

    Great video! Can I add users from AAD DS to an on premises security group? Considering a connection between my on premises AD and AAD DS.

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      hey Patrik, no you can't, Azure cannot sync that way...only into Azure AD DS

    • @patriklemos420
      @patriklemos420 2 years ago +1

      @@AzureAcademy Even if my on premises AD is already synced with my Azure AD tenant via (Azure AD Connect)? I appreciate your help in advance.

    • @AzureAcademy
      @AzureAcademy  11 months ago +1

      Nope…AADDS only accepts user/group syncs in 1 direction

  • @freddy5849
    @freddy5849 1 year ago +1

    Does AADDS work with Windows Hello for Business for Azure files? For Active Directory and a file server on-prem I need to configure a Cloud Trust for Azure AD joined devices. Will I also need to do something like "Cloud trust" or it will work automatically? Thank you !

    • @AzureAcademy
      @AzureAcademy  1 year ago +1

      I have not seen support in AADDS for windows hello. Also I haven’t seen windows hello support for Azure Files Authentication

  • @JimmyArbelaez
    @JimmyArbelaez 1 year ago +1

    I have a typical O365\Azure set up for a small business. I would like to manage my workstations. From watching and reading it seems I don't need AADS. I would like to control my users updates and think I need to join PCs and use a GPO. Let me know your feedback?

    • @AzureAcademy
      @AzureAcademy  1 year ago +2

      To manage workstations for updates and use GPO can be done with Azure AD Domain Services or traditional Active Directory, either running on prem or on VMs in the cloud.
      The difference between them is the tools that you can manage with.
      In Azure AD Domain Services you cannot use Intune, since that requires hybrid join or cloud join and AADDS can't do that. Which means no Windows Autopilot, AutoPatch or Update rings, but you CAN use Windows Updates.
      So think about what you want your management solution to look like, then find the tools you want to use and that will lead you to the environment you have to build to make it happen.

    • @JimmyArbelaez
      @JimmyArbelaez 1 year ago +1

      @@AzureAcademy We are totally in the cloud with no on premise.

    • @AzureAcademy
      @AzureAcademy  1 year ago +1

      Then no Intune for you, AADDS can’t support Hybrid Join so what tools are you going to manage your VMs with?

    • @JimmyArbelaez
      @JimmyArbelaez 1 year ago +1

      @@AzureAcademy I need to manage updates.

    • @AzureAcademy
      @AzureAcademy  1 year ago +1

      Managing updates on windows clients with AADDS means you can only use windows update or a 3rd party tool.
      Servers can use the Azure AutoManage service
      Watch this for more info 👉 ua-cam.com/video/GbSjkg8MZrE/v-deo.html

  • @mihirpatel3754
    @mihirpatel3754 3 years ago +2

    A worthy video. Thank you for making it! Question - I understand it's a one-way sync from on-prem AD to Azure AD with the option to do password writeback to on-prem, but is it possible (workaround?) to do a two-way sync between on-prem AD and Azure AD? So users/groups created in Azure AD can sync back to on-prem AD? If not, do you know if MS is planning to add this feature in the near future?

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      slight correction...it is not exactly a 1 way sync from on prem AD to Azure, it depends on how you have Azure AD Connect setup, but if you meant create a group or user in Azure and have it "sync" that cloud only group to on prem AD...then you are correct, it does not work that way today...and I have not heard of it on an official road map.

    • @GlobalGlimpses00
      @GlobalGlimpses00 3 years ago +2

      @@AzureAcademy please read the docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization , it says One way:
      When you first deploy Azure AD DS, an automatic one-way synchronization is configured and started to replicate the objects from Azure AD. This one-way synchronization continues to run in the background to keep the Azure AD DS managed domain up-to-date with any changes from Azure AD. No synchronization occurs from Azure AD DS back to Azure AD.

    • @AzureAcademy
      @AzureAcademy  3 years ago +4

      There are 2 different syncs talked about in this thread.
      Azure AD Connect sync from "on prem" to Azure is a 1 way sync, meaning that you have to make changes in AD then sync them to Azure. You CANNOT create a "cloud only" user in Azure and sync it to on prem.
      Also in the Azure AD DS Sync.
      this is a 1 way sync from Azure to Azure AD Domain Services. All your users and groups need to be created in Azure AD...which will sync to Azure AD DS.
      So if you have on prem, Azure AD and Azure AD DS...then
      you would create or update a user in your on prem AD...which will sync to Azure AD
      Then the next separate sync from Azure AD will send that change to Azure AD DS

  • @paulinfinol
    @paulinfinol 3 years ago +1

    this was really good

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Thanks Paul, let me know what else you are interested in so I can create it

  • @Rybek
    @Rybek 3 years ago +1

    I'm trying right now to map a resource that was replicated to Azure File Shares (storage account) via Azure File Sync to a computer joined to the local AD, with ACL enforcement from ADDS. I want to be able to map those resources with ACL enforcement but not rely on local on prem authentication. This is for a DR scenario. I deployed Azure Active Directory Domain Services, enabled "Identity-based access for file shares", added users synced via Azure AD Connect to the Storage File Data SMB Share Contributor role. All security groups from the local AD that are responsible for access to specific directories are also synced. Mapping is working with ACL enforcement on a computer joined to ADDS but not working for a computer joined to the local AD. I suspect that this computer needs to have access to the ADDS subnet to utilise Kerberos and LDAP, so I'm considering a VPN to Azure. I'm guessing that the subnet and vnet that the computer will have allocated will also need to have a route to the ADDS subnet. Am I missing something? Will that be enough? I want to avoid rejoining the computer from the local on prem Active Directory to AADDS, and I understand that I don't need to add the Azure Storage account to on-prem because in this situation authentication will be done by the local AD, and in the situation when it is not available ACL enforcement will not work, so we don't want this step in the process, right?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      The issue is that you have 2 different domains. In order to use the AzureAD DS authentication to storage you need authentication to the AzureAD DS domain
      It is designed to work if you are joined to that domain not your on prem one 😩🤷🏼‍♂️

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      You can do the same thing with authentication to your traditional domain as well...which would work as I believe you want it to.
      Also for DR...flipping from AD to AzureAD DS won’t work because as I point out...these are 2 unrelated, disconnected, and separate Domains.
      How are you planning AzureAD DS could help in DR?

  • @stevenzsigoszki4535
    @stevenzsigoszki4535 3 years ago +1

    Can you sync two AADDS services located in two different regions to the same Azure Directory? I have to build two sites with WVD, one in the UK and one in AU.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      No you cannot. AADDS doesn’t have a regional DR either. The general idea is that DR would be redeploy in another region... not the best plan if you think of it like a traditional AD... but remember it isn’t

  • @Thorsun
    @Thorsun 1 year ago +1

    I have a customer that plans to migrate from their current hybrid AD/ Azure AD environment to Azure ADDS. One thing that is setting off alarms is the inability to get Azure ADDS VMs to enroll in Intune or any other 3rd party Endpoint Management service as the VMs don't show up in Azure AD. Do you know if there is a way to get them to show up?

    • @AzureAcademy
      @AzureAcademy  1 year ago +1

      With AADDS I don’t think you can do Hybrid Join. You have to edit certain policies that I’m not sure you have access to in a managed domain environment.
      Further…WHY would you want to give up a domain you can fully manage to one you can’t…what do you need it for instead of going 100% Azure AD?

    • @Thorsun
      @Thorsun 1 year ago +1

      @@AzureAcademy because my customer's IT department is 4 people and they're trying to off load as much of the maintenance tasks as possible. Your answer is what I've concluded as well and will steer the customer away from going the Azure ADDS route and get them to setup DC VMs within Azure.

    • @AzureAcademy
      @AzureAcademy  1 year ago +1

      Cool

  • @gizmo9987
    @gizmo9987 3 years ago +1

    I am the new IT guy for a company of ~200 employees in multiple locations around the USA. This company currently has no on-premise domain controller, all computers are on a simple Workgroup. They are actively using Office 365. I'd like to have the ability to manage users as one would in a typical on-premise AD for the local office and especially satellite offices. I understand this can be accomplished with site-to-site vpn. Can this also be accomplished with Azure AD or AzureADDS or a combination of the two?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      So you have multiple things here.
      1. Connectivity to multiple on prem locations
      2. Want to have a domain but not manage it
      3. Using office 365 and AzureAD
      The question here is why…?
      What is your goal in the VPN?

  • @intellitechsonsite
    @intellitechsonsite 3 years ago +1

    I'm more confused now. I've seen the debate on building your WVD environment with an Azure DC or with AD DS, but not both. My take has always been that one you have to manage, but is the less expensive traditional approach and the other is managed for you at a higher price. What am I missing on replying both?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      So I am clear on what you are asking...is your question which solution is cheaper...because I would say a small VM running in Azure, depending on size, can be cheaper than Azure AD Domain Services...it will definitely be cheaper if you only have 1 domain controller...so IF cost is your ONLY concern that’s the way to go. IF however the managed service aspect of
      Azure AD DS does cost more...but it is a self managed service...which also has value because you don’t need an expensive AD admin to run it for you...

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      My point in this video was to address people who think Azure AD DS is just a managed service Domain Controller...and I can use it to extend my domain into Azure...that’s not how it works.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      WVD doesn’t care as long as there is a domain for your session hosts to join...but you need to know that Azure AD DS is NOT an extension of your existing domain...and the other “limitations” of the managed service...then if it is still right for you...it will work great!
      Hope this helps 👍👍

    • @intellitechsonsite
      @intellitechsonsite 3 years ago +1

      @@AzureAcademy sorry for the confusion. I am pretty clear on the advantages and disadvantages of both options, DC with AD and AD DS. This video led me to think you are suggesting both within the same WVD environment. Looking for clarity on that... thanks!

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      NO...Definitely NOT for WVD pick one or the other for your environment.
      and I am not just talking about WVD. If you have an AD on Prem my best recommendation would be to put another domain controller in the cloud and set up a new AD Site for it with its own subnet.
      If you DO NOT have AD today...and you don't want to manage AD, then Azure AD DS can be a good solution.

  • @vladiesc
    @vladiesc 3 years ago +1

    Very insightful! Any thoughts on GPOs within Azure ADDS? Had massive issues getting those to work, even though they should work according to documentation..

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Yeah...the default policy is already in place so that is your best hope. Remember you don’t really control this environment

    • @feeneymi
      @feeneymi 3 years ago +1

      @Vlad Mihai, Azure ADDS GPOs are achieved in a similar fashion to traditional ADDS, so if you are familiar with Group Policy Management in the traditional sense you should not have too many issues!
      The only thing to note is that any user accounts flowing into Azure ADDS from Azure AD, is that these will reside in the "AADDC Users" OU and cannot be moved or separated into other OUs. To apply a GPO to a subset of users just link your GPO to the "AADDC Users" OU and use GPO Security Filtering to limit the application to specific users if required.
      On a side note: I had a requirement to reuse some of our GPOs from ADDS in Azure ADDS, but as outlined by Dean in the video there is no link between ADDS and Azure ADDS, but GPOs can be exported from ADDS and easily imported to Azure ADDS, so there isn't a need to start from scratch if you need the same GPO in both environments.
      @@AzureAcademy Dean, thanks again for the great content.

    • @diabilliq
      @diabilliq 3 years ago +1

      the tl;dr is its a giant cluster to do anything in GP with AADDS

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      LOL...yeah...it can be a challenge 🤦‍♂️

    • @AzureAcademy
      @AzureAcademy  3 years ago +3

      Thanks @Michael Feeney, and he is correct @Vlad Mihai. You do use AD Group Policy manager to do the GPO work in AADDS, but there are more hoops to jump through just to get into it. Joining a VM to the AADDS domain directly before you can manage it, for example. vs. a traditional AD domain where I can just present creds from another domain...can't do that in AADDS. I have also had some on prem policies that I wanted to add but could not...since I can get to the domain controller to modify the admx/adml files or add new ones. etc.
      the point I wanted to emphasize is that the purpose of AADDS is NOT to be your AD running in the cloud with all the traditional features and controls you can have with a domain controller directly...it is intended for adding legacy authentication to the world of Azure so don't expect too much more, but in general if you need legacy auth and can live with the limitations of the cloud service then it should work great for you!

  • @owaisaziz8537
    @owaisaziz8537 3 years ago +1

    Can we use Azure AD services to administrate devices like Mac, Linux and Windows, and how much can we do: encrypt devices, authentication, group policies for Linux and Mac too, patch management etc.?

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      If you are thinking to use AADDS as a traditional Active Directory like an on prem domain controller to manage Mac & Linux...the answer is NO.
      HOWEVER...You can have your systems joined to Azure AD and manage them with Microsoft Endpoint Configuration Manager (Intune) as an MDM solution.
      I will have a video on this soon.

    • @owaisaziz8537
      @owaisaziz8537 3 years ago +1

      @@AzureAcademy many thanks

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      👍👍

  • @evangainer562
    @evangainer562 3 years ago +1

    If I don't have an on prem AD DC, am I able to just use Azure AD with AADDS?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Yes you can. If you haven’t had a traditional Active Directory until now... why do you want one?

  • @ajdinzutic
    @ajdinzutic 3 years ago +1

    Hi, so can we also set all GPOs with AADDS? Currently I use a DC and thought about changing it into a PaaS. Could you please make more videos about it?

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      I would NOT change to Azure AD DS if you don’t have to. You are NOT an Admin and you cannot do most of what you do in Active Directory. Some GPOs can’t be done in Azure AD DS, like FSLogix. Because you can’t add the .admx or .adml files to the domain controllers.

    • @ajdinzutic
      @ajdinzutic 3 years ago +1

      @@AzureAcademy thanks! So always have a DC on for WVD :)

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      👍👍

  • @jimparsons8485
    @jimparsons8485 3 years ago +1

    I really appreciated the explanations. AAD DS is a bit deceiving in that some functions behave the same as on-premise AD DS. I spent a good hour and a half on trying to create subnets in Sites and Services. The video really focused on User Identity which was great and helpful. Regarding computer creation to be managed by WVD, are the GPO configurations limited too? I tried to "hide" the D:\ drive in an AAD DS GPO as the D:\ drive is ephemeral. I didn't want my users to even see the drive letter in order to prevent potential data loss. Additionally, I created a File Server in my vNet to share QuickBooks files for my WVD environment users. I am unable to create "Mapped" drives using GPO in AAD DS to WVD computers joined as session hosts. I can map drives manually inside the session via command prompt and PowerShell but Windows Explorer doesn't recognize the network drive letters. The AAD DS GPO doesn't add the drive letter to the user either. Would you know if there is a better practice for mapping file shares in WVD and AAD DS?

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      Yeah GPO can’t do everything here. FSLogix for example...you can’t do it through GPO because you can’t import the ADML & ADMX files on the DC...because you have no rights.
      AADDS is a very limited solution compared to how people usually want to manage AD...
      So unless you are a 100% born in the cloud company and only need legacy Auth or any old AD for WVD I would not recommend it.

    • @jimparsons8485
      @jimparsons8485 3 years ago +1

      Figured out my issue and it was related to SMB. The network drives were mapping in DOS or PowerShell, just not visible in Explorer. Everyday in Azure is a great day to learn something new.

    • @jimparsons8485
      @jimparsons8485 3 years ago +1

      @@AzureAcademy Learning everyday. In the meantime I'm looking forward to the day AADDS gets integrated with Intune

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      Usually that happens because you used “run as Admin” when you opened the cmd or PS
      Technically that is a different user context and YOU would not see it in explorer because YOU didn’t map the drive that admin did.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      I hear ya...but I am looking fwd to when we don’t need a DC at all and can be fully Azure AD Joined

  • @sidzhang
    @sidzhang 3 years ago +1

    Dean, one quick question.
    Technically, do you think on-premises VMs can join AADDS domain via VPN/ER?
    I know AADDS is cloud-only, it's not extension of on-premises domain, but technically is it feasible?
    Thanks

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      I have never tried it...but I assume that IF the VPN gets you line of sight to AADDS and all the correct ports are open then you should be able to authenticate...

  • @bkrich
    @bkrich 3 years ago +1

    Thank you for this video.
    if I create a cloud only user (not on-prem/AADC) in Azure and I created AADDS, will that cloud users password be synced to AADDS or will a reset still need to happen and what about new cloud only users going forward?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      The principle is the same. The user being synced into AADDS needs a password reset, or the script that I showed, in order to sync the password over to AADDS in a way that will allow for the Kerberos authentication

    • @bkrich
      @bkrich 3 years ago +1

      @@AzureAcademy even if there was no on-prem with AADC
      What about in these two scenarios
      1. I have Azure cloud only user and I created AADDS after, would I need a password reset?
      2. What if I create AADDS, then I create a fresh azure AD user, do I need a password reset?
      Is it the reset function whether any different scenario is what provides the password to AADDS?

    • @AzureAcademy
      @AzureAcademy  3 years ago +3

      If AADDS already exists then you create a new cloud user, they won’t need a reset because the sync is already happening

    • @bkrich
      @bkrich 3 years ago +1

      @@AzureAcademy thank you!

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      👍👍

  • @naturevibezz
    @naturevibezz 2 years ago +1

    Hey, can I connect my local systems to Azure AD Domain Services and then use OUs, group policies etc.?

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      You can as long as you have network connectivity…just like any other AD in the cloud.
      You need a client or site to site VPN

    • @naturevibezz
      @naturevibezz 2 years ago +1

      @@AzureAcademy So I need to install a DC in azure?

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      No, not exactly. It depends on why you want a DC and how you will get to it from Azure and On Prem…if you have an on prem ☺️. So what are you trying to do?

    • @naturevibezz
      @naturevibezz 2 years ago +1

      @@AzureAcademy All I needed was Microsoft Intune and MDM.

    • @AzureAcademy
      @AzureAcademy  2 years ago +2

      To use intune and MDM you don’t need a domain controller at all. You can use Azure AD Join.

  • @stormlight1553
    @stormlight1553 3 years ago +1

    Ok, I have watched this 3 times and am still a touch fuzzy. I get the premise but not the application of it. Are there any other use cases for this besides WVD (assuming that WVD can't work with traditional domain controllers)? Aren't there other identity providers that could tie into your traditional DCs? OKTA, DUO identity provider, etc?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Azure Virtual Desktop can use traditional DCs, AADDS or Azure AD Join.
      Azure Files storage, netapp storage and any Kerberos Auth needed for other apps can all use AADDS as well.
      AADDS is not an identity layer like Duo, ADFS or Okta, it is a total AD environment

    • @stormlight1553
      @stormlight1553 3 years ago +1

      @@AzureAcademy Thanks. So the only reason to use Azure Domain Services is when you have an all cloud environment and don't want to spin up a domain controller in the cloud if you need Kerb, LDAP, etc. If you already have an on prem DC and plan on keeping at least one on site, AADDS is no use to you?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      My thinking exactly ☺️

  • @TravelIndiaSolo
    @TravelIndiaSolo 3 years ago +1

    Great, very informative video.
    I need some help,
    We have azure with a domain xyz.com, I set up my ADDS as abc.com.
    When I try to join a personal computer, it doesn't give me the option to join abc.com, it takes me to xyz.com by default.
    How can I change it and choose abc.com?

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      Thanks Ravi! The issue sounds like DNS.
      If the VMs are located in Azure and you want to join abc.com you need to set the virtual network DNS servers. They need to be configured with the IP addresses of the AADDS servers
      Then they will find that domain.
      Oh and by the way,
      If the virtual network where the VMs are located is not the same network as AADDS then you will need to set up a peering connection with forwarding in both directions

    • @TravelIndiaSolo
      @TravelIndiaSolo 3 years ago +1

      @@AzureAcademy thank you! I got that. I could fix DNS issue for all the VMs inside azure but I was asking about a personal laptop.
      How do I join it since it’s on public network.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      The fix is the same for personal laptops as well.
      Your DNS needs to be configured to point at the AADDS domain controllers.

    • @TravelIndiaSolo
      @TravelIndiaSolo 3 years ago +1

      @@AzureAcademy Alright but these personal laptops are not on the Azure network. And the Azure ADDS DNS are configured using private IPs. Can it be done without connecting personal laptops to Azure network?

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      They must be on the same network…so since you have physical laptops and virtual servers in 2 different places, you will need a client VPN on the laptops so they can reach the AADDS network
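The DNS fix Dean describes in this thread (point the VNet, or the VPN-connected laptop, at the AADDS domain controllers so `abc.com` can be found) as an added PowerShell example; it is not from the video or the comments. It assumes the Az module is installed and `Connect-AzAccount` has run; the resource group, VNet name and DC IP addresses are placeholders to be taken from your own AADDS overview blade.

```powershell
# Added example, not part of the original thread. Names and IPs below are placeholders.
$ManagedDomain = 'abc.com'                   # AADDS managed domain name from the thread
$AaddsDcIps    = @('10.0.0.4', '10.0.0.5')   # PLACEHOLDER: AADDS domain controller IPs
$ResourceGroup = 'rg-workloads'              # PLACEHOLDER: VNet's resource group
$VNetName      = 'vnet-workloads'            # PLACEHOLDER: VNet hosting the VMs to join

# 1. Point the workload VNet at the managed domain's DCs instead of Azure-provided DNS.
#    (A peering with forwarding is still needed if this is not the AADDS VNet itself.)
$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName
if (-not $vnet.DhcpOptions) {
    # VNets that never had custom DNS carry no DhcpOptions object yet
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = $AaddsDcIps
$vnet | Set-AzVirtualNetwork | Out-Null
# VMs only pick up the new DNS servers after a NIC reset or reboot.

# 2. From a VM (or a laptop connected through the client VPN), verify the join path
#    before running the domain join: the DC locator SRV record must resolve against the
#    AADDS DCs, and the Kerberos/LDAP/SMB ports must be reachable through the VPN/peering.
foreach ($dc in $AaddsDcIps) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV `
                           -Server $dc -ErrorAction SilentlyContinue
    if (-not $srv) {
        Write-Warning "No DC locator SRV record for $ManagedDomain via $dc - DNS still points elsewhere"
        continue
    }
    foreach ($port in 88, 389, 445) {   # Kerberos, LDAP, SMB
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1} {2}' -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}
```

If the SRV lookup succeeds but a port shows BLOCKED, the problem is the VPN, peering or an NSG rather than DNS, which is the distinction the laptop question in this thread turns on.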

  • @ramisohail
    @ramisohail 3 years ago +1

    Great video Dean, much needed for this ongoing confusion. One small question: if you name both the exact same domain name, and you have VPN connectivity with on prem where you have the original AD domain, and on Azure Domain Services with the same domain, will this cause some kind of conflict, for example for domain joined machines or anything like that? Or will it resolve only on the DNS IP and each one will be separate?

    • @ramisohail
      @ramisohail 3 years ago +1

      Also if you have all syncing like you did on the video, you will always need to modify users from azure ad on prem since its connected with azure ad connect, or when adding new users we can add in azure ad as new cloud only users or add them on prem and force the powershell to run it on all services?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Then you will have an issue in routing. The systems connecting over the network would not know which AD environment to communicate with...this is not recommended, but is something that people try to do anyway because they misunderstand AADDS

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      there are multiple scenarios here...But YES, if you have on prem users syncing AND you wanted to create new "cloud only" users...they would also sync to Azure AD DS
      but understand that they won't sync back to your on prem AD

    • @ramisohail
      @ramisohail 3 years ago +1

      @@AzureAcademy thanks Dean for your clarification and giving the time to respond to each comment, you are a legend for going the extra mile, thanks a lot 😊

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      thanks!