Creating Azure AD Domain - azure-active-directory

I'm creating an instance of Azure AD Domain Services and following the steps found here:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started
In the section about DNS it states:
Network name conflicts: Ensure that the DNS domain name you have chosen for the managed domain does not already exist in the virtual network. Specifically, check whether:
You already have an Active Directory domain with the same DNS domain name on the virtual network.
The virtual network where you plan to enable the managed domain has a VPN connection with your on-premises network. In this scenario, ensure you don't have a domain with the same DNS domain name on your on-premises network.
You have an existing cloud service with that name on the virtual network.
I'm not quite sure I understand the restriction here; my Azure Active Directory has a custom domain of [mydomain].com. Is this saying I cannot use the [mydomain].com domain for the DNS entry when creating an "Azure AD Domain Services" instance?

The documentation is talking about Active Directory, not Azure Active Directory.
If you already have an AD domain setup on VMs in the same VNET or have a VPN connection to an on-premises network with an AD domain with the same domain name, you will run into conflicts as AAD DS will also register the domain.
If you are only using Azure AD without a connection to on-prem AD, you are fine.

Related

Identity authentication over smb for Azure file share

I have mounted an Azure file share on an Azure VM using access keys; the VM is not domain joined with the Azure Active Directory instance. Please let me know if the below scenarios will work out:
If I apply ACLs on the folders and sub folders, will the ACLs be enforced in the mounted drive on the VM?
Will Azure RBAC apply if someone tries to upload a file from the VM?
Note: The Azure VM is on a VNET which has access to Azure Active Directory.
Any information/answer/suggestion on the above questions would be greatly appreciated.
ACLs can exist for domain or non-domain accounts. Having a machine that is not domain joined, can obviously not set domain ACLs. So in that case local-server ACLs is all you can hope to get.
If another server mounts the share, and there is not another local user account + SID mapping, then there is no way these ACLs have any meaning on the second machine. But they will be enforced.
So that one will work albeit questionable in terms of usefulness.
RBAC is really a management plane construct. Meant to govern who can manage which Azure resource --> not access which data planes. Now in the case of AD / AAD DS support for Azure file shares, the team has decided to "stretch" the meaning of RBAC to govern share-level ACLs via Kerberos (where normal RBAC is OAuth only!)
Enough of the backend: What this basically means, is that there can be no support for local server accounts.
These accounts only exist on a local server, not in AAD, and certainly not DIRSYNC'ed from on-prem AD into AAD. So that means RBAC cannot work for local accounts, only for domain accounts.
I'm unclear what your scenario is.
A user coming into the server with some sort of local user credential?
Then creating/copying a file into a mounted Azure file share to that VM? --> That can work because there is no RBAC and since this is all happening through that single server that has that local user account, ACLs for these local accounts work natively.
A user coming into the server with a domain cred? --> will not work as the server isn't domain joined.
A user coming in with a local-server account and then using the Azure file share not via SMB mount but by going to the Azure file share directly: Cannot work because it's not a domain account and non-domain accounts cannot work against Azure file shares. You'd use the storage access key to mount the file share to the VM; then you have access and leave authentication to the server with the set of local accounts.
Before you enable Azure AD over SMB for Azure file shares, make sure you have completed the following prerequisites:
Select or create an Azure AD tenant.
You can use a new or existing tenant for Azure AD authentication over SMB. The tenant and the file share that you want to access must be associated with the same subscription.
To create a new Azure AD tenant, you can Add an Azure AD tenant and an Azure AD subscription. If you have an existing Azure AD tenant but want to create a new tenant for use with Azure file shares, see Create an Azure Active Directory tenant.
Enable Azure AD Domain Services on the Azure AD tenant.
To support authentication with Azure AD credentials, you must enable Azure AD Domain Services for your Azure AD tenant. If you aren't the administrator of the Azure AD tenant, contact the administrator and follow the step-by-step guidance to Enable Azure Active Directory Domain Services using the Azure portal.
It typically takes about 15 minutes for an Azure AD DS deployment to complete. Verify that the health status of Azure AD DS shows Running, with password hash synchronization enabled, before proceeding to the next step.
Domain-join an Azure VM with Azure AD DS.
To access a file share by using Azure AD credentials from a VM, your VM must be domain-joined to Azure AD DS. For more information about how to domain-join a VM, see Join a Windows Server virtual machine to a managed domain.
Note: Azure AD DS authentication over SMB with Azure file shares is supported only on Azure VMs running on OS versions above Windows 7 or Windows Server 2008 R2.
Select or create an Azure file share.
Select a new or existing file share that's associated with the same subscription as your Azure AD tenant. For information about creating a new file share, see Create a file share in Azure Files. For optimal performance, we recommend that your file share be in the same region as the VM from which you plan to access the share.
Verify Azure Files connectivity by mounting Azure file shares using your storage account key.
To verify that your VM and file share are properly configured, try mounting the file share using your storage account key. For more information, see Mount an Azure file share and access the share in Windows.

Is it possible to join a local windows machine (on premises) to a Windows Server VM that is hosted on Azure Cloud?

I am setting up a Windows Server VM on Azure cloud and configuring Active Directory Domain Services and Group Policy Objects. I am trying to join a local computer (on premise) to that server and to apply the group policy that I configured on the Windows Server VM. Would this be possible, or do I really need an on-premises Active Directory server to join a local computer?
It's possible, you can deploy ADDS server role, join domains and many other things on Azure as what you can do on-premise. In this case, you have to do three steps:
Deploy a P2S or S2S VPN connection to make sure the connectivity between on-premise and Azure side. Refer to VPN Gateway.
Deploy a DNS server and DC on Azure VM. Set the custom DNS servers on the Azure VNet as your custom DNS server private IP address and also make sure the DNS query on the local computer could resolve the DC Server. You could deploy the DNS server in Azure VNet before setting up a VPN connection so that the virtual network connection setting gets the update on all connections.
Once the VPN is set up, you could join the domain.
Alternatively, you could use Azure AD to create an Active Directory domain in the cloud and connect it to your on-premises Active Directory domain. Azure AD Connect integrates your on-premises directories with Azure AD. In this scenario, you could have an on-premises Active Directory domain first.
Moreover, you could refer to this article to choose a solution for integrating on-premises Active Directory with Azure.

Question related to Azure Domain Services and on-premise domain

I have an on-premise domain called "mydomain.com". I'm wanting to extend this domain to Azure via active directory domain services. When setting the ADDS in azure, should I use a different domain name such as "azure.mydomain.com" or use the same one as my on-premise "mydomain.com"?
Also, does this configuration require a VPN connection via the gateway or can on-premise domains be extended to Azure over the public internet?
Another question relates to whether the free Azure AD is needed for this type of deployment, or do you have to use Azure Domain Services in addition to the free Azure AD provided by the tenant?
The following link from Microsoft docs highlights under the "Network name conflicts" section that the same domain name as the on-prem domain name should NOT be used, as it would cause a conflict.
For more details follow the MS doc link below:
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance
I have an on-premise domain called "mydomain.com". I'm wanting to extend this domain to Azure via active directory domain services. When setting the ADDS in azure, should I use a different domain name such as "azure.mydomain.com" or use the same one as my on-premise "mydomain.com"?
Azure AD Domain Services provides managed domain services seamlessly regardless of whether your Azure AD tenant is cloud-only or synced with your on-premises Active Directory.
For the domain name in AADDS, you have many choices:
Built-in domain name: By default, the wizard specifies the default/built-in domain name of the directory (with a .onmicrosoft.com suffix) for you.
Custom domain names: You can also type in a custom domain name.
Non-routable domain suffixes: We generally recommend avoiding a non-routable domain name suffix.
Domain prefix restrictions: The prefix of your specified domain name (for example, contoso100 in the contoso100.com domain name) must contain 15 or fewer characters.
Network name conflicts: Ensure that the DNS domain name you have chosen for the managed domain does not already exist in the virtual network.
If you just want to extend your on-premise domain to Azure, you don't need to use AADDS to do this; you could just use Azure AD Connect to sync your on-premise domain to Azure. Because if you want to use AADDS, you also need to sync the on-premise to Azure.
Also, does this configuration require a VPN connection via the gateway or can on-premise domains be extended to Azure over the public internet?
The process of configuration doesn't require a VPN connection; it just uses Azure AD Connect to do the synchronization.
Another question relates to if the free Azure AD is needed for this type of deployment or do you have to use Azure Domain Services in addition to the free Azure AD provided by the tenant?
The AADDS needs a subscription when you configure it; there is no requirement about the AAD.

Azure AD Directory Services Domain Name Guideline

When configuring Azure AD directory services, we would like to use the name "xxx.com". "xxx.com" is not publicly owned by us and we cannot acquire it.
Does anyone foresee any issues with us using this name when configuring the DNS domain name for AD directory services or should we only specify a domain name that we can control public DNS records for?
Also should the domain we specify match one of the custom domains that we have added to custom domain list in Azure AD?
I suppose "xxx.com" you mentioned is the initial domain name in the form of domainname.onmicrosoft.com which is also the primary domain name. The initial domain name cannot be changed or deleted, but you can add your custom domain name to Azure AD as well.
You can select any custom domain name which can be verified in Azure AD. The domain you specify should match one of the custom domains that you have added to the custom domain list in Azure AD. Also, if you want to add a third-level domain name such as domainname.contoso.com to your directory, you should first add and verify the second-level domain, such as contoso.com. The subdomain will be automatically verified by Azure AD.
If you plan to federate your on-premises Windows Server AD with Azure AD, then you need to select the I plan to configure this domain for single sign-on with my local Active Directory checkbox when you run the Azure AD Connect tool to synchronize your directories. You also need to register the same domain name you select for federating with your on-premises directory in the Azure AD Domain step in the wizard.
Reference: Add a custom domain name to Azure Active Directory
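The answers above (the first one in this thread, the AADDS domain-name answer, and this one) together give the rules a proposed managed-domain name has to satisfy: the name conflict is with a real AD DS domain in the virtual network or, when a VPN is present, on-premises, not with the custom domain registered in Azure AD; the prefix must be 15 or fewer characters; a non-routable suffix is allowed but recommended against; and a custom name, or one of its parent domains, should be a verified custom domain in the tenant. The pre-flight check below encodes those rules. It is an added example written for this page, not Microsoft tooling or code from any of the posts; the inventory of existing names is constructed, and the list of suffixes treated as non-routable is an assumption, since the docs quoted here do not enumerate them.

```python
from dataclasses import dataclass, field

MAX_PREFIX_LEN = 15  # "15 or fewer characters", per the docs quoted in the answer above
# Assumption: the quoted docs do not list the non-routable suffixes; these are common ones.
NON_ROUTABLE_SUFFIXES = ("local", "internal", "lan", "corp")


@dataclass
class NameInventory:
    """Constructed view of the places a new managed-domain name could collide with."""
    ad_domains_in_vnet: set = field(default_factory=set)      # AD DS domains on VMs in the VNet
    onprem_ad_domains: set = field(default_factory=set)       # AD DS domains reachable over VPN
    cloud_services_in_vnet: set = field(default_factory=set)  # cloud services already using a name
    vpn_connected: bool = False                               # VNet has a VPN to on-premises
    azure_ad_verified_domains: set = field(default_factory=set)  # custom domains verified in the tenant


def check_managed_domain_name(name, inv):
    """Return (ok, findings); ok is False only when an 'error:' finding is present."""
    findings = []
    name = name.strip().rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2 or not all(labels):
        return False, ["error: name must be a fully qualified DNS name such as contoso100.com"]
    prefix, suffix = labels[0], labels[-1]

    # Domain prefix restriction
    if len(prefix) > MAX_PREFIX_LEN:
        findings.append(f"error: prefix '{prefix}' has {len(prefix)} characters; limit is {MAX_PREFIX_LEN}")

    # Non-routable suffix: allowed, but recommended against
    if suffix in NON_ROUTABLE_SUFFIXES:
        findings.append(f"warn: '.{suffix}' is a non-routable suffix; a routable name is recommended")

    # Network name conflicts: only real AD DS domains and cloud services count here,
    # not the custom domain registered in Azure AD itself.
    if name in inv.ad_domains_in_vnet:
        findings.append("error: an AD domain with this DNS name already exists in the virtual network")
    if inv.vpn_connected and name in inv.onprem_ad_domains:
        findings.append("error: the VPN-connected on-premises network already has an AD domain with this name")
    if name in inv.cloud_services_in_vnet:
        findings.append("error: a cloud service with this name already exists in the virtual network")

    # Custom name: it, or a parent domain, should be a verified custom domain in Azure AD
    if not name.endswith(".onmicrosoft.com"):
        candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
        if not candidates & inv.azure_ad_verified_domains:
            findings.append("warn: neither this name nor a parent domain is verified as a custom domain in Azure AD")

    ok = not any(f.startswith("error:") for f in findings)
    return ok, findings


# Constructed scenario: the tenant has mydomain.com verified, on-prem AD also uses
# mydomain.com, and the VNet is VPN-connected to it, so reusing the name would collide.
EXAMPLE_INVENTORY = NameInventory(
    onprem_ad_domains={"mydomain.com"},
    vpn_connected=True,
    azure_ad_verified_domains={"mydomain.com"},
)

if __name__ == "__main__":
    for candidate in ("mydomain.com", "azure.mydomain.com", "corp.local"):
        ok, findings = check_managed_domain_name(candidate, EXAMPLE_INVENTORY)
        print(candidate, "OK" if ok else "BLOCKED", findings)
```

With the constructed inventory, "mydomain.com" is blocked only because of the VPN-connected on-premises domain; with no VPN and no AD DS domain in the VNet the same name passes, which is the point of the first answer in this thread. "azure.mydomain.com" passes because its parent is a verified custom domain.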

How does ADFS communicate with AD?

How does Active Directory Federation Service (ADFS) connect to a classic on-premise Active Directory Domain Service, or, simply, AD?
Is it via the protocol HTTP?
AD FS connects to AD as a "standard" active directory supplicant for Username/Password or Certificate Authentication, and as a Kerberos relying party for Kerberos authentication. This means that it uses a variety of protocols to authenticate clients and retrieve user information. Primarily, Kerberos is used for authentication and LDAP is used for user attribute retrieval.
The full list of ports used for AD Directory Services is quite long, and can be found at Service overview and network port requirements for Windows - Active Directory.
Generally, the AD and AD FS servers are considered to be on the same security level. ADFS Proxies (which are essentially layer-7 firewalls in their own right) are used in the DMZ to provide insulation between active directory and a potential attacker.
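The answer names the protocols AD FS uses toward the domain controllers and places the proxies in a DMZ. A small gap check over a constructed set of firewall allow-rules, added here as an example (not Microsoft's code or the answer's), shows what a defender would verify from that description: the AD FS servers can reach the DCs on the Kerberos and LDAP ports, and the DMZ proxies (tagged wap here, an assumed segment name) have no rule to the DCs at all. The ports are the well-known Kerberos (88), LDAP (389), LDAPS (636) and DNS (53) ports; the complete list is in the Microsoft document the answer refers to.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall allow-rule between two network segments (constructed model)."""
    src: str            # segment tag, e.g. "adfs", "wap" (proxy in the DMZ), "dc"
    dst: str
    proto: str          # "tcp", "udp" or "*" for any
    port: "int | str"   # port number or "*" for any


# Flows an AD FS server needs toward the domain controllers. Kerberos and LDAP are the
# ones the answer names; LDAPS and DNS (DC location via SRV records) are included as
# well-known requirements. The full list lives in the Microsoft document referenced above.
REQUIRED_DC_FLOWS = {
    "Kerberos (authentication)": {("tcp", 88), ("udp", 88)},
    "LDAP (attribute retrieval)": {("tcp", 389), ("udp", 389)},
    "LDAPS": {("tcp", 636)},
    "DNS (locate domain controllers)": {("tcp", 53), ("udp", 53)},
}


def rule_allows(rule, src, dst, proto, port):
    """True if the rule permits src -> dst for this protocol/port, honouring '*' wildcards."""
    return (rule.src == src and rule.dst == dst
            and rule.proto in (proto, "*")
            and rule.port in (port, "*"))


def missing_flows(rules, src="adfs", dst="dc"):
    """Map each required service to the (proto, port) pairs no rule allows from src to dst."""
    missing = {}
    for service, flows in REQUIRED_DC_FLOWS.items():
        gaps = {f for f in flows if not any(rule_allows(r, src, dst, *f) for r in rules)}
        if gaps:
            missing[service] = gaps
    return missing


def proxy_to_dc_rules(rules, proxy="wap", dst="dc"):
    """Rules letting the DMZ proxy reach DCs directly; the proxy should only talk to AD FS."""
    return [r for r in rules if r.src == proxy and r.dst == dst]


# Constructed rule set: AD FS -> DC flows are complete, the proxy reaches AD FS over 443,
# and one stray rule lets the proxy talk LDAP to a DC, which the check should flag.
SAMPLE_RULES = [
    Rule("adfs", "dc", "tcp", 88),
    Rule("adfs", "dc", "udp", 88),
    Rule("adfs", "dc", "*", 389),
    Rule("adfs", "dc", "tcp", 636),
    Rule("adfs", "dc", "*", 53),
    Rule("wap", "adfs", "tcp", 443),
    Rule("wap", "dc", "tcp", 389),  # misconfiguration: DMZ proxy bypasses AD FS
]

if __name__ == "__main__":
    print("missing AD FS -> DC flows:", missing_flows(SAMPLE_RULES))
    print("proxy -> DC rules (should be empty):", proxy_to_dc_rules(SAMPLE_RULES))
```

Run against an export of real rules, the two functions answer the two questions the answer raises: is AD FS able to authenticate and query AD, and is the DMZ tier actually insulated from the directory.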
