Back in October 2015, the Microsoft Identity division announced the Azure AD Domain Services Preview, and I wrote a blog post about this new feature here: https://spanougakis.com/2015/10/15/azure-active-directory-domain-services-your-domain-controller-as-a-service/
So the time has come and this feature is now generally available worldwide. Back in May this year they had already announced a cool set of enhancements, and following yesterday's GA announcement these enhancements got even better:
- Secure LDAP access to your managed domain, including over the internet (even from Amazon Web Services)
- Enable “AAD DC Administrators” to configure DNS on their managed domain.
- Enable “AAD DC Administrators” to create custom organizational units (OUs).
So let’s take a look at these new features, as they are described in the original announcement of the AzureAD team here: https://blogs.technet.microsoft.com/enterprisemobility/2016/10/12/azuread-domain-services-is-now-ga-lift-and-shift-to-the-cloud-just-got-way-easier/
For your convenience, I’ve copied the original text here, because it contains a lot of useful articles and guides that you should check.
- Support for secure LDAP: You can access your managed domain using LDAPS (secure LDAP), including over the internet.
- Custom OU support: Users in the ‘AAD DC Administrators’ delegated group can create and administer a custom organizational unit on your managed domain.
- Configure managed DNS for your domain: Users in the ‘AAD DC Administrators’ delegated group can administer DNS on your managed domain using Windows Server DNS administration tools.
- Domain join for Linux: The AzureAD team has co-operated with RedHat to document how you can join a RedHat Linux VM to your managed domain.
- New and improved synchronization with your Azure AD tenant: Re-design of the synchronization between your Azure AD tenant and your managed domain. For existing domains, this new improved synchronization has been rolled out automatically in a phased manner.
- The ‘password does not expire’ attribute: Some accounts had the ‘password-does-not-expire’ attribute set on them, for example, service accounts. The password policy was being enforced for these accounts in managed domains, resulting in their passwords expiring. Passwords for such accounts will not expire.
- Incorrect group display name for accounts created in Azure AD: The samAccountName attribute for groups created in Azure AD was not being set correctly in the managed domain. These were being set to GUIDs instead of a valid samAccountName.
- SID history sync: The on-premises primary user and group SIDs will now be synchronized to your managed domain and set as the SidHistory attribute on corresponding users and groups. This cool feature helps you move your workloads to Azure without having to worry about re-ACLing them.
- Virtual network peering: The Azure networking team recently announced GA for virtual network peering. This awesome feature makes it easy to connect Domain Services to other virtual networks. You can connect a classic virtual network in which your managed domain is available to workloads deployed in resource manager virtual networks using network peering.
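The SID history sync item above is the one that decides whether your existing ACLs keep working after a lift-and-shift, so here is a small added check for it (my own example, not code from the announcement or from Microsoft). It assumes you have already pulled `objectSid` and `sIDHistory` from the managed domain with whatever LDAP tool you like; the entries below are constructed sample data in the shape such a search returns, and the SIDs in them are made up.

```python
import struct

def sid_to_str(blob: bytes) -> str:
    """Decode a binary SID (as objectSid/sIDHistory come back from LDAP) to S-1-... form."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")          # 48-bit identifier authority
    subs = struct.unpack_from("<%dI" % count, blob, 8)    # little-endian sub-authorities
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def str_to_sid(text: str) -> bytes:
    """Encode S-1-... text to the binary form; used here only to build sample data."""
    parts = [int(p) for p in text.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

# Constructed sample: two managed-domain users; 'alice' was synced from on-premises,
# 'svc-backup' was created directly in Azure AD and therefore has no SID history.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice",
     "objectSid": str_to_sid("S-1-5-21-4000-5000-6000-1105"),
     "sIDHistory": [str_to_sid("S-1-5-21-1000-2000-3000-1104")]},
    {"sAMAccountName": "svc-backup",
     "objectSid": str_to_sid("S-1-5-21-4000-5000-6000-1106"),
     "sIDHistory": []},
]

def build_sid_map(entries):
    """Map every on-premises SID recorded in sIDHistory to the managed-domain objectSid."""
    mapping = {}
    for e in entries:
        new_sid = sid_to_str(e["objectSid"])
        for old in e.get("sIDHistory", []):
            mapping[sid_to_str(old)] = new_sid
    return mapping

def check_acl(trustee_sids, sid_map):
    """Classify the trustee SIDs of an on-premises ACL before moving the workload.

    Returns (resolved, orphaned): resolved maps old domain SIDs to their managed-domain
    SIDs; orphaned lists domain SIDs with no history entry, i.e. ACEs that would silently
    stop granting access after the move. Well-known SIDs (not S-1-5-21-...) are identical
    in every domain and are skipped.
    """
    domain = [s for s in trustee_sids if s.startswith("S-1-5-21-")]
    resolved = {s: sid_map[s] for s in domain if s in sid_map}
    orphaned = [s for s in domain if s not in sid_map]
    return resolved, orphaned
```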
Well, I can guarantee you that you’ll spend some hours if you want to explore all these new features, as I did.
One of the best enhancements (personal opinion) is the ability to create custom OUs. If you really want to test it, please follow the guide here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-admin-guide-create-ou/
Through the official announcement of the GA, we have some idea of what is on the way:
- Support for Azure Resource Manager including the ability to enable the service in Resource Manager based virtual networks.
- A new management UI experience in the modern Azure portal (portal.azure.com).
So I strongly suggest that you take a look at the official announcement, and we'll explore all these exciting new features together in this blog post:
Thanks for your time!