[00:00:00] Azure AD Domain Services is an often misunderstood product that has specialized use cases as well. When I first heard of Azure AD Domain Services, I mistakenly thought this must be a cloud-hosted AD DS forest, so we could decommission our local Active Directory forest or domain and just run it in the cloud. Well, guess what? This is not that. It's not. What we've got with Azure AD Domain Services is a platform for legacy application migration.

[00:00:30] You have line-of-business applications that run in your local Active Directory, and we call them legacy because instead of using token-based identity federation, REST APIs, and web services, we're using things like LDAP binding, we're using Group Policy objects for server management because we're running these services on VMs, these applications on VMs. And importantly, we need to support Kerberos and NTLM authentication. Those are not cloud-compatible protocols by any stretch.

[00:01:00] So here's the pattern. With Azure AD Domain Services, if you want to give your local Active Directory users single sign-on, or just in the name of migrating local Active Directory users, you're going to have to set up account synchronization with Azure AD Connect into your Azure Active Directory tenant. Then, you'll need to deploy an instance of Azure AD Domain Services.

[00:01:22] Now note that this is a managed domain and not a managed forest. You don't get forest-wide scope, so you can't extend the schema like you can with your local forest. It's a managed domain, and that resource is embedded into your virtual network. It's actually running on a couple of VMs, the domain controller VMs, that are being abstracted away from you. This is a platform as a service. And then the idea is the identities that are surfaced in your managed domain will come from Azure AD. So as you can see, you've got local accounts being replicated into Azure AD, those accounts being surfaced into your managed domain. And then yes, indeed, the idea is you can migrate your workload VMs into the Azure virtual network, and you can do all of your legacy stuff with Group Policy management, and LDAP, and Kerberos, and NTLM sign-ins, and this, that, and the other. That's the basic "what is it" of Azure AD Domain Services.

[00:02:16] High-level deployment steps: set up Azure AD Connect account synchronization. This is assuming that you do want to surface those local AD accounts and not just go cloud-only. Then, as I said, deploy the managed domain to a virtual network. You'll need to update the DNS settings in the VNet to point to those two managed domain controllers, and then you will have to do a bit of work to enable user accounts for Azure AD DS. And there's some guidance on this. We don't need to get that deep into the weeds. I give you some links in the exercise files. That basically has to do with the fact that we need to get the NTLM- and Kerberos-compatible password hashes into your managed domain. And Azure AD is a REST API. It's a web service that doesn't have anything to do with those legacy password hashes. So there's, like I said, a little bit of work. The steps are different, depending upon whether you're doing cloud first or staying only in Azure AD versus account synchronization with Azure AD Connect.