Alright, let me close that RDP session, and let's come back to our portal again. What I want to do here is head on over to my Virtual networks list, and this cloud‑vnet, actually we're going to go to another one I created called aadds, boy, that's a tongue twister, vnet. It's got an address space of 172.17/16, and I have just two subnets here. This is going to be my testbed for Azure AD Domain Services.

But if I do a search in the Azure portal for Azure AD Domain Services and head on over to that blade, let's create our managed domain. I'm going to place this in my cloud‑rg resource group, and I'm going to call this aaddstimw.info as my domain name.

Now the Forest type defaults to User, but you can also use the Resource option. What's going on here is that you would use the Resource option if you had resources in your Azure VNet and you wanted to include local Active Directory users and groups on those access control lists. What would happen is that you would have a unidirectional forest trust from your managed domain in the cloud to your on‑premises environment. But the most common scenario is, as I explained before, application migration, so we're going to leave User here, and we'll click Next.

We supply the name of the virtual network and the subnet. I already popped that in. It tells us here that a network security group will be automatically created and associated to the subnet to protect these managed domain controllers.

We have our AAD DC Administrators group, which has administrative privileges in the managed domain. Let's click Manage group membership, Add members, and I'm just going to add myself right now. There's my Tim account, Select. Alright, let me close. I'll leave the default notifications, All Global Administrators, as well as the AAD DC Administrators group.

How do we want synchronization to happen? Notice that it's a one‑way synchronization from Azure Active Directory to the managed domain. In the next module, I'll configure that second hop, or really, it's the first hop, where we use Azure AD Connect to replicate local identities up into Azure, and then you've got one way from Azure AD into the managed domain. Do you want to bring everybody, or do you want to scope that synchronization? I'm going to do everybody because my Azure AD isn't particularly large. Let me click Next.

We have some options here, including some important ones like making sure that password synchronization from on‑premises is enabled. I'm going to click Next. We've got our taxonomic tags. We'll validate our deployment choices against the Azure Resource Manager schema, and then we'll create.

Now let's take a look at this warning together. It says the following choices are final. So basically, everything we selected, it's essentially a tattoo operation: if we decide that we made a mistake somewhere in the mix, we're going to have to wipe and reload. Let me click OK.

This will normally take upwards of an hour, and I'm going to let this go. You don't have to wait for it to complete, fortunately. What I will do in the meantime, just to get us started, is show you that if we browse over to the Azure AD Domain Services blade in the portal, we can take a look, even though the resource is being created, and it says this operation will take a while. Eventually, we'll have additional instructions, particularly instructions on how to configure DNS in our virtual network to point to the two managed domain controllers that you get as part of this service. And you notice here, there are some related docs links, which are useful, and we can see some Azure control plane options here under Settings.

I'm actually going to end the demo here, and we'll complete the Azure AD DS configuration in the next module.