00:00:00,740 --> 00:00:31,840
In this demonstration, we're going to finish our configuration of Azure AD Domain Services. You'll remember in the previous module I did a demo in which we deployed an Azure AD Domain Services instance called aaddstimw.info. And what we can do here is, what we'll have to do actually, is finish setting up the environment here. If we click View Health, everything's running and okay, but you might have noticed, let me go back to Overview, that we've got some configuration issues. I know exactly what those issues are, and you'll learn in just a second.

00:00:31,840 --> 00:01:12,860
So let's click this banner and run some diagnostics, and we can see the problem is the DNS records. We need to update the virtual network on which this Azure AD Domain Services instance is placed, so that its DNS server settings point to the two virtual machines that are managed by this service, our domain controllers. Let's click Fix, and see what happens here. Are these just instructions? I'd be interested to see if Azure is actually making changes to that virtual network. Let's just jump over there and take a look. Well, if we head on over to that virtual network and take a look at our DNS servers property, we can see that that Fix button actually did make the change.

00:01:12,860 --> 00:02:05,270
This is important, because what this configuration does is inject those DNS server addresses into any virtual machines we deploy in this environment. This means now we can go to a Windows Server virtual machine that's on, or peered to, that managed domain's virtual network, and we can join it to the managed domain and begin to work as if we were local, but of course we're all in Azure. So we can do an RDP connection, which I've actually done from this server, so let me bring that up. And we can, once we're on that server, join the managed domain, which is what I'm going to do next with good, old-fashioned Control Panel here. I'm going to search for "join domain", join a domain here, we'll go to Change, and the domain, the managed domain I have, is aaddstimw.info. Okay, we type the name of the managed domain, click OK, and we'll be prompted for a domain administrator.

00:02:05,270 --> 00:02:27,180
Now this is going to be a managed domain administrator. If I come over to the portal here and go and look at our Groups in Azure Active Directory, remember that we have the AAD DC Azure AD group that the managed domain created for us here in our tenant. And the way you delegate your domain administrators for your managed domains is to populate them in this group.

00:02:27,180 --> 00:03:22,650
So I have myself, my Tim account, as well as this Melissa account here. Now, another thing to keep in mind is that if you try to join the domain, let me try it right now as a matter of fact, melissa@timw.info, let me pop in her password, her Azure AD password. Right, yes, you see this error? It says "The referenced account is currently locked out and may not be logged on to." This is to be expected, because remember that the final config step here is to ensure that you've got your NTLM legacy password hashes synchronized over to the managed domain. And for cloud accounts, the way to do that is to change the account password, and I've done that. I've signed in as Melissa, and I changed her cloud password, and we're good to go. Now, for synchronized accounts, you'll want to run a PowerShell script on your Azure AD Connect server. I give you a link to the appropriate Microsoft doc in the exercise files.

00:03:22,650 --> 00:03:43,450
But the problem with that is, for this Melissa cloud account, I changed her password and now I have to wait 20 minutes for that replication, for that password hash generation that's compatible with the managed domain, to then replicate over to the managed domain, at which time I'll be able to join the domain and then sign in as Melissa, let's say.

00:03:43,450 --> 00:04:28,400
Also, I can manage the managed domain using my typical administration tools. So I can use Server Manager, and I can do an Add Roles and Features exercise, which you've probably done many times, to install the Remote Server Administration Tools. I've already done that. And, again, this is one of the value propositions of Azure AD Domain Services. You get this hosted domain where you can use LDAP and Kerberos, NTLM, hence the need for the legacy hashes, and group policy-based configuration management. And eventually, after that 20-minute wait, we get "Welcome to the aaddstimw.info domain", and let me restart the server and sign in with the Melissa account. We'll do that now.

00:04:28,400 --> 00:04:59,260
Alright, I've restarted and signed in as Melissa. You can see in my PowerShell session I've run whoami. So I'm signed into the managed domain as the melissa identity, and she is an Azure Active Directory account who also is one of the AAD DC administrators. The name of this box is aadvm, and as you can see, I've loaded the administration tools on the server, so I'm connected to the aaddstim managed domain, and you can see a bunch of OUs that you don't normally see in a local Active Directory.

00:04:59,260 --> 00:05:31,000
We have AADDC Computers, and here is this box; we have AADDC Users, boy, what a tongue twister that is, and here is where we have our Azure Active Directory users including, remember, some of those directory synchronized identities like Brett Gordon, remember that account? So the notion now is, traditionally we would let those accounts happen in our Azure Active Directory tenant. We're going to do more work with Azure AD Domain Services in the next lesson when we get into Group Policy.