Joining Windows Azure machines to Azure Active Directory (AAD) using AADDS



So my foray into the cloud world continues and I've been getting more and more involved in the Windows Server aspects of this. Now I know that if we were truly doing proper, full-on cloud we wouldn't be using traditional servers; we'd be using all PaaS components and we would be truly 'serverless'. However, reality means that this isn't the case and a lot of our migrations to the cloud will involve retaining traditional-style IaaS machines, just running in a 'different datacentre' - in this case Azure.

The fact that we still need traditional servers means we need traditional tools and processes to manage them, which in the Windows world means you basically have to have Active Directory in some form or other. Now managing a fully fledged AD installation is not something I want to take on - there are justifiably roles in large organisations dedicated to just doing AD - and we don't have the resource or skillset for that.

So what are our options here?

Well, relatively recently (I'm not sure of the exact dates here) Azure AD (the PaaS offering for AD) was extended with Azure AD Domain Services (AADDS) - stick with me on the whole multiple acronyms thing.

These domain services add a number of features that make it much easier to manage machines in the traditional way without the headache of a full AD installation and its ongoing support.

So having said all that, how do I activate this, make use of it and join a machine to my domain?

Well, assuming you have Azure AD set up and configured...

The first step is to visit the old ASM portal (https://manage.windowsazure.com) - unfortunately this functionality hasn't made it to the new ARM portal (https://portal.azure.com) yet. I'm sure it will be coming pretty soon though, as the old portal is being phased out more and more every day.

Here in the old portal I click on the enable option for domain services - see the pic below.




After a while (maybe 30 mins or so) an initial server will appear, followed by a second one a few minutes later. These servers are domain controllers in the traditional sense; however, you have no access to them at all via RDP - they are essentially a PaaS component. (You can do stuff indirectly and I'll talk about that more in a later post.)

Once you have these available you can move to the next stage.

The next stage is just making sure you have an account in Azure AD that is a domain administrator - you can check and add this in the new portal (it's only the activation of domain services that is in the old portal). Just make sure you have an account created that has the right shown below.
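The same check done from PowerShell rather than the new portal, as an added example that is not part of the original post. It assumes the AzureAD module is installed and that the "right" referred to above is membership of the Azure AD group 'AAD DC Administrators' (the name Microsoft's AADDS documentation uses; the post only shows it in a screenshot that is not reproduced here). The UPN is a placeholder.

```powershell
# Added example, not from the original post. Assumptions: the AzureAD module is
# installed, and the AADDS admin right is membership of the Azure AD group
# 'AAD DC Administrators' (name taken from Microsoft's documentation, not the post).
Connect-AzureAD | Out-Null

$group = Get-AzureADGroup -Filter "DisplayName eq 'AAD DC Administrators'"
if (-not $group) {
    throw "'AAD DC Administrators' group does not exist yet - create it in Azure AD first"
}

# List who currently holds the right. Worth reviewing regularly: every member is
# effectively a domain admin for the managed domain.
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true
$members | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize

# Use a dedicated account for domain joins rather than a personal or global admin
# login, so the credential typed on servers is scoped to that one job. Placeholder UPN.
$joinUpn = 'svc-domainjoin@contoso.onmicrosoft.com'
if ($members.UserPrincipalName -notcontains $joinUpn) {
    $user = Get-AzureADUser -ObjectId $joinUpn
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
    Write-Host "Added $joinUpn to $($group.DisplayName)"
}
```

Run this from a workstation with an Azure AD admin login, not on the server being joined; the membership listing is the part to keep as a periodic check once the domain is in use.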


At this point, as long as the network where domain services was enabled (the ASM network) can talk to the network where the servers you want to domain-join are located - either via peering or some other method - you should be able to join the machines in the normal way.

So that's just a case of opening the Server Manager screen and clicking on the workgroup name


Then typing in the domain name you chose for Azure AD, so xxxxxx.onmicrosoft.com


Then enter the credentials for your domain admin login in the form DOMAIN\user or user@xxxxx.onmicrosoft.com (either syntax will work)


Then the join works


And just a reboot is required
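The join steps above, done from an elevated PowerShell session on the VM instead of through Server Manager, as an added example that is not from the original post. It checks the network prerequisite (DNS via the AADDS domain controllers, and the ports the join needs across the peering) before any credential is sent, so a failure points at the actual cause rather than a generic "domain could not be contacted" error. The domain name contoso.onmicrosoft.com and the DC addresses 10.0.0.4 and 10.0.0.5 are placeholders for the values shown in your own portal.

```powershell
# Added example, not from the original post. Placeholders: the AADDS domain and the
# two domain controller addresses that the portal shows once provisioning finishes.
$DomainName  = 'contoso.onmicrosoft.com'
$DcAddresses = @('10.0.0.4', '10.0.0.5')

# 1. The VM must resolve names via the AADDS DCs. In Azure that is set on the virtual
#    network's DNS settings rather than inside the guest, so only check here and stop
#    with a clear message if it is wrong.
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique
$usingAadds = $DcAddresses | Where-Object { $dnsServers -contains $_ }
if (-not $usingAadds) {
    throw "VM DNS servers are '$($dnsServers -join ', ')'; set the VNet DNS to $($DcAddresses -join ', ') first"
}

# 2. A join needs DNS, Kerberos, LDAP and SMB to the DCs. Test each port so that an
#    NSG rule or peering gap is found before credentials are ever typed in.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
Write-Host "DC SRV records: $(($srv | Where-Object Type -eq 'SRV').NameTarget -join ', ')"
foreach ($ip in $DcAddresses) {
    foreach ($port in 53, 88, 389, 445) {
        $result = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
        if (-not $result.TcpTestSucceeded) {
            throw "TCP $port to $ip is blocked; check the NSG and peering before joining"
        }
    }
}

# 3. Prompt for the AADDS admin account (user@contoso.onmicrosoft.com works, as does
#    DOMAIN\user) rather than putting a password in the script, then join and reboot
#    in one step, which is what the Server Manager wizard does as well.
$cred = Get-Credential -Message "AADDS domain admin account for $DomainName"
Add-Computer -DomainName $DomainName -Credential $cred -Force -Restart
```

After the reboot, `Test-ComputerSecureChannel -Verbose` (or `nltest /dsgetdc:contoso.onmicrosoft.com`) confirms the machine account trust with the managed domain before you rely on domain logons.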


Job done - I can now log on with my domain account to manage the server and make use of domain services such as DNS and Group Policy - both of which I'll write up shortly to expand a little more on what can be done.

If you're moving to Azure and still have to manage traditional stuff these steps are pretty much essential to have any chance of managing the estate. With AADDS we get the benefits of AD without the complexity.

1 comment:

  1. Nice one Rich. Waiting for your next post on making use of the Group Policy and DNS via AADDS

    Cheers,
    Prudvi
