Azure
Using Azure Active Directory Domain Services as a Domain Controller
November 16, 2015

As part of my series of articles on a lightweight Sitecore infrastructure, I’m going to show how to configure an Azure Active Directory and enable Domain Services as a free and highly available alternative to building your own Domain Controller infrastructure.

Azure Active Directory and Domain Services

Azure Active Directory is Azure’s cloud-based extension of your on-premises directory. Up until recently, Azure AD could act as a federation service between your cloud applications and your local directory, but it wasn’t a fully fledged Active Directory.

With the introduction of Domain Services, Azure Active Directory can now function as a domain controller for your Azure infrastructure, allowing you to domain-join VMs and apply group policies. Importantly, it also supports LDAP, which is what we will use to integrate Sitecore.

Note: there are still limitations compared to on-premises Active Directory, specifically that there is no support for nested OUs. There is one fixed Users OU and one Computers OU.

Creating an Azure Active Directory

First we need to create a new Azure Active Directory.

  1. Start by navigating to the Azure portal, https://portal.azure.com/, and signing in.
  2. From here choose Browse – Active Directory. This will redirect you to the classic Azure Portal, https://manage.windowsazure.com.
  3. From here, choose New – App Services – Active Directory – Directory – Custom Create:
  4. Choose the directory name, domain, and location. This won’t be a B2C directory, as we’ll be using it for content author authentication:
  5. After completing this form, your directory will be created:

Creating a domain administrator

We’ll need a domain administrator later, and this step isn’t really described in the documentation.

  1. Navigate to Users and create a new user:
  2. Assign the user Global Admin rights. Note that Global Admin is a tenant-wide role: it is needed to enable Domain Services, but being a domain administrator on the managed domain later only requires membership of the AAD DC Administrators group, so consider removing the role again once setup is complete if the account is only used for that:
  3. Complete the form to create the user and get the temporary password:
  4. After this, your user is ready.
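The same user and role assignment can be scripted with the Azure AD (MSOnline) PowerShell module instead of clicking through the portal. This is an added example and not code from the original post; the tenant domain `contoso.onmicrosoft.com`, the account name `dcadmin` and the usage location `NL` are placeholders, and it assumes the MSOnline module is installed (`Install-Module MSOnline`) and that you sign in as an existing Global Admin.

```powershell
# Added example (not from the original post): create the domain-administrator
# account and grant it Global Admin with the MSOnline module.
# Assumptions: MSOnline is installed; 'contoso.onmicrosoft.com', 'dcadmin' and
# 'NL' are placeholders for your own tenant, account name and usage location.
Import-Module MSOnline
Connect-MsolService            # prompts for an existing Global Admin of the tenant

$tenantDomain = 'contoso.onmicrosoft.com'
$upn          = "dcadmin@$tenantDomain"

# ForceChangePassword makes the generated temporary password single-use. The
# forced change is also what later step 8 of the Domain Services setup needs:
# the credential hashes used by the managed domain are only generated when the
# password is set or changed after Domain Services has been enabled.
$user = New-MsolUser -UserPrincipalName $upn `
                     -DisplayName 'Domain Services Admin' `
                     -FirstName 'DS' -LastName 'Admin' `
                     -UsageLocation 'NL' `
                     -ForceChangePassword $true
"Temporary password for ${upn}: $($user.Password)"   # shown once; hand over out of band

# 'Company Administrator' is the MSOnline name of the Global Administrator role.
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $upn

# Verify: the new account must now be listed among the tenant's global admins.
$role = Get-MsolRole -RoleName 'Company Administrator'
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.EmailAddress -eq $upn } |
    Select-Object DisplayName, EmailAddress
```

Keep the temporary password out of scripts and logs; the only place it should end up is with the person who performs the first sign-in and password change.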

Enabling Azure Active Directory Domain Services

Domain Services is an additional set of services in Azure Active Directory. This is the part that enables domain join, LDAP and more. Enabling it in effect creates a set of domain controllers, so you first need to create a Virtual Network in which those domain controllers will reside. Note: you’ll never see the domain controller VMs, so there is no VM management involved.

The steps needed to enable Domain Services are as follows:

  1. Navigate to your directory – tab Groups.
  2. Create an administrators group called “AAD DC Administrators”. The naming is specific, as this creates a special group whose members are automatically added to the local Administrators group on every server joined to the domain. Membership therefore means local admin on all domain-joined machines, so keep it to the accounts that actually need it. You can find more information here: https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-ds-getting-started/
  3. Add the previously created domain administrator to the group:
  4. Configure a Virtual Network. Note: make sure that the network is in an Azure region that supports Domain Services:

    https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-ds-getting-started-vnet/

  5. Navigate to the Configure tab and enable Domain Services. This is needed for LDAP support and domain join. Make sure you select the Virtual Network created previously:

    https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-ds-getting-started-enableaadds/

  6. After saving the settings, it may take 20-30 minutes before Domain Services is active. You will know it has completed when ‘Pending …’ disappears and the IP addresses of the domain controllers appear:

  7. After this, navigate back to the Virtual Network created previously, configure the DNS settings for the network and set them to the IP addresses listed on the Domain Services configuration page. Without this, VMs in the network cannot locate the domain:

    https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-ds-getting-started-dns/

  8. The last step is to change the password of the domain administrator created earlier. This can be done by logging on with the user at http://myapps.microsoft.com/. Domain Services needs the Kerberos and NTLM credential hashes for an account, and these are only generated when the password is set or changed after Domain Services has been enabled; until then the account cannot authenticate to the managed domain. The same applies to any other user who needs to log on to the domain.

    https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-ds-getting-started-password-sync/

With that, your domain is ready for use and now supports domain-join and LDAP.
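Before relying on the domain for Sitecore, it is worth verifying the result from a VM inside the Virtual Network: that the VM’s DNS points at the managed domain, that the domain controller ports are reachable, that an LDAP bind with the administrator works (which also proves step 8 was done), and that the account really is in AAD DC Administrators. The script below is an added example and not code from the original post; the domain `contoso.onmicrosoft.com`, the domain controller IPs `10.0.0.4` and `10.0.0.5` and the account `dcadmin@contoso.onmicrosoft.com` are placeholders for the values shown on your Domain Services configuration page.

```powershell
# Added example (not from the original post): verify the managed domain from a
# VM in the Virtual Network, then join the VM. Placeholders: the domain name,
# the two DC IPs from the Domain Services page, and the admin UPN.
$domain   = 'contoso.onmicrosoft.com'
$dcIps    = '10.0.0.4', '10.0.0.5'
$adminUpn = 'dcadmin@contoso.onmicrosoft.com'
$cred     = Get-Credential -UserName $adminUpn -Message 'Domain Services admin'

# 1. DNS: the VNet DNS servers must be the Domain Services IPs (step 7).
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses }).ServerAddresses
if (-not ($dcIps | Where-Object { $dns -contains $_ })) {
    throw "VM DNS servers ($($dns -join ', ')) do not point at Domain Services"
}
$resolved = (Resolve-DnsName -Name $domain -Type A).IPAddress
"Domain $domain resolves to: $($resolved -join ', ')"

# 2. Ports needed for DNS, Kerberos, LDAP and LDAPS on both domain controllers.
foreach ($ip in $dcIps) {
    foreach ($port in 53, 88, 389, 636) {
        $ok = (Test-NetConnection -ComputerName $ip -Port $port `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1} {2}' -f $ip, $port, $(if ($ok) { 'open' } else { 'CLOSED' })
    }
}

# 3. LDAP bind and query as the admin. A failed bind here usually means step 8
#    was skipped: the password was never changed after Domain Services was
#    enabled, so no credential hashes exist for the account yet.
Add-Type -AssemblyName System.DirectoryServices
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$domain", $cred.UserName, $cred.GetNetworkCredential().Password)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = '(&(objectClass=group)(cn=AAD DC Administrators))'
[void]$searcher.PropertiesToLoad.Add('member')
$group = $searcher.FindOne()
if (-not $group) { throw 'AAD DC Administrators group not found over LDAP' }
'Members of AAD DC Administrators:'
$group.Properties['member'] | ForEach-Object { "  $_" }

# 4. Join the VM and reboot. Members of the group listed above become local
#    Administrators on this VM once it is joined.
Add-Computer -DomainName $domain -Credential $cred -Restart
```

Run the script in an elevated PowerShell session on the VM; steps 1 to 3 are read-only checks, so if any of them throws you can fix the DNS settings or the password change before the join in step 4 is attempted.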