The news today is just SOOOO cool. Azure AD Domain Services is now Generally Available!
If you follow the blog, you already know about how this unique capability makes moving legacy applications into the cloud WAY easier. But you’ll probably be surprised to learn that more than 5700 customers have already turned on Azure AD Domain services in their tenant and are using it every day.
To give you a quick tour of the service and the improvements we’ve made during the public preview, I’ve asked Mahesh Unnikrishnan, the PM who leads this effort, back to do another guest blog post. You’ll find it below.
I hope you’ll find this service valuable, and as always, we would love to receive any feedback or suggestions you have!
Alex Simons (Twitter: @Alex_A_Simons)
Director of Program Management
Microsoft Identity Division
I’m Mahesh Unnikrishnan, a Program Manager in the Identity division at Microsoft.
Late last year, we announced the public preview of Azure AD Domain Services. Since then, we’ve been working closely with customers to make sure they can get up and running and to learn from their feedback and suggestions. Then in May, we announced several exciting new features and improvements to the service, including secure LDAP support and support for configuring DNS and custom OUs.
Since May we have continued to evolve the service and refine it based on your feedback.
So today, I’m thrilled to announce that Azure AD Domain Services is now Generally Available (GA)!
The Preview program was incredibly successful, with over 5700 Azure AD tenants testing the service and sharing their feedback. We’d like to thank all these customers for their time and for helping us evolve the service. Some of the features we’ve added this year based on your feedback include:
- Secure LDAP access to your managed domain, including over the internet (even from Amazon Web Services!)
- Enable ‘AAD DC Administrators’ to configure DNS on their managed domain.
- Enable ‘AAD DC Administrators’ to create custom organizational units (OUs).
A quick review – What is Azure AD Domain Services?
Azure AD Domain Services provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. You can consume these domain services without the need to deploy, manage, and patch domain controllers in the cloud. Azure AD Domain Services integrates with your existing Azure AD tenant, so users can sign in using their corporate credentials. Additionally, you can use existing groups and user accounts to secure access to resources, making the ‘lift-and-shift’ of on-premises resources to Azure Infrastructure Services way easier than in the past.
Azure AD Domain Services functionality works seamlessly regardless of whether your Azure AD tenant is cloud-only or synced with your on-premises Active Directory. For synced tenants, you do not need to deploy any additional software apart from your deployment of Azure AD Connect.
Setting up Azure AD Domain Services is simple. You simply toggle the service to ‘enabled’, pick a DNS domain name for your managed domain and select a virtual network where you’d like the managed domain to be available.
To get started with Azure AD Domain Services, click here.
New since our initial preview
We have shipped quite a few enhancements and features since the service first went into preview late last year.
- Support for secure LDAP: You can access your managed domain using LDAPS (secure LDAP), including over the internet. If you expose the LDAPS endpoint to the internet, restrict inbound access on TCP port 636 to the source IP ranges that actually need it rather than leaving it open to all addresses.
- Custom OU support: Users in the ‘AAD DC Administrators’ delegated group can create and administer a custom organizational unit on your managed domain.
- Configure managed DNS for your domain: Users in the ‘AAD DC Administrators’ delegated group can administer DNS on your managed domain using Windows Server DNS administration tools.
- Domain join for Linux: We’ve worked with RedHat to document how you can join a RedHat Linux VM to your managed domain.
- New and improved synchronization with your Azure AD tenant: We have re-designed the synchronization between your Azure AD tenant and your managed domain. For existing domains, this new improved synchronization has been rolled out automatically in a phased manner.
- Honoring the ‘password does not expire’ attribute: Some accounts, for example service accounts, have the ‘password does not expire’ attribute set. Previously, the managed domain’s password policy was enforced for these accounts anyway, so their passwords expired. The attribute is now honored, and passwords for such accounts no longer expire in the managed domain.
- Incorrect sAMAccountName for groups created in Azure AD: The sAMAccountName attribute for groups created in Azure AD was being set to a GUID in the managed domain instead of a valid sAMAccountName. This is now fixed.
- SID history sync: The on-premises primary user and group SIDs are now synchronized to your managed domain and set as the sIDHistory attribute on the corresponding users and groups. Because Windows access checks honor the SIDs in sIDHistory, ACLs that reference the on-premises SIDs keep working, so you can lift-and-shift your workloads to Azure without having to re-ACL them.
- Virtual network peering: The Azure networking team recently announced GA for virtual network peering. This awesome feature makes it easy to connect Domain Services to other virtual networks. You can connect a classic virtual network in which your managed domain is available to workloads deployed in resource manager virtual networks using network peering.
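The script below is an added example, not code from the original post or from the Azure AD Domain Services team. It exercises several of the features listed above from a Windows VM that is already joined to the managed domain and has the RSAT Active Directory PowerShell module installed: domain controller discovery through the managed DNS, the secure LDAP listener and the certificate it presents, the sAMAccountName fix for groups synced from Azure AD, and whether the ACL on a lift-and-shifted share is covered by objectSid or sIDHistory. The domain name `contoso.com`, the LDAPS host name `ldaps.contoso.com` and the share path `\\fs01\finance` are placeholder assumptions; substitute your own. The script only reads from the directory and the share.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): post-deployment checks for an Azure AD
# Domain Services managed domain. Run from a Windows VM joined to the managed domain.
# The domain name, LDAPS host name and share path below are placeholder assumptions.
param(
    [string]$Domain    = 'contoso.com',      # managed domain DNS name (assumption)
    [string]$LdapsHost = "ldaps.$Domain",    # name clients use for secure LDAP (assumption)
    [string]$SharePath = '\\fs01\finance'    # lift-and-shifted share to audit (assumption)
)

# 1. DC locator: the SRV record that domain join and Kerberos depend on. If this fails,
#    the VM's virtual network is not pointed at the managed domain's DNS servers.
function Test-DcLocator {
    param([string]$DomainName)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority
}

# 2. Secure LDAP: confirm the listener answers and inspect the certificate it presents.
#    The callback accepts any certificate so the handshake completes; chain trust and
#    name matching are then reported explicitly instead of surfacing as an exception.
function Test-SecureLdap {
    param([string]$HostName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        [pscustomobject]@{
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            ChainTrusted = $cert.Verify()                      # chains to a CA this VM trusts?
            NameMatches  = ($dnsName -eq $HostName) -or        # exact or wildcard (*.contoso.com) match
                           ($dnsName.StartsWith('*.') -and ($HostName -like $dnsName))
        }
    } finally {
        $client.Close()
    }
}

# 3. Groups synced from Azure AD should carry a real sAMAccountName, not a GUID (the
#    preview-era bug fixed above). Anything returned here deserves a closer look.
#    A successful query also proves Kerberos authentication to the managed domain works.
function Get-GroupsWithGuidName {
    param([string]$Server)
    $guid = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
    Get-ADGroup -Server $Server -Filter * |
        Where-Object { $_.SamAccountName -match $guid } |
        Select-Object Name, SamAccountName
}

# 4. ACL audit for a lift-and-shifted share: every domain ACE must resolve to a principal
#    in the managed domain either by objectSid or, for on-premises SIDs, by sIDHistory.
#    ACEs matching neither will stop working once the on-premises domain is unreachable.
function Get-UnmappedAces {
    param([string]$Path, [string]$Server)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -notmatch '^S-1-5-21-') { continue }        # skip BUILTIN, Everyone, SYSTEM, etc.
        $match = Get-ADObject -Server $Server -LDAPFilter "(|(objectSid=$sid)(sIDHistory=$sid))"
        if (-not $match) {
            [pscustomobject]@{
                Sid    = $sid
                Rights = $ace.FileSystemRights
                Type   = $ace.AccessControlType
            }
        }
    }
}

# Run the checks and report. Nothing in the directory or on the share is modified.
Test-DcLocator -DomainName $Domain | Format-Table -AutoSize
Test-SecureLdap -HostName $LdapsHost | Format-List
$guidGroups = @(Get-GroupsWithGuidName -Server $Domain)
"Groups still named by GUID: $($guidGroups.Count)"
$unmapped = @(Get-UnmappedAces -Path $SharePath -Server $Domain)
"ACEs on $SharePath not covered by objectSid or sIDHistory: $($unmapped.Count)"
$unmapped | Format-Table -AutoSize
```

If `Test-SecureLdap` reports `NameMatches` as false, LDAPS clients that validate the server name will refuse to bind even though the port is open; the certificate's DNS name has to match the name clients use (a wildcard certificate for the managed domain covers `ldaps.contoso.com`). The ACL audit deliberately ignores well-known and built-in SIDs because those are not domain principals and are never subject to sIDHistory.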
To help you get started, we have created a planning guide to help you design and plan your deployment of Azure AD Domain services. This guide includes:
- Networking considerations for AAD Domain Services
- Understanding synchronization in managed domains
- Deciding when to DIY: This document helps you compare a managed domain to a do-it-yourself (DIY) AD domain running on Azure virtual machines.
What can I do with Azure AD Domain Services?
You can use Azure AD Domain Services to lift-and-shift many on-premises applications to Azure. For more information, see this list of canonical deployment scenarios and use-cases.
It’s easy to get started with Azure AD Domain Services. Here are a few pointers to information that helps you kick the tires.
- If you don’t have an Azure subscription, get an Azure trial.
- Learn more about Azure AD Domain Services.
- Watch a recording of my Ignite session [BRK3252] on YouTube.
- Get started – create your Azure AD Domain Services managed domain.
- Contact us to share your feedback or for help with your deployment.
A sneak peek – what’s on the way?
We are already working on enhancements to the service based on your feedback. Some of the upcoming features and updates include:
- Support for Azure Resource Manager including the ability to enable the service in Resource Manager based virtual networks.
- A new management UI experience in the modern Azure portal (portal.azure.com).
We’re thrilled about the opportunity to evolve Azure AD Domain Services based on your feedback. We’d love for you to try out the service, deploy your workloads in production and share your feedback with us.
Principal Program Manager
Microsoft Identity Division