Saturday, November 29, 2025

Microsoft Entra Domain Services: Deploy, Join a VM, and Use Classic AD Tools


Microsoft Entra Domain Services (Entra DS) provides you with the functionality of managed domain controllers in Azure. This lets you domain-join Windows Server VMs, use Group Policy, and manage DNS on a specially prepared vNet subnet without deploying and patching your own DC VMs.

This post walks through:

             Preparing your virtual network

             Deploying Entra DS

             Configuring DNS

             Joining a Windows Server VM to the managed domain

             Using AD DS and Windows Server DNS tools from that VM

 

Before you start, you need:

             An Azure subscription.

             A Microsoft Entra tenant with a custom DNS domain verified (for example, zava.assist). Entra DS uses this custom domain as the managed domain name.

             Permission to create resource groups, VNets, and Entra DS.

             Permission to manage Entra groups in the tenant (add administrators/configure RBAC).

Start by preparing the virtual network:

1.          Create a new resource group in your chosen region to hold all Entra DS resources and VMs.

2.          Create a virtual network (for example, zava-entra-dsvn) in that resource group with an address space such as 172.16.0.0/16, or a range that fits your environment.

3.          Add a subnet dedicated to the Entra DS domain controllers (for example, zavaentra-dc). This subnet will host the managed domain controller resources created by Entra DS; you won't actually deploy VMs there.

Important: Keep this DC subnet separate from your workload subnets. You can use NSGs, but avoid blocking Entra DS management traffic. Entra DS needs inbound TCP 443 (synchronization) and TCP 5986 (PowerShell remoting) from the AzureActiveDirectoryDomainServices service tag to manage the domain controllers; an NSG that drops these leaves the managed domain unhealthy.

4.          In the same virtual network, create a second subnet (for example, zava-domain-vms) for domain-joined workloads such as IIS VMs. This is the subnet where you'll deploy the Windows Server VM that joins the Entra DS domain.
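The network preparation above as Az PowerShell, as an added example that is not code from the original post. Names and address ranges follow the post's examples where it gives them; the resource group name and region are assumptions, and the two NSG rules are the inbound rules Entra DS requires for its own management traffic.

```powershell
# Added example, not code from the original post: create the resource group, VNet,
# DC subnet and workload subnet described above with the Az PowerShell module.
# The resource group name and region are assumed. Run after Connect-AzAccount.
$rg        = 'zava-entra-ds-rg'   # assumed name
$location  = 'eastus'             # assumed region; must match the Entra DS deployment
$vnetName  = 'zava-entra-dsvn'
$dcSubnet  = 'zavaentra-dc'
$vmSubnet  = 'zava-domain-vms'

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# NSG for the DC subnet. Entra DS manages the DCs over TCP 443 (sync) and TCP 5986
# (PowerShell remoting) from the AzureActiveDirectoryDomainServices service tag;
# an NSG that drops these breaks the managed domain, so allow them explicitly.
$nsg = New-AzNetworkSecurityGroup -Name "$dcSubnet-nsg" -ResourceGroupName $rg -Location $location
$rules = @(
    @{ Name = 'AllowSyncWithAzureAD'; Priority = 101; Port = 443  }
    @{ Name = 'AllowPSRemoting';      Priority = 301; Port = 5986 }
)
foreach ($r in $rules) {
    $nsg | Add-AzNetworkSecurityRuleConfig -Name $r.Name -Priority $r.Priority -Direction Inbound -Access Allow `
        -Protocol Tcp -SourceAddressPrefix 'AzureActiveDirectoryDomainServices' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange $r.Port | Out-Null
}
$nsg = $nsg | Set-AzNetworkSecurityGroup

# Two subnets: the DC subnet carries the NSG; the workload subnet is where the IIS VM goes.
$dcCfg = New-AzVirtualNetworkSubnetConfig -Name $dcSubnet -AddressPrefix '172.16.0.0/24' -NetworkSecurityGroupId $nsg.Id
$vmCfg = New-AzVirtualNetworkSubnetConfig -Name $vmSubnet -AddressPrefix '172.16.1.0/24'
$vnet  = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
             -AddressPrefix '172.16.0.0/16' -Subnet $dcCfg, $vmCfg

$vnet.Subnets | Select-Object Name, AddressPrefix
```

Keeping the DC subnet small (a /24 is plenty; Entra DS uses two addresses) and separate from workload subnets means the workload NSGs never need to know about the management ports at all.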

In the Azure portal, create a new Microsoft Entra Domain Services managed domain by performing the following steps:

1.          Select the resource group you created earlier.

2.          Confirm the DNS domain name (for example, zava.assist). This comes from your Entra tenant's custom domain.

3.          Choose the region (the same region as the virtual network).

4.          Keep the default Enterprise SKU unless you have a specific need for another.

5.          On the Networking page:

·       Select the virtual network you created.

·       Select the DC subnet for the managed domain controllers.

6.          On the Administration page, note the AAD DC Administrators group (the legacy name is still shown in the portal). Any user you add to this group in Entra is granted delegated administrative rights on the managed domain: creating custom OUs, managing Group Policy, administering DNS, and joining computers. Members are not made Domain Admins or Enterprise Admins; Microsoft retains those built-in groups on the managed domain controllers. AAD DC Administrators is therefore the highest privilege you can hold in the managed domain, so keep its membership small.

7.          Configure the synchronization scope between Entra and Entra DS.

·       All accounts (default) – synchronizes both cloud-only and synchronized users.

·       Cloud-only accounts – useful when you're already syncing on-prem identities and you only want specific cloud accounts in Entra DS.

8.          Review the Security settings page. By default:

·       NTLM v1 authentication is disabled.

·       You can enable or disable NTLM password sync, or effectively disable NTLM entirely.

·       Kerberos RC4 encryption is disabled.

·       Kerberos armoring is enabled.

·       LDAP signing and LDAP channel binding are enabled.

9.          Review your configuration and create the Entra DS managed domain. Note that after deployment, you cannot change:

             The managed domain DNS name

             Subscription

             Resource group

             Virtual network and subnet used by Entra DS

After deployment, verify health and DNS:

1.          Once deployment completes, open the Entra DS resource and go to View health.

2.          Run the health checks. If the diagnostic reports that the virtual network's DNS servers are not set to the Entra DS managed DC IPs, select Fix to automatically configure the VNet's DNS servers.

·       In Entra DS, note the DNS server IPs (for example, 172.16.0.4 and 172.16.0.5).

·       In the virtual network's DNS settings, confirm these IPs are configured as custom DNS servers.

Tip: Any VM in this virtual network that needs to join the managed domain must use these Entra DS DNS addresses. VMs that were already running when the VNet's DNS servers changed keep the old servers until they are restarted (or renew their DHCP lease), so restart them before attempting a domain join.
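The same DNS check and fix scripted with Az PowerShell, as an added example that is not code from the original post. It reads the DC addresses from the managed domain resource and only updates the VNet when they differ; the resource names are assumptions and the fallback IPs are the post's example addresses.

```powershell
# Added example, not code from the original post: point the VNet's custom DNS at the
# managed domain controllers and confirm it. Resource names are assumed; the fallback
# IPs are the post's example addresses. Requires the Az module and Connect-AzAccount.
$rg       = 'zava-entra-ds-rg'        # assumed resource group name
$vnetName = 'zava-entra-dsvn'
$dcIps    = @('172.16.0.4', '172.16.0.5')

# Prefer the addresses reported by the managed domain resource itself.
$aadds = Get-AzResource -ResourceGroupName $rg -ResourceType 'Microsoft.AAD/DomainServices' -ExpandProperties |
         Select-Object -First 1
if ($aadds.Properties.domainControllerIpAddress) {
    $dcIps = @($aadds.Properties.domainControllerIpAddress)
}

$vnet    = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$current = @($vnet.DhcpOptions.DnsServers)

# Update only if the set of servers differs (order does not matter).
$needsUpdate = ($current.Count -ne $dcIps.Count) -or ($dcIps | Where-Object { $_ -notin $current })

if ($needsUpdate) {
    if (-not $vnet.DhcpOptions) {
        $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
    }
    $vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$dcIps
    $vnet | Set-AzVirtualNetwork | Out-Null
    Write-Host "VNet DNS set to $($dcIps -join ', '). Restart VMs that were already running so they pick up the change."
} else {
    Write-Host "VNet DNS already points at the managed DCs: $($dcIps -join ', ')"
}
```

This is what the portal's Fix button does for you; scripting it is useful when the VNet is managed by pipeline and a later template deployment silently resets the custom DNS servers.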

Add administrators for the managed domain:

1.          In the Entra admin center, go to Groups > All groups and find AAD DC Administrators.

2.          Open the group and add your primary admin account (for example, prime@zava.assist) and a dedicated domain admin-style account (for example, provides.prime@zava.assist) to be the primary administrator for the managed domain.

Important note: You need to change the password of any Entra account you want to use in the managed AD DS domain after deploying Entra DS. A password change generates the legacy (NTLM and Kerberos) password hashes that Entra DS needs and starts synchronizing them from Entra to Entra DS, allowing you to sign in with the Entra account. If you don't change the password, you'll be unable to use the account with Entra DS even though it will work normally in other parts of Azure. This trips a lot of people up. The same applies to accounts synchronized from on-premises AD, except that for them the fix is to enable synchronization of legacy password hashes in Microsoft Entra Connect rather than a per-user password change.
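A quick way to find the accounts this note is about, as an added example that is not code from the original post: it lists the members of AAD DC Administrators and flags those whose last password change predates the Entra DS deployment. It uses the Microsoft Graph PowerShell module; the deployment timestamp is an assumption you replace with your own.

```powershell
# Added example, not code from the original post: list members of AAD DC Administrators
# whose password was last changed before the managed domain was deployed. Those accounts
# have no legacy password hashes in Entra DS yet, so their sign-ins to the managed domain
# fail until the password is changed. Requires the Microsoft.Graph module and
# Connect-MgGraph -Scopes 'Group.Read.All','User.Read.All'. The deployment time is assumed.
$deployedAt = [datetime]::Parse('2025-11-29T00:00:00Z').ToUniversalTime()   # assumed: when Entra DS was created

$group   = Get-MgGroup -Filter "displayName eq 'AAD DC Administrators'" | Select-Object -First 1
$members = Get-MgGroupMember -GroupId $group.Id -All

foreach ($m in $members) {
    # Members may include nested groups; only user objects have a password to check.
    $u = Get-MgUser -UserId $m.Id -Property 'userPrincipalName,lastPasswordChangeDateTime' -ErrorAction SilentlyContinue
    if (-not $u) { continue }

    $changed = $u.LastPasswordChangeDateTime
    [pscustomobject]@{
        UPN                = $u.UserPrincipalName
        LastPasswordChange = $changed
        UsableInEntraDS    = [bool]($changed -and $changed.ToUniversalTime() -gt $deployedAt)
    }
}
```

A password changed after deployment is the precondition, not a guarantee: the hash still has to synchronize, which can take several minutes, so allow for that before concluding a sign-in failure is something else.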

Next, create the Windows Server VM that will join the domain:

1.          In the Azure portal, create a new Windows Server VM (for example, an IIS server):

1.          Place it in the same resource group.

2.          Select the virtual network you created earlier.

3.          Attach it to the workload subnet (for example, zava-domain-vms).

4.          Configure a local administrator account (for example, username prime with a strong password).

2.          On the Management blade, note the option "Login with Microsoft Entra ID":

1.          This enables direct Entra login to the VM but doesn't join the VM to the Entra DS domain.

2.          For this walkthrough, you'll join the VM to Entra DS using a classic domain join, so you don't need to enable this option.

3.          Complete the wizard and deploy the VM.

Connect to the VM and check its DNS configuration:

1.          Once the VM is deployed, open the VM in the portal and select Connect > RDP.

1.          Request a JIT RDP port opening if required.

2.          Download the RDP file and open it with Remote Desktop Connection.

2.          Sign in with the local administrator account you configured when deploying the VM, not your Entra account.

3.          In the VM, open a command prompt and run:

ipconfig /all

1.          Confirm that the DNS servers are the Entra DS managed IPs (for example, 172.16.0.4 and 172.16.0.5).

If DNS is wrong: Double-check the VNet's DNS settings and make sure the VM is attached to the correct virtual network and subnet, then restart the VM so it picks up the new DNS servers.

Join the VM to the managed domain:

1.          On the VM, open Server Manager and select Local Server.

2.          Next to Workgroup, select the workgroup name to open System Properties (Computer Name tab).

3.          Select Change… and then:

·       Under Member of, select Domain.

·       Enter the Entra DS domain name (for example, zava.assist).

4.          When prompted for credentials, use an account that's a member of AAD DC Administrators, such as provides.prime@zava.assist, and enter the password.

5.          When you receive the confirmation that the computer has joined the domain, restart the VM.
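The DNS check and the domain join above, done from PowerShell on the VM, as an added example that is not code from the original post. It goes one step further than ipconfig: before joining, it also confirms that the domain's DC locator (SRV) records resolve, which is what the join actually depends on. The domain name, DC IPs and admin UPN are the post's examples.

```powershell
# Added example, not code from the original post. Run on the Windows Server VM as the
# local administrator. Verifies that the VM's DNS servers are the managed DCs and that the
# domain's DC locator records resolve before attempting the join, then performs the join.
$domain   = 'zava.assist'
$expected = @('172.16.0.4', '172.16.0.5')   # the post's example DC IPs

function Test-EntraDsDns {
    param([string]$Domain, [string[]]$ExpectedDns)

    # All IPv4 DNS servers configured on any adapter.
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
           Where-Object { $_.ServerAddresses } |
           Select-Object -ExpandProperty ServerAddresses -Unique

    $missing = $ExpectedDns | Where-Object { $_ -notin $dns }
    if ($missing) {
        Write-Warning "VM DNS is $($dns -join ', '); expected $($ExpectedDns -join ', '). Fix the VNet DNS and restart the VM."
        return $false
    }

    # The join locates a DC through this SRV record; if it does not resolve, the join will fail
    # with "domain could not be contacted" regardless of credentials.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
        Write-Host "Domain controllers advertised for $Domain`: $($srv.NameTarget -join ', ')"
        return $true
    } catch {
        Write-Warning "Could not resolve DC locator records for $Domain`: $_"
        return $false
    }
}

if (Test-EntraDsDns -Domain $domain -ExpectedDns $expected) {
    # Credentials of an AAD DC Administrators member whose password was changed after deployment.
    $cred = Get-Credential -UserName 'provides.prime@zava.assist' -Message 'Entra DS domain join'
    Add-Computer -DomainName $domain -Credential $cred -Restart -Force
}
```

If the SRV lookup works but the join still fails with an access or credential error, the usual cause is the password-sync issue noted earlier rather than networking.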

Sign in with a domain account:

1.          After the VM restarts, reconnect via RDP using the VM's public IP and:

·       Username: your domain UPN (for example, provides.prime@zava.assist).

·       Password: the account's password.

2.          Confirm that you're signed in as a domain user in the Entra DS managed domain.

Now use the classic AD tools from the VM:

1.          Install and open Active Directory Users and Computers (RSAT) on the VM.

·       Browse the managed domain structure.

·       Explore the built-in containers AADDC Computers and AADDC Users. The users and groups in AADDC Users, including AAD DC Administrators, are synchronized from Entra and are read-only here; create anything new in your own OUs.

2.          Create an organizational unit (OU), for example IIS Servers, to contain IIS VMs.

3.          Open Group Policy Management and:

·       Create a Group Policy Object targeting the IIS Servers OU.

·       Link it and configure settings as required (hardening, IIS config, and so on).

4.          Open the DNS Manager console on the VM, which now connects to the Entra DS managed DNS servers.

5.          Create a new Host (A) record, for example:

·       Name: iis3

·       FQDN: iis3.zava.assist

·       IP address: the appropriate internal address.

6.          Open a command prompt and verify DNS resolution with:

nslookup iis3.zava.assist

             Confirm it returns the correct IP address.
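The OU, GPO and DNS steps above as PowerShell on the domain-joined VM, as an added example that is not code from the original post. Names follow the post; the GPO name, the IIS server's address and the single hardening setting (disabling the SMBv1 server) are assumptions chosen to show a GPO doing real work. dnscmd is used for the record because it speaks the same RPC interface the DNS Manager console uses.

```powershell
# Added example, not code from the original post: the OU, GPO and DNS steps as
# PowerShell, run on the domain-joined VM as a member of AAD DC Administrators.
# Needs RSAT: Install-WindowsFeature RSAT-AD-PowerShell, GPMC, RSAT-DNS-Server.
# Names follow the post; the GPO name and the IIS server's address are assumed.
Import-Module ActiveDirectory, GroupPolicy

$domain   = 'zava.assist'
$ouName   = 'IIS Servers'
$gpoName  = 'IIS Servers Baseline'   # assumed
$hostName = 'iis3'
$hostIp   = '172.16.1.13'            # assumed address in the zava-domain-vms subnet

$domainDn = (Get-ADDomain).DistinguishedName       # e.g. DC=zava,DC=assist
$ouDn     = "OU=$ouName,$domainDn"

# 1. Custom OU at the domain root (AADDC Users/Computers are read-only; use your own OU).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. GPO linked to the OU, with one hardening setting as a starting point: disable the SMBv1 server.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
if (-not ((Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
    -ValueName 'SMB1' -Type DWord -Value 0 | Out-Null

# 3. Host (A) record on the managed DNS. dnscmd uses the same RPC interface as the DNS
#    Manager console, which the post shows working against the managed DCs.
$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
dnscmd $dc /RecordAdd $domain $hostName A $hostIp | Out-Null

# 4. Verify with a fresh lookup (the equivalent of the post's nslookup).
Clear-DnsClientCache
Resolve-DnsName -Name "$hostName.$domain" -Type A | Select-Object Name, IPAddress
```

Move the IIS computer objects from AADDC Computers into the new OU once they have joined; the GPO only applies to computers under the OU it is linked to.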

Entra DS gives you familiar AD capabilities (domain join, Group Policy, and DNS) without the overhead of running and maintaining your own DC VMs in Azure.

You can find out more at: https://learn.microsoft.com/en-us/entra/identity/domain-services/overview
