Tuesday, March 21, 2017

Get hands-on with Azure Active Directory Domain Services (AD DS)

Objective

The objectives of this lab are to:
  • Better understand the features and capabilities of Azure AD Domain Services
  • Review the look and feel of the Azure AD Domain Services related controls in Azure Portal
  • Draw comparisons between the Windows Active Directory and Azure AD Domain Services features

Scenario

A key aspect of migrating on-premises applications to Azure is handling the identity needs of these applications. Directory-aware applications may rely on LDAP for read or write access to the corporate directory or rely on Windows Integrated Authentication (Kerberos or NTLM authentication) to authenticate end-users. Line of business applications running on Windows Server are typically deployed on domain joined machines, so they can be managed securely using Group Policy. In order to 'lift-and-shift' on-premises applications to the cloud, these dependencies on the corporate identity infrastructure need to be resolved.
Azure AD Domain Services provide managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication etc. that are fully compatible with Windows Server Active Directory. Azure AD Domain Services enable you to consume these domain services, without the need for you to deploy, manage and patch domain controllers in the cloud. In this lab we will see how some of these identity and authentication related requirements can be met using Azure AD Domain Services.

Estimated time to complete this lab:  60 minutes

Virtual Machines

  1. TR23-DC

Exercise 1 : Set up your Azure Account

In this exercise you will:
  • Set up your Azure Account

Scenario:  To perform this lab, you must have an Azure account set up that you can modify.  To set up this account, use the promotional code visible in the Content tab of the lab interface.  This exercise will walk you through the steps for redeeming the code.

Note:  If you already have an Azure subscription (MSDN/Internal) that you can use for this hands-on lab, you can skip this exercise.
  1. Obtain Microsoft Account
    You will need a Microsoft account (@outlook.com or @live.com, etc).  This account must NOT have an Azure subscription associated with it.  If you do not have an appropriate Microsoft account, please acquire one before continuing this lab. You can obtain an account from the following site:  http://www.microsoft.com/en-us/account.
  2. Open Site (Azure Pass)
    Open the Edge or IE browser, and navigate to http://microsoftazurepass.com.
  3. Submit Promo Code
    Choose from the country drop-down “United States”.  Enter the promotional code (given to you in the lab Content tab) in the Promo Code field.  Click on the Submit button.
  4. Complete Account Request
    Click on the Sign in button to enter your MSA account (@outlook.com/@live.com etc.) Follow any additional instructions to complete the process.
Congratulations!

You have successfully:
  • Set up your Azure Account

Click Continue to advance to the next exercise.

Exercise 2 : Enabling the Azure AD Domain Services in an Azure AD Tenant

In this exercise you will:
  • Enable the Azure AD Domain Services in an Azure AD tenant

Scenario:  In this section, we will create a new Azure Active Directory and subsequently enable Domain Services. As a pre-requisite to the step, we will also create a security group called “AAD DC Administrators”. A VNET with the name ‘ADDSVNET’ is already created; the Domain Services should be connected to this virtual network.
  1. Open Azure Classic Portal
    Navigate to the Azure classic portal:   https://manage.windowsazure.com.
  2. Login to Azure
    Login to the Azure tenant using the credentials you established in Exercise 1.
  3. Create a new virtual network
    On the left panel, select Networks, then click +NEW. In Network Services, Virtual Network, click Quick Create
  4. Complete the configuration of network
    Name the new network ADDSVNET1 and then use all defaults to complete the creation.
  5. Navigate to Active Directory Node
    Select the ACTIVE DIRECTORY node on the left pane.
  6. Create New Active Directory Service
    Click on NEW at the left lower corner of the page and select APP SERVICES >> ACTIVE DIRECTORY >> DIRECTORY >> CUSTOM CREATE to create new Active Directory Service.
  7. Configure Active Directory
    Provide a Directory Name and Domain Name of the form ‘MicrosoftAliasmmdd’ (e.g., saroberts072).  Use a name that is unique in Azure.  Enter a Country or Region and then click the checkmark.
  8. Select New Directory
    To create an Azure AD Group and User, select the newly created Azure AD Tenant Directory for which you would like to create Azure AD Group and User. 
  9. Add User
    Click on USERS → ADD USER and enter the information as shown in the Alert icon and screenshot.  Click right arrow.
    • Type Of User - 'New user in your organization'
    • User Name - ‘SRVADMIN’
  10. Add User - User Profile
    On the second page of the Add User user profile enter the information as shown in the Alert icon and screenshot.  Click right arrow.
    • First Name - ‘SRV’;
    • Last Name - ‘ADMIN’
    • Display Name - ‘SRVADMIN’
    • ROLE - ‘Global Admin’
    • Alternate Email Address - ‘Type your Microsoft email ID’
  11. Create User
    Click on create to create the user.
  12. Note Temporary Password
    Note the Temporary Password for future reference and click checkmark.
  13. Add Group
    Click on GROUPS → ADD GROUP → Name ‘AAD DC Administrators’ → GROUP TYPE Security → click the checkmark to create the Group.
  14. Navigate to New Group
    Once the AAD DC Administrators Group has been created, click on it to open the page where you can add members.
  15. Add Member to Group
    Click on ADD MEMBERS and add SRVADMIN as the member of ‘AAD DC Administrators’ group. Click checkmark.
  16. Change User Password
    You have to change the temporary password first before you can use the account. For changing the password, connect to https://manage.windowsazure.com using In-private browser window and login using the credentials. You should be prompted to change the password.  You will see a screen stating that no subscriptions have been found.  This is expected behavior.
  17. Navigate to New Azure AD Directory
    To enable Domain Services for newly created Azure AD, in the Windows Azure portal navigate to the ACTIVE DIRECTORY node and select the newly created Azure AD Tenant Directory for which you would like to enable Azure AD Domain Services.
  18. Select Configure Tab
    Click on the CONFIGURE tab.
  19. Enable Domain Services
    Scroll down to a section titled domain services.  Toggle the option titled ENABLE DOMAIN SERVICES FOR THIS DIRECTORY to YES.   Keep the default DNS domain name of domain services.  Select the virtual network “ADDSVNET1” in CONNECT DOMAIN SERVICES TO THIS VIRTUAL NETWORK.  Click SAVE.
  20. Note IP Addresses
    Note down / copy the IP Address of the Domain Controller.  Note: It can take up to 20 minutes to enable the Domain Services and display the Domain Controller IP address.  At this time, you could jump to "Sync Objects from On-Premises Active Directory using AAD Connect" and come back later to complete the next step.
  21. Navigate to Networks Node
    To configure the Network with the DNS Servers IP Addresses, select the NETWORKS node on the left pane.
  22. Select Network
    In the VIRTUAL NETWORKS tab, select the virtual network in which you enabled Azure AD Domain Services to view its properties.
  23. Select Configure Tab
    Click on the CONFIGURE tab.
  24. Configure DNS IP Addresses
    In the dns servers section, enter the IP addresses of Azure AD Domain Services, as shown in the screenshot.  Ensure that you enter the IP address that was displayed in the Domain Services section on the CONFIGURE tab of your directory.  Click SAVE on the task pane at the bottom of the page in order to save the DNS server settings for this virtual network.  Click YES to confirm.
Congratulations!

You have successfully:
  • Enabled the Azure AD Domain Services in an Azure AD tenant

Click Continue to advance to the next exercise.

Exercise 3 : Sync Objects from On-premises Active Directory using AAD Connect

In this exercise you will:
  • Sync objects from On-premises Active Directory using AAD Connect

Scenario:  In this exercise we will create a new user account in the on-premises Active Directory domain (contoso.com), install the AAD Connect tool and sync the newly created user account to our Azure Active Directory.
  1. Launch AD Users and Computers
    To create a new User Account in on-premises Active Directory, launch AD Users and Computers on the Server TR23-DC.
  2. Create New User Account
    Create a new user account in the Users container.   For e.g., First Name:  Larry, Last Name:  Tusaud, Username:   LarryT, Password: P@ssw0rd, Password Never Expires.  Click Next then Finish.
  3. Launch AADConnect Setup
    To install the AAD Connect tool on the TR23-DC server, navigate to C:\AADConnect and double-click on AzureADConnect.msi.  Click Run.
  4. Advance Wizard
    On the Welcome screen, select the box agreeing to the licensing terms and click Continue.
  5. Use Express Settings
    On the Express settings screen, click Use express settings.
  6. Connect to Azure AD
    On the Connect to Azure AD screen, enter the username and password of the user which we created earlier in Exercise 2 (SRVAdmin).  Click Next.
  7. Connect to AD DS
    On the Connect to AD DS screen, enter the username and password for an Enterprise Admin account (Username: Contoso\labadmin, Password: P@ssw0rd). Click Next.
  8. Azure AD Signin Configuration
    Click Continue without any verified domains and click Next.
  9. Confirm Ready to Configure
    On the Ready to configure screen, select the checkbox Start the synchronization process as soon as configuration completes and click Install.
  10. Complete Wizard
    Click Exit.
  11. Switch to Azure
    Navigate to the Azure classic portal:  https://manage.windowsazure.com.  If necessary, login to the Azure tenant using given credentials (see Azure Credentials section of lab interface Content tab).
  12. Navigate to New Directory
    Select the ACTIVE DIRECTORY node on the left pane.  Select the newly created Azure AD Tenant Directory.
  13. Verify User Sync
    Select USERS and verify that the newly created user account is successfully synced to Azure AD.
Congratulations!

You have successfully:
  • Synced objects from On-premises Active Directory using AAD Connect

Click Continue to advance to the next exercise.

Exercise 4 : Create and Join a VM Hosted in an Azure VNET to the Azure AD Domain Services

In this exercise you will:
  • Create and Join a VM hosted in an Azure VNET to the Azure AD Domain Services

Scenario:   In this exercise we will create a new Windows Server 2012 R2 virtual machine from Azure Gallery and join the machine to Azure AD Domain Services. We will also use this machine for the subsequent exercise, for which we need to install the Active Directory management tools on the server.
  1. Create New VM
    To create a Windows Server 2012 R2 Virtual Machine from Azure Gallery, go to https://manage.windowsazure.com Portal, click on the VIRTUAL MACHINES node on the left pane, then click CREATE A VIRTUAL MACHINE > NEW > COMPUTE > VIRTUAL MACHINE > FROM GALLERY.
  2. Select Image
    Choose Windows Server 2012 R2 Datacenter image and click right arrow.
  3. Virtual Machine Configuration (Name/Credentials)
    Give a unique name to the virtual machine.  For e.g., you can use <your_alias>SRV01.  Enter a username and password that will be used to login to the machine (for e.g., you can use  Username: LocalAdmin, Password:  P@ssw0rd!1).  Click right arrow.
  4. Virtual Machine Configuration (VNET)
    Choose the VNET called “ADDSVNET1” from the drop down menu under Region/Virtual Network.  Click right arrow.
  5. Complete Wizard
    Click checkmark to create the virtual machine.  Note:  This process could take up to 5 mins.
  6. Login to New VM
    Login to the virtual machine SRV01 using the following credentials:  User Name: LocalADMIN, Password:  P@ssw0rd!1.  If you do not know how to do this, see the Knowledge icon.
    In the Azure Portal navigate to the Virtual Machines node and select the new VM.  On the Dashboard tab, click Connect, click Save As and save the .rdp file to the desktop.  Navigate to the desktop and double-click the .rdp file.  Click Connect and enter the credentials to log in.  Click Yes.
  7. Join VM to Azure AD Domain Services
    From the Start Screen, open Server Manager and navigate to Local Server.  Click on WORKGROUP and click Change.  Select Domain under the Member of section and type in your respective Azure AD Domain.  Click OK.  When prompted, provide the domain user credentials.   Note: This user must be a member of the “AAD DC Administrators” group.
  8. Confirm Join
    Click OK twice and click Close.  When prompted to reboot, choose Restart Later.
  9. Allow Remote Connections
    Go to System Properties and click on the Remote tab.  Click Select Users under “Allow Remote Connections to this Computer”.  Select the domain user which is a member of the “AAD DC Administrators” group and click OK three times.  This step will enable the user to connect to the machine over an RDP session in subsequent steps.
    IMPORTANT:  It is important to enable Remote Desktop connections for the domain user for it to be able to connect over RDP.
  10. Connect to VM as Domain User
    If still connected to the VM, log off.  Login to the VM using the domain user credentials.  When prompted, click Yes.
  11. Launch PowerShell (as Admin)
    Launch a PowerShell prompt using Run as administrator.  Enter administrator credentials.
  12. Add RSAT-ADDS-Tools
    Position the cursor in the PowerShell window and then click the Type Text icon to the left of the Done button in the lab interface.  This will auto-type the following command:  Add-WindowsFeature -Name RSAT-ADDS-Tools.  Press Enter.
    Add-WindowsFeature -Name RSAT-ADDS-Tools
  13. Add GPMC
    Position the cursor in the PowerShell window and then click the Type Text icon to the left of the Done button in the lab interface.  This will auto-type the following command:  Add-WindowsFeature -Name GPMC.  Press Enter.
    Add-WindowsFeature -Name GPMC
  14. Close PowerShell
    Close PowerShell.
Congratulations!

You have successfully:
  • Created and Joined a VM hosted in an Azure VNET to the Azure AD Domain Services

Click Continue to advance to the next exercise.
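The same steps as an added PowerShell script (not part of the original lab), run in an elevated prompt on the new VM. It assumes a placeholder AAD DS domain name, that the NetBIOS domain name is the first DNS label, and that the user is a member of “AAD DC Administrators”; it adds a DNS pre-check that catches the most common join failure, a VNET whose DNS servers were not set to the AAD DS addresses in Exercise 2.

```powershell
# Added example, not the lab's own script. Covers Exercise 4 steps 7-13 from one elevated prompt.
param(
    [string]$DomainName  = "<your-tenant>.onmicrosoft.com",   # placeholder: your AAD DS DNS name
    [string]$DomainUser  = "SRVADMIN",                        # member of "AAD DC Administrators"
    [string]$NetbiosName = ($DomainName -split '\.')[0]       # assumption: first DNS label
)

# Steps 12-13 first: the RSAT tools do not depend on domain membership.
Add-WindowsFeature -Name RSAT-ADDS-Tools, GPMC | Out-Null

# Pre-check: a domain join locates a DC via the _ldap._tcp.dc._msdcs SRV record.
# If the VNET DNS servers do not point at the AAD DS IP addresses (Exercise 2, step 24),
# this lookup fails and the join in the GUI fails with "domain could not be contacted".
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    throw "No domain controller found for $DomainName. Check the VNET DNS server settings."
}
Write-Host "Domain controllers advertised by AAD DS:" ($srv.NameTarget -join ', ')

# Step 7: join the machine. Only the password is prompted for.
$cred = Get-Credential -UserName "$DomainName\$DomainUser" -Message "AAD DS domain credentials"
Add-Computer -DomainName $DomainName -Credential $cred -Force

# Step 9: allow the domain user to RDP in. Windows Server 2012 R2 has no
# Add-LocalGroupMember cmdlet, so the classic net.exe command is used.
net localgroup "Remote Desktop Users" "$NetbiosName\$DomainUser" /add

# Step 8 deferred the reboot; do it now so the join takes effect.
Restart-Computer
```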

Exercise 5 : Apply Group Policy Settings to a Machine Joined to Azure AD DS

In this exercise you will:
  • Apply Group Policy settings to a machine joined to Azure AD DS

Scenario:  In this exercise we will browse through the settings in the built-in GPOs, modify a User Policy and apply it to Azure AD domain users. We will need the Group Policy Management Console (GPMC) to complete the steps in this exercise.
  1. Run GPMC
    Right-click Start.  Click Run and type GPMC.msc.  Press Enter or click OK.  This should open the Group Policy Management Console (GPMC).
  2. View Group Policy Objects
    Once you expand “Group Policy Objects”, you should be able to see the Built-in GPOs.  The “AADDC Computers GPO” is linked to the AADDC Computers OU and the “AADDC Users GPO” is linked to the AADDC Users OU.    IMPORTANT:  You will not be able to edit the “Default Domain Controllers Policy” and “Default Domain Policy”, neither will you be able to create a new GPO.
  3. Edit AADDC Users GPO
    Right-click on “AADDC Users GPO” and click EDIT.  This should open the GPO in editable mode within Group Policy Management Editor.  Expand User Configuration to view all the available User specific settings.
  4. Configure Desktop Wallpaper
    To set a desktop wallpaper for all users, expand User Configuration > Policies> Administrative Templates > Desktop > Desktop.  Double-click Desktop Wallpaper in the right-hand pane and select Enable; provide the UNC path to the JPG file and click OK.
    Desktop Wallpaper UNC Path: 

    C:\Windows\Web\Wallpaper\Windows\img0.jpg
  5. Force GPUpdate
    Open a CMD prompt and type GPUpdate /force to update the group policy settings.
  6. Log-off and Log Back In
    Log-off and log back in. You should see brown desktop wallpaper.
Congratulations!

You have successfully:
  • Applied Group Policy settings to a machine joined to Azure AD DS

Click Continue to advance to the next exercise.

Exercise 6 : Run LDAP Query and Test Kerberos Authentication Against Azure AD DS

In this exercise you will:
  • Run LDAP query and test Kerberos Authentication against Azure AD DS

Scenario:  In this exercise we will run some standard Ldap queries and verify that Kerberos tickets are issued to the user and client machine by Azure AD Domain Services.
  1. Launch LDP.exe
    Right Click Start > Run.  Type Ldp.exe and press Enter or click OK.
  2. Connect
    Click Connection > Connect > OK.
  3. Bind
    Click Connection > Bind > OK.
  4. View BaseDN Tree
    Click View > Tree > Select BaseDN (e.g., DC=testadds0206, DC=onmicrosoft, DC=com).  Click OK.
  5. Browse Tree
    Expand the tree in the left-hand pane and browse through the objects.  Close LDP.exe.
  6. Launch PowerShell
    Launch a PowerShell prompt.
  7. View Kerberos Tickets
    Type Klist Tickets and press Enter.   View the list of Kerberos Tickets issued to the user/machine, if any.  Type Dir \\.onmicrosoft.com\Sysvol\ and press Enter.
  8. Force New Ticket
    Type Dir \\.onmicrosoft.com\Sysvol\ and press Enter.
  9. View Kerberos Tickets
    Type Klist Tickets and press Enter.   Now you should see a Kerberos Ticket issued for CIFS access.
Congratulations!

You have successfully:
  • Run LDAP query and test Kerberos Authentication against Azure AD DS

Click Continue to close and finalize this lab.
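The LDAP query and Kerberos check from this exercise as an added PowerShell script (not part of the original lab), run as the domain user on the domain-joined VM. It assumes a placeholder AAD DS domain name and looks up the account synced in Exercise 3 (LarryT); the LDAP bind uses the logged-on user's Kerberos credentials, the same as Connection > Bind with defaults in LDP.exe.

```powershell
# Added example, not the lab's own script. Covers Exercise 6 steps 1-9 non-interactively.
param(
    [string]$DomainName = "<your-tenant>.onmicrosoft.com",   # placeholder: your AAD DS DNS name
    [string]$UserToFind = "LarryT"                           # account synced by AAD Connect
)

# Steps 2-5: read the BaseDN from RootDSE instead of picking it in the LDP tree view,
# then run a standard LDAP search for the synced user below that BaseDN.
$rootDse = [ADSI]"LDAP://$DomainName/RootDSE"
$baseDn  = [string]$rootDse.defaultNamingContext
Write-Host "BaseDN: $baseDn"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$DomainName/$baseDn"
$searcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$UserToFind))"
$null = $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'userPrincipalName', 'memberOf'))
$entry = $searcher.FindOne()
if ($entry) {
    Write-Host "DN:  " $entry.Properties['distinguishedname'][0]
    Write-Host "UPN: " $entry.Properties['userprincipalname'][0]
    # Synced users land in the AADDC Users OU, which is where the AADDC Users GPO applies.
    Write-Host "Groups:" ($entry.Properties['memberof'] -join '; ')
} else {
    Write-Warning "$UserToFind not found under $baseDn; check the AAD Connect sync (Exercise 3)."
}

# Steps 7-9: klist prints one block per cached ticket; the 'Server:' line carries the SPN.
function Get-KerberosTicketSpns {
    (klist tickets) | ForEach-Object {
        if ($_ -match '^\s*Server:\s*(\S+)') { $Matches[1] }
    }
}
$before = @(Get-KerberosTicketSpns)
Get-ChildItem "\\$DomainName\SYSVOL\" | Out-Null        # SMB access to SYSVOL forces a cifs/ ticket
$after  = @(Get-KerberosTicketSpns)

$after | Where-Object { $_ -notin $before } | ForEach-Object { Write-Host "New ticket: $_" }
if ($after -like 'cifs/*') {
    Write-Host "Kerberos CIFS ticket issued by AAD DS."
} else {
    Write-Warning "No cifs/ ticket; the SYSVOL access did not authenticate with Kerberos (NTLM fallback?)."
}
```

If the final warning appears, the usual causes are a stale logon (log off and back in after the domain join) or the share being reached by IP address rather than the domain DNS name.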
