Saturday, November 29, 2025

Microsoft Entra Domain Services: Deploy, Join a VM, and Use Classic AD Tools


Microsoft Entra Domain Services (Entra DS) provides you with the functionality of managed domain controllers in Azure. This lets you domain-join Windows Server VMs, use Group Policy, and manage DNS on a specially prepared vNet subnet without deploying and patching your own DC VMs.

This post walks through:

·       Preparing your virtual network

·       Deploying Entra DS

·       Configuring DNS

·       Joining a Windows Server VM to the managed domain

·       Using AD DS and Windows Server DNS tools from that VM

Prerequisites:

·       An Azure subscription.

·       A Microsoft Entra tenant with a custom DNS domain verified (for example, zava.help). Entra DS uses this custom domain as the managed domain name.

·       Permission to create resource groups, VNets, and Entra DS.

·       Permission to manage Entra groups in the tenant (add administrators/configure RBAC).

Prepare the virtual network:

1.          Create a new resource group in your chosen region to hold all Entra DS resources and VMs.

2.          Create a virtual network (for example, zava-entra-dsvn) in that resource group (for example, address space 172.16.0.0/16, or a range that fits your environment).

3.          Add a subnet dedicated to the Entra DS domain controllers (for example, zavaentra-dc). This subnet will host the managed domain controller resources created by Entra DS; you won't actually deploy VMs there.

Important: Keep this DC subnet separate from your workload subnets. You can use NSGs, but avoid blocking Entra DS management traffic.

4.          In the same virtual network, create a second subnet (for example, zava-domain-vms) for domain-joined workloads such as IIS VMs. This workload subnet is where you'll deploy the Windows Server VM that joins the Entra DS domain.

In the Azure portal, create a new Microsoft Entra Domain Services managed domain by performing the following steps:

1.          Select the resource group you created earlier.

2.          Confirm the DNS domain name (for example, zava.help); this comes from your Entra tenant's custom domain.

3.          Choose the region (the same region as the virtual network).

4.          Keep the default Enterprise SKU unless you have a specific need for another.

5.          On the Networking page:

·       Select the virtual network you created.

·       Select the DC subnet for the managed domain controllers.

6.          On the Administration page, note that the AAD DC Administrators group (legacy name shown in the portal) is effectively the Domain Admins equivalent for the managed domain. Any user you add to this group in Entra becomes a domain admin in Entra DS.

7.          Configure the synchronization scope between Entra and Entra DS:

·       All accounts (default): synchronizes both cloud-only and synchronized users.

·       Cloud-only accounts: useful when you're already syncing on-prem identities and you only want specific cloud accounts in Entra DS.

8.          Review the Security settings page. By default:

·       NTLMv1 is disabled.

·       You can enable or disable NTLM password sync, or effectively disable NTLM entirely.

·       RC4 encryption is disabled.

·       Kerberos armoring is enabled.

·       LDAP signing and LDAP channel binding are enabled.

9.          Review your configuration and create the Entra DS managed domain. Note that after deployment you cannot change:

·       The managed domain DNS name

·       Subscription

·       Resource group

·       Virtual network and subnet used by Entra DS

Configure DNS:

1.          Once deployment completes, open the Entra DS resource and go to View health.

2.          Run the health checks. If the diagnostic reports that the virtual network DNS servers are not set to the Entra DS managed DC IPs, select Fix to automatically configure the VNet's DNS servers.

·       In Entra DS, note the DNS server IPs (for example, 172.16.0.4 and 172.16.0.5).

·       In the virtual network's DNS settings, confirm these IPs are configured as custom DNS servers.

Tip: Any VM on this virtual network that needs to join the managed domain must use these Entra DS DNS addresses.
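The virtual network preparation above and this DNS step, done with Az PowerShell instead of the portal. This is an added example, not code from the original post; the resource group name, region and subnet prefixes are assumptions, and the DNS IPs are the ones Entra DS reports after deployment.

```powershell
# Added example (not from the original post). Requires the Az module and an
# existing Connect-AzAccount session. Assumed values: resource group name,
# region, and the /24 prefixes carved out of the post's 172.16.0.0/16 space.
$rgName   = 'zava-entra-ds-rg'      # assumed resource group name
$location = 'eastus'                # assumed region; must match the Entra DS region
$vnetName = 'zava-entra-dsvn'

New-AzResourceGroup -Name $rgName -Location $location | Out-Null

# Dedicated DC subnet: Entra DS places its managed domain controllers here.
# Keep workloads out of it and do not block its management traffic with an NSG.
$dcSubnet = New-AzVirtualNetworkSubnetConfig -Name 'zavaentra-dc' -AddressPrefix '172.16.0.0/24'
# Workload subnet: domain-joined VMs (for example IIS servers) go here.
$vmSubnet = New-AzVirtualNetworkSubnetConfig -Name 'zava-domain-vms' -AddressPrefix '172.16.1.0/24'

New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgName -Location $location `
    -AddressPrefix '172.16.0.0/16' -Subnet $dcSubnet, $vmSubnet | Out-Null

# Run this part only after the Entra DS deployment has finished and the health
# check has shown the managed DC IPs. It does what the portal's Fix button does:
# it points the VNet's DNS at the managed domain controllers, then reads the
# setting back so the change is confirmed rather than assumed.
function Set-VnetDnsToManagedDc {
    param(
        [string]$ResourceGroupName,
        [string]$VNetName,
        [string[]]$DnsServers
    )
    $v = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
    if ($null -eq $v.DhcpOptions) {
        # A VNet created without custom DNS may carry no DhcpOptions object yet
        # (assumed type name from the Az.Network module).
        $v.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
    }
    $v.DhcpOptions.DnsServers = $DnsServers
    Set-AzVirtualNetwork -VirtualNetwork $v | Out-Null
    (Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName).DhcpOptions.DnsServers
}

Set-VnetDnsToManagedDc -ResourceGroupName $rgName -VNetName $vnetName `
    -DnsServers '172.16.0.4', '172.16.0.5'
```

VMs already running in the VNet pick up the new DNS servers only after a restart, which is why the walkthrough has you check ipconfig /all on the VM.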

Add managed domain administrators:

1.          In the Entra admin center, go to Groups > All groups and locate AAD DC Administrators.

2.          Open the group, add your primary admin account (for example, prime@zava.help), and add a dedicated domain admin-style account (for example, provides.prime@zava.help) to be the primary administrator for the managed domain.

Important note: You need to change the password of any Entra account you want to use in the managed AD DS domain after deploying Entra DS. This configures password synchronization between Entra and Entra DS, allowing you to use the Entra account. If you don't change the password, you'll be unable to use the account with Entra DS even though it will work normally in other parts of Azure. This trips a lot of people up.

Deploy a Windows Server VM:

1.          In the Azure portal, create a new Windows Server VM (for example, an IIS server):

·       Place it in the same resource group.

·       Select the virtual network you created earlier.

·       Attach it to the workload subnet (for example, zava-domain-vms).

·       Configure a local administrator account (for example, username prime with a strong password).

2.          On the Management blade, note the option "Login with Microsoft Entra ID":

·       This enables direct Entra login to the VM but doesn't join the VM to the Entra DS domain.

·       For this walkthrough, you'll join the VM to Entra DS using a classic domain join, so you don't need to enable this option.

3.          Complete the wizard and deploy the VM.

Connect to the VM and check DNS:

1.          Once the VM is deployed, open the VM in the portal and select Connect > RDP.

·       Request a JIT RDP port opening if required.

·       Download the RDP file and open it with Remote Desktop Connection.

2.          Sign in with the local administrator account you configured when deploying the VM, not your Entra account.

3.          In the VM, open a command prompt and run:

ipconfig /all

4.          Confirm that the DNS servers are the Entra DS managed IPs (for example, 172.16.0.4 and 172.16.0.5).

If DNS is wrong: Double-check the VNet's DNS settings and make sure the VM is attached to the correct virtual network and subnet, then restart the VM.

Join the VM to the managed domain:

1.          On the VM, open Server Manager and select Local Server.

2.          Next to Workgroup, select the workgroup name to open System Properties (Computer Name tab).

3.          Select Change... and then:

·       Under Member of, select Domain.

·       Enter the Entra DS domain name (for example, zava.help).

4.          When prompted for credentials, use an account that's a member of AAD DC Administrators, such as provides.prime@zava.help, and enter the password.

5.          When you receive the confirmation that the computer has joined the domain, restart the VM.
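The DNS check and the domain join above as one script, run in an elevated PowerShell session on the VM while still signed in as the local administrator. This is an added example, not code from the original post; it assumes the managed DC IPs and the join account used in the walkthrough, and it refuses to join until the VM's DNS actually points at the managed domain controllers and the domain's DC locator record resolves.

```powershell
# Added example (not from the original post). Checks the things the walkthrough
# has you verify by hand, then performs the classic domain join with Add-Computer.
$domainName   = 'zava.help'
$managedDcIps = @('172.16.0.4', '172.16.0.5')     # from the Entra DS health page
$joinAccount  = 'provides.prime@zava.help'        # member of AAD DC Administrators

function Test-ManagedDomainDns {
    param([string]$Domain, [string[]]$ExpectedDns)

    # 1. Every IPv4 DNS server configured on the VM must be one of the managed DC IPs.
    #    Anything else (for example a leftover Azure-provided resolver) means the
    #    VNet DNS setting did not reach this VM and the join would fail.
    $configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses }
    $unexpected = $configured | Where-Object { $_ -notin $ExpectedDns }
    if (-not $configured -or $unexpected) {
        Write-Warning ("DNS servers are [{0}]; expected only [{1}]. Check the VNet DNS " +
            "settings and the VM's subnet, then restart the VM.") -f
            ($configured -join ', '), ($ExpectedDns -join ', ')
        return $false
    }

    # 2. The domain controller locator record must resolve through those servers;
    #    this is the lookup the join itself relies on.
    try {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.${Domain}" -Type SRV -ErrorAction Stop
    } catch {
        Write-Warning "Could not resolve the DC SRV record for ${Domain}: $_"
        return $false
    }
    $dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
    Write-Host "Domain controllers advertised for ${Domain}: $($dcs -join ', ')"
    return $true
}

if (Test-ManagedDomainDns -Domain $domainName -ExpectedDns $managedDcIps) {
    # Prompt for the password rather than embedding it in the script.
    $cred = Get-Credential -UserName $joinAccount -Message 'Password for the domain join account'
    # Classic domain join; -Restart reboots the VM as the walkthrough requires.
    Add-Computer -DomainName $domainName -Credential $cred -Restart
}
```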

Sign in as a domain user:

1.          After the VM restarts, reconnect via RDP using the VM's public IP and:

·       Username: your domain UPN (for example, provides.prime@zava.help).

·       Password: the account's password.

2.          Confirm that you're signed in as a domain user in the Entra DS managed domain.

Use the AD DS and DNS tools:

1.          Install and open Active Directory Users and Computers (RSAT) on the VM.

·       Browse the managed domain structure.

·       Notice containers such as AADDC Computers and AADDC Users, and groups like Domain Admins that map back to Entra groups.

2.          Create an organizational unit (OU), for example IIS Servers, to contain IIS VMs.

3.          Open Group Policy Management and:

·       Create a Group Policy Object targeting the IIS Servers OU.

·       Link it and configure settings as required (hardening, IIS config, etc.).

4.          Open the DNS Manager console on the VM, which now connects to the Entra DS managed DNS servers.

5.          Create a new Host (A) record, for example:

·       Name: iis3

·       FQDN: iis3.zava.help

·       IP address: the appropriate internal address.

6.          Open a command prompt and verify DNS resolution with:

nslookup iis3.zava.help

Confirm it returns the correct IP address.
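Steps 1 to 6 above done with the RSAT PowerShell modules instead of the consoles, run on the domain-joined VM while signed in as a member of AAD DC Administrators. This is an added example, not code from the original post; the GPO name, the record's IP address and the choice of managed DC to write the record to are assumptions.

```powershell
# Added example (not from the original post). Assumed values: GPO name,
# constructed address 172.16.1.10 for iis3, and 172.16.0.4 as the managed DC
# that the DNS Server cmdlets talk to.
$domainName = 'zava.help'
$domainDn   = 'DC=zava,DC=help'
$ouName     = 'IIS Servers'
$gpoName    = 'IIS Servers Baseline'      # assumed GPO name
$hostName   = 'iis3'
$hostIp     = '172.16.1.10'               # constructed address in the workload subnet
$dnsServer  = '172.16.0.4'                # one of the managed DC IPs

# RSAT components used below: AD module/ADUC, Group Policy Management, DNS Server tools.
Install-WindowsFeature -Name RSAT-AD-PowerShell, RSAT-ADDS-Tools, GPMC, RSAT-DNS-Server | Out-Null
Import-Module ActiveDirectory, GroupPolicy, DnsServer

# Custom OUs live at the domain root; the AADDC Users/Computers containers are managed by Entra DS.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -ErrorAction SilentlyContinue
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn -PassThru
}

# Create the GPO once and link it to the OU; its settings are then edited in GPMC as required.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Domain $domainName }
New-GPLink -Name $gpoName -Target $ou.DistinguishedName -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Host (A) record in the managed zone, written through the DNS Server tools against a managed DC.
Add-DnsServerResourceRecordA -ComputerName $dnsServer -ZoneName $domainName -Name $hostName -IPv4Address $hostIp

# Verify resolution the same way the walkthrough does with nslookup, and fail loudly if it is wrong.
$answer = (Resolve-DnsName -Name "$hostName.$domainName" -Type A -ErrorAction Stop).IPAddress |
    Select-Object -First 1
if ($answer -ne $hostIp) {
    throw "Expected $hostName.$domainName to resolve to $hostIp but got $answer"
}
"$hostName.$domainName resolves to $answer"
```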

Entra DS gives you familiar AD capabilities (domain join, Group Policy, and DNS) without the overhead of running and maintaining your own DC VMs in Azure.

You can find out more at: https://learn.microsoft.com/en-us/entra/identity/domain-services/overview
