Microsoft Entra Domain Services: Deploy, Join a VM, and Use Classic AD Tools


Microsoft Entra Domain Services (Entra DS) provides you with the functionality of managed domain controllers in Azure. This lets you domain-join Windows Server VMs, use Group Policy, and manage DNS on a specially prepared vNet subnet without deploying and patching your own DC VMs.

This post walks through:

·       Preparing your virtual network

·       Deploying Entra DS

·       Configuring DNS

·       Joining a Windows Server VM to the managed domain

·       Using AD DS and Windows Server DNS tools from that VM

Prerequisites:

·       An Azure subscription.

·       A Microsoft Entra tenant with a custom DNS domain verified (for example, zava.help). Entra DS uses this custom domain as the managed domain name.

·       Permission to create resource groups, VNets, and Entra DS.

·       Permission to manage Entra groups in the tenant (add administrators/configure RBAC).

Prepare the virtual network by performing the following steps:

1.          Create a new resource group in your chosen region to hold all Entra DS resources and VMs.

2.          Create a virtual network (for example, zava-entra-dsvn) in that resource group with an address space such as 172.16.0.0/16, or a range that fits your environment.

3.          Add a subnet dedicated to the Entra DS domain controllers (for example, zavaentra-dc). This subnet will host the managed domain controller resources created by Entra DS; you won't actually deploy VMs there.

Important: Keep this DC subnet separate from your workload subnets. You can use NSGs, but avoid blocking Entra DS management traffic.

4.          In the same virtual network, create a second subnet (for example, zava-domain-vms) for domain-joined workloads such as IIS VMs. This subnet is where you'll deploy the Windows Server VM that joins the Entra DS domain.

In the Azure portal, create a new Microsoft Entra Domain Services managed domain by performing the following steps:

1.          Select the resource group you created earlier.

2.          Confirm the DNS domain name (for example, zava.help); this comes from your Entra tenant's custom domain.

3.          Choose the region (the same region as the virtual network).

4.          Keep the default Enterprise SKU unless you have a specific need for another.

5.          On the Networking page:

·       Select the virtual network you created.

·       Select the DC subnet for the managed domain controllers.

6.          On the Administration page, note that the AAD DC Administrators group (legacy name shown in the portal) is effectively the Domain Admins equivalent for the managed domain. Any user you add to this group in Entra becomes a domain admin in Entra DS.

7.          Configure the synchronization scope between Entra and Entra DS:

·       All accounts (default) – synchronizes both cloud-only and synchronized users.

·       Cloud-only accounts – useful when you're already syncing on-prem identities and you only want specific cloud accounts in Entra DS.

8.          Review the Security settings page. By default:

·       NTLMv1 is disabled.

·       You can enable/disable NTLM password sync, or effectively disable NTLM entirely.

·       RC4 encryption is disabled.

·       Kerberos armoring is enabled.

·       LDAP signing and LDAP channel binding are enabled.

9.          Review your configuration and create the Entra DS managed domain. Note that after deployment you can't change:

·       The managed domain DNS name

·       Subscription

·       Resource group

·       Virtual network and subnet used by Entra DS

1.          Once deployment completes, open the Entra DS resource and go to View health.

2.          Run the health checks. If the diagnostic reports that the virtual network's DNS servers are not set to the Entra DS managed DC IPs, select Fix to automatically configure the VNet's DNS servers.

·       In Entra DS, note the DNS server IPs (for example, 172.16.0.4 and 172.16.0.5).

·       In the virtual network's DNS settings, confirm these IPs are configured as custom DNS servers.

Tip: Any VM on this virtual network that needs to join the managed domain must use these Entra DS DNS addresses.
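The virtual network preparation and the DNS step above can be scripted instead of clicked through. The following Az PowerShell script is an added example, not code from the original post or from Microsoft: it assumes the Az.Resources and Az.Network modules are installed and you are already signed in with Connect-AzAccount. The resource group name, region, subnet prefixes and Entra DS DNS addresses are the post's example values or labelled placeholders; substitute the IPs your own deployment reports.

```powershell
# Added example (not from the original post): prepare the VNet and subnets with Az PowerShell,
# then point the VNet at the Entra DS managed DNS servers once the managed domain is deployed.
# Assumptions: Az.Resources and Az.Network are installed; Connect-AzAccount has been run.

$rg       = 'rg-zava-entra-ds'        # placeholder resource group name
$location = 'westeurope'              # placeholder region; must match the Entra DS region
$vnetName = 'zava-entra-dsvn'
$dcSubnet = 'zavaentra-dc'            # hosts only the managed domain controllers
$vmSubnet = 'zava-domain-vms'         # hosts domain-joined workloads such as IIS VMs

# 1. Resource group
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# 2-4. Virtual network with one subnet for Entra DS and a separate one for workloads
$dc = New-AzVirtualNetworkSubnetConfig -Name $dcSubnet -AddressPrefix '172.16.0.0/24'
$vm = New-AzVirtualNetworkSubnetConfig -Name $vmSubnet -AddressPrefix '172.16.1.0/24'
New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix '172.16.0.0/16' -Subnet $dc, $vm | Out-Null

# Deploy Entra DS (portal), selecting $dcSubnet. When it is running, read the managed DC IPs
# from the Entra DS resource and make them the VNet's custom DNS servers.
$entraDsDns = @('172.16.0.4', '172.16.0.5')   # example IPs from the post; use your deployment's values

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$vnet.DhcpOptions.DnsServers = $entraDsDns     # replaces Azure-provided DNS for the whole VNet
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify: the VNet must list exactly the Entra DS addresses, or later domain joins will fail.
$current = (Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg).DhcpOptions.DnsServers
if (Compare-Object -ReferenceObject $entraDsDns -DifferenceObject $current) {
    throw "VNet DNS servers are '$($current -join ', ')'; expected '$($entraDsDns -join ', ')'"
}
"VNet '$vnetName' now resolves through Entra DS DNS: $($current -join ', ')"
```

VMs that were already running on the VNet keep their old DNS servers until they pick up new DHCP options, which is why the post tells you to restart a VM whose ipconfig output still shows the wrong addresses.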

Add administrators for the managed domain:

1.          In the Entra admin center, go to Groups > All groups and find AAD DC Administrators.

2.          Open the group and add your primary admin account (for example, prime@zava.help), and add a dedicated domain admin-style account (for example, provides.prime@zava.help) to be the primary administrator for the managed domain.

Important note: You'll need to change the password of any Entra account you want to use in the managed AD DS domain after deploying Entra DS. This configures password synchronization between Entra and Entra DS, allowing you to use the Entra account. If you don't change the password, you'll be unable to use the account with Entra DS even though it will function normally in other parts of Azure. This trips a lot of people up.

1.          In the Azure portal, create a new Windows Server VM (for example, an IIS server):

    1.          Place it in the same resource group.

    2.          Select the virtual network you created earlier.

    3.          Attach it to the workload subnet (for example, zava-domain-vms).

    4.          Configure a local administrator account (for example, username prime with a strong password).

2.          On the Management blade, note the option "Login with Microsoft Entra ID":

    1.          This enables direct Entra login to the VM but doesn't join the VM to the Entra DS domain.

    2.          For this walkthrough, you'll join the VM to Entra DS using a classic domain join, so you don't need to enable this option.

3.          Complete the wizard and deploy the VM.

1.          Once the VM is deployed, open the VM in the portal and select Connect > RDP.

    1.          Request a JIT RDP port opening if required.

    2.          Download the RDP file and open it with Remote Desktop Connection.

2.          Sign in with the local administrator account you configured when deploying the VM, not your Entra account.

3.          In the VM, open a command prompt and run:

ipconfig /all

    1.          Confirm that the DNS servers are the Entra DS managed IPs (for example, 172.16.0.4 and 172.16.0.5).

If DNS is wrong: Double-check the VNet's DNS settings and make sure the VM is attached to the correct virtual network and subnet, then restart the VM.
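Beyond eyeballing ipconfig /all, a pre-join check can confirm that the VM not only has the right DNS servers but can actually locate and reach the managed domain controllers. This PowerShell script is an added example, not code from the original post; run it on the Windows Server VM before joining. The DNS addresses and domain name are the post's examples and must be adjusted to your deployment.

```powershell
# Added example (not from the original post): pre-domain-join check on the Windows Server VM.
# Assumptions: the IPs and domain are the post's example values; adjust them for your environment.
$expectedDns = @('172.16.0.4', '172.16.0.5')
$domain      = 'zava.help'

# 1. DNS servers the VNet handed to the adapters (what ipconfig /all shows)
$actual = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { $_.ServerAddresses } |
    Select-Object -Unique
$missing = $expectedDns | Where-Object { $_ -notin $actual }
if ($missing) {
    Write-Warning "Adapter DNS is '$($actual -join ', ')'; Entra DS servers missing: $($missing -join ', ')"
    Write-Warning 'Check the VNet DNS settings and the VM subnet, then restart the VM.'
}

# 2. DC locator records: the domain-join client finds the DCs through these SRV records,
#    so if this query fails the join will fail with "domain could not be contacted".
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
$srv | Where-Object { $_.Type -eq 'SRV' } |
    ForEach-Object { "DC locator record: $($_.NameTarget):$($_.Port)" }

# 3. Ports a domain join needs on each managed DC: Kerberos (88) and LDAP (389)
foreach ($dcIp in $expectedDns) {
    foreach ($port in 88, 389) {
        $ok = (Test-NetConnection -ComputerName $dcIp -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0}:{1} reachable = {2}' -f $dcIp, $port, $ok
    }
}
```

If step 1 passes but step 3 fails, the usual cause is an NSG on the DC or workload subnet blocking traffic between the two, which is exactly the situation the "Important" note about NSGs warns against.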

1.          On the VM, open Server Manager and select Local Server.

2.          Next to Workgroup, select the workgroup name to open System Properties (Computer Name tab).

3.          Select Change… and then:

·       Under Member of, select Domain.

·       Enter the Entra DS domain name (for example, zava.help).

4.          When prompted for credentials, use an account that's a member of AAD DC Administrators, such as provides.prime@zava.help, and enter the password.

5.          When you receive the confirmation that the computer has joined the domain, restart the VM.

1.          After the VM restarts, reconnect via RDP using the VM's public IP and:

·       Username: your domain UPN (for example, provides.prime@zava.help).

·       Password: the account's password.

2.          Confirm that you're signed in as a domain user in the Entra DS managed domain.
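The domain join and the post-restart confirmation from the two procedures above can also be done from an elevated PowerShell session on the VM. This is an added example, not code from the original post: it assumes the post's example domain and admin UPN, that the account is a member of AAD DC Administrators, and that its password was changed after Entra DS deployment so its hash has synchronized; the NetBIOS domain name ZAVA shown in a comment is an assumption.

```powershell
# Added example (not from the original post): classic domain join from the VM, then a check
# after the restart that the machine and the signed-in user really belong to the managed domain.
# Assumptions: domain and UPN are the post's examples; run both functions in an elevated session.
$domain   = 'zava.help'
$adminUpn = 'provides.prime@zava.help'

function Join-ManagedDomain {
    # Prompt for the AAD DC Administrators member's password rather than embedding it in a script.
    $cred = Get-Credential -UserName $adminUpn -Message "Password for $adminUpn"
    # -Force skips the confirmation prompt; -Restart reboots immediately, as the post's step 5 requires.
    # Add -OUPath 'OU=IIS Servers,DC=zava,DC=help' to land the computer object in a custom OU that already exists.
    Add-Computer -DomainName $domain -Credential $cred -Force -Restart
}

function Test-ManagedDomainJoin {
    # Run after the restart, signed in with the domain account (UPN as the RDP username).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        Computer      = $cs.Name
        Domain        = $cs.Domain                  # expected: zava.help
        PartOfDomain  = $cs.PartOfDomain            # $true only after a successful join
        SignedInAs    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # e.g. ZAVA\provides.prime (NetBIOS name assumed), not the local account
        SecureChannel = Test-ComputerSecureChannel  # $true when the machine-account trust with a DC is healthy
    }
}

# Usage: Join-ManagedDomain   (before the restart)
#        Test-ManagedDomainJoin   (after the restart)
```

A SignedInAs value that still shows the VM's own name as the domain part means you reconnected with the local administrator account rather than the domain UPN, which is the most common reason the AD tools in the next section refuse to connect.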

1.          Install and open Active Directory Users and Computers (RSAT) on the VM.

·       Browse the managed domain structure.

·       Explore containers such as AADDC Computers and AADDC Users, and groups like Domain Admins that map back to Entra groups.

2.          Create an organizational unit (OU), for example IIS Servers, to contain IIS VMs.

3.          Open Group Policy Management and:

·       Create a Group Policy Object targeting the IIS Servers OU.

·       Link it and configure settings as required (hardening, IIS config, etc.).

4.          Open the DNS Manager console on the VM, which now connects to the Entra DS managed DNS servers.

5.          Create a new Host (A) record, for example:

·       Name: iis3

·       FQDN: iis3.zava.help

·       IP address: the appropriate internal address.

6.          Open a command prompt and verify DNS resolution with:

nslookup iis3.zava.help

·       Confirm it returns the correct IP address.
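The same six steps, scripted with the RSAT PowerShell modules from the domain-joined VM while signed in as an AAD DC Administrators member. This is an added example, not code from the original post: the domain, OU and host names are the post's examples, the GPO name and the IP address for iis3 are constructed placeholders, and the script targets one of the post's example DC addresses explicitly so that every write goes to a managed domain controller.

```powershell
# Added example (not from the original post): RSAT install, custom OU, linked GPO, A record and
# resolution check against the Entra DS managed domain. Run elevated, signed in as a domain admin.
# Assumptions: names are the post's examples or placeholders; $dcServer is an example DC IP from the post.
$domain   = 'zava.help'
$domainDn = 'DC=zava,DC=help'
$dcServer = '172.16.0.4'              # one of the Entra DS managed DCs (example IP from the post)
$ouName   = 'IIS Servers'
$ouDn     = "OU=$ouName,$domainDn"

# 1. RSAT: AD DS tools and PowerShell module, Group Policy Management, DNS Server tools
Install-WindowsFeature -Name RSAT-ADDS-Tools, RSAT-AD-PowerShell, GPMC, RSAT-DNS-Server | Out-Null
Import-Module ActiveDirectory, GroupPolicy, DnsServer

# 2. Custom OU for the IIS VMs, created once and protected against accidental deletion
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -Server $dcServer)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -Server $dcServer -ProtectedFromAccidentalDeletion $true
}

# 3. GPO linked to that OU; the hardening/IIS settings themselves are then edited in the GPMC editor
$gpoName = 'IIS Servers Baseline'     # constructed placeholder GPO name
$gpo = Get-GPO -Name $gpoName -Server $dcServer -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Hardening and IIS configuration' -Server $dcServer
}
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -Server $dcServer -ErrorAction SilentlyContinue | Out-Null

# 4-5. Host (A) record in the managed zone, written directly against the managed DNS server
$hostName = 'iis3'
$hostIp   = '172.16.1.10'             # constructed placeholder; use the IIS VM's real private IP
$existing = Get-DnsServerResourceRecord -ComputerName $dcServer -ZoneName $domain -Name $hostName -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ComputerName $dcServer -ZoneName $domain -Name $hostName -IPv4Address $hostIp
}

# 6. Verify resolution from this VM (the nslookup equivalent)
$answer = Resolve-DnsName -Name "$hostName.$domain" -Type A -ErrorAction Stop
if ($answer.IPAddress -ne $hostIp) {
    throw "$hostName.$domain resolved to $($answer.IPAddress); expected $hostIp"
}
"$hostName.$domain -> $($answer.IPAddress)"
```

Passing -Server and -ComputerName explicitly matters in a managed domain: it makes the script fail loudly if the VM is still resolving through Azure-provided DNS instead of silently running against nothing.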

Entra DS gives you familiar AD capabilities (domain join, Group Policy, and DNS) without the overhead of running and maintaining your own DC VMs in Azure.

You can find out more at: https://learn.microsoft.com/en-us/entra/identity/domain-services/overview
