Three times a week (Monday/Wednesday/Friday), John Savill tackles your most pressing IT questions.
Read through the FAQ archives, or send him your questions via email.
Today: Learn how to use Microsoft's Azure AD Domain Services for you organizations identity solution, whether you can add more domain controllers to Azure AD Domain Services, and how to use constrained delegation.
Q. If I use Azure AD Domain Services will GPOs replicate from my on-premises AD?
A. Azure AD is an identity solution enabling federation with cloud services via protocols like OAuth. Typically, Azure AD is populated with objects by replicating from an AD instance using Azure Ad Connect and running on Windows Server. Azure AD can be extended to enable Azure AD Domain Services (AAD DS); these emulate regular AD in the Azure virtual network to which the AAD DS is connected. This enables services on that virtual network to leverage Azure AD (via the AAD DS) as if it was regular AD enabling Kerberos authentication, LDAP binds, machine join and other scenarios where regular AD is required. This is beneficial as it means the regular AD does not have to be stretched to Azure.
Azure AD can have custom OUs created and custom GPOs created and linked to them however they cannot replicate from on-premises AD. If you wanted to replicate GPOs from AD you would need to export them from AD and then import them in (using the standard tools) to AAD DS.
Q. Can I add additional domain controllers to Azure AD Domain Services?
A. No. When Azure AD Domain Services is enabled, a pair of domain controllers is automatically created on the specified virtual network. These are managed by Azure and cannot be interacted with directly. It is not possible to add additional DCs to this managed AD environment.
Q. How can I use constrained delegation with an object when using Azure AD Domain Services?
A. Constrained delegation can be very useful when you need a machine to be able to pass on credential use to another remote service. However, to configure an account, you need to be a domain administrator and that is not possible with Azure AD Domain Services. Azure AD Domain Services does not allow anyone to be a domain administrator.
Fortunately, instead of using account delegation, you can use a more secure resource based delegation which will work with Azure AD Domain Services. You need Windows Server 2012 or above. It is considered more secure as now it is the remote resource that controls who has delegated access and does not require domain administrator privileges.
To use you get a variable to the computer (or user) that needs delegated access to a resource and then you apply those principals to the target resource as allowed to delegate.
$delegateAccount = Get-ADComputer -Identity computer.savilltech.net
Set-ADComputer targetmachine.savilltech.net -PrincipalsAllowedToDelegateToAccount $delegateAccount
You can also appropriate a user account by setting
$delegateAccount to a user via Get-ADUser. Basically the
$delegateAccount is the resource that needs to take the context of domain users and then use against the target machine, e.g. targetmachine.savilltech.net. Find more information about the entire set-up here.