Microsoft Azure AZ-800 — Section 5: Create and manage AD DS security principals Part 5

44. Implement Azure AD DS

On top of the on-premises Active Directory Domain Services (AD DS) that we have had since Active Directory came out in 2000, where we install domain controllers on-premises, configure them and manage everything ourselves, Microsoft now gives us a couple of ways to host Active Directory in the cloud. One way is to set up a virtual machine in Azure, make it a domain controller and go from there. You can use a VPN gateway to connect your on-premises network out to Azure, and that cloud-hosted domain controller can be part of your on-premises domain if you want it to. You can also use ExpressRoute to connect your office to Azure directly. Or, if you do not want to mix anything with on-premises at all, you can have Microsoft host a managed Active Directory domain for you in the cloud. That is what we call Azure AD DS (Azure Active Directory Domain Services).

So let me do a little demonstration and show you how that works.

Here I am on portal.azure.com. I'm going to click the menu button, click All services, and do a search for Azure Active Directory Domain Services. If you do that, you should be able to locate Azure AD Domain Services right here.

I'm going to click on that, and we're going to create an instance of Azure Active Directory Domain Services, so we'll click Create. From there, we have to have a resource group. I've already created a resource group called AzureADDS-RG, but if you wanted to, you could click Create new and create a new resource group.

From there, I'm going to specify the domain name I want to use. I've already got a domain involved with the hybrid deployment, so I don't want to use that. This is going to be separate.

So I'm just going to call this examlabpractice.local, just for this demonstration. If you did want to host an actual custom domain out in the cloud, you totally could; you could get rid of your on-premises DCs entirely if you wanted. There are lots of ways you can handle this, but in my case I'm going to host it entirely in the cloud and call it examlabpractice.local.

I'm using the East US region, and then there's the SKU (stock keeping unit). As with most Azure resources, the different options have different prices. You can click Help me choose right here, and it pulls up a document that breaks down the pricing.

So you can explore the pricing options and see what you get with each tier.

Standard covers an authentication load of 0 to 3,000 authentications per hour, Enterprise 3,000 to 10,000, and Premium 10,000 to 70,000.

So you're talking about lots and lots of authentications there, and then it gives the pricing: at the time of recording, 15 cents per hour for Standard, 40 cents per hour for Enterprise, $1.60 per hour for Premium, and so on.

So you can look through those different pricing models. I'm going to choose Standard. Then there's the forest type: User or Resource. User means this managed domain is going to host user accounts, synchronized from Azure AD. Resource means you're setting up a domain that holds resources and a few IT admin accounts rather than a bunch of user accounts; your users live in a different domain, you have a trust relationship with that domain, and you grant permissions to those users across the trust. In our case, we're going to go with User.


From there, I'm going to click Next, and this is where you set up the virtual network. What do you want the virtual network to be called? By default it sets up a VNet (virtual network) called aadds-vnet with a subnet in it, using an address range in the 10.1.0.0 space, and you can alter that if you want. You always want to make sure that your virtual network address spaces are unique, and if you ever connect things to your on-premises network, you want to make sure they don't overlap with your on-premises address ranges either.

So if I'm using 10.1.0.0 on my on-premises network, for example, I don't want to use that here; I want to use something different.

I'm just going to stick with what they've got there and click Next. The Administration tab tells you that these settings specify which users get administrator privileges: my global admins, which I am, and members of the AAD DC Administrators group, which it creates for you. I can also add additional email addresses here to give admin rights as well.

I'm going to click Next, and then it says: Azure AD Domain Services provides a one-way synchronization from Azure Active Directory to the managed domain. In addition, only certain attributes are synchronized down to the managed domain, along with groups, group membership and passwords.

So they're basically saying it's either going to synchronize everything (All), or you can say Scoped and make it synchronize only the specific groups you want to use.

So what exactly does that mean? It's connecting your Azure AD Domain Services instance with Azure AD. Those are two separate things.

That's the thing you've got to get in your head: Azure AD Domain Services (Azure AD DS) is separate from Azure AD, and this is where you choose what gets synchronized from Azure AD into it. If you want to synchronize everything, you say All; if you only want specific groups, you say Scoped and pick them. The AAD DC Administrators group it set up is going to synchronize either way.

So that's ultimately what that does. I'm going to say All and click Next. Then on the Security settings tab you can tweak which older, weaker protocols are allowed: NTLM v1, RC4 encryption for Kerberos, TLS 1.2 only mode, and whether to enable Kerberos armoring (the newer, stronger Kerberos behaviour). For a lab the defaults are fine; in production you want the older options off unless something specifically needs them. I'm going to click Next through Tags, then Review and create. It goes through validation, and once validation passes we can click Create and pull the trigger. It tells you the following choices are final and can't be changed afterwards: the DNS name, subscription, resource group, virtual network, subnet and forest type.

So if there's anything you need to change, you can alter it now. Actually, I think I'm going to change my domain name: instead of examlabpractice.local I'm going to call it examlabpractice.azure, because .local sounds like an on-premises name.

So now we'll click Next through here; I shouldn't have to change anything else. It goes through validation again, we click Create, click OK, and we pull the trigger.

Now, let me warn you that this can take over an hour to configure and finalize, so be ready to wait a while. I'm going to pause the recording and let it run through.

OK, the deployment is done. Again, it takes about an hour on average. Now I should be able to click the menu button, go to Resource groups, and from there go to AzureADDS-RG. As you can see, several resources have been deployed: a load balancer, a public IP address, network interfaces, a network security group, the virtual network, and the most important thing we care about right now, the Azure AD Domain Services resource. If we click on that, that is the actual Azure Active Directory Domain Services instance, and it's now ready to roll. If I set up a virtual machine, I can join it to examlabpractice.azure, my Azure AD DS managed domain.

45. Join a Windows Server to Azure AD DS

Now that I have Azure AD DS installed, it's time to join a server to it.

If you wanted to join an on-premises server to this cloud-hosted domain, you very well could, as long as you have a VPN gateway or ExpressRoute connecting your on-premises network into Azure. In my case, I'm going to set up a Windows Server virtual machine in Azure and join that to the Azure AD DS instance.

I already have a resource group called AzureADDS-RG, with my Azure AD DS instance examlabpractice.azure in it, and I'm going to click to create a virtual machine. I'm going to choose Windows Server 2019; it really doesn't matter, you could go with 2022 or whatever.

I'm going to give it a name, and I'll just call it ServerAADDemo, for lack of a better name. I'm not going to go with any availability or security options; I'm not getting into that right now. I'm just going to go with the default size and set the administrator credentials here: I'll call the local admin account ELPAdmin and put in a password.

From there we've got inbound ports, and I'm going to allow RDP (TCP 3389). Then I'll click Next, and I'm just going to go with a standard hard disk drive rather than SSD.

I'm not going to do any disk encryption. For networking, I'm going to make sure it's assigned to the VNet that the Azure AD DS instance is connected to, which is this one here. I'm not going to change anything else there, and I'll click Next. I'm not going to mess with the monitoring stuff right now, although I do like the auto-shutdown at 7 p.m., which is cool. I won't mess with the advanced settings or tags. I'm going to click Review and create, and we're officially ready to pull the trigger on creating the VM.

Now the virtual machine is in the process of creating. One thing I want to warn you about: if we go back to Resource groups and into AzureADDS-RG, there is a network security group (NSG) attached to the subnet where the virtual machine is connected. If you're not familiar with what an NSG is, I don't want to say it's a firewall; it's packet filtering, but it does the same kind of thing a firewall does: it controls whether traffic can flow in or out, based on source, destination, port and protocol.

I've got to allow RDP inbound if I'm going to be able to connect to this, and you'll find that, unless you've added a rule, there isn't a rule by default that allows RDP in from your machine.

So I'm going to click on that. I've actually already added a rule to allow it, right here, and that lets the traffic flow in. But I'm also going to show you the process of doing that.

If I click Inbound security rules, I can click Add. Source: Any means anywhere on the Internet. Source port ranges: any, since it doesn't matter what source port the client uses. Destination: Any (if you wanted to point directly at this server, you could). Service: RDP, which ties it to destination port 3389. Action: Allow. Then set a priority, give it a name such as AllowRDPIn, and click Add.

And that's it; that's exactly how I added the rule you see here. Of course, it warns you that it's a good idea to set up a VPN instead of exposing RDP directly to the Internet, because attackers scan for open RDP constantly; at a minimum, restrict the source to your own IP address rather than Any. But I'm not getting into configuring VPNs right now; that's not what this lesson is about.


So ultimately, I just wanted to add that RDP rule.
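The same NSG rule, added with the Az PowerShell module instead of the portal. This is an added example, not code from the course, and it tightens the rule the lesson creates: the source is a single admin IP rather than Any, it warns if the NSG already has an allow-from-anywhere RDP rule, and it is idempotent. The resource group, NSG name (aadds-nsg) and the admin IP are assumptions; substitute your own.

```powershell
# Added example (not from the course): add an inbound RDP rule to the NSG on the
# Azure AD DS subnet with Az PowerShell, restricting the source to one admin IP.
# Requires: Install-Module Az; Connect-AzAccount
param(
    [string]$ResourceGroup = "AzureADDS-RG",        # assumed resource group name
    [string]$NsgName       = "aadds-nsg",           # assumed name of the NSG on the subnet
    [string]$AdminIp       = "203.0.113.10",        # placeholder (TEST-NET-3); use your public IP
    [int]   $Priority      = 1000                   # must not collide with existing rules
)

$nsg = Get-NetworkSecurityGroupOrFail
function Get-NetworkSecurityGroupOrFail {
    $g = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup -ErrorAction SilentlyContinue
    if (-not $g) { throw "NSG '$NsgName' not found in '$ResourceGroup'." }
    return $g
}

# Sanity check: flag any existing rule that already opens 3389 to the whole Internet.
$wideOpen = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    $_.DestinationPortRange -contains '3389' -and
    ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet')
}
if ($wideOpen) {
    Write-Warning ("Rule(s) already allow RDP from anywhere: " + ($wideOpen.Name -join ', '))
}

# Idempotent: update the rule if it exists, otherwise add it.
$ruleName = "AllowRdpFromAdminIp"
$ruleArgs = @{
    NetworkSecurityGroup     = $nsg
    Name                     = $ruleName
    Description              = "RDP from the admin workstation only"
    Access                   = 'Allow'
    Protocol                 = 'Tcp'
    Direction                = 'Inbound'
    Priority                 = $Priority
    SourceAddressPrefix      = "$AdminIp/32"
    SourcePortRange          = '*'
    DestinationAddressPrefix = '*'
    DestinationPortRange     = '3389'
}
if ($nsg.SecurityRules | Where-Object Name -eq $ruleName) {
    $nsg = Set-AzNetworkSecurityRuleConfig @ruleArgs
} else {
    $nsg = Add-AzNetworkSecurityRuleConfig @ruleArgs
}

# Push the change; Set-AzNetworkSecurityGroup writes the whole NSG back to Azure.
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Show the effective inbound allow rules so the result can be checked at a glance.
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' } |
    Sort-Object Priority |
    Format-Table Name, Priority, SourceAddressPrefix, DestinationPortRange -AutoSize
```

Leave the rules Azure AD DS itself put in this NSG alone (in particular the one allowing TCP 5986 from the AzureActiveDirectoryDomainServices service tag); the managed domain needs them. When you are done with the lab, remove the RDP rule rather than leaving 3389 reachable.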

So at this point I'm officially ready to connect to my VM. If you notice the pop-up in the upper right of my screen, the deployment is done.

Now I'm going to go back to the resource group and scroll down. It may take a moment to appear, but eventually the virtual machine will show up; I just clicked Refresh to get it to appear. I'm going to click on it and click Connect, then RDP. I'll download the RDP file and then click on it to connect.

I put in my credentials, click Yes on the certificate warning, and it's now connecting into the server.

Now I'm in Server Manager, on Local Server, and notice I'm joined to a workgroup. I want to join my domain, so I'm going to hit Change, select Domain, type examlabpractice.azure and click OK, and it's just going to work, right? Wrong. It's not going to work, and let me tell you why: there's an additional step we need to deal with for DNS. The VM is still using Azure's default DNS, which knows nothing about examlabpractice.azure, so it can't locate a domain controller.

So I'm going to click OK to get out of that, and we're going to jump back into the Azure portal and fix this. From my resources I'll click on the resource group AzureADDS-RG, scroll down and go to the examlabpractice.azure Azure AD DS instance. If we scroll down a little here, you'll notice there are additional tasks that need to be completed. In fact, it warns you right here: configuration issues for your managed domain services were detected.

So we'll click on that and click Run, and it tells you you're missing some DNS settings: the DNS server settings for the managed domain need to be configured for your virtual network. So we say Fix, confirm that we want to fix the DNS issues, and it updates the virtual network's DNS servers to point at the managed domain's domain controllers. At that point our DNS settings are in place. The VM only picks up the new DNS servers on a restart or an ipconfig /renew.
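What the Fix button does, done with Az PowerShell so it can be scripted and checked. This is an added example, not code from the course: it reads the domain controller IP addresses the managed domain exposes and sets them as the VNet's DNS servers, skipping the write if they are already correct. The resource group, domain and VNet names are assumptions matching the lesson; the property path replicaSets[].domainControllerIpAddress is the one the Microsoft.AAD/domainServices ARM resource exposes.

```powershell
# Added example (not from the course): point the VNet's DNS at the managed domain's DCs.
# Requires: Install-Module Az; Connect-AzAccount
param(
    [string]$ResourceGroup = "AzureADDS-RG",           # assumed
    [string]$DomainName    = "examlabpractice.azure",  # managed domain name from the lesson
    [string]$VnetName      = "aadds-vnet"              # default VNet name the wizard creates
)

# Read the managed domain resource and pull the DC IP addresses it reports.
$aadds = Get-AzResource -ResourceGroupName $ResourceGroup `
    -ResourceType "Microsoft.AAD/DomainServices" -Name $DomainName
if (-not $aadds) { throw "Managed domain '$DomainName' not found in '$ResourceGroup'." }

$dcIps = @($aadds.Properties.replicaSets | ForEach-Object { $_.domainControllerIpAddress })
if ($dcIps.Count -lt 2) {
    throw "Managed domain reports $($dcIps.Count) DC address(es); it is probably still provisioning."
}
Write-Host "Managed domain DCs: $($dcIps -join ', ')"

$vnet    = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroup
$current = @($vnet.DhcpOptions.DnsServers | Where-Object { $_ })   # empty = Azure-provided DNS

$wanted  = ($dcIps   | Sort-Object) -join ','
$present = ($current | Sort-Object) -join ','

if ($wanted -eq $present) {
    Write-Host "VNet DNS already points at the managed domain; nothing to do."
} else {
    $shown = if ($current) { $current -join ', ' } else { 'Azure-provided (default)' }
    Write-Host "Current VNet DNS: $shown"
    if (-not $vnet.DhcpOptions) {
        $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
    }
    $vnet.DhcpOptions.DnsServers = $dcIps
    $null = Set-AzVirtualNetwork -VirtualNetwork $vnet
    Write-Host "VNet DNS updated. Restart (or ipconfig /renew on) VMs in this VNet to pick it up."
}
```

Note that the fix applies to the VNet the managed domain lives in. A VM in a peered VNet needs the same DNS servers set on its own VNet.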

Now back on our server, we click on Workgroup again, click Change, select Domain, put in examlabpractice.azure, and no error this time.

So then we just have to put in our credentials to join the domain.

What credentials are we going to use? You put in your global admin credentials for your Azure AD tenant so that it can authenticate you.

In my case, that would be jc@examlabpractice.com and my password.

Now I'd like to warn you about something: this probably isn't going to work for you either. If you try this, you're going to get an error message.

The reason is that, by default, Azure Active Directory Domain Services doesn't have the password hashes it needs from your Azure AD. The managed domain authenticates with Kerberos and NTLM, which need legacy-format password hashes, and Azure AD doesn't generate or store those for an existing user until that user's password changes. There is a way to trigger it, and it's kind of crazy; you'd think there would be another way, but as of right now there isn't: you have to do a password reset. Any user who is going to authenticate and access resources on the server once it joins also needs to do a password reset.

So users need a password reset in order for that to happen.

So real quick, let me show you how to do a password reset.

To reset my password, here I am on portal.azure.com. I'm going to click my profile, go to View account, then go to the Password blade and change my password. Just like that, my password is changed. Let me warn you: for users to reset their own password, you must make sure you have self-service password reset enabled in your tenant. To do that, go to portal.azure.com, click the menu button, go to Azure Active Directory, go to Password reset and turn it on for all of your users; then they can reset their passwords. If you don't turn it on, users cannot reset their own passwords. All users that are going to connect to the server need to have their password reset.

Now, be careful when you go to join that computer. If you try to join multiple times with a password that hasn't been reset, the managed domain will lock the account out (by default after 5 failed attempts within 2 minutes), and it makes you wait 30 minutes before you can try again.

So be careful trying to join the domain multiple times. After you've reset your password, you should be able to join.

So here we go: put the password in, and we're now officially joined to the examlabpractice.azure domain. That's how you join a server to the domain. The next thing to do is restart, and you're ready to log on.

After the reboot, you log back on like you normally would, with the local administrator account, because your domain account doesn't have Remote Desktop rights on this server yet.

So you're still going to log on just like you did before the reboot, and then grant your domain account access.

You go to Start, then Settings, do a quick search on the word remote, open Remote Desktop settings, and go down to Select users that can remotely access this PC.

We click Add and put in the user, in my case jc@examlabpractice.com. It requires me to authenticate again using my global admin credentials.

So I put those in again, and now I can add that account and click OK. Next I'm going to sign out and sign back in. I'll hit Connect, RDP, download the file, click on it to connect, and this time we're going to change what we select.

So say More choices, Use a different account, and put the domain credentials in. There we go (it helps if you don't mistype your password). We're now authenticating to the domain, and we have the ability to use the server just like an on-premises server. The only difference is that we're connected to Azure Active Directory Domain Services out in the cloud. Really neat. The next thing you could do, if you wanted, is install the Remote Server Administration Tools by going into Server Manager, Add Roles and Features, and then you'd have the admin tools to administer Azure AD DS.
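The join procedure above, scripted to run on the VM as the local administrator. This is an added example, not code from the course. It checks that the VM's DNS can find a domain controller for the managed domain (the first failure in the lesson), verifies the credential with a single LDAP bind before calling Add-Computer (so a password that has not been reset costs one failed attempt, not several, against the default lockout of 5 failures in 2 minutes), joins the domain with a reboot, and on a second run after the reboot grants the domain account Remote Desktop access. The domain name, UPN and the NetBIOS name EXAMLABPRACTICE (assumed to be the first DNS label) match the lesson and are assumptions.

```powershell
# Added example (not from the course): run on the Azure VM in an elevated PowerShell.
# First run (workgroup): DNS check, one credential check, domain join + reboot.
# Second run (after reboot, as local admin): grant the domain account RDP access.
$Domain  = "examlabpractice.azure"
$Upn     = "jc@examlabpractice.com"      # Azure AD UPN used to join (assumed)
$NetBios = "EXAMLABPRACTICE"             # assumed NetBIOS name: first DNS label, max 15 chars

function Test-ManagedDomainDns {
    param([string]$Domain)
    # A domain join needs the DC locator SRV record; if this fails, the VNet DNS is wrong.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'SRV'
    if (-not $srv) {
        $dns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object ServerAddresses).ServerAddresses -join ', '
        throw "No DC SRV record for $Domain. This VM's DNS servers: $dns (fix the VNet DNS, then ipconfig /renew)."
    }
    $srv | ForEach-Object { "DC: $($_.NameTarget):$($_.Port)" }
}

function Test-DomainCredential {
    param([string]$Domain, [pscredential]$Credential)
    # One Negotiate (Kerberos/NTLM) bind against the managed domain. Default Azure AD DS
    # lockout policy: 5 failures within 2 minutes locks the account for 30 minutes.
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Domain", $Credential.UserName, $Credential.GetNetworkCredential().Password)
    try   { $null = $entry.NativeObject; return $true }
    catch { Write-Warning "Bind failed: $($_.Exception.Message)"; return $false }
    finally { $entry.Dispose() }
}

if ($env:USERDOMAIN -ieq $NetBios) {
    # Already joined (second run): sAMAccountName in Azure AD DS is the UPN prefix.
    $account = "$NetBios\$($Upn.Split('@')[0])"
    Add-LocalGroupMember -Group "Remote Desktop Users" -Member $account -ErrorAction Stop
    Get-LocalGroupMember -Group "Remote Desktop Users"
    return
}

Test-ManagedDomainDns -Domain $Domain
$cred = Get-Credential -UserName $Upn -Message "Azure AD password (must have been reset since Azure AD DS was enabled)"

if (-not (Test-DomainCredential -Domain $Domain -Credential $cred)) {
    throw "Credential rejected. If this password has not been changed since Azure AD DS was created, the managed domain has no hash for it: reset the password, then try again once."
}

# Join and reboot. Computer objects land in the managed domain's AADDC Computers OU.
Add-Computer -DomainName $Domain -Credential $cred -Force -Restart
```

The credential pre-check is the important part: a join dialog that fails repeatedly is what triggers the 30-minute lockout the lesson warns about, and the bind error text tells you whether the problem is DNS (no domain found) or the credential (no password hash yet).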

46. Giving admin rights over to a user for Azure AD DS

Once you have Azure AD DS configured, the next step is to make sure you give yourself privileges.

If you know Active Directory, it uses groups for handing out rights to users, as opposed to Azure AD, which focuses more on roles. Azure AD DS uses a group to handle this, and the group is called AAD DC Administrators. It's created in your Azure AD tenant when the managed domain is deployed, and its membership synchronizes down into the managed domain.

So to get there, go to portal.azure.com, click the menu, go to Azure Active Directory and click Groups. Go into the AAD DC Administrators group, go to Members, and add yourself as a member, or whoever you'd like to add. In my case, I'm going to add myself, so I'll find my account, John Christopher, jc@examlabpractice.com, select it, and I've officially added myself as a member of the group. At that point I have admin rights.

Keep in mind it may take a moment, and you may have to refresh your browser a few times, but eventually you should see your account inside this group, and you've now given this user admin rights over Azure Active Directory Domain Services. Two caveats: the membership has to synchronize from Azure AD into the managed domain before it takes effect on domain-joined machines, and that isn't instant; and these are delegated rights (managing OUs, group policy, joining and administering domain-joined VMs), not Domain Admins or Enterprise Admins, which Microsoft keeps for itself in a managed domain.
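The same group change done with Az PowerShell, with the checks a practitioner wants before touching a privileged group. This is an added example, not code from the course: it looks up the group by display name, refuses to guess if the name is ambiguous, adds the user only if not already a member, and finishes by listing the current membership as an audit of who can administer the managed domain. The UPN is an assumption matching the lesson.

```powershell
# Added example (not from the course): add a user to AAD DC Administrators and audit it.
# Requires: Install-Module Az; Connect-AzAccount (as an account allowed to manage the group)
param(
    [string]$Upn       = "jc@examlabpractice.com",   # assumed
    [string]$GroupName = "AAD DC Administrators"      # created by Azure AD DS; do not rename it
)

$group = @(Get-AzADGroup -DisplayName $GroupName)
if ($group.Count -eq 0) { throw "Group '$GroupName' not found; has Azure AD DS finished deploying?" }
if ($group.Count -gt 1) { throw "More than one group named '$GroupName'; select it by ObjectId instead." }
$group = $group[0]

$user = Get-AzADUser -UserPrincipalName $Upn
if (-not $user) { throw "User $Upn not found in this tenant." }

$members = @(Get-AzADGroupMember -GroupObjectId $group.Id)
if ($members.Id -contains $user.Id) {
    Write-Host "$Upn is already a member of $GroupName."
} else {
    Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id
    Write-Host "Added $Upn to $GroupName. Membership syncs into the managed domain; allow time before expecting it on domain-joined VMs."
}

# Audit: who holds delegated admin over the managed domain right now?
Get-AzADGroupMember -GroupObjectId $group.Id | Format-Table DisplayName, Id -AutoSize
```

Because this group's membership is synchronized into the managed domain and grants administrative rights on every domain-joined VM, treat changes to it like changes to Domain Admins on-premises: keep the list short, and review it periodically with the audit line above.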