Lets Get One Thing Straight | Azure AD Domain Services

  • Published: 23 Nov 2024

Comments • 303

  • @peppigue
    @peppigue 2 years ago +4

    Learning Azure without knowing the traditional on-prem stuff is a battle... I turned on AADDS to learn about it, quickly became an urgent learning experience about azure budgeting. A request from me as new to IT for orgs is more perspective on why/how various services are valuable. But I enjoy your channel, you definitely come across as both highly experienced in the field and understanding of how to present stuff. Thanks.

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      Thank you Petter! Check out my newest video and tell me if I gave you more of the why and how of the service I talk about or if I need to give you more of that.

  • @malcolmwalker2852
    @malcolmwalker2852 4 years ago +13

    Excellent video. Definitely cleared up a lot of misconceptions about Azure AD Domain Services.

  • @baabujatin
    @baabujatin 3 years ago +1

    Super... best thing is no bla-bla.. no gossip or talking stupid stuff... just very point to point... looking forward to check your other videos also.. thanks for the good work ...

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Welcome aboard! Please share all my videos with everyone 👍👍

  • @danpowell7421
    @danpowell7421 4 years ago +1

    The majority of people get these different services mixed up, so thanks for the fantastic explanation! Sometimes the IT departments I talk to regarding this just don't understand the differences.

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      Hopefully this video helps explain things for your customers...please share it with them.

  • @johningram2153
    @johningram2153 2 years ago +2

    Good video. Thanks for providing it. One detail, though: at about 4:30 you point at Azure AD and call it Active Directory. This wouldn’t be that big a deal, but a big point of the video is keeping those things straight. Clearly this whole problem is Microsoft’s fault. Bad naming of so many things.

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      Nice catch John and AGREED...too many things with the same/similar names and don't get me started on acronyms 😁

  • @fayasputhukkudi1067
    @fayasputhukkudi1067 2 years ago +1

    This was a much needed video for me. I was very confused between these three things, all I have experience with is Windows AD and I thought AAD was the cloud counterpart of it. Thank you for the video.

  • @MalonMateria
    @MalonMateria 2 years ago +2

    Thank you for the best tutorial I've ever seen. Thanks for showing the exact steps with pictures every step of the way.

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      Have to help, check out the other stuff on the channel…lots of great stuff…and please share with everyone

  • @joneslt
    @joneslt 3 years ago +3

    Concise, to the point, clearly explained, this was excellent! I'm a fan!

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Awesome! Let me know what else you are interested in me making!

  • @sidzhang
    @sidzhang 4 years ago +2

    Sorry Dean, I am confused on several facts, can you point out to me if I am wrong.
    1. While you are using AADDS, no matter if you have on-premises AD or not, you MUST reset the AAD user password to trigger sync from AAD->AADDS, otherwise users will not show in AADDS.
    2. You MUST use the Password Writeback feature, then reset the password, then the user can sync to AADDS (which is weird, it is not shown in the MS doc).
    3. I thought the purpose of "Enable password synchronization" is to let you use your on-premises AD users and passwords in AADDS without any extra configuration, but I think I am wrong, this feature only ALLOWs you to do that, but you need extra steps to trigger the actual sync.

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      1. It is not that the users won’t sync...it is that their password hash won’t sync to AADDS
      2. Password write back is needed if you want to force the password reset from the Azure side. This is also a requirement for other things like Self-Service Password Reset...which I will have a video about soon
      3. No it doesn’t. AADDS doesn’t understand the pwd hash format that Azure AD does...which is why we needed the PowerShell script

    • @sidzhang
      @sidzhang 3 years ago +1

      @@AzureAcademy Thanks Dean.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      👍👍

  • @davidespano8674
    @davidespano8674 2 years ago +1

    This video is very useful thanks to the practical demonstrations of the differences between the Azure ADDS instance and the on-prem AD instance, a thing that is not done in other videos available in the public domain. Thanks.

  • @masihqashqai9374
    @masihqashqai9374 2 years ago +2

    Your contents are incredibly good. They are concise yet unbelievably detailed. After each topic I feel my knowledge level elevated ten times. Can't thank you enough!

    • @AzureAcademy
      @AzureAcademy  2 years ago +2

      Awesome, thanks for letting me know!

  • @farhanasheiks893
    @farhanasheiks893 2 years ago +1

    Excellent explanation. I understand now the difference between Active Directory and Azure ADDS.

  • @Cmart6444
    @Cmart6444 1 year ago +1

    Thanks Dean, you do an amazing job, but for me it is still kind of dense info, I'll do my best in learning all this stuff. Great, great, great video! Just what I needed!

  • @akap8875
    @akap8875 1 year ago +1

    So glad I stumbled across this today. Thanks for the amazing content!!

    • @AzureAcademy
      @AzureAcademy  1 year ago +1

      Thanks for watching! You say you stumbled across, if you don’t mind, can you tell me how so I can reach more people with all my free content, thanks!

  • @Cmart6444
    @Cmart6444 1 year ago +1

    Hey Dean, nice of you to use the "Batman" profile stored in your AZ-AD example. Whenever you have the chance, please ask him for an autograph dedicated to "Carlos". Very, very, very nice videos (I still recall those with the "Star Wars" theme).

    • @AzureAcademy
      @AzureAcademy  1 year ago +1

      Thanks! You are going through a ton of my videos…keep it going and share with friends!

  • @amirbakhtiari4571
    @amirbakhtiari4571 2 years ago +1

    I was surprised about how easy you explain it!! Thanks

  • @navinjain7
    @navinjain7 4 years ago +2

    Thanks for the details, excellent stuff. A lot of the time customers ask to remove on-prem AD and only use Azure AD. What should be the approach in this case? How do we make it work for clients joined to on-prem AD?

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      For clients going FWD you will want to check out my upcoming video on Device Identity
      I would ask some questions...
      1. Why do you want to get rid of AD?
      2. What do you use AD for today?
      3. How did you have to set up those things in AD, and what are the dependencies?
      4. What is the IT ops model going FWD?

  • @paulgee5998
    @paulgee5998 3 years ago +1

    Thanks for the explanations, looks like I have some more learning to do. I am a noob at this and it's just shown me there is yet more I need to learn about, LOL.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Yup…we all have a lot to learn…it never ends
      🤔😉

  • @edthefixer2011
    @edthefixer2011 3 years ago +2

    Dean, so... after going through a series of videos you published almost three years ago, where you provide a great level of detail for the purpose of deploying DCs in Azure that synchronize with your on-premises ADDS, I got stuck in the last piece, where my on-premises DC DNS is not doing what I intended following the videos. In essence I want an easy way to deploy Windows Virtual Desktops... it seems to me that after viewing this explanation I would benefit most from deploying an instance of AADDS for this purpose (it's mainly my lab for demo purposes). What's your take on this?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      AADDS can work for WVD but the larger question is if you will want to have the AADDS domain for anything else...or do you have expectations of being able to manage and change the domain...because as you know by now you can’t...you will have no rights in that domain beyond simple computer management of joined VMs and limited GPOs.
      If you can live with that...then AADDS is fine for WVD.
      But if you hope to extend your existing domain
      Or manage AADDS like your existing domain
      It will not work

  • @loganmancuso3791
    @loganmancuso3791 2 years ago +1

    Amazing content. I've been a domain admin for years and I'm certified in Azure, but this helps elevate my understanding. Thank you!

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      Thanks for letting me know Logan!

  • @sidzhang
    @sidzhang 4 years ago +4

    Dean, thanks for another great episode, I have 3 questions.
    1. If we have cloud-only users, we don't need to configure Hash Sync to login to AADDS-joined server, right?
    2. If we talk about AD->AAD->AADDS scenario, after we did the PowerShell script on on-premises AAD Connect Server, now can we login to AADDS-joined servers? Or do we need to reset each user password again to trigger a sync?
    3. Is the follow-up Password Writeback step a must or just an option, so that we can use AAD as the centralized location to change password, then it got synced to both on-premises AD and AADDS.
    Thanks.

    • @AzureAcademy
      @AzureAcademy  4 years ago +4

      Thanks Ceng Xiye!
      3. Password write back is required for any traditional AD accounts
      2. The PowerShell script will setup AAD connect to sync the hash in the proper format but each user needs a password reset...at least in my testing
      1. Cloud only accounts with AADDS can be treated as if there is no AD environment.
      So cloud only accounts do not become AD accounts and don’t sync with AAD Connect.

  • @andreiflow5338
    @andreiflow5338 2 years ago +1

    Thank you! Question: Why isn't writeback just enabled by default or why are we able to turn it off? It seems AAD DS won't work at all without that?

    • @AzureAcademy
      @AzureAcademy  2 years ago +2

      Not sure why it isn't enabled by default, perhaps because it changes how you deal with passwords, and that is a security issue, and you should have to make a conscious choice when changing it.

  • @twincam2013
    @twincam2013 3 years ago +2

    Fantastic video, very well explained! I have one question, how do you manage users in AADDS?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Thanks Twin Cam…the answer is you don't…you manage them in Azure AD, then the changes sync to AADDS.

  • @baMolk
    @baMolk 6 months ago +1

    Thanks for the useful information. How about joining servers to the Azure AD Domain from on-prem and AWS? Is that possible?

    • @AzureAcademy
      @AzureAcademy  6 months ago +1

      Are you asking how to join the Entra ID Domain, or cloud join the Windows servers and AWS VMs to Entra ID?

  • @sheldon6786
    @sheldon6786 3 years ago +1

    I have been in the IT field now for 15 years, and what I have come across is that most technical people don't know the WHY, only the HOW, as indicated in the video. We want to know the WHY: why was the product developed, what need did it try to cover?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      The reason WHY was covered in the video Sheldon. It is to provide legacy Auth in the modern Auth world of the cloud, which wants to do OAuth and SAML.

  • @cloudpachehra1113
    @cloudpachehra1113 4 years ago +2

    As always... love the way you explain, and it's getting better with each video... thanks 🤩🤩

  • @Southpaw07
    @Southpaw07 1 year ago

    Another excellent video. TY Dean! Very informative. Just curious if there is a potential security concern enabling legacy password hash sync?

    • @AzureAcademy
      @AzureAcademy  1 year ago +1

      No, there is no concern generally speaking
      But you should have a look at the new Cloud Sync tool as well 👉ruclips.net/video/AF1mHC6KmSo/видео.html

  • @JacquesFrenchFryJordaan
    @JacquesFrenchFryJordaan 2 years ago +1

    This answered so many of my questions. Thank you for the clear explanation and guide! You have my like and subscribe!

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      Awesome! Thanks for watching ☺️

  • @BurnsLyons
    @BurnsLyons 1 year ago +1

    Great video. Do you have the ability to utilize folder redirection with Azure AD Domain Services? Specifically wanting to redirect users' files, etc... to the cloud.

    • @AzureAcademy
      @AzureAcademy  1 year ago +1

      Thanks! Folder redirection as in FSLogix
      or roaming profiles?
      You can easily do a file share, but I don't think you can do a DFS service.

  • @adrianjablonski6260
    @adrianjablonski6260 3 years ago +1

    I love your videos!!! Greetings from the Netherlands!!!!

  • @jamierterrell1
    @jamierterrell1 3 years ago +2

    Do you have a video going over applying GPOs in AADDS? Thanks.

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      Not a video specifically on GPOs in AADDS, because it is almost exactly like normal GPOs...the difference is that you don't have access to the domain controller, so you can't upload 3rd party or custom policies.

    • @jamierterrell1
      @jamierterrell1 3 years ago +1

      @@AzureAcademy Thank you sir. It looked very similar, I was just looking for the gotchas. :-) Thanks again for all the awesome content.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Thanks!

  • @TenMinuteKQL
    @TenMinuteKQL 1 year ago +2

    Since Azure AD DS is 'managed', how is the security portion managed? Is there a need to tie any 'managed' AAD DS components into a tenant security stack? If elements of AAD DS are attacked and compromised, what is the impact to the user tenant, and how is the user notified?

    • @AzureAcademy
      @AzureAcademy  1 year ago +1

      Great question, first you need to do normal Azure layer security…but as for AADDS…there is nothing to compromise, and even if you could, there isn't anything that I can think of that would hurt Azure.
      Since you are NOT an admin, you have NO control over Windows or Active Directory, so you can't change things or install software.
      There is no direct link or connection from your AADDS to Azure AD…other than the managed sync of users and passwords, and password changes can only come from the Azure AD side into AADDS, not the other way.
      So there is no impact from AADDS to your Azure AD tenant…does that answer your question?

    • @TenMinuteKQL
      @TenMinuteKQL 1 year ago +1

      @@AzureAcademy Great info, basically there are 5 VMs in each tenant associated with AAD DS. It sounds like there is no need to tie these into the tenant security stack.

    • @AzureAcademy
      @AzureAcademy  1 year ago +1

      The AADDS should be monitored, and follow all Defender for Cloud as well as Azure Advisor recommendations…secure the network with NSG or Firewall etc. All the normal stuff ☺️

  • @KyleWilcox
    @KyleWilcox 3 years ago +1

    Great explanation. I would rather not have to manage Domain Controllers anymore. Can I remove my current AD and connect my local servers to Azure AD Domain Services? I only have about 5 servers and running local AD just for that seems overkill. My client devices are already on Azure AD/Intune and don't need local AD.

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      Before you do...make sure you don't have anything that extends the AD schema or creates custom containers in AD...you won't have rights to do it in AzureAD DS.
      Please verify that all your current GPOs are set up and working in AzureAD DS.
      And remember you will not be an admin of AzureAD DS.
      If you can live with all that, then it should be good for you.

  • @LoudyCan
    @LoudyCan 1 year ago +1

    Hi, great video. Is it possible to give us some advice in the right direction: I have built the server: Virtual networks, Virtual network gateways, Azure AD Domain Services, Azure VP. Now how can we allow over 5000 computers to join the domain, as most of the subnets allow only 255 devices to connect? I'm a little confused, also I'm learning that.

    • @AzureAcademy
      @AzureAcademy  1 year ago +1

      Sorry…what is your question here? What do you need help with?

  • @Timmy-Hi5
    @Timmy-Hi5 4 years ago +1

    Sharing always... no worries... since you guys are the funniest and the best of the best :)

  • @mattblaker1127
    @mattblaker1127 2 years ago +1

    You don't have enough followers! You're an expert and a fine professional in Azure. Clearly done it all and seen it! You're a pleasure to watch and learn from! Drop me a DM, 104 and AVD qualified, been in IT for 19 years, would love to collab on YouTube from across the pond and have never done it! Working at one of the largest MSPs in the UK and the customers would love you!!

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      WOW…Thanks Matt! I appreciate the compliment and the thought of a collaboration…I am packed right now, getting ready for ignite which is Oct 12-14…so it will be a few weeks! 👍👍
      Do you or your company have a channel?

  • @sethzwicker3631
    @sethzwicker3631 4 years ago +1

    Can you do something on the new (Still in Preview) feature "Provision from Active Directory" feature and how it differs from ADConnect?

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      YES @Seth Zwicker, I cover services in public preview all the time...that way I can help folks like you learn about them early 😎 I have thought about this feature...but haven't gotten to it yet...thanks for the nudge. I will get on it 👍👍

  • @abhijithsnair3157
    @abhijithsnair3157 3 years ago +3

    Thanks a ton #AzureAcademy for the wonderful explanation. Keep up the good work! Impressed with all your hand actions haha!!

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      LOL thanks Abhijith! Happy to help 👍👍

  • @rashidamin1130
    @rashidamin1130 2 years ago +1

    How did you pull up ADUC in the AD DS environment? Can we log in to the domain controllers? How?

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      As I said in the video, you are NOT a domain admin with AADDS so your abilities are very limited. You can ONLY open ADUC if you are logged into a VM that is joined to the AADDS domain, with your user administration account.

  • @cocteau9
    @cocteau9 2 years ago +1

    One question remains: do we need AAD for AADDS, or can we use AADDS with on-prem AD without AAD? If yes, it would be nice to see how to set that up.

    • @AzureAcademy
      @AzureAcademy  2 years ago +2

      No…Azure AD Domain Services cannot work unless you use Azure AD.
      However, you don't need on-prem AD to make it work. But if you already have on-prem users and you want those user names to be in AADDS, then you need the on-prem AD to sync with Azure AD using Azure AD Connect.

  • @godfreywalter3599
    @godfreywalter3599 3 years ago +1

    Excellent explanation. Thank you.. Just subscribed..

  • @hemang81
    @hemang81 3 years ago +1

    This is an awesome video, you are too good..!!

  • @kokkosbollful
    @kokkosbollful 2 years ago +1

    You are a cloud Hero, thanks a LOT

  • @ingediaingedia4368
    @ingediaingedia4368 3 years ago +1

    Thanks a lot for this intro to those services, I loved it 👍👍👍

  • @partyyydude
    @partyyydude 3 years ago +2

    Excellent overview and demo, very helpful. Thank you!

  • @solunatrust
    @solunatrust 3 years ago +1

    Great video! Can you do a tut on a one-way external trust to on-prem using AD DS?

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      Already done - ruclips.net/video/YcFr17yaRPQ/видео.html

    • @solunatrust
      @solunatrust 3 years ago +1

      @@AzureAcademy Thank you, and you earned my sub! Keep up the great work!

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      👍👍

  • @markbowd2039
    @markbowd2039 4 years ago +1

    Looking forward to another show!

  • @gianfmm
    @gianfmm 3 years ago +1

    Great vid. Can I create a VM in Azure as a backup DC to my on-prem DC?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Sort of…but that isn't how domain controllers are intended to work.
      You should have a separate VM in Azure that is also a domain controller, so that they synchronize together.

  • @MrMayes11
    @MrMayes11 2 years ago +1

    We are wanting to remove our on-prem AD and take advantage of Azure Active Directory Domain Services. Is it possible to configure radius authentication utilizing AADDS without having an on premise AD? I have yet to find a solution without having to rely on third party services, etc.

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      I have not used RADIUS in ages…today you can do this with Azure AD
      👉 docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-radius

  • @sala7311
    @sala7311 3 years ago +1

    If there is a VPN connection between on-prem and AADDS's VNet, surely there will be a conflict of domain name, right? Is it possible to have a peered environment and still have a hybrid AD structure?

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      A conflict would only come if the on-prem and the AADDS domain have the same name…which is NOT recommended.
      You can use a sub domain name like
      AADDS.Domain.com, then there is no conflict.

  • @mihirpatel3754
    @mihirpatel3754 4 years ago +2

    A worthy video. Thank you for making it! Question - I understand it's a one-way sync from on-prem AD to Azure AD with the option to do password writeback to on-prem, but is it possible (workaround?) to do a two-way sync between on-prem AD and Azure AD? So users/groups created in Azure AD can sync back to on-prem AD? If not, do you know if MS is planning to add this feature in the near future?

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      Slight correction...it is not exactly a 1-way sync from on-prem AD to Azure, it depends on how you have Azure AD Connect set up, but if you meant create a group or user in Azure and have it "sync" that cloud-only group to on-prem AD...then you are correct, it does not work that way today...and I have not heard of it on an official road map.

    • @GlobalGlimpses00
      @GlobalGlimpses00 3 years ago +2

      @@AzureAcademy Please read docs.microsoft.com/en-us/azure/active-directory-domain-services/synchronization , it says one way:
      When you first deploy Azure AD DS, an automatic one-way synchronization is configured and started to replicate the objects from Azure AD. This one-way synchronization continues to run in the background to keep the Azure AD DS managed domain up-to-date with any changes from Azure AD. No synchronization occurs from Azure AD DS back to Azure AD.

    • @AzureAcademy
      @AzureAcademy  3 years ago +4

      There are 2 different syncs talked about in this thread.
      Azure AD Connect sync from "on-prem" to Azure is a 1-way sync, meaning that you have to make changes in AD then sync them to Azure. You CANNOT create a "cloud only" user in Azure and sync it to on-prem.
      Also in the Azure AD DS sync:
      this is a 1-way sync from Azure to Azure AD Domain Services. All your users and groups need to be created in Azure AD...which will sync to Azure AD DS.
      So if you have on-prem, Azure AD and Azure AD DS...then
      you would create or update a user in your on-prem AD...which will sync to Azure AD.
      Then the next, separate sync from Azure AD will send that change to Azure AD DS.

  • @ianwillis5292
    @ianwillis5292 3 years ago +1

    Awesome vid, thanks. Question: Is it possible to domain join VMs to the managed domain if those VMs reside in AWS Gov, AWS Commercial, as well as Azure Gov? (Our managed domain is configured in our Azure Commercial account). Thanks for the great content sir!

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Thanks! YES it is possible. As long as the computers have line of sight to the domain controllers of AADDS and the proper DNS configuration so they can resolve your domain name, you should be good to go!

  • @alienzooband
    @alienzooband 3 years ago +1

    Awesome video dude! Thanks heaps

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Happy to help Chris... what else are you interested in?

  • @Rybek
    @Rybek 3 years ago +1

    It's confusing to me, or I'm not sure: if you already have password hash synchronisation enabled via Azure AD Connect, do we
    still need to do the steps related to this PS script that triggers a full password sync that includes legacy password hashes? If we enabled password sync in AD Connect, is it not doing that for some objects? The Microsoft document also does not mention why this whole step is required.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Password Hash Sync is not the same thing as the script I called out. This is needed because the sync does not pass enough data to generate the kerb auth that Azure ADDS needs to setup your passwords. The docs do call out this step, and you can get to it right from the Azure AD DS service in the Azure Portal. Or am I misunderstanding what you are saying? 🤷‍♂️

    • @Rybek
      @Rybek 3 years ago +1

      @@AzureAcademy Ok, I understand now that it is to enforce replication of additional data. The configuration is mentioned in the DOCS, but there is no explanation why this is needed.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      It is needed because Azure AD Connect syncing to Azure AD does not pass the data that is needed by AzureAD DS from the initial sync. This is because AzureAD doesn’t need most of it. OAuth and Saml are very different than Kerberos.
      AzureAD DS needs that additional data so you can authenticate...does that help?

  • @kdimail
    @kdimail 3 years ago +1

    Can I make a regular domain join with Azure ADDS and NOT sync with an existing ADDS?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Yes, you can join the Azure AD Domain Services domain...it does not have to be connected to an on-prem Active Directory.

  • @sidzhang
    @sidzhang 3 years ago +1

    Dean, one quick question.
    Technically, do you think on-premises VMs can join the AADDS domain via VPN/ER?
    I know AADDS is cloud-only, it's not an extension of the on-premises domain, but technically is it feasible?
    Thanks

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      I have never tried it...but I assume that IF the VPN gets you line of sight to AADDS and all the correct ports are open then you should be able to authenticate...

  • @efraimwolpin4161
    @efraimwolpin4161 3 years ago +1

    Fantastic video. Really helped out.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Glad you liked it! Please pass it on to your social media.

  • @mariusth6661
    @mariusth6661 3 years ago +1

    How can I change the region? The time settings are wrong for the connected servers. Furthermore, I want to bind network shares like a netlogon script. Is it possible?

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      To change the region where AADDS is deployed you need to delete the service and start from scratch.
      The time settings by default show up in UTC, not in your local time zone. Network shares in group policy management should be possible; I have never tried it.

  • @JimmyArbelaez
    @JimmyArbelaez 1 year ago +1

    I have a typical O365\Azure set up for a small business. I would like to manage my workstations. From watching and reading it seems I don't need AADS. I would like to control my users' updates and think I need to join PCs and use a GPO. Let me know your feedback?

    • @AzureAcademy
      @AzureAcademy  1 year ago +2

      Managing workstations for updates and using GPO can be done with Azure AD Domain Services or traditional Active Directory, either running on-prem or on VMs in the cloud.
      The difference between them is the tools that you can manage with.
      In Azure AD Domain Services you cannot use Intune, since that requires hybrid join or cloud join and AADDS can't do that. Which means no Windows Autopilot, AutoPatch or Update rings, but you CAN use Windows Update.
      So think about what you want your management solution to look like, then find the tools you want to use, and that will lead you to the environment you have to build to make it happen.

    • @JimmyArbelaez
      @JimmyArbelaez 1 year ago +1

      @@AzureAcademy We are totally in the cloud with no on premise.

    • @AzureAcademy
      @AzureAcademy  1 year ago +1

      Then no Intune for you. AADDS can't support Hybrid Join, so what tools are you going to manage your VMs with?

    • @JimmyArbelaez
      @JimmyArbelaez 1 year ago +1

      @@AzureAcademy I need to manage updates.

    • @AzureAcademy
      @AzureAcademy  1 year ago +1

      Managing updates on Windows clients with AADDS means you can only use Windows Update or a 3rd party tool.
      Servers can use the Azure Automanage service.
      Watch this for more info 👉 ruclips.net/video/GbSjkg8MZrE/видео.html

  • @nielsvanderschaeghe751
    @nielsvanderschaeghe751 3 years ago +1

    Hey, I'm currently watching your video on how to set up MSIX app attach. I have an Azure Active Directory in sync with Azure Active Directory Domain Services. I made a group in Azure Active Directory, and now it's visible in the OU AADDC Users; my 2 virtual machines are in the OU AADDC Computers. When I try to add my 2 computers to the group I made in Azure Active Directory it says "insufficient rights to perform the operation". I made a group inside AADDC Computers, but I could not see the group in Azure Active Directory. Any idea on how I can fix this?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      MSIX and AzureAD Domain Services is not a supported solution. At the moment…you can't fix it.

  • @ajitmohanraj
    @ajitmohanraj 3 years ago +2

    Very, very nicely explained - thank you!

  • @vladiesc
    @vladiesc 4 years ago +1

    Very insightful! Any thoughts on GPOs within Azure ADDS? Had massive issues getting those to work, even though they should work according to the documentation..

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      Yeah...the default policy is already in place, so that is your best hope. Remember you don't really control this environment.

    • @feeneymi
      @feeneymi 4 years ago +1

      @Vlad Mihai, Azure ADDS GPOs are achieved in a similar fashion to traditional ADDS, so if you are familiar with Group Policy Management in the traditional sense you should not have too many issues!
      The only thing to note is that any user accounts flowing into Azure ADDS from Azure AD will reside in the "AADDC Users" OU and cannot be moved or separated into other OUs. To apply a GPO to a subset of users, just link your GPO to the "AADDC Users" OU and use GPO Security Filtering to limit the application to specific users if required.
      On a side note: I had a requirement to reuse some of our GPOs from ADDS in Azure ADDS, but as outlined by Dean in the video there is no link between ADDS and Azure ADDS. However, GPOs can be exported from ADDS and easily imported to Azure ADDS, so there isn't a need to start from scratch if you need the same GPO in both environments.
      @@AzureAcademy Dean, thanks again for the great content.

    • @diabilliq
      @diabilliq 4 years ago +1

      The tl;dr is it's a giant cluster to do anything in GP with AADDS.

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      LOL...yeah...it can be a challenge 🤦‍♂️

    • @AzureAcademy
      @AzureAcademy  4 years ago +3

      Thanks @Michael Feeney, and he is correct @Vlad Mihai. You do use AD Group Policy Manager to do the GPO work in AADDS, but there are more hoops to jump through just to get into it. Joining a VM to the AADDS domain directly before you can manage it, for example, vs. a traditional AD domain where I can just present creds from another domain...can't do that in AADDS. I have also had some on-prem policies that I wanted to add but could not...since I can get to the domain controller to modify the admx/adml files or add new ones, etc.
      The point I wanted to emphasize is that the purpose of AADDS is NOT to be your AD running in the cloud with all the traditional features and controls you can have with a domain controller directly...it is intended for adding legacy authentication to the world of Azure, so don't expect too much more. But in general, if you need legacy auth and can live with the limitations of the cloud service then it should work great for you!

  • @patriklemos420
    @patriklemos420 2 years ago +1

    Great video! Can I add users from AAD DS to an on-premises security group, considering a connection between my on-premises AD and AAD DS?

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      Hey Patrik, no you can't. Azure cannot sync that way...only into Azure AD DS.

    • @patriklemos420
      @patriklemos420 2 years ago +1

      @@AzureAcademy Even if my on premises AD is already synced with my Azure AD tenant via (Azure AD Connect)? I appreciate your help in advance.

    • @AzureAcademy
      @AzureAcademy  a year ago +1

      Nope…AADDS only accepts user/group syncs in 1 direction.

  • @gizmo9987
    @gizmo9987 3 years ago +1

    I am the new IT guy for a company of ~200 employees in multiple locations around the USA. This company currently has no on-premise domain controller, all computers are on a simple Workgroup. They are actively using Office 365. I'd like to have the ability to manage users as one would in a typical on-premise AD for the local office and especially satellite offices. I understand this can be accomplished with site-to-site vpn. Can this also be accomplished with Azure AD or AzureADDS or a combination of the two?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      So you have multiple things here.
      1. Connectivity to multiple on prem locations
      2. Want to have a domain but not manage it
      3. Using office 365 and AzureAD
      The question here is why…?
      What is your goal in the VPN?

  • @Illuminaughty1942
    @Illuminaughty1942 3 years ago +1

    Wish I found this guy earlier. Damn good quality vids

  • @LiamGlanfield
    @LiamGlanfield 2 years ago +1

    Thanks for this, very useful. I have a client that is cloud only. They now need to support legacy LDAPS; as Connect goes from AD to AAD this won't work for them, as they don't have any on-prem AD. Could I simply set up AADDS for them and a site-to-site VPN for those few on-prem services that need the legacy protocol? I don't want to build a full on-prem AD if I can help it.

    • @AzureAcademy
      @AzureAcademy  2 years ago +2

      Thanks for watching!
      1. If they are cloud only why do they need LDAP?
      2. Where are the client devices or other services that need to access LDAP?

    • @LiamGlanfield
      @LiamGlanfield 2 years ago +1

      @@AzureAcademy The company has grown; due to the business sector they're in they need LDAP for managing onsite infrastructure. Networking equipment mostly and some legacy apps (really tried, OAuth not supported :'( ). No servers, all of those are in the cloud. There is a business need for it. Having read more I think AADDS will do the job; it removes the headaches of AD on-prem. Site-to-site VPN for access to it.

    • @AzureAcademy
      @AzureAcademy  2 years ago +2

      You will still need a site-to-site VPN to connect the Azure AD Domain Services world to your on-prem networking equipment if you need secure LDAP or private/encrypted communications, which you would generally want in authentication. But if you are OK without it…it should work.

    • @LiamGlanfield
      @LiamGlanfield 2 years ago +1

      @@AzureAcademy Awesome, thanks for confirming. Think I'm going to set up a tenant and get the process documented before I move it to prod. Also feel setting up a point-to-site VPN would benefit admins looking to administer the AADDS if ever needed. Thanks for the replies.

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      👍

  • @intellitechsonsite
    @intellitechsonsite 3 years ago +1

    I'm more confused now. I've seen the debate on building your WVD environment with an Azure DC or with AD DS, but not both. My take has always been that one you have to manage, but is the less expensive traditional approach and the other is managed for you at a higher price. What am I missing on replying both?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      So I am clear on what you are asking...is your question which solution is cheaper...because I would say a small VM running in Azure, depending on size, can be cheaper than Azure AD Domain Services...it will definitely be cheaper if you only have 1 domain controller...so IF cost is your ONLY concern that's the way to go. IF however the managed service aspect of
      Azure AD DS does cost more...but it is a self-managed service...which also has value because you don't need an expensive AD admin to run it for you...

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      My point in this video was to address people who think Azure AD DS is just a managed-service Domain Controller...and I can use it to extend my domain into Azure...that's not how it works.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      WVD doesn’t care as long as there is a domain for your session hosts to join...but you need to know that Azure AD DS is NOT an extension of your existing domain...and the other “limitations” of the managed service...then if it is still right for you...it will work great!
      Hope this helps 👍👍

    • @intellitechsonsite
      @intellitechsonsite 3 years ago +1

      @@AzureAcademy Sorry for the confusion. I am pretty clear on the advantages and disadvantages of both options, DC with AD and AD DS. This video led me to think you are suggesting both within the same WVD environment. Looking for clarity on that... thanks!

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      NO...Definitely NOT. For WVD pick one or the other for your environment.
      And I am not just talking about WVD. If you have an AD on-prem my best recommendation would be to put another domain controller in the cloud and set up a new AD Site for it with its own subnet.
      If you DO NOT have AD today...and you don't want to manage AD, then Azure AD DS can be a good solution.

  • @jpmuga
    @jpmuga 3 years ago +1

    Can someone who has on-prem AD use this in the cloud too? I have a client who has on-prem AD but we want to take it to the cloud. Also, can you use it to authenticate on-premise apps?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      If you want to extend your on-prem AD to the cloud then build a new VM in Azure and promote it to be a domain controller.
      Azure AD Domain Services does not extend your on-prem domain into Azure.

  • @freddy5849
    @freddy5849 2 years ago +1

    Does AADDS work with Windows Hello for Business for Azure files? For Active Directory and a file server on-prem I need to configure a Cloud Trust for Azure AD joined devices. Will I also need to do something like "Cloud trust" or it will work automatically? Thank you !

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      I have not seen support in AADDS for Windows Hello. Also I haven't seen Windows Hello support for Azure Files authentication.

  • @Thorsun
    @Thorsun a year ago +1

    I have a customer that plans to migrate from their current hybrid AD/ Azure AD environment to Azure ADDS. One thing that is setting off alarms is the inability to get Azure ADDS VMs to enroll in Intune or any other 3rd party Endpoint Management service as the VMs don't show up in Azure AD. Do you know if there is a way to get them to show up?

    • @AzureAcademy
      @AzureAcademy  a year ago +1

      With AADDS I don’t think you can do Hybrid Join. You have to edit certain policies that I’m not sure you have access to in a managed domain environment.
      Further…WHY would you want to give up a domain you can fully manage to one you can’t…what do you need it for instead of going 100% Azure AD?

    • @Thorsun
      @Thorsun a year ago +1

      @@AzureAcademy because my customer's IT department is 4 people and they're trying to off load as much of the maintenance tasks as possible. Your answer is what I've concluded as well and will steer the customer away from going the Azure ADDS route and get them to setup DC VMs within Azure.

    • @AzureAcademy
      @AzureAcademy  a year ago +1

      Cool

  • @stevenzsigoszki4535
    @stevenzsigoszki4535 3 years ago +1

    Can you sync two AADDS services located in two different regions to the same Azure Directory? I have to build two sites with WVD, one in the UK and one in AU.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      No you cannot. AADDS doesn’t have a regional DR either. The general idea is that DR would be redeploy in another region... not the best plan if you think of it like a traditional AD... but remember it isn’t

  • @nileshpancholi8285
    @nileshpancholi8285 3 years ago +1

    Excellent video and very informative. Great work.

  • @ramisohail
    @ramisohail 3 years ago +1

    Great video Dean, much needed for this ongoing confusion. One small question: if you give both the exact same domain name, and you have VPN connectivity with on-prem where you have the original AD domain and Azure Domain Services with the same domain, will this cause some kind of conflict, for example for domain-joined machines or anything like that? Or will it resolve only on DNS IP and each one will be separate?

    • @ramisohail
      @ramisohail 3 years ago +1

      Also, if you have everything syncing like you did in the video, will you always need to modify users from on-prem AD since it's connected with Azure AD Connect? Or, when adding new users, can we add them in Azure AD as new cloud-only users, or add them on-prem and force the PowerShell to run it on all services?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Then you will have an issue in routing. The systems connecting over the network would not know which AD environment to communicate with...this is not recommended, but is something that people try to do anyway because they misunderstand AADDS

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      There are multiple scenarios here...But YES, if you have on-prem users syncing AND you wanted to create new "cloud only" users...they would also sync to Azure AD DS,
      but understand that they won't sync back to your on-prem AD.

    • @ramisohail
      @ramisohail 3 years ago +1

      @@AzureAcademy Thanks Dean for your clarification and giving the time to respond to each comment, you are a legend for going the extra mile. Thanks a lot 😊

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Thanks!

  • @fbifido2
    @fbifido2 4 years ago +2

    Questions:
    1. Why does Azure keep asking customers to do PowerShell? Can't Azure do this themselves? All the software belongs to Azure, so WHY????
    2. Can you use AADDS as your only domain service for Azure VMs & Azure stuff {cloud only, no on-prem}???

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      1. That is not quite correct. Azure AD Connect is NOT in Azure, it is installed on your server, in your environment. Microsoft values privacy and doesn’t take action to force changes without your knowledge or consent. Changing how Password Hash Sync functions is a manual task in PowerShell so you can choose to do it.
      Also PowerShell and other forms of automation are the best ways of managing the cloud once you understand the process. Automation is King.

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      2. Yes, you can use AADDS as your only domain controller in Azure. As for on-prem...technically you can set things up to make it work but it is not something I would recommend.
      The general purpose of AADDS is to solve the need for legacy authentication when you are cloud native.

    • @fbifido2
      @fbifido2 4 years ago +1

      @@AzureAcademy Can't Azure create a VM or Linux-based Azure connection software to act as an "AD/DNS/DHCP passthrough for AADDS"??? So we don't have to run an AD on-prem, and allow customers to move to the cloud bit by bit????

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      LOL yeah, I understand what you mean. However you need to remember that AADDS is not intended to be a traditional AD running in the cloud. It is meant to provide legacy auth in the cloud so you don't need to manage traditional AD. All the other services you mentioned, AD/DNS/DHCP in your Linux VM, are add-ons to manage...and cloud services are supposed to be simple and managed by Azure for you.
      But I agree...we should make some kind of switch in the portal to enable this rather than a PowerShell script...I will provide this feedback to the AD team...thanks for the thought!

  • @ajdinzutic
    @ajdinzutic 3 years ago +1

    Hi, so can we also set all GPOs with AADDS? Currently I use a DC and thought about changing it to a PaaS. Could you please make more videos about it?

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      I would NOT change to Azure AD DS if you don't have to. You are NOT an Admin and you cannot do most of what you do in Active Directory. Some GPOs can't be done in Azure AD DS, like FSLogix, because you can't add the .admx or .adml files to the domain controllers.

    • @ajdinzutic
      @ajdinzutic 3 years ago +1

      @@AzureAcademy thanks! So always have a DC on for WVD :)

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      👍👍

  • @fbifido2
    @fbifido2 a year ago +1

    Can one use both AAD & AADDS, no on-prem or cloud-VM AD?

    • @AzureAcademy
      @AzureAcademy  a year ago +3

      Sure, you could always use Azure AD by itself…but Azure AD DS requires Azure AD to work.
      Neither Azure AD nor Azure AD DS need on-prem or a cloud VM with Active Directory to work.

  • @550891
    @550891 3 years ago +2

    Thank you!!! That was an excellent explanation!

  • @stormlight1553
    @stormlight1553 3 years ago +1

    Ok, I have watched this 3 times and am still a touch fuzzy. I get the premise but not the application of it. Are there any other use cases for this besides WVD (assuming that WVD can't work with traditional domain controllers)? Aren't there other identity providers that could tie into your traditional DCs? OKTA, DUO identity provider, etc.?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Azure Virtual Desktop can use traditional DCs, AADDS or Azure AD Join.
      Azure Files storage, netapp storage and any Kerberos Auth needed for other apps can all use AADDS as well.
      AADDS is not an identity layer like Duo, ADFS or Okta, it is a total AD environment

    • @stormlight1553
      @stormlight1553 3 years ago +1

      @@AzureAcademy Thanks. So the only reason to use Azure Domain Services is when you have an all-cloud environment and don't want to spin up a domain controller in the cloud if you need Kerb/LDAP, etc. If you already have an on-prem DC and plan on keeping at least one on site, AADDS is no use to you?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      My thinking exactly ☺️

  • @prinzo.worldwide
    @prinzo.worldwide 2 years ago

    Great video, and helping me learn the Azure jungle.

  • @say2merohit
    @say2merohit 2 years ago +1

    Wow, what a video, just one word: AWESOME!!

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      Thank you so much 😀

    • @say2merohit
      @say2merohit 2 years ago +1

      @@AzureAcademy Also, a lot of people do notice but often don't say it, as the focus is so much on content: the VIDEO EDITING is NEXT LEVEL!!

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      I am always trying to learn how to use these tools to tell better stories. Thanks for noticing, TheOtherSide.

    • @say2merohit
      @say2merohit 2 years ago +1

      @@AzureAcademy you are doing an awesome job !!

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      Thanks!

  • @Random8181
    @Random8181 2 years ago +1

    I really don't see how this is better than creating a couple of DCs as VMs.

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      That was the point of the video. It isn’t better in most cases and AADDS isn’t what a lot of people think it is. For most people in most scenarios you should build a VM and promote it to be a DC…

    • @Random8181
      @Random8181 2 years ago +1

      @@AzureAcademy Thank you, I will be avoiding using it in any future projects. Just don't understand why Microsoft thought it would be a great idea to create Azure ADDS in the first place when there was a perfectly reasonable solution already.

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      Because this is Active Directory as a service. You don't need to know anything about using AD to run it and get the benefits of Kerberos and NTLM. It works great in many solutions…just not like a traditional AD that you manage.

  • @ldkdinesh
    @ldkdinesh 3 years ago +1

    Brilliant video 😊

  • @bkrich
    @bkrich 3 years ago +1

    Thank you for this video.
    If I create a cloud-only user (not on-prem/AADC) in Azure and I created AADDS, will that cloud user's password be synced to AADDS or will a reset still need to happen, and what about new cloud-only users going forward?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      The principle is the same. The user being synced into AADDS needs a password reset, or the script that I showed, in order to sync the password over to AADDS in a way that will allow for Kerberos authentication.

    • @bkrich
      @bkrich 3 years ago +1

      @@AzureAcademy Even if there was no on-prem with AADC?
      What about in these two scenarios:
      1. I have an Azure cloud-only user and I created AADDS after; would I need a password reset?
      2. What if I create AADDS, then I create a fresh Azure AD user; do I need a password reset?
      Is it the reset function, whatever the scenario, that provides the password to AADDS?

    • @AzureAcademy
      @AzureAcademy  3 years ago +3

      If AADDS already exists and then you create a new cloud user, they won't need a reset because the sync is already happening.

    • @bkrich
      @bkrich 3 years ago +1

      @@AzureAcademy thank you!

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      👍👍

  • @evangainer562
    @evangainer562 3 years ago +1

    If I don't have an on-prem AD DC, am I able to just use Azure AD with AADDS?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Yes you can. If you haven’t had a traditional Active Directory until now... why do you want one?

  • @naturevibezz
    @naturevibezz 3 years ago +1

    Hey, can I connect my local systems to Azure AD Domain Services and then use OUs, group policies, etc.?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      You can as long as you have network connectivity…just like any other AD in the cloud.
      You need a client or site to site VPN

    • @naturevibezz
      @naturevibezz 3 years ago +1

      @@AzureAcademy So I need to install a DC in azure?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      No, not exactly. It depends on why you want a DC and how you will get to it from Azure and On Prem…if you have an on prem ☺️. So what are you trying to do?

    • @naturevibezz
      @naturevibezz 3 years ago +1

      @@AzureAcademy All I needed was Microsoft Intune and MDM.

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      To use Intune and MDM you don't need a domain controller at all. You can use Azure AD Join.

  • @TravelIndiaSolo
    @TravelIndiaSolo 3 years ago +1

    Great, very informative video.
    I need some help.
    We have Azure with a domain xyz.com; I set up my ADDS as abc.com.
    When I try to join a personal computer, it doesn't give me the option to join abc.com; it takes me to xyz.com by default.
    How can I change it and choose abc.com?

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      Thanks Ravi! The issue sounds like DNS.
      If the VMs are located in Azure and you want to join abc.com you need to set the virtual network DNS servers. They need to be configured with the IP addresses of the AADDS servers.
      Then they will find that domain.
      Oh, and by the way,
      if the virtual network where the VMs are located is not the same network as AADDS then you will need to set up a peering connection with forwarding in both directions.
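      The DNS and peering fix from the reply above, as an added Az PowerShell example that is not from the video or from anyone in this thread. Resource group, VNet and managed domain names are placeholders, and reading the domain controller IPs through Get-AzADDomainService (Az.ADDomainServices module) is an assumption; they can equally be copied from the managed domain's properties in the portal.

```powershell
# Added example (not from the video or the thread). Placeholders throughout.
$aaddsRg       = 'rg-aadds'          # placeholder: RG holding the managed domain
$aaddsName     = 'abc.com'           # placeholder: managed domain name from the thread
$aaddsVnetName = 'vnet-aadds'        # placeholder: VNet the managed domain was deployed into
$vmRg          = 'rg-vms'            # placeholder: RG holding the VMs that must join abc.com
$vmVnetName    = 'vnet-vms'          # placeholder: VNet those VMs live in

# 1. Get the managed domain's DC addresses (assumption: this property name).
$domainSvc = Get-AzADDomainService -ResourceGroupName $aaddsRg -Name $aaddsName
$dcIps = @($domainSvc.DomainControllerIPAddress)
if ($dcIps.Count -eq 0) { throw "No domain controller IPs found for $aaddsName" }

# 2. Point the VM VNet's DNS at those DCs so VMs can locate abc.com instead of
#    falling through to Azure-provided DNS. Guard against a VNet with no DhcpOptions yet.
$vmVnet = Get-AzVirtualNetwork -ResourceGroupName $vmRg -Name $vmVnetName
if ($null -eq $vmVnet.DhcpOptions) {
    $vmVnet.DhcpOptions = New-Object -TypeName Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vmVnet.DhcpOptions.DnsServers = $dcIps
$vmVnet = $vmVnet | Set-AzVirtualNetwork

# 3. If the VMs are not in the AADDS VNet, peer the two networks in both directions.
#    AllowForwardedTraffic matches the "forwarding in both directions" advice above.
if ($vmVnetName -ne $aaddsVnetName) {
    $aaddsVnet = Get-AzVirtualNetwork -ResourceGroupName $aaddsRg -Name $aaddsVnetName
    Add-AzVirtualNetworkPeering -Name 'vms-to-aadds' -VirtualNetwork $vmVnet `
        -RemoteVirtualNetworkId $aaddsVnet.Id -AllowForwardedTraffic | Out-Null
    Add-AzVirtualNetworkPeering -Name 'aadds-to-vms' -VirtualNetwork $aaddsVnet `
        -RemoteVirtualNetworkId $vmVnet.Id -AllowForwardedTraffic | Out-Null
}

# 4. Report what the VMs will now use for DNS.
[pscustomobject]@{
    VNet       = $vmVnet.Name
    DnsServers = ($vmVnet.DhcpOptions.DnsServers -join ', ')
}
```

      Running VMs only pick up the new VNet DNS servers after a restart or an `ipconfig /renew`; a laptop outside Azure still needs a VPN into the VNet, as the later replies say, because these DC addresses are private.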

    • @TravelIndiaSolo
      @TravelIndiaSolo 3 years ago +1

      @@AzureAcademy thank you! I got that. I could fix DNS issue for all the VMs inside azure but I was asking about a personal laptop.
      How do I join it since it’s on public network.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      The fix is the same for personal laptops as well.
      Your DNS needs to be configured to point at the AADDS domain controllers.

    • @TravelIndiaSolo
      @TravelIndiaSolo 3 years ago +1

      @@AzureAcademy Alright but these personal laptops are not on the Azure network. And the Azure ADDS DNS are configured using private IPs. Can it be done without connecting personal laptops to Azure network?

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      They must be on the same network…so since you have physical laptops and virtual servers in 2 different places you will need a client VPN on the laptops so they can reach the AADDS network.

  • @owaisaziz8537
    @owaisaziz8537 3 years ago +1

    Can we use Azure AD services to administer devices like Mac, Linux and Windows, and how much can we do: encrypt devices, authentication, group policies for Linux and Mac too, patch management, etc.?

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      If you are thinking to use AADDS as a traditional Active Directory like an on-prem domain controller to manage Mac & Linux...the answer is NO.
      HOWEVER...you can have your systems joined to Azure AD and manage them with Microsoft Endpoint Configuration Manager (Intune) as an MDM solution.
      I will have a video on this soon.

    • @owaisaziz8537
      @owaisaziz8537 3 years ago +1

      @@AzureAcademy many thanks

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      👍👍

  • @mandeepbains5735
    @mandeepbains5735 3 years ago +1

    Great explanation, thank you

  • @bantononabike
    @bantononabike 3 years ago +1

    Brilliant, just what I needed.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Happy to help...please share the Azure Academy with everyone so I can help more folks like you!

  • @omprakash-oc4to
    @omprakash-oc4to 2 years ago +2

    How to communicate from on-premise to Azure AD?

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      To connect Azure to on-prem you need an ExpressRoute or a VPN.

  • @tamimthaher2405
    @tamimthaher2405 3 years ago +1

    Great video!!!! Thanks

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Glad you liked it! Please pass it on to your Social Media

  • @onexl001
    @onexl001 4 years ago +1

    Appreciate you sharing this information

  • @MERKJONES
    @MERKJONES 4 years ago +1

    Can AADDS extend NTLM auth to the cloud? We have some legacy web apps that are doing NTLM/Kerberos, and I've deployed a number of Intune-managed machines off domain (gotta upgrade my DCs at some point for offline domain join). Wondering if this can solve my problems there. The users aren't getting logged in automagically to those sites like our intranet page. I feel like: yes, but I want to be certain.

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      Yes...but it depends on the app. If you have an existing domain that would be your best bet. However if you are looking to get out of the traditional domain, and still need NTLM then AADDS can help. You should also look into AAD Joining your VMs to Azure if you haven’t already...I will have a video soon on all the different join states.

    • @MERKJONES
      @MERKJONES 4 years ago +1

      @@AzureAcademy Perfect. Yeah, we have an existing domain already in place... Don't get mad but it has no SLD (I didn't do this lol). OK cool, it's just some simple web application using NTLM like an intranet or dashboard. I'll play around with different scoping while also getting the web team to switch to OAuth. Thanks!!

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      🤣 WHAT NO SLD!!!! LOL 🤣

    • @MERKJONES
      @MERKJONES 4 years ago +1

      @@AzureAcademy I'm dying on the inside because of it. Someone before me set it up as SLD for some bizarre reason.

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      LOL yeah...do they at least have dual UPNs into Azure?

  • @Rybek
    @Rybek 3 years ago +1

    I'm trying right now to map a resource that was replicated to Azure File Shares (storage account) via Azure File Sync to a computer joined to local AD, with ACL enforcement from ADDS. I want to be able to map those resources with ACL enforcement but not rely on local on-prem authentication. This is for a DR scenario. I deployed Azure Active Directory Domain Services, enabled "Identity-based access for file shares", and added users synced via Azure AD Connect to the Storage File Data SMB Share Contributor role. All security groups from local AD that are responsible for access to specific directories are also synced. Mapping is working with ACL enforcement on a computer joined to ADDS but not working for a computer joined to local AD. I suspect that this computer needs to have access to the ADDS subnet to utilise Kerberos and LDAP, so I'm considering a VPN to Azure. I'm guessing that the subnet and VNet that the computer will be allocated will also need to have a route to the ADDS subnet. Am I missing something? Will that be enough? I want to avoid rejoining the computer from local on-prem Active Directory to AADDS, and I understand that I don't need to add the Azure Storage account to on-prem because in this situation authentication will be done by local AD, and when it is not available ACL enforcement will not work, so we don't want this step in the process, right?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      The issue is that you have 2 different domains. In order to use the AzureAD DS authentication to storage you need authentication to the AzureAD DS domain
      It is designed to work if you are joined to that domain not your on prem one 😩🤷🏼‍♂️

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      You can do the same thing with authentication to your traditional domain as well...which would work as I believe you want it to.
      Also for DR...flipping from AD to AzureAD DS won't work because, as I point out...these are 2 unrelated, disconnected, and separate domains.
      How are you planning that AzureAD DS could help in DR?

  • @jimparsons8485
    @jimparsons8485 3 years ago +1

    I really appreciated the explanations. AAD DS is a bit deceiving in that some functions behave the same as on-premise AD DS. I spent a good hour and a half trying to create subnets in Sites and Services. The video really focused on user identity, which was great and helpful. Regarding computer creation to be managed by WVD, are the GPO configurations limited too? I tried to "hide" the D:\ drive in an AAD DS GPO as the D:\ drive is ephemeral. I didn't want my users to even see the drive letter, in order to prevent potential data loss. Additionally, I created a file server in my vNet to share QuickBooks files for my WVD environment users. I am unable to create "mapped" drives using GPO in AAD DS on WVD computers joined as session hosts. I can map drives manually inside the session via command prompt and PowerShell but Windows Explorer doesn't recognize the network drive letters. The AAD DS GPO doesn't add the drive letter for the user either. Would you know if there is a better practice for mapping file shares in WVD and AAD DS?

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      Yeah, GPO can't do everything here. FSLogix for example...you can't do it through GPO because you can't import the ADML & ADMX files on the DC...because you have no rights.
      AADDS is a very limited solution compared to how people usually want to manage AD...
      So unless you are a 100% born-in-the-cloud company and only need legacy auth or any old AD for WVD, I would not recommend it.

    • @jimparsons8485
      @jimparsons8485 3 years ago +1

      Figured out my issue and it was related to SMB. The network drives were mapping in DOS or PowerShell, just not visible in Explorer. Everyday in Azure is a great day to learn something new.

    • @jimparsons8485
      @jimparsons8485 3 years ago +1

      @@AzureAcademy Learning everyday. In the meantime I'm looking forward to the day AADDS gets integrated with Intune

    • @AzureAcademy
      @AzureAcademy  3 years ago +2

      Usually that happens because you used "run as Admin" when you opened the cmd or PS.
      Technically that is a different user context and YOU would not see it in Explorer because YOU didn't map the drive, that admin did.

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      I hear ya...but I am looking fwd to when we don't need a DC at all and can be fully Azure AD Joined.

  • @ctxshekhar7979
    @ctxshekhar7979 2 years ago +1

    Hey Dean, on Azure AD DS, we can't create new user accounts?

    • @AzureAcademy
      @AzureAcademy  2 years ago +2

      Nope! You have to create Azure AD accounts…then they get synced into Azure AD DS

    • @ctxshekhar7979
      @ctxshekhar7979 2 years ago +1

      @@AzureAcademy So basically we can't add the user into the Domain Admins group? Correct me if I am wrong.

    • @AzureAcademy
      @AzureAcademy  2 years ago +2

      Correct. You do not have admin rights in AADDS: no domain, enterprise or schema admin rights.

  • @thomazdan
    @thomazdan 2 years ago +1

    Thank you!

  • @ororosso9615
    @ororosso9615 4 years ago +1

    Simple question: is it possible to add my Win2016 on-prem server to Azure AD service?

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      Simple answer @oro rosso...MAYBE 🤣😁🤦‍♂️
      Can you explain more on your question for me? HOW do you want to join your on-prem server to Azure AD? Do you mean something like Hybrid Join? I have a video coming soon on Device Identity that should help you answer that question. If it is something else, let me know 😎

    • @ororosso9615
      @ororosso9615 4 years ago +1

      @@AzureAcademy Thx for the answer. Imagine an HP ProLiant with W2016 connected via VPN to Azure; can I join it to the Azure AD service, or must I join it to the on-prem domain?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      You can join to Azure AD in 3 ways, Register, Hybrid or Full Azure AD Join. Each one has benefits and requirements. I would generally think that a server would be Hybrid Joined. My Device Identity video will go into a lot more detail...should be live in 2 weeks.

    • @ororosso9615
      @ororosso9615 3 years ago +1

      @@AzureAcademy Thx, great!

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      👍👍

  • @gboyega
    @gboyega 4 years ago +1

    Excellent as ever

  • @samsahimi
    @samsahimi 3 years ago +1

    So let me get this straight, Azure AD is the same as my on premise AD?

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      No, Azure AD is definitely not like Active Directory.
      Check out my Azure AD overview to learn exactly what it is. ruclips.net/video/pN8o0owHfI0/видео.html

    • @AzureAcademy
      @AzureAcademy  3 years ago +1

      Yeah well…🤷🏼‍♂️