Forum Discussion
Binod123
Sep 11, 2023, Copper Contributor
AAD DS creation
Hi,
We have on-prem AD, which syncs users and groups to Azure AD, and services in the cloud.
We have multiple Azure subscriptions in our landing zone. I have a few questions:
- Which subscription should I create AAD DS on? The same as AAD or a different one?
- Can we use the existing domain?
- Can we expand AAD DS across multiple subscriptions and virtual networks?
- Will the new AAD DS cater only for the subscription and vNet we specify?
The whole idea is to be able to log in to VMs in different Azure subscriptions using Azure credentials.
Can we manage to log in to VMs via Azure AD logins without AAD Domain Services, and how?
Please share your experience.
BR,
Binod
3 Replies
- Chandrasekhar_Arya, Iron Contributor
- Which subscription should I create AAD DS on? The same as AAD or a different one? Prefer to create a dedicated subscription for Identity and host all your AD DS there.
- Can we use the existing domain? Yes, that is better so that you don't create domain sprawl; create a read-only AD DS in the dedicated Identity subscription.
- Can we expand AAD DS across multiple subscriptions and virtual networks? Yes, you can, but don't scale across multiple subscriptions; keep them in one single subscription and create resource groups per region. This will ensure that all the IAM users are provided access on the Identity subscription.
- Will the new AAD DS cater only for the subscription and vNet we specify? Maybe not; can you elaborate?
- JeremyWallace, Brass Contributor
If you have an Identity-dedicated Azure subscription landing zone, then that's the one I would recommend deploying Entra Domain Services (formerly Azure AD Domain Services) on.
Yes, you can use an existing domain namespace; however, there are some caveats to doing so. If you want the Entra Domain Services resources to be able to interact with existing on-premises Active Directory resources that use the same domain namespace, you'll have to manually recreate DNS records in the Entra Domain Services DNS for all of your on-premises Active Directory resources. So instead you could use a subdomain: for instance, if your existing domain is contoso.com, you can use ds.contoso.com for your Entra Domain Services environment and then set up conditional forwarders between your Entra Domain Services environment and your Active Directory environment so that they can resolve each other's DNS. Even if you use a different domain from your user accounts (such as ds.contoso.com), the users themselves would be able to log in with their username as it is currently displayed in Azure (email address removed for privacy reasons).
Entra Domain Services can't have endpoints added to additional subscriptions or virtual networks, but you can peer the virtual network that Entra Domain Services is deployed in to other virtual networks on other subscriptions so that they are able to authenticate against Entra Domain Services.
For servers/resources to use Entra Domain Services you have to specify it as the DNS for those resources, so only the virtual networks (or individual VMs) that have the Entra Domain Services IPs set as the DNS servers will use it for DNS & authentication.
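The two steps JeremyWallace describes for a workload vNet in another subscription, peering it to the vNet where Entra Domain Services lives and pointing its DNS at the managed domain's IPs, as an added Azure CLI example. This is not code from the thread or from Microsoft; the subscription IDs, resource group and vNet names, and the DNS IPs 10.0.0.4/10.0.0.5 are constructed placeholders, and the script prints the `az` commands by default (`DRY_RUN=1`) so the commands can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example (not part of the thread). Connects a workload vNet in one
# subscription to the Entra Domain Services vNet in the identity
# subscription and sets the workload vNet's DNS to the managed domain's IPs.
# Subscription IDs, names and IPs below are constructed placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Accept only a dotted-quad IPv4 address with octets 0-255. A mistyped
# resolver address written into the vNet breaks domain join and
# authentication for every VM on it, so validate before updating.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Create the peering in both directions. Entra DS itself stays in the
# identity subscription; peering is what lets other vNets reach it.
peer_to_identity_vnet() {
  id_sub="$1"; id_rg="$2"; id_vnet="$3"
  wl_sub="$4"; wl_rg="$5"; wl_vnet="$6"
  id_vnet_id="/subscriptions/$id_sub/resourceGroups/$id_rg/providers/Microsoft.Network/virtualNetworks/$id_vnet"
  wl_vnet_id="/subscriptions/$wl_sub/resourceGroups/$wl_rg/providers/Microsoft.Network/virtualNetworks/$wl_vnet"

  run az account set --subscription "$id_sub"
  run az network vnet peering create --name "to-$wl_vnet" --resource-group "$id_rg" \
      --vnet-name "$id_vnet" --remote-vnet "$wl_vnet_id" --allow-vnet-access
  run az account set --subscription "$wl_sub"
  run az network vnet peering create --name "to-$id_vnet" --resource-group "$wl_rg" \
      --vnet-name "$wl_vnet" --remote-vnet "$id_vnet_id" --allow-vnet-access
}

# Point the workload vNet at the managed domain's DNS IPs. Only vNets (or
# NICs) configured this way will use Entra DS for DNS and authentication.
set_vnet_dns() {
  sub="$1"; rg="$2"; vnet="$3"; shift 3
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "invalid DNS server address: $ip" >&2; return 1; }
  done
  run az account set --subscription "$sub"
  run az network vnet update --resource-group "$rg" --name "$vnet" --dns-servers "$@"
}

# Constructed example values; replace with your own subscription IDs,
# resource group and vNet names, and the IPs shown on the managed domain.
peer_to_identity_vnet 00000000-0000-0000-0000-000000000001 rg-identity vnet-identity \
                      00000000-0000-0000-0000-000000000002 rg-app vnet-app
set_vnet_dns 00000000-0000-0000-0000-000000000002 rg-app vnet-app 10.0.0.4 10.0.0.5
```

Run it once with the default `DRY_RUN=1` to review the commands, then with `DRY_RUN=0` against a signed-in `az` session. The conditional forwarders JeremyWallace mentions (ds.contoso.com to on-prem AD and back) are configured on the DNS servers themselves, not on the vNet, so they are outside this script.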