Forum Discussion
Binod123
Sep 11, 2023 (Copper Contributor)
AAD DS creation
Hi, we do have on-prem AD, which syncs to Azure AD for users and groups, and services in the cloud. We do have multiple Azure subscriptions on a landing zone. I have a few questions. Which subscr...
JeremyWallace
Oct 30, 2023 (Brass Contributor)
If you have an identity-dedicated Azure subscription landing zone then that's the one I would recommend deploying Entra Domain Services (formerly Azure AD Domain Services) on.
Yes, you can use an existing domain namespace; however, there are some caveats to doing so. If you want the Entra Domain Services resources to be able to interact with existing on-premises Active Directory resources that use the same domain namespace, you'll have to manually recreate DNS records in the Entra Domain Services DNS for all of your on-premises Active Directory resources. So instead you could use a subdomain: for instance, if your existing domain is contoso.com, you can use ds.contoso.com for your Entra Domain Services environment and then you can set up conditional forwarders between your Entra Domain Services environment and your Active Directory environment so that they can resolve each other's DNS. Even if you use a different domain from your user accounts (such as ds.contoso.com), the users themselves would be able to log in with their username as it is currently displayed in Azure (email address removed for privacy reasons).
Entra Domain Services can't have endpoints added to additional subscriptions or virtual networks, but you can peer the virtual network that Entra Domain Services is deployed in to other virtual networks on other subscriptions so that they are able to authenticate against Entra Domain Services.
For servers/resources to use Entra Domain Services you have to specify it as the DNS for those resources, so only the virtual networks (or individual VMs) that have the Entra Domain Services IPs set as the DNS servers will use it for DNS & authentication.
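The layout described in the answer above (managed domain on a subdomain, conditional forwarder from on-prem, VNet peering, and VNet DNS pointed at the managed domain), as an added example that is not part of the thread. All names, resource groups and IP addresses are assumed placeholders; the managed domain's DNS IPs are the ones shown on its Properties blade in the portal.

```powershell
# Assumed placeholder values; replace with your own.
$ManagedDomain = 'ds.contoso.com'                 # subdomain used for Entra Domain Services
$EntraDsDnsIps = @('10.10.0.4', '10.10.0.5')      # managed domain controller IPs (assumed)
$IdentityRg    = 'rg-identity';  $IdentityVnet = 'vnet-identity'   # identity landing zone
$WorkloadRg    = 'rg-workload';  $WorkloadVnet = 'vnet-workload'   # a VNet in another subscription

# --- On-premises DC (DnsServer module, run as a DNS admin) ---
# Forward ds.contoso.com to the managed domain's DNS so on-prem hosts can resolve it.
Add-DnsServerConditionalForwarderZone -Name $ManagedDomain `
    -MasterServers $EntraDsDnsIps -ReplicationScope 'Forest'
# The reverse forwarder (contoso.com -> on-prem DCs) is created inside the managed
# domain's DNS from a domain-joined management VM using the DNS console; not shown here.

# --- Azure side (Az.Network). Assumes the current Az context can see both VNets;
#     use Set-AzContext to switch subscriptions if the workload VNet lives elsewhere. ---
$idVnet = Get-AzVirtualNetwork -Name $IdentityVnet -ResourceGroupName $IdentityRg
$wlVnet = Get-AzVirtualNetwork -Name $WorkloadVnet -ResourceGroupName $WorkloadRg

# Point the workload VNet's DNS at the managed domain. Only VNets (or NICs) configured
# this way will use Entra Domain Services for name resolution and authentication.
if (-not $wlVnet.DhcpOptions) {
    # PSDhcpOptions is the Az.Network model type; the property is null when no DNS is set.
    $wlVnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$wlVnet.DhcpOptions.DnsServers = $EntraDsDnsIps
$wlVnet = Set-AzVirtualNetwork -VirtualNetwork $wlVnet   # returns the refreshed object

# Peer both ways so VMs in the workload VNet can reach the managed domain controllers.
Add-AzVirtualNetworkPeering -Name 'identity-to-workload' -VirtualNetwork $idVnet `
    -RemoteVirtualNetworkId $wlVnet.Id | Out-Null
Add-AzVirtualNetworkPeering -Name 'workload-to-identity' -VirtualNetwork $wlVnet `
    -RemoteVirtualNetworkId $idVnet.Id | Out-Null

# Check from a VM in the workload VNet: the DC locator SRV record must answer
# via the managed domain's DNS, otherwise domain join and Kerberos will fail.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV -Server $EntraDsDnsIps[0]
```

Check the peering state with Get-AzVirtualNetworkPeering on both VNets before joining machines; an unconnected peering is the usual reason the SRV lookup above times out.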