Enterprise Mobility and Security Blog


Howdy folks,

The #1 reason customers email (and tweet and in-message) me is to ask us to add support for Azure Resource Manager based virtual networks to Azure AD Domain Services.

So I’m excited to announce the public preview of Azure AD Domain Services support for virtual networks created using the Azure Resource Manager deployment model. You can now create new managed AD domains in virtual networks that were provisioned using Azure Resource Manager. This public preview release makes deployment of Azure AD Domain Services much easier for you!

If you follow the blog, you already know that Azure AD Domain Services is pretty cool. It provides managed AD domain services like domain join, group policy, LDAP, and Kerberos/NTLM authentication, and all those services are fully compatible with Windows Server Active Directory.

Azure Resource Manager provides a consistent management layer for the tasks you perform through Azure PowerShell, Azure CLI, Azure portal, REST API, and development tools. Learn more about Azure Resource Manager. The resource manager deployment model is widely used across Azure and is now the preferred way to deploy new Azure workloads.

This new public preview lets you create a managed AD domain in a resource manager virtual network from the Azure portal. To do this, you’ll use the brand-new wizard experience we previewed recently.

Getting Started

Here’s how to get started with the preview:

  1. If Azure AD Domain Services is not enabled for your Azure directory – Create a new managed AD domain using the Azure portal. Be sure to select ‘Resource Manager’ as the virtual network type.

  2. If you’ve already enabled Azure AD Domain Services for your Azure directory – You have an existing managed AD domain enabled in a classic virtual network.
    1. If the existing managed AD domain is a production instance, you won’t be able to use this preview. We are working on a migration feature that allows you to migrate your managed AD domain from the classic virtual network to a Resource Manager virtual network, without deleting the managed AD domain. We will make that available in public preview before the end of December 2017.
    2. If the existing managed AD domain is a test instance, you can disable Azure AD Domain services for the directory. You can then create a new instance and select a Resource Manager-based virtual network.

Note: If you are using Azure AD Domain Services in a classic virtual network for production purposes, do not disable Azure AD Domain Services. You will lose state within the managed AD domain, such as domain joined computers, any custom OUs you’ve created, and objects within them. We will be supporting the migration process of existing managed AD domains from classic virtual networks to resource manager virtual networks later this year.

The Road to GA

We have quite a bit of work still to go before we can GA this feature. The two biggest remaining items are:

  1. We’re going all in on resource manager virtual networks: This public preview release defaults to using resource manager-type virtual networks when you create a new managed AD domain. During the public preview, you’ll be able to choose classic virtual networks while creating a new managed AD domain. But, when support for resource manager virtual networks becomes generally available, you won’t be able to create new managed AD domains in classic virtual networks anymore. Resource manager-based virtual networks will be the only supported deployment model for newly created managed AD domains.

  2. Migration process for existing managed AD domains: We do plan to support a migration process for existing managed AD domains, so you can easily switch from a classic virtual network to a resource manager-based virtual network. We’ll have more details on that process in the coming weeks.

We want to hear from you!

As always, your feedback is very important to us! Please share your comments, questions, or concerns on our discussion forum, send us an email at aaddsfb@microsoft.com, or comment below. We’re listening!

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division