With Azure Active Directory Domain Services you can join your Azure Virtual machines with Active Directory domain without domain controller. This services is hosted in Azure Platform.
So the users can sign into your virtual machine with the present identifiers in the AD database. It’s possible to secure the virtual machine with Grtoup Policy.
Create the Azure Active Directory Domain Controllers Administrator group
You need in the first time create an administrative group in your Azure AD tenant. The member of this group are granted administrative privileges on machines that are joined the domain. The group is added to the ‘Administrators’ group.
The Domain Administrator or Enterprise Administrator privileges are not available, it’s reserved by the service. So the privileged operations (configure group policy, joined computer,…) can perform with the Administrator group created (see below).
Go to her azure portal classic (https://manage.windowsazure.com), click on Active Directory tab and select the Azure AD desired.
Now you can create group, click on Group Tab
Click on Add Group and configure the Windows. Enter the Name and Description. Click on validate to perform the creation.
Go to the properties of the group in order to add users in the group.
Add Domain Name
With Azure AD you can add a personalized domain name (nibonnet.fr, inyourcloud.fr,…). For this action, click on Active Directory and select the desired Azure AD. Click on Domain Tab and on Add button. Enter the domain name and click Add.
You need add in your Public DNS Server one TXT records for verify the Domain Name.
You can now use the domain name on Azure AD
Create virtual network
It is necessary to create a virtual network. In the left pane, click Network. Click new, Network Services and Virtual Network. Click on Quick Create.
Enter the name you want. Select the address space and the number of maximum machine. Select the desired location and none in DNS server.
click the Create a Virtual Network. When the creation is completed, go to properties and then click Configure.
It is possible to add a subnet or to change one already present.
Enable the Azure AD Domain Services
In the Azure Classic Portal, click on Active Directory Tab and select the Azure AD desired.
Click on Configure Tab, in domain services, enable the setting « enable the domain for this directory services » by clicking Yes.Enter the DNS domain name and selects the virtual network. Click the Save button. After 20-30 minutes, the ip address of domain controller is displayed.
You can now modify the Azure Virtual Network for Add DNS Server. Click Add for save the configuration.
It is now necessary to synchronize an Active Directory database with the Azure AD base. It is also possible (for a very limited number of user account) to create accounts manually.
Enable credential hashes required for NTLM and Kerberos authentication
With your Navigator, go to the URL http://myapps.microsoft.com.
Click on Profiles Tab and click on Change the password button. Change the button and click on Send. If you use USers Synchronisation (with Azure AD Connect), use this PowerShell script on each AD Forest.
$adConnector = «
$azureadConnector = «
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter « Microsoft.Synchronize.ForceFullPasswordSync », String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c = Add-ADSyncConnector -Connector $c
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $true
After the creation of the azure AD, the Workstation or server can be join to the domain. It is not necessary to have a virtual machine with ADDS roles in azure to manage these machines (GPO application,…).
Source : https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-getting-started/