Microsoft Entra Domain Services
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Microsoft Entra Domain Services: A Comprehensive Guide
Introduction: Bridging the Gap Between Legacy and Cloud
In the modern enterprise, the transition to cloud-native identity management has become a primary objective for IT departments. While many organizations have successfully migrated their user identities to Microsoft Entra ID (formerly Azure Active Directory), they often find themselves stuck with legacy applications and workloads that rely on traditional Active Directory Domain Services (AD DS). These older applications frequently require protocols like Kerberos, NTLM, Group Policy, and LDAP—features that the standard, REST-based Entra ID does not natively provide.
Microsoft Entra Domain Services (formerly Azure Active Directory Domain Services) acts as the bridge between these two worlds. It provides a managed domain environment that is compatible with traditional Windows Server Active Directory. By deploying Entra Domain Services, you gain the ability to migrate legacy applications to the cloud without re-architecting them, while still benefiting from the centralized management and security of your cloud-based identity provider. Understanding this service is critical for any infrastructure engineer responsible for hybrid identity management, as it allows for a gradual, controlled transition from on-premises infrastructure to a fully modern cloud environment.
Understanding the Architecture of Entra Domain Services
To effectively deploy and manage Entra Domain Services, you must first understand how it differs from a standard, self-managed Active Directory installation. When you deploy Entra Domain Services, you are not spinning up virtual machines and installing the AD DS server role yourself. Instead, you are consuming a managed service where Microsoft handles the underlying infrastructure, including the domain controllers, software patching, and high availability.
The service synchronizes identities from your primary Entra ID tenant into the managed domain. This means that users, groups, and password hashes are replicated from your cloud directory into the managed domain environment. Because it is a managed service, you do not have "Domain Admin" or "Enterprise Admin" privileges. You are provided with a specific "AAD DC Administrators" group that allows you to manage the domain settings, join machines to the domain, and configure Group Policy Objects (GPOs), but you are shielded from the complexities of managing the physical domain controller hardware or the underlying operating system.
Callout: Managed Service vs. IaaS AD DS A common point of confusion is the difference between Entra Domain Services and running Active Directory on Azure Virtual Machines. When you run AD DS on VMs (IaaS), you own the entire stack: you must patch the OS, manage backups, handle replication, and maintain the domain controller health. With Entra Domain Services, Microsoft manages the availability, replication, and patching. You trade off granular control for significant operational efficiency, making it the preferred choice for organizations that need legacy protocol support without the overhead of managing domain controllers.
Planning Your Deployment
Before jumping into the deployment process, you must carefully plan your network and identity requirements. Entra Domain Services requires a dedicated virtual network (VNet) in Azure. It is highly recommended to place the service in its own subnet, separate from your application workloads or other infrastructure components. This isolation ensures that the domain services can communicate freely without being impacted by security rules or traffic patterns from other parts of your network.
Prerequisites for Success
Before you begin the configuration, ensure your environment meets the following requirements:
- Active Directory Tenant: You must have an active Entra ID tenant.
- Licensing: While the service itself is a paid offering, you must ensure your tenant permissions allow for the creation of new resources.
- Networking: You need a virtual network with sufficient IP address space to accommodate the service.
- DNS Configuration: You must be prepared to configure your virtual network DNS settings to point to the IP addresses of the Entra Domain Services domain controllers.
Note: Entra Domain Services is a "one-way" synchronization service. Changes made to user objects or group memberships within the managed domain do not synchronize back to your primary Entra ID tenant. Always perform user and group management in your primary Entra ID interface (or your on-premises AD if using AD Connect) and allow the changes to flow down to the managed domain.
Step-by-Step Deployment Guide
Deploying Entra Domain Services involves several distinct phases, ranging from resource creation to network configuration. Follow these steps to ensure a stable and performant environment.
1. Creating the Managed Domain
Navigate to the Azure Portal and search for "Microsoft Entra Domain Services." Select "Create" to begin the wizard. You will need to provide a DNS domain name. This name should be unique and ideally distinct from your public internet-facing domain name to avoid DNS resolution conflicts. For example, use corp.contoso.com rather than contoso.com.
2. Networking Configuration
During the setup, you will be prompted to select a virtual network and a subnet. As previously mentioned, create a dedicated subnet specifically for the domain services. Microsoft requires this subnet to be dedicated because it will automatically apply network security groups (NSGs) to manage the traffic flow necessary for domain controller replication and client-server communication.
3. Synchronizing Identities
Once the managed domain is provisioned, you need to decide which users and groups will be synchronized. By default, the service might attempt to synchronize all users. However, for security and performance reasons, it is often better to use "Scoped Synchronization." This allows you to select specific groups in Entra ID that contain the users who actually need access to the legacy applications.
4. Configuring DNS
For your virtual machines to join the domain, they must be able to resolve the domain's name. Go to your virtual network settings and update the DNS server configuration. Instead of using the default Azure-provided DNS, set the DNS servers to the IP addresses of the two domain controllers provided by the Entra Domain Services instance.
Managing the Environment: Best Practices
Once your managed domain is operational, the focus shifts to maintenance and security. Managing a managed domain differs from a traditional environment because you cannot use standard tools like "Active Directory Users and Computers" (ADUC) on the domain controllers themselves. Instead, you must install the Remote Server Administration Tools (RSAT) on a Windows virtual machine that is joined to your managed domain.
Managing via RSAT
To perform administrative tasks such as creating Organizational Units (OUs), managing Group Policies, or configuring DNS zones, you must:
- Deploy a Windows Server virtual machine in the same virtual network.
- Join the VM to the managed domain.
- Install the RSAT-AD-AdminCenter and RSAT-GroupPolicy-Management-Tools features via PowerShell:
Install-WindowsFeature RSAT-AD-AdminCenter, RSAT-GroupPolicy-Management-Tools - Log in as a member of the "AAD DC Administrators" group and launch the tools to perform your configuration.
Security and Hardening
Because your managed domain handles sensitive authentication traffic, it is imperative to apply strict security controls. Ensure that the virtual network hosting the domain services is protected by appropriate NSG rules. While Microsoft manages the domain controllers, you are responsible for the security of the virtual machines that join the domain. If an application server is compromised, it can be used to pivot within your domain. Implement a "least privilege" model for service accounts and avoid using high-privilege accounts for running application services.
Tip: Regularly review the "AAD DC Administrators" group membership. Since this group provides significant control over the managed domain, ensure that only authorized IT staff are members. Audit these memberships quarterly as part of your identity governance process.
Common Pitfalls and Troubleshooting
Even with a managed service, issues can and will arise. The most frequent problems encountered by IT teams typically revolve around networking and synchronization.
Synchronization Delays
A common mistake is assuming that changes in Entra ID are instantaneous in the managed domain. In reality, there is a synchronization interval. If you create a user in Entra ID and immediately try to log in to a domain-joined machine using that user, authentication might fail. Wait at least 15–30 minutes for the sync to complete. If the issue persists, check the Entra Domain Services status page in the portal to ensure there are no active health alerts regarding synchronization.
DNS Resolution Failures
If machines cannot join the domain, the culprit is almost always DNS. Verify that your VNet DNS settings are correct. If you are using a custom DNS server for other parts of your network, you may need to configure a conditional forwarder on that DNS server to point requests for your managed domain to the Entra Domain Services IP addresses.
Password Hash Synchronization
Entra Domain Services requires legacy password hashes (NTLM and Kerberos) to function. If you are using Entra ID Connect to sync users from an on-premises AD, you must ensure that password hash synchronization is enabled in the sync tool. Without these specific hashes, users will not be able to authenticate against the managed domain, even if their accounts appear to be present.
Warning: Avoid changing the domain name of the managed domain after it has been deployed. This is an extremely disruptive process that often requires a complete tear-down and rebuild of the service. Choose your domain namespace carefully during the initial planning phase.
Comparison Table: Entra Domain Services vs. Traditional AD
| Feature | Entra Domain Services | Traditional AD DS (on VMs) |
|---|---|---|
| Maintenance | Managed by Microsoft | Self-managed by your team |
| Control | Limited (Managed) | Full administrative access |
| Deployment | Quick (Minutes/Hours) | Slow (Manual installation) |
| Protocol Support | LDAP, Kerberos, NTLM | LDAP, Kerberos, NTLM, DNS, etc. |
| Scalability | Automated | Manual |
| Cost Model | Subscription/Hourly | Hardware/Licensing/Labor |
Advanced Configuration: Custom OUs and Group Policy
One of the most powerful features of Entra Domain Services is the ability to create custom Organizational Units (OUs). By default, all users and computers are placed in the "AADDC Users" and "AADDC Computers" OUs. You can create your own OUs to better organize your infrastructure and apply specific Group Policy Objects (GPOs).
For example, if you have a set of legacy servers that require specific security settings, you can create a dedicated OU for them. You can then use the Group Policy Management console to create a GPO that enforces password complexity, disables specific services, or manages local user accounts on those machines.
Implementing a GPO Example
To disable the guest account on domain-joined machines via GPO:
- Open the Group Policy Management console from your RSAT-enabled VM.
- Navigate to your custom OU.
- Right-click the OU and select "Create a GPO in this domain, and Link it here."
- Edit the GPO and navigate to
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options. - Locate "Accounts: Guest account status" and set it to "Disabled."
This level of control is exactly why organizations choose Entra Domain Services over standard Entra ID for their legacy server infrastructure. It allows you to maintain the "Group Policy" discipline that has been the backbone of Windows administration for decades, even while moving your workloads to the cloud.
Monitoring and Health Checks
Microsoft provides a health monitoring dashboard for Entra Domain Services within the Azure Portal. You should make it a habit to check this dashboard at least once a week. The service will report on the health of the domain controllers, the status of the synchronization process, and the connectivity of the underlying network.
If the service reports a "Critical" state, it often means the domain controllers are unreachable or are failing to synchronize. In such cases, the first step is to verify your network security group rules. Ensure that the required inbound ports (such as TCP/UDP 389, 636, 3268, and 445) are open as required by the service's documentation. If the network configuration is correct and the service remains unhealthy, open a support ticket with Microsoft, as you do not have the ability to restart the services or reboot the domain controllers yourself.
Integrating Legacy Applications: A Practical Scenario
Let's look at a common scenario: migrating an internal company wiki or a legacy document management system. These applications often use Windows Authentication (NTLM) to identify users. When you move these to an Azure VM, the application will fail to authenticate users if it cannot talk to a domain controller.
By deploying Entra Domain Services, you provide the "missing link." You join the application server to the domain, and the application now sees the domain controller as a legitimate source of truth. Users who log into their company laptops using their Entra ID credentials (which are synced to the managed domain) will be able to access the legacy application without needing to enter a separate set of credentials. This provides a "Single Sign-On" (SSO) experience for the end-user, significantly improving productivity and reducing the burden on helpdesk staff who would otherwise be managing multiple password resets for disparate systems.
Future-Proofing Your Identity Strategy
While Entra Domain Services is a powerful tool, it should be viewed as a transitional technology. The ultimate goal for most organizations is to move away from legacy authentication protocols entirely. As you plan your long-term roadmap, look for opportunities to refactor your applications to use modern authentication methods like OAuth 2.0, OpenID Connect, and SAML.
These modern protocols are natively supported by Entra ID and do not require the overhead of a managed domain environment. By slowly replacing your legacy applications with modern alternatives or refactoring them to use modern authentication libraries, you can eventually reduce your reliance on Entra Domain Services. This is the hallmark of a mature cloud identity strategy: leveraging managed services to bridge the gap today, while aggressively pursuing modernization to simplify the architecture for tomorrow.
Key Takeaways for Success
- Understand the Scope: Entra Domain Services is a managed service for legacy protocol support (Kerberos/NTLM/LDAP). It is not a replacement for Entra ID, nor is it a full-featured replacement for an on-premises domain controller.
- Network Isolation is Vital: Always deploy the service into its own dedicated subnet. This prevents network configuration conflicts and simplifies the management of the required security groups.
- Plan for Synchronization: Remember that Entra Domain Services is a downstream consumer of your Entra ID data. Always perform identity management in the primary directory and allow the synchronization process to update the managed domain.
- Use RSAT for Management: Since you do not have direct access to the domain controllers, you must use a domain-joined VM with Remote Server Administration Tools (RSAT) to perform administrative tasks like GPO management.
- Prioritize Modernization: Use Entra Domain Services as a bridge during your migration to the cloud. Continue to evaluate your legacy applications for potential refactoring to modern authentication protocols to eventually phase out the need for the managed domain.
- Regular Monitoring: Treat the service as an extension of your infrastructure. Monitor the health dashboard in the Azure Portal regularly to catch synchronization or connectivity issues before they impact end-users.
- Security Governance: Treat the "AAD DC Administrators" group with the same level of security as "Domain Admins." Audit memberships regularly and restrict access to the absolute minimum number of personnel.
By following these practices, you can effectively manage the transition of legacy workloads to the cloud while maintaining a high standard of security and operational efficiency. Entra Domain Services is an essential component of the hybrid identity toolkit, providing the flexibility needed to support a wide range of applications while moving toward a modern, cloud-first architecture.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons