CloudWiki
Resource

Domain Service

Microsoft Azure
Identity
Azure Active Directory Domain Services (Azure AD DS) is a fully-managed domain service that provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication, all fully compatible with Windows Server Active Directory. It integrates with Azure AD and is used to provide managed domain services to Azure VMs and to deploy legacy applications that depend on domain services. Azure AD DS also provides secure LDAP access over SSL/TLS to Azure AD and supports hybrid identity scenarios.
Terraform Name
terraform
azurerm_active_directory_domain_service
Domain Service
attributes:

The following arguments are supported:

  • domain_name - (Required) The Active Directory domain to use. See official documentation for constraints and recommendations. Changing this forces a new resource to be created.
  • domain_configuration_type - (Optional) The configuration type of this Active Directory Domain. Possible values are FullySynced and ResourceTrusting. Changing this forces a new resource to be created.
  • filtered_sync_enabled - (Optional) Whether to enable group-based filtered sync (also called scoped synchronisation). Defaults to false.
  • secure_ldap - (Optional) A secure_ldap block as defined below.
  • location - (Required) The Azure location where the Domain Service exists. Changing this forces a new resource to be created.
  • name - (Required) The display name for your managed Active Directory Domain Service resource. Changing this forces a new resource to be created.
  • notifications - (Optional) A notifications block as defined below.
  • initial_replica_set - (Required) An initial_replica_set block as defined below. The initial replica set inherits the same location as the Domain Service resource.
  • resource_group_name - (Required) The name of the Resource Group in which the Domain Service should exist. Changing this forces a new resource to be created.
  • security - (Optional) A security block as defined below.
  • sku - (Required) The SKU to use when provisioning the Domain Service resource. One of Standard, Enterprise or Premium.
  • tags - (Optional) A mapping of tags assigned to the resource.

A secure_ldap block supports the following:

  • enabled - (Required) Whether to enable secure LDAP for the managed domain. For more information, please see official documentation on enabling LDAPS, paying particular attention to the section on network security to avoid unnecessarily exposing your service to Internet-borne bruteforce attacks.
  • external_access_enabled - (Optional) Whether to enable external access to LDAPS over the Internet. Defaults to false.
  • pfx_certificate - (Required) The certificate/private key to use for LDAPS, as a base64-encoded TripleDES-SHA1 encrypted PKCS#12 bundle (PFX file).
  • pfx_certificate_password - (Required) The password to use for decrypting the PKCS#12 bundle (PFX file).

A notifications block supports the following:

  • additional_recipients - (Optional) A list of additional email addresses to notify when there are alerts in the managed domain.
  • notify_dc_admins - (Optional) Whether to notify members of the AAD DC Administrators group when there are alerts in the managed domain.
  • notify_global_admins - (Optional) Whether to notify all Global Administrators when there are alerts in the managed domain.

An initial_replica_set block supports the following:

  • subnet_id - (Required) The ID of the subnet in which to place the initial replica set. Changing this forces a new resource to be created.

A security block supports the following:

  • kerberos_armoring_enabled - (Optional) Whether to enable Kerberos Armoring. Defaults to false.
  • kerberos_rc4_encryption_enabled - (Optional) Whether to enable Kerberos RC4 Encryption. Defaults to false.
  • ntlm_v1_enabled - (Optional) Whether to enable legacy NTLM v1 support. Defaults to false.
  • sync_kerberos_passwords - (Optional) Whether to synchronize Kerberos password hashes to the managed domain. Defaults to false.
  • sync_ntlm_passwords - (Optional) Whether to synchronize NTLM password hashes to the managed domain. Defaults to false.
  • sync_on_prem_passwords - (Optional) Whether to synchronize on-premises password hashes to the managed domain. Defaults to false.
  • tls_v1_enabled - (Optional) Whether to enable legacy TLS v1 support. Defaults to false.

Associating resources with a
Domain Service
Resources do not "belong" to a
Domain Service
Rather, one or more Security Groups are associated to a resource.
Create
Domain Service
via Terraform:
The following HCL manages an Active Directory Domain Service
Syntax:

provider "azurerm" {
 features {}
}

resource "azurerm_resource_group" "deploy" {
 name     = "example-resources"
 location = "West Europe"
}

resource "azurerm_virtual_network" "deploy" {
 name                = "deploy-vnet"
 location            = azurerm_resource_group.deploy.location
 resource_group_name = azurerm_resource_group.deploy.name
 address_space       = ["10.0.1.0/16"]
}

resource "azurerm_subnet" "deploy" {
 name                 = "deploy-subnet"
 resource_group_name  = azurerm_resource_group.deploy.name
 virtual_network_name = azurerm_virtual_network.deploy.name
 address_prefixes     = ["10.0.1.0/24"]
}

resource "azurerm_network_security_group" "deploy" {
 name                = "deploy-nsg"
 location            = azurerm_resource_group.deploy.location
 resource_group_name = azurerm_resource_group.deploy.name

 security_rule {
   name                       = "AllowSyncWithAzureAD"
   priority                   = 101
   direction                  = "Inbound"
   access                     = "Allow"
   protocol                   = "Tcp"
   source_port_range          = "*"
   destination_port_range     = "443"
   source_address_prefix      = "AzureActiveDirectoryDomainServices"
   destination_address_prefix = "*"
 }

 security_rule {
   name                       = "AllowRD"
   priority                   = 201
   direction                  = "Inbound"
   access                     = "Allow"
   protocol                   = "Tcp"
   source_port_range          = "*"
   destination_port_range     = "3389"
   source_address_prefix      = "CorpNetSaw"
   destination_address_prefix = "*"
 }

 security_rule {
   name                       = "AllowPSRemoting"
   priority                   = 301
   direction                  = "Inbound"
   access                     = "Allow"
   protocol                   = "Tcp"
   source_port_range          = "*"
   destination_port_range     = "5986"
   source_address_prefix      = "AzureActiveDirectoryDomainServices"
   destination_address_prefix = "*"
 }

 security_rule {
   name                       = "AllowLDAPS"
   priority                   = 401
   direction                  = "Inbound"
   access                     = "Allow"
   protocol                   = "Tcp"
   source_port_range          = "*"
   destination_port_range     = "636"
   source_address_prefix      = "*"
   destination_address_prefix = "*"
 }
}

resource "azurerm_subnet_network_security_group_association" "deploy" {
 subnet_id                 = azurerm_subnet.deploy.id
 network_security_group_id = azurerm_network_security_group.deploy.id
}

resource "azuread_group" "dc_admins" {
 display_name     = "AAD DC Administrators"
 security_enabled = true
}

resource "azuread_user" "admin" {
 user_principal_name = "dc-admin@hashicorp-example.com"
 display_name        = "DC Administrator"
 password            = "Pa55w0Rd!!1"
}

resource "azuread_group_member" "admin" {
 group_object_id  = azuread_group.dc_admins.object_id
 member_object_id = azuread_user.admin.object_id
}

resource "azuread_service_principal" "example" {
 application_id = "2565bd9d-da50-47d4-8b85-4c97f669dc36" // published app for domain services
}

resource "azurerm_resource_group" "aadds" {
 name     = "aadds-rg"
 location = "westeurope"
}

resource "azurerm_active_directory_domain_service" "example" {
 name                = "example-aadds"
 location            = azurerm_resource_group.aadds.location
 resource_group_name = azurerm_resource_group.aadds.name

 domain_name           = "widgetslogin.net"
 sku                   = "Enterprise"
 filtered_sync_enabled = false

 initial_replica_set {
   subnet_id = azurerm_subnet.deploy.id
 }

 notifications {
   additional_recipients = ["notifyA@example.net", "notifyB@example.org"]
   notify_dc_admins      = true
   notify_global_admins  = true
 }

 security {
   sync_kerberos_passwords = true
   sync_ntlm_passwords     = true
   sync_on_prem_passwords  = true
 }

 tags = {
   Environment = "prod"
 }

 depends_on = [
   azuread_service_principal.example,
   azurerm_subnet_network_security_group_association.deploy,
 ]
}

Create
Domain Service
via CLI:
Parameters:

az ad ds create --domain
               --name
               --replica-sets
               --resource-group
               [--domain-config-type {FullySynced, ResourceTrusting}]
               [--external-access {Disabled, Enabled}]
               [--filtered-sync {Disabled, Enabled}]
               [--ldaps {Disabled, Enabled}]
               [--no-wait]
               [--notify-dc-admins {Disabled, Enabled}]
               [--notify-global-admins {Disabled, Enabled}]
               [--notify-others]
               [--ntlm-v1 {Disabled, Enabled}]
               [--pfx-cert]
               [--pfx-cert-pwd]
               [--resource-forest {Disabled, Enabled}]
               [--settings]
               [--sku {Enterprise, Premium, Standard}]
               [--sync-kerberos-pwd {Disabled, Enabled}]
               [--sync-ntlm-pwd {Disabled, Enabled}]
               [--sync-on-prem-pwd {Disabled, Enabled}]
               [--tags]
               [--tls-v1 {Disabled, Enabled}]

Example:

az ad ds create --domain "TestDS.com" --replica-sets location="West US" subnet-id="<subnetId>" --name "TestDS.com" --resource-group "rg"

aws cost
Costs
Direct Cost
Indirect Cost
No items found.
Best Practices for
Domain Service

Categorized by Availability, Security & Compliance and Cost

Low
Access allowed from VPN
No items found.
Low
Auto Scaling Group not in use
No items found.
Medium
Connections towards DynamoDB should be via VPC endpoints
No items found.
Medium
Container in CrashLoopBackOff state
No items found.
Low
EC2 with GPU capabilities
No items found.
Medium
EC2 with high privileged policies
No items found.
Medium
ECS cluster delete alarm
No items found.
Critical
ECS task with Admin access (*:*)
Medium
ECS task with high privileged policies
No items found.
Critical
EKS cluster delete alarm
No items found.
Medium
ElastiCache cluster delete alarm
No items found.
Medium
Ensure Container liveness probe is configured
No items found.
Medium
Ensure ECS task definition has memory limit
No items found.
Critical
Ensure EMR cluster master nodes are not publicly accessible
No items found.
More from
Microsoft Azure