Tag Archives: Managed Azure Domain Service

MANAGE AZURE ACTIVE DIRECTORY WITH POWERSHELL – PART 02

In the previous part of this blog series, I explained how to install the Azure AD PowerShell module and how to use it to manage Azure Active Directory directly with PowerShell commands. If you have not read it yet, you can find it at http://www.rebeladmin.com/2017/02/manage-azure-active-directory-powershell-part-01/

In this post, I am going to explain another set of cmdlets and how to use them.

Some of the commands we use for on-premises Active Directory management work for Azure Active Directory too; the only difference is the cmdlet name. As an example, in on-premises AD we use New-ADUser to add a user, while in Azure AD it becomes New-MsolUser. If you want to know more about a command and its usage, the easiest way to start is with the following commands.

More information about a command can be viewed using

Get-Help New-MsolUser -Detailed

Technical information about the command can be viewed using

Get-Help New-MsolUser -Full

Online information about the command can be viewed using

Get-Help New-MsolUser -Online

We also can view some examples for the command using

Get-Help New-MsolUser -Examples

We can simply create a new user using

New-MsolUser -UserPrincipalName "jeffm@therebeladmin.com" -DisplayName "Jeff Mak" -FirstName "Jeff" -LastName "Mak" -PasswordNeverExpires $true

In order to create a user, you need to connect to Azure AD with a user who has the “Global Admin” role.

In the above command, UserPrincipalName specifies the UPN, and the user's password is set not to expire.

Obviously, sometimes we need to change the password of an existing account.

Set-MsolUserPassword -UserPrincipalName "jeffm@therebeladmin.com" -NewPassword 'pa$$word'

The above command resets the password of jeffm@therebeladmin.com to the new value. Note that the password is in single quotes: inside double quotes PowerShell would expand $$ (the current process ID) and the account would end up with a different password than intended.

Instead of specifying a password, the following command generates a random password and forces the user to reset it at next login.

Set-MsolUserPassword -UserPrincipalName "jeffm@therebeladmin.com" -ForceChangePassword $true

Azure Active Directory does have predefined administrative roles with different capabilities. This allows administrators to assign permissions to users to do only certain tasks.

More details about these administrative roles and their capabilities can be found at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles

We can list these administrative roles using

Get-MsolRole

Depending on requirements, we can add users to these administrative roles.

Add-MsolRoleMember -RoleName "User Account Administrator" -RoleMemberObjectId "e74c79ec-250f-4a47-80dd-78022455e383"

The above command adds the user with object ID e74c79ec-250f-4a47-80dd-78022455e383 to the role.

In order to view the existing members of the different administrator roles, we can use commands similar to the ones below.

$RoleMembers = Get-MsolRole -RoleName "User Account Administrator"

Get-MsolRoleMember -RoleObjectId $RoleMembers.ObjectId

This lists the users that have the User Account Administrator role assigned.
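The two commands above cover one role at a time. For a periodic privileged-access review you usually want every role and every member in one report, and you want to assign by UPN rather than paste a GUID. The script below is an added example, not code from the original post; it assumes the MSOnline module is installed, that Connect-MsolService has already been run with a Global Admin account, and it uses the same jeffm@therebeladmin.com account as the post.

```powershell
# Added example: enumerate every Azure AD administrative role and its members,
# then highlight the most privileged ones. Assumes MSOnline is installed and
# Connect-MsolService has been run in this session.
Import-Module MSOnline

function Get-MsolRoleReport {
    # One row per (role, member) pair; roles with no members produce no rows
    $report = foreach ($role in Get-MsolRole) {
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
        foreach ($m in $members) {
            [pscustomobject]@{
                Role       = $role.Name
                Member     = $m.DisplayName
                Email      = $m.EmailAddress
                MemberType = $m.RoleMemberType   # User, Group or ServicePrincipal
                ObjectId   = $m.ObjectId
            }
        }
    }
    return $report
}

$assignments = Get-MsolRoleReport
$assignments | Sort-Object Role, Member | Format-Table -AutoSize

# "Company Administrator" is the MSOnline name of the Global Admin role.
# These two roles can create users and reset passwords, so review them first.
$privileged = 'Company Administrator', 'User Account Administrator'
$assignments | Where-Object { $_.Role -in $privileged } |
    Format-Table Role, Member, MemberType -AutoSize

# Assign by UPN instead of hard-coding the object ID (this modifies the tenant)
$user = Get-MsolUser -UserPrincipalName 'jeffm@therebeladmin.com'
Add-MsolRoleMember -RoleName 'User Account Administrator' -RoleMemberObjectId $user.ObjectId
```

Running the report before and after a change, and keeping the output, gives you a simple record of who held which administrative role at a given time.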

Apart from roles, Azure AD also has security groups.

New-MsolGroup -DisplayName "HelpDesk" -Description "Help Desk Users"

The above command creates a group called HelpDesk.

A group contains members. We can add members to a group using commands similar to the one below.

Add-MsolGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1 -GroupMemberType User -GroupMemberObjectId e74c79ec-250f-4a47-80dd-78022455e383

This adds the user with object ID e74c79ec-250f-4a47-80dd-78022455e383 to the group with object ID a53cc08c-6ffa-4bd6-8b03-807740e100f1.

We can list the users of the group using

Get-MsolGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1

We can view all the groups and their group IDs using

Get-MsolGroup

In order to remove a member from a security group, we can use the Remove-MsolGroupMember cmdlet.

Remove-MsolGroupMember -GroupObjectId a53cc08c-6ffa-4bd6-8b03-807740e100f1 -GroupMemberType User -GroupMemberObjectId e74c79ec-250f-4a47-80dd-78022455e383

In order to remove a user from an administrator role, we can use the Remove-MsolRoleMember cmdlet.

Remove-MsolRoleMember -RoleName "User Account Administrator" -RoleMemberType User -RoleMemberObjectId "e74c79ec-250f-4a47-80dd-78022455e383"

The above command removes the user with object ID e74c79ec-250f-4a47-80dd-78022455e383 from the User Account Administrator role.
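The group commands above all take object IDs that you first have to look up by hand. The script below, an added example rather than code from the original post, puts the whole group lifecycle together: it creates the HelpDesk group only if it does not exist, resolves the user by UPN, adds the member only when not already present, verifies the membership and removes it again. It assumes MSOnline is installed and Connect-MsolService has been run; the group name and UPN are the ones used in the post.

```powershell
# Added example: idempotent group management with the MSOnline cmdlets.
# Assumes Connect-MsolService has already been run in this session.
Import-Module MSOnline

function Get-OrCreateMsolGroup {
    param([string]$DisplayName, [string]$Description)
    # -SearchString matches on the start of the display name, so filter for an exact match
    $existing = Get-MsolGroup -SearchString $DisplayName |
        Where-Object { $_.DisplayName -eq $DisplayName }
    if ($existing) { return $existing }
    return New-MsolGroup -DisplayName $DisplayName -Description $Description
}

function Test-MsolGroupMember {
    param([guid]$GroupObjectId, [guid]$UserObjectId)
    $members = Get-MsolGroupMember -GroupObjectId $GroupObjectId
    return [bool]($members | Where-Object { $_.ObjectId -eq $UserObjectId })
}

$group = Get-OrCreateMsolGroup -DisplayName 'HelpDesk' -Description 'Help Desk Users'
$user  = Get-MsolUser -UserPrincipalName 'jeffm@therebeladmin.com'

# Add only when the user is not already a member, so re-running the script is safe
if (-not (Test-MsolGroupMember -GroupObjectId $group.ObjectId -UserObjectId $user.ObjectId)) {
    Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User `
        -GroupMemberObjectId $user.ObjectId
}

# Verify: show the current membership of the group
Get-MsolGroupMember -GroupObjectId $group.ObjectId |
    Format-Table DisplayName, EmailAddress, GroupMemberType -AutoSize

# Remove the member again, e.g. when the help-desk assignment ends
Remove-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User `
    -GroupMemberObjectId $user.ObjectId
```

The exact-match filter matters: -SearchString is a prefix search, so a group called "HelpDesk2" would otherwise be picked up when looking for "HelpDesk".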

This is the end of part 2 of this series. In the next part, we will look further into Azure AD management with PowerShell.

If you have any questions, feel free to contact me on rebeladm@live.com

Step-by-Step Guide to manage DNS records in Azure Managed Domain (AAD-DS)

In my recent articles I explained how to enable Azure Active Directory Domain Service and how to manage it using a domain-joined server.

If you have not read them yet, please check my last post here.

When you manage a local Active Directory instance, you can manage the DNS records using the DNS MMC. But can we do the same with an Azure managed domain? The answer is yes. In this post I am going to show how to manage DNS records using a domain-joined Azure VM.

In order to do that we need the following prerequisites.

1)    Azure Active Directory Domain Service (AAD-DS) managed domain instance
2)    Domain-joined virtual server
3)    User account that is a member of the AAD DC Administrators group

I have explained all of the above in my last 3-4 posts. Please follow them if you would like to know more about those.
So in this demo, I am going to use the Azure managed domain instance that is already set up.

I also have a virtual server running on Azure with Windows Server 2016 TP5. It is already joined to the managed domain.

To start the configuration, RDP to the virtual server.

1)    Log in to the server with an account that is a member of the AAD DC Administrators group

2)    Open Server Manager > Add Roles and Features

3)    In the first screen of the wizard, click Next to proceed

4)    In the next window keep the default and click Next

5)    In server selection keep the default and click Next

6)    In server roles keep the default and click Next

7)    Under Features, go to Remote Server Administration Tools > Role Administration Tools > DNS Server Tools. Then click Next to proceed

8)    In the confirmation window click Install to install the tools

9)    Once it’s done go to Server Manager > Tools > DNS

10)    On first start it prompts where to connect. Select the option to connect to another computer and type the name of the managed domain you have in place. Then click OK

11)    It opens the DNS MMC.

Here we can manage the DNS records as we need. Some DNS records belong to the managed domain service, so make sure those records are not modified or deleted.
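The same result can be reached without the wizard. The script below is an added example, not part of the original post: it installs the DNS Server Tools feature with PowerShell, points the DnsServer cmdlets at the managed domain (the local VM runs no DNS server), lists the zones and records so you can see which ones belong to the service, and adds one A record. The domain name, host name and IP address are placeholders you must replace.

```powershell
# Added example: manage AAD-DS DNS from a domain-joined server with PowerShell.
$managedDomain = 'contoso.onmicrosoft.com'   # assumption: replace with your managed domain name

# RSAT-DNS-Server is the feature behind "DNS Server Tools" in the wizard
if (-not (Get-WindowsFeature -Name RSAT-DNS-Server).Installed) {
    Install-WindowsFeature -Name RSAT-DNS-Server
}

# The DnsServer module ships with the tools. -ComputerName targets the managed
# domain (resolved to one of its domain controllers) instead of the local machine.
Import-Module DnsServer
Get-DnsServerZone -ComputerName $managedDomain |
    Format-Table ZoneName, ZoneType, IsDsIntegrated -AutoSize

# List the records in the managed domain's forward zone. Records created by the
# managed domain service itself (for example its domain controller and SRV
# records) must be left unmodified; review before changing anything here.
Get-DnsServerResourceRecord -ComputerName $managedDomain -ZoneName $managedDomain |
    Format-Table HostName, RecordType, RecordData -AutoSize

# Add an A record for one of your own domain-joined servers (constructed values)
Add-DnsServerResourceRecordA -ComputerName $managedDomain -ZoneName $managedDomain `
    -Name 'app01' -IPv4Address '10.0.0.10'

# Confirm the new record is present
Get-DnsServerResourceRecord -ComputerName $managedDomain -ZoneName $managedDomain -Name 'app01'
```

Run it as a member of the AAD DC Administrators group; other accounts can read the zone but the Add call will be refused.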

The virtual machine does not need to run a server edition; if you install a desktop edition you can still manage DNS by installing the RSAT tools.

If you have any questions about the post feel free to contact me on rebeladm@live.com

Step-by-Step Guide to manage Azure Active Directory Domain Service (AAD-DS) managed domain using Virtual Server

In my last two blog posts I explained how to enable Azure Active Directory Domain Service and how to configure it properly. If you have not read them yet, you can find them at the following links.

Step-by-Step Guide to enable Azure AD Domain Services

Step-by-Step Guide to enable password synchronization to Azure Active Directory Domain Services (AAD DS)

In this post I am going to demonstrate how to join a virtual server set up on Azure to the managed domain and how to use the Active Directory administration tools to manage the AAD-DS managed domain.

One thing I need to make clear is that, since it’s a managed domain service, you will not have the same manageability as with an in-house domain controller.

According to Microsoft

Administrative tasks you can perform on a managed domain

•    Join machines to the managed domain.
•    Configure the built-in GPO for the 'AADDC Computers' and 'AADDC Users' containers in the managed domain.
•    Administer DNS on the managed domain.
•    Create and administer custom Organizational Units (OUs) on the managed domain.
•    Gain administrative access to computers joined to the managed domain.

Administrative privileges you do not have on a managed domain

•    You are not granted Domain Administrator or Enterprise Administrator privileges for the managed domain.
•    You cannot extend the schema of the managed domain.
•    You cannot connect to domain controllers for the managed domain using Remote Desktop.
•    You cannot add domain controllers to the managed domain.

Create VM

As the first step I am going to set up a new VM in the same virtual network as the managed domain.

1)    In order to join the VM to the same virtual network, we have to use the Azure classic portal to build the VM.
2)    Log in to the Azure classic portal > New > Compute > Virtual Machine > From Gallery (the reason is that this option lets us define the advanced options)

3)    Then select the template from the list. I am going to use Windows Server 2016 TP5. Click on the arrow to proceed.

4)    In the next window provide the info for the new VM (such as name, resources and local admin account) and click the proceed arrow.

5)    In the next window select the same virtual network as the one where you set up the AAD-DS managed domain. If you do not select the correct virtual network you will not be able to join this VM to the managed domain. Once done, click on the button to proceed.

6)    In the next window add the extensions you like and click the button to set up the VM.

Connect VM to the Managed Domain

1)    Once the new VM is up and running, click on Connect to log in to the VM

2)    Now the server is ready; the next step is to join it to the domain.

3)    In Domain, type the managed domain name and then type the credentials. The user account used for authentication should be a member of the AAD DC Administrators group (I explained in my first article how to set up this group)

4)    Once connected to the domain, reboot it to complete the process.

Manage domain using AD administration tools

In this step I am going to install the AD admin tools, using which we can manage the Azure managed domain.
Note – This can also be done from a desktop operating system, e.g. Windows 10. To do that, you need to install RSAT for Windows 10. (https://www.microsoft.com/en-gb/download/details.aspx?id=45520)

1)    Log in to the server as a member of the AAD DC Administrators group
2)    Server Manager > Add Roles and Features

3)    Click Next in the wizard

4)    In the next window keep the default and click Next

5)    In the next window keep the default and click Next to proceed

6)    On the roles page, keep the default values and click Next

7)    In Features select Remote Server Administration Tools > Role Administration Tools > AD DS and AD LDS Tools and then click Next to proceed.

8)    In the next window click Install to proceed with the installation

9)    Once the install is done go to Server Manager > Tools > Active Directory Users and Computers
Here we can see the AD console that admins are familiar with.
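Both the domain join in the previous section and the tools installation above can be scripted. The block below is an added example, not code from the original post: on the first run (as the local administrator) it joins the VM to the managed domain and reboots; on the second run (as a member of AAD DC Administrators) it installs the AD DS and AD LDS Tools and verifies that the managed domain can be queried. The domain name is a placeholder you must replace.

```powershell
# Added example: join the VM to the AAD-DS managed domain and install the AD tools.
$managedDomain = 'contoso.onmicrosoft.com'   # assumption: replace with your managed domain name

# Pass 1: join the domain if this machine is not already a member of it
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $managedDomain) {
    # Prompts for an AAD DC Administrators member; -Restart completes the join
    Add-Computer -DomainName $managedDomain -Credential (Get-Credential) -Restart
    return
}

# Pass 2 (after reboot): RSAT-AD-Tools is "AD DS and AD LDS Tools" in the wizard;
# its sub-features include ADUC and the ActiveDirectory PowerShell module
if (-not (Get-WindowsFeature -Name RSAT-AD-Tools).Installed) {
    Install-WindowsFeature -Name RSAT-AD-Tools -IncludeAllSubFeature
}
Import-Module ActiveDirectory

# Confirm we are talking to the managed domain and can read its objects
Get-ADDomain | Format-List DNSRoot, DomainMode, PDCEmulator

# The accounts allowed to administer the managed domain are the members of the
# AAD DC Administrators group synchronised from Azure AD; review it regularly
Get-ADGroupMember -Identity 'AAD DC Administrators' |
    Format-Table Name, SamAccountName, objectClass -AutoSize

# Custom OUs you create sit alongside the built-in AADDC Users / AADDC Computers containers
Get-ADOrganizationalUnit -Filter * | Format-Table Name, DistinguishedName -AutoSize
```

Because you are not a Domain Admin on a managed domain, expect schema or domain controller cmdlets to be refused; the reads above and OU or GPO changes on the AADDC containers are the supported scope.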


Hope this is helpful and if you have any question feel free to contact me on rebeladm@live.com