Deploy Azure AD Domain Services
1h 41m

This Designing for Azure Identity Management course will guide you through the theory and practice of recognizing, implementing, and deploying the services on offer within your enterprise. Learn how to better the protection of your organization by designing advanced identity management solutions. Recommended for those who already have some experience with the subject, this course is comprised of 24 lectures, including demos, and expertly instructed by one of our MS Azure subject matter experts.

Learning Objectives

  • Study and understand what Azure AD Domain Services do and what they can offer
  • Learn to create and manage hybrid identities via Azure AD Connect 
  • Understand the principles of Azure MFA and SSO, and how to enable them
  • Recognize and deploy the key principles of Azure AD B2B and B2C 
  • Learn and utilize Privileged Identity Management

Intended Audience

This course is intended for:

  • IT professionals who are interested in getting certified with MS Azure
  • Those looking to become Azure architects and/or tasked with designing identity management solutions

Prerequisites

  • A mid-range knowledge of MS Azure is recommended before starting this course
  • An understanding of identity management concepts

Related Training Content

For more courses related to MS Azure, visit our dedicated Content Training Library.

To deploy Azure AD Domain Services, log into the Azure portal. Once in the portal, click on Create a Resource and then search for Domain Services. Select Azure AD Domain Services from the search results and then click Create. Provide the basic information for the domain, including the DNS name for the domain as well as the Subscription you are deploying to, along with a Resource group. You'll also need to supply a Location. Click Okay to move on to the next step. At this point you're prompted to create a Virtual network for the managed domain that you are setting up. Provide a name for the network along with an address space that works for your environment. You will also need to define a Subnet and a Subnet address range that you'd like to use for the managed domain.

The managed domain controllers and associated infrastructure that get deployed by Azure as part of the managed domain setup will reside on this network and on this subnet. Click Okay and then Okay again. Next you are advised that the AAD DC Administrators group has been created. This group is used to manage the domain. It's similar to, but not quite like, Domain Admins in an On-Prem Active Directory Domain. Click on the group to add members to it. When you're done adding members that need to manage the domain, go back and click Okay. Next comes the synchronization step. This synchronization step has nothing to do with Azure AD Connect or with On-Prem AD if one exists. Instead, this synchronization step is meant to sync users and groups from Azure AD into Domain Services. You have a choice of syncing all users or scoping the sync to just certain groups. In this demonstration I'm just going to sync all users and groups from Azure AD to Domain Services. Clicking Okay takes you to the next step where you can review your options. Click Okay to commence the deployment of Azure AD Domain Services.

The actual deployment can take the better part of an hour because it's deploying lots of stuff in the background. It's deploying the network infrastructure that you've defined as well as two managed domain controllers. It's also setting up the managed domain itself. After enabling Azure Active Directory Domain Services you need to enable computers within the Virtual Network to connect to and consume these services. To do so you need to update the DNS Server Settings for your Virtual Network so that it points to the two IP addresses where Azure Active Directory Domain Services are available. To update the DNS Server settings for the Virtual Network hosting your Azure Active Directory Domain Services browse to the Azure portal and open up your instance of Azure AD Domain Services. The Overview tab will list a set of required configuration steps. One of those is to update the DNS Server settings for the Virtual Network. You will be presented with two different IP addresses. These are the IP addresses where Azure AD Domain Services is available. These are essentially the managed domain controllers that were stood up as part of the deployment of Azure AD Domain Services. After making a note of these IP addresses, click the Configure button and update the DNS Server settings for the Virtual Network. With Azure AD Domain Services provisioned and your DNS updated you can now move on and enable password hash synchronization using Azure AD Connect.
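The same walkthrough done from the Az PowerShell modules instead of the portal, as an added example that is not part of the course. The subscription id, names and address ranges are placeholders, and the Az.ADDomainServices cmdlet behaviour and the property path used to read the managed DC addresses are assumptions about the Az module rather than something this lecture states.

```powershell
# Added example, not from the course: the portal walkthrough above as an Az PowerShell script.
# Assumptions: the Az.Accounts, Az.Network and Az.ADDomainServices modules are installed, the
# signed-in account is a Contributor on the subscription, and every value below is a placeholder.
# Membership of "AAD DC Administrators" is still managed in Azure AD as shown in the demo.
Connect-AzAccount
$SubscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$ResourceGroup  = "rg-aadds"
$Location       = "westus2"
$ManagedDomain  = "aadds.example.com"                       # DNS name of the managed domain
$VnetName       = "vnet-aadds"
$SubnetName     = "DomainServices"

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null
Register-AzResourceProvider -ProviderNamespace Microsoft.AAD | Out-Null   # once per subscription

# 1. Resource group plus a dedicated subnet for the managed domain controllers. Keep workload VMs
#    in another subnet so a network security group can limit what reaches the DCs.
New-AzResourceGroup -Name $ResourceGroup -Location $Location -Force | Out-Null
$subnet = New-AzVirtualNetworkSubnetConfig -Name $SubnetName -AddressPrefix "10.0.0.0/24"
$vnet   = New-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Location $Location `
              -Name $VnetName -AddressPrefix "10.0.0.0/16" -Subnet $subnet
$subnetId = ($vnet.Subnets | Where-Object Name -eq $SubnetName).Id

# 2. Create the managed domain on that subnet. This is the slow step (two managed DCs are built);
#    the cmdlet is assumed to block until provisioning completes.
$replicaSet = New-AzADDomainServiceReplicaSetObject -Location $Location -SubnetId $subnetId
New-AzADDomainService -Name $ManagedDomain -ResourceGroupName $ResourceGroup `
    -DomainName $ManagedDomain -ReplicaSet $replicaSet | Out-Null

# 3. Read the two managed DC addresses and make them the VNet's DNS servers. Until this is done,
#    VMs in the VNet cannot resolve or join the managed domain. (Property path assumed.)
$aadds = Get-AzADDomainService -Name $ManagedDomain -ResourceGroupName $ResourceGroup
$dcIps = @($aadds.ReplicaSet[0].DomainControllerIPAddress)
if ($dcIps.Count -ne 2) { throw "Expected two domain controller addresses, got: $($dcIps -join ', ')" }

$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = $dcIps
$vnet | Set-AzVirtualNetwork | Out-Null

# 4. Confirm what the Overview tab's required configuration steps check.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
"Managed domain DCs : $($dcIps -join ', ')"
"VNet DNS servers   : $($vnet.DhcpOptions.DnsServers -join ', ')"
```

Re-reading the VNet at the end confirms the DNS change was persisted rather than trusting the local object; a VM in that VNet should then resolve the managed domain name before you attempt a domain join.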

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.