Linux to Azure ADDS Integration

Azure AD DS integrates with your existing Azure AD tenant.

This integration allows users to sign in with their corporate credentials, and you can use existing groups and user accounts to secure access to resources.

Kindly note the following:

  • Understand DNS requirements for a managed domain

  • Create a managed domain

  • Enable password hash synchronization

Prerequisites:
- An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
- You need Application Administrator and Groups Administrator Azure AD roles in your tenant to enable Azure AD DS.
- You need the Domain Services Contributor Azure role to create the required Azure AD DS resources.
- A virtual network with DNS servers that can query necessary infrastructure such as storage. DNS servers that can’t perform general internet queries might block the ability to create a managed domain.

If you create a custom domain name, take care with existing DNS namespaces. It’s recommended to use a domain name separate from any existing Azure or on-premises DNS namespace.

For example, if you have an existing DNS name space of contoso.com, create a managed domain with the custom domain name of addscontoso.com. If you need to use secure LDAP, you must register and own this custom domain name to generate the required certificates.

How to Create AD DS in an Azure Subscription

To create the managed domain in the Azure portal, navigate to “Create a resource,” then select “Identity” and “Azure AD Domain Services.” Provide the DNS domain name, subscription, resource group and region, then select “Create.”

With the default networking options, this process also:

  • Creates a virtual network named aadds-vnet with a default IP address range.

  • Creates a subnet named aadds-subnet within that range.

Choose to synchronize all users from Azure AD into the managed domain (a scoped synchronization of selected groups is also available). The managed domain is associated with your Azure AD tenant. During provisioning, Azure AD DS creates two Enterprise Applications, named Domain Controller Services and Azure Active Directory Domain Controller Services, in the Azure AD tenant. These Enterprise Applications are needed to service your managed domain; don’t delete them.

Another, simpler procedure is the following:

  • Activate the roles needed for the deployment through Privileged Identity Management (PIM).

  • Create a VNet (an existing VNet can also be used).

  • Create the Azure AD DS managed domain (in this example the DNS domain name is test-test.local).

  • Attach the VNet while creating the managed domain.

  • After deployment, configure DNS for the VNet.

  • Point the VNet at the managed domain’s DNS servers by setting its DNS servers to the two domain controller IP addresses (10.4.0.36 and 10.4.0.37 in this deployment).

1. This can be done manually: open Properties on the Azure AD DS resource, copy the two DNS IP addresses, then go to the VNet’s DNS servers setting, change it from Default to Custom and enter the two addresses. VMs already running in the VNet only pick up the new DNS servers after a restart.
2. When a new VNet is added, the “Replica set” must be edited and the new VNet added manually.

  • Create a VM in the VNet that now uses the managed domain’s DNS servers.

  • Generate the legacy password hashes: users (including the admin users) must change their passwords once so that the NTLM and Kerberos hashes are generated and synchronized to the managed domain. Until then, those accounts cannot sign in to the managed domain.

  • Use the updated credentials to join the VM to the newly created domain.

  • Restart the VM so that Group Policy is applied.

  • Add the groups that should have access to each VM. [On a Windows VM: Settings, Remote Desktop, select user accounts, add the group.]

  • Install the Active Directory administrative tools (RSAT) on a management VM. [These are used to configure and manage the managed domain.]

[If the organization started with an on-premises Windows AD, follow the step below.]
— Run the Azure AD Connect force-sync script to synchronize password hashes between Windows Active Directory and Azure AD DS.

Things advised to be implemented after configuring Azure AD DS:
1. Create the groups that will be used to grant access.
2. Populate the AAD DC Administrators group (the administrative group of a managed domain) and any other required groups, and assign users to them. Members of AAD DC Administrators receive local administrator rights on every VM joined to the domain, so keep that membership small.

Steps for joining a Linux VM to the domain

  • Switch to the root user (the remaining commands are run as root)
    $ sudo -i

  • Update the package index
    $ apt update

  • Install the packages required to join Ubuntu to the domain
    $ apt install sssd-ad sssd-tools realmd adcli

  • Check the installed and candidate versions of the SSSD packages
    $ apt policy sssd-ad sssd-tools realmd adcli

  • Install the remaining required packages (NSS and PAM modules for SSSD, Samba client tools, and oddjob-mkhomedir for home directory creation at first login)
    $ apt install -y realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

  • Set the hostname of the Ubuntu VM to its fully qualified name in the AD domain (vm-name.domain-name)
    $ hostnamectl set-hostname xxxx-test-VM5.xxxx-test.local

  • Disable systemd-resolved so that its stub resolver no longer manages name resolution. On these systems /etc/resolv.conf is a symlink into /run/systemd/resolve; replace it with a regular file before editing it in the steps below.
    $ systemctl disable systemd-resolved.service
    $ systemctl stop systemd-resolved.service

  • Add static host entries for the VM itself and for the two managed-domain domain controllers
    $ vi /etc/hosts
    Add the following (x.x.x.1 is the VM’s own address; x.x.x.36 and x.x.x.37 are the domain controllers; the two xxxxx-test2.com lines are further hosts from the author’s environment and are not needed for the join):
    x.x.x.1 xxxxx-test-VM5.xxxxx-test.local
    x.x.x.36 xxxxx-test-li-vm2.xxxxx-test2.com xxxxx-test-li-vm2
    x.x.x.37 xxxxx-test-li-vm2.xxxxx-test2.com xxxxx-test-li-vm2
    x.x.x.36 E41JG8GVxxxxxx E41JG8GVxxxxxx.xxxxx-test.local
    x.x.x.37 G230MWYxxxxxx G230MWYxxxxxx.xxxxx-test.local

  • Point the resolver at the managed domain’s DNS servers
    $ vi /etc/resolv.conf
    Add the following:
    nameserver x.x.x.36
    nameserver x.x.x.37

  • Synchronize the clock before joining. Kerberos rejects a clock skew of more than 5 minutes, so a VM whose time has drifted can neither join nor authenticate.
    $ apt install ntpdate ntp
    $ ntpdate -u in.pool.ntp.org
    $ service ntp restart

  • Join the domain. realm prompts for the password of the joining user; never pass the password as a command-line argument, because it then appears in the process list and in the shell history.
    $ realm discover xxxxx-test.local
    $ realm join xxxxx-test.local -v -U xxxxx_test_user@xxxxx-TEST.LOCAL
    Depending on the UPN suffix configured in the tenant, the joining user may also have to be given as xxxxx_test_user@M365X62628102.ONMICROSOFT.COM.

These steps have been tested on several Linux VMs; review them and consult other documentation to guide you through the process.
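As an added example (this is not the author’s script), the following shell script performs the Linux-side steps above in one place and adds the checks a practitioner wants before running realm join: that the VM’s hostname is a single label under the managed domain, that /etc/resolv.conf points at the domain controller addresses configured on the VNet in the Azure-side steps, that the DC locator SRV record resolves (the usual symptom of a VNet whose DNS servers were never updated is that it does not), and that the clock is synchronized. The password is read from a root-only file on standard input instead of the command line. The domain xxxxx-test.local, the addresses 10.4.0.36 and 10.4.0.37, the user name and the path /root/adds-join.pw are assumed placeholders taken from this post; override them through the ADDS_* environment variables.

```shell
#!/bin/sh
# adds-join.sh: preflight checks and domain join for an Ubuntu VM joining an
# Azure AD DS managed domain. Added example for this post, not the author's
# own script. The values below are assumed placeholders taken from the post;
# override them with environment variables for a real deployment.
DOMAIN="${ADDS_DOMAIN:-xxxxx-test.local}"
DNS_SERVERS="${ADDS_DNS:-10.4.0.36 10.4.0.37}"          # the two managed-domain DCs
JOIN_USER="${ADDS_USER:-xxxxx_test_user@XXXXX-TEST.LOCAL}"
PASS_FILE="${ADDS_PASS_FILE:-/root/adds-join.pw}"      # one line, mode 0600, root-owned

# Kerberos realm names are the DNS domain name in upper case.
to_realm() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Accept only a dotted quad: exactly four numeric octets in 0..255.
is_ipv4() {
    _rest=$1; _n=0
    case $_rest in ''|*..*|.*|*.) return 1 ;; esac
    while [ -n "$_rest" ]; do
        _oct=${_rest%%.*}
        case $_oct in *[!0-9]*) return 1 ;; esac
        [ "$_oct" -le 255 ] || return 1
        _n=$((_n + 1))
        if [ "$_rest" = "$_oct" ]; then _rest=; else _rest=${_rest#*.}; fi
    done
    [ "$_n" -eq 4 ]
}

# The VM's hostname must be exactly one label under the managed domain,
# e.g. xxxxx-test-VM5.xxxxx-test.local; anything else gives the computer
# object a wrong DNS name.
fqdn_in_domain() {
    case $1 in
        *".$2") [ -n "${1%.$2}" ] && [ "${1%.$2}" = "${1%%.*}" ] ;;
        *) return 1 ;;
    esac
}

# Render /etc/resolv.conf: search suffix plus the DC addresses, each validated.
render_resolv_conf() {
    _dom=$1; shift
    printf 'search %s\n' "$_dom"
    for _ns in "$@"; do
        is_ipv4 "$_ns" || { echo "bad DNS server address: $_ns" >&2; return 1; }
        printf 'nameserver %s\n' "$_ns"
    done
}

# Preflight: the conditions whose failure is the usual reason realm join fails.
preflight() {
    _rc=0
    _fqdn=$(hostname -f 2>/dev/null || hostname)
    fqdn_in_domain "$_fqdn" "$DOMAIN" \
        || { echo "FAIL: hostname '$_fqdn' is not <host>.$DOMAIN" >&2; _rc=1; }
    for _ns in $DNS_SERVERS; do   # the VNet DNS servers must be in effect on this VM
        grep -qs "^nameserver[[:space:]][[:space:]]*$_ns\$" /etc/resolv.conf \
            || { echo "FAIL: $_ns is not a nameserver in /etc/resolv.conf" >&2; _rc=1; }
    done
    # DC locator record; an empty answer means DNS is not served by the managed domain.
    if command -v dig >/dev/null 2>&1; then
        [ -n "$(dig +short SRV "_ldap._tcp.dc._msdcs.$DOMAIN")" ] \
            || { echo "FAIL: no SRV record for _ldap._tcp.dc._msdcs.$DOMAIN" >&2; _rc=1; }
    fi
    # Kerberos rejects authentication when the clock skew exceeds 5 minutes.
    timedatectl 2>/dev/null | grep -iq 'synchronized: yes' \
        || echo "WARN: clock not reported as NTP-synchronized; fix this before joining" >&2
    return $_rc
}

# Join: the password is read from a root-only file on stdin (realm reads it from
# standard input when that is not a terminal), never from argv, which is visible
# in the process list and ends up in shell history.
join_domain() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -r "$PASS_FILE" ] || { echo "password file $PASS_FILE is missing" >&2; return 1; }
    realm discover "$DOMAIN" || return 1
    realm join --verbose --user="$JOIN_USER" "$DOMAIN" < "$PASS_FILE" || return 1
    pam-auth-update --enable mkhomedir      # create home directories on first login
    realm list
    id "${JOIN_USER%@*}@$DOMAIN"             # SSSD exposes domain users as user@domain
}

case "${1:-}" in
    check)  preflight ;;
    resolv) render_resolv_conf "$DOMAIN" $DNS_SERVERS ;;   # ./adds-join.sh resolv > /etc/resolv.conf
    join)   preflight && join_domain ;;
    '')     ;;                                # no argument: only define the functions
    *)      echo "usage: $0 check|resolv|join" >&2 ;;
esac
```

Run `./adds-join.sh check` as root first and fix every FAIL line, write the resolver file with `./adds-join.sh resolv > /etc/resolv.conf` once the VNet DNS servers are known, then run `./adds-join.sh join` after placing the joining user’s password in the password file with mode 0600. The validators are deliberately strict: a malformed address or a hostname that is not one label under the domain is rejected before anything is written to the system.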

Ewuji Oluwaseyi John