Solved

Using Azure Domain Services with default domain name scheme

Posted on 2016-07-21
16
Medium Priority
64 Views
Last Modified: 2016-08-28
Hello everyone,

I am currently building a testing environment in Office 365/Azure to get a feel for Domain Services and how it can help our business. I currently have it set up with a <companyname>.onmicrosoft.com domain name. I am trying to configure LDAPS, and it requires me to create a DNS record with the external DNS provider so that the DNS name of the managed domain points to the external IP address that gets created during setup (using the steps listed here, under Task 5: Configure LDAPS).

My issue is that I am not using an external DNS provider, just what MS is providing. Is there something that I am doing wrong, or will I need to get ahold of an external DNS provider like NetSol?
0
Question by:LA_Admin
16 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 41724728
Are you using contoso.onmicrosoft.com or your custom domain in Azure?

If you are using contoso.onmicrosoft.com, no DNS entry is required; in fact you can't do it, because you don't have control over that DNS zone.

If you are using a custom domain, you would get a custom DNS zone for the custom domain (public domain) where you can create the required Host (A) record.
I don't think this is your case.
Furthermore, this step is optional and applicable only if you are accessing resources from the managed domain over the internet using LDAPS.
0
 
LVL 37

Assisted Solution

by:Jian An Lim
Jian An Lim earned 2000 total points (awarded by participants)
ID: 41725036
Hi.
Do you have a domain like "mydomain.com" to use?

You must have your own domain, ldap.mydomain.com, and cannot use the vanity domain <tenant>.onmicrosoft.com.

I have recently deployed this, so I know the limitation well.
If you want to bypass it, you can expose your LDAP via a Kemp/NetScaler load balancer.
This will not require a wildcard certificate either.
0
 

Author Comment

by:LA_Admin
ID: 41730035
So I went and bought a .com domain. I was able to generate an A record for the external IP address for LDAPS access within NetSol. When I attempt to join a physical laptop to the domain, it tells me that it cannot find it. Also, when I attempt to connect Azure ADDS to an Amazon Workspace directory via AD Connector, I get the following message: "Connectivity issues detected: DNS unavailable (TCP Port 53) for IP X.X.X.X. Please ensure that the listed ports are available and retry the operation".
0
 
LVL 37

Assisted Solution

by:Jian An Lim
Jian An Lim earned 2000 total points (awarded by participants)
ID: 41730332
Wait, what do you mean join to the domain?

You cannot join a physical laptop to the domain unless you have a site-to-site VPN.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 41730677
In addition to the above, the functionality you are trying to explore is available only with Windows 10 machines.
0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 41730694
This is Azure Active Directory Domain Services, NOT Azure AD.
AADDS allows any Windows machine to join the domain, as long as it is in the same network.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 41730706
Thanks Jian.

Not aware of this.
0
 

Author Comment

by:LA_Admin
ID: 41731215
Ok, so it would appear that I misinterpreted the ability of AADDS. That is no problem. Any ideas about the Amazon Workspaces issue?
0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 41732191
What Amazon Workspaces issue?
As I said, are both of your networks (Amazon and Microsoft Azure) on the same (private) network? Can they route via private IP?

AADDS is a domain controller; you never expose it directly via an internet public IP address.
The only thing AADDS exposes is the LDAPS that Microsoft provides.
All other features (domain join, Kerberos, etc.) require a private IP address to function.
0
 

Author Comment

by:LA_Admin
ID: 41733104
From above: "when I attempt to connect Azure ADDS to an Amazon Workspace directory via AD Connector, I get the following message: 'Connectivity issues detected: DNS unavailable (TCP Port 53) for IP X.X.X.X. Please ensure that the listed ports are available and retry the operation'."
0
 
LVL 37

Accepted Solution

by:Jian An Lim
Jian An Lim earned 2000 total points (awarded by participants)
ID: 41733426
Can you tell me technically how you achieve this?

I am not an Amazon Workspaces expert, so I am clueless how it works.
According to this http://docs.aws.amazon.com/workspaces/latest/adminguide/prep_connect.html, you need to have a VPN between Amazon and Azure.

You also need to run the connectivity verification to make sure it is OK.
My understanding is that AADDS should be able to achieve that, but the VPN and firewall might block it.
0
 

Author Comment

by:LA_Admin
ID: 41743256
Anyone else have any experience here?
0
 
LVL 37

Assisted Solution

by:Jian An Lim
Jian An Lim earned 2000 total points (awarded by participants)
ID: 41743498
You can "request attention" below the question, but you need to work with someone.

I might not be an expert in Amazon, but I am indeed an expert in Azure; in particular, my last project was working on the AADDS preview.

You have not attempted to answer my previous question. Can you kindly tell me whether you have a VPN on board?
Also, you wrote "Connectivity issues detected: DNS unavailable (TCP Port 53) for IP X.X.X.X". Is this X.X.X.X an internal IP or an external IP? And if it is an external IP, is it the LDAPS IP address provided by Microsoft?
0
 

Author Comment

by:LA_Admin
ID: 41749685
To answer your question about the IP address, I realized I was using an internal address, so no wonder it couldn't find it.

So I have attempted to configure a VPN between AWS and Azure. I have configured static gateways on both sides and tried to complete the connection, but so far the tunnels are still down. I have found walkthroughs that mention point-to-site VPN by spinning up a VM on one side or the other and installing RRAS, but I would like to avoid running a VM if at all possible.

I have configured site to site VPN connections in Azure, and feel confident that my config here is correct, but am green in AWS. Do you know if this is possible? Also, is there a way to export my AWS config so that I can share it?
0
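The thread turns on two checks: whether the IP handed to AWS AD Connector (or an LDAPS client) is private or public, and whether the needed TCP ports actually answer from where you are. The script below is an added example, not code from Microsoft, AWS or anyone in this thread; the rule "only LDAPS on TCP 636 is reachable on the managed domain's public IP, everything else needs a private route such as a VPN" is taken from the replies above, and the port list and sample address are assumptions.

```python
"""Pre-flight checks for reaching an Azure AD Domain Services domain from another network."""
import ipaddress
import socket

# Ports assumed for this example: DNS, Kerberos, LDAPS.
DNS_PORT, KERBEROS_PORT, LDAPS_PORT = 53, 88, 636


def classify_ip(ip):
    """'private' for RFC 1918 / loopback / link-local addresses, else 'public'."""
    return "private" if ipaddress.ip_address(ip).is_private else "public"


def expected_reachability(target_ip, vpn_in_place):
    """Ports that can be expected to answer on target_ip from a remote network.

    Public IP: only the LDAPS endpoint Microsoft exposes (TCP 636).
    Private IP: DNS, Kerberos and LDAPS, but only over a VPN or peered route.
    """
    if classify_ip(target_ip) == "public":
        return {LDAPS_PORT}
    return {DNS_PORT, KERBEROS_PORT, LDAPS_PORT} if vpn_in_place else set()


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unroutable, or timed out
        return False


def probe(target_ip, vpn_in_place):
    """Compare what should answer with what does: {port: (expected, actual)}."""
    expected = expected_reachability(target_ip, vpn_in_place)
    return {p: (p in expected, tcp_reachable(target_ip, p))
            for p in (DNS_PORT, KERBEROS_PORT, LDAPS_PORT)}


def loopback_listener():
    """Open a listening socket on 127.0.0.1; returns (socket, port) for self-tests."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed sample: a private DC address with no VPN, the situation that
    # produced the thread's "DNS unavailable (TCP Port 53)" error.
    for port, (should, does) in probe("10.0.0.4", vpn_in_place=False).items():
        print(f"tcp/{port}: expected={'open' if should else 'unreachable'} actual={does}")
```

A port that is expected open but fails the probe points at the VPN tunnel or a firewall rule; a private address with no VPN is expected to fail every port, exactly as the AD Connector error reported.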
 
LVL 37

Assisted Solution

by:Jian An Lim
Jian An Lim earned 2000 total points (awarded by participants)
ID: 41749789
0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 41773561
There is no AADDS connectivity between Azure and AWS.
A VPN is required.
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question