Microsoft Azure offers Azure Active Directory Domain Services as well as virtualization services. More details can be seen here.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-whatis/
Does Authentication Services work with Microsoft Azure Active Directory at this time?
RESOLUTION:
Authentication Services will work in an environment that is using Azure Active Directory Domain Services as an authenticator.
There are a number of specific caveats and limitations as compared to a traditional Active Directory setup and configuration. These are detailed below.
1. The join must be performed with a user account that is a member of the "AAD DC Administrators" group. Once a user is added to this group it can take up to 24 hours before you will be able to join.
2. The join command must include the --autogen-posix-attrs option, because POSIX attributes are not currently synced from AD.
For example: /opt/quest/bin/vastool -u <AAD admin> join --autogen-posix-attrs <domain name>
3. Licensing can be deployed by copying the license file to the licensing folder on the system (/etc/opt/quest/vas/.licenses/).
It can also be deployed via Group Policy. The Authentication Services GPO extensions will work, but this requires a Windows machine that is joined to the domain and has the tools installed.
4. Writing to Azure Active Directory Domain Services is not possible; this includes, but is not limited to, creating users and groups. The only exception to this rule is creating the computer object. This is essentially a read-only environment.
5. Since there is no Q.A.C. in Azure Active Directory (it is also not synced from AD), the clients will join in version 3 compatibility mode.
For additional information on the Q.A.C. please see this article.
https://support.quest.com/authentication-services/kb/71908
For additional information on Version 3 compatibility mode please see this article.
https://support.quest.com/authentication-services/kb/76786
6. It is not possible to Unix-enable users in Azure Active Directory Domain Services at this time.
NOTE - The following article from Microsoft might prove useful in getting a Linux server deployed. Authentication Services can then be installed instead of the realmd and Kerberos files.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-admin-guide-join-rhel-linux-vm/
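The join sequence from items 1 to 3 above, as an added shell example that is not One Identity's own script: it validates the account and domain names, copies the license file into the licensing folder, and runs the join with --autogen-posix-attrs. The vastool path, the join option and the license folder are the ones given in this article; the function names, the DRY_RUN switch and the name-validation pattern are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: preflight wrapper for the join described in items 1-3.
# VASTOOL and LICENSE_DIR default to the paths given in the article; the
# function names, DRY_RUN and the validation pattern are assumptions.
VASTOOL="${VASTOOL:-/opt/quest/bin/vastool}"
LICENSE_DIR="${LICENSE_DIR:-/etc/opt/quest/vas/.licenses}"

# Accept only plain account and DNS-style names, so a value that starts with
# "-" or contains whitespace can never be read by vastool as an extra option.
valid_name() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the join command line. --autogen-posix-attrs is always included
# because POSIX attributes are not synced into the managed domain.
build_join_cmd() {
    valid_name "$1" || { echo "invalid admin account: $1" >&2; return 2; }
    valid_name "$2" || { echo "invalid domain name: $2" >&2; return 2; }
    printf '%s -u %s join --autogen-posix-attrs %s\n' "$VASTOOL" "$1" "$2"
}

# Copy the license file into the licensing folder (item 3, first method).
install_license() {
    [ -f "$1" ] || { echo "license file not found: $1" >&2; return 3; }
    mkdir -p "$LICENSE_DIR" && cp "$1" "$LICENSE_DIR/"
}

# Full sequence: validate the names, deploy the license, then join.
# With DRY_RUN=1 the join command is printed instead of executed.
join_aadds() {
    cmd=$(build_join_cmd "$1" "$2") || return $?
    install_license "$3" || return $?
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        [ -x "$VASTOOL" ] || { echo "vastool not found: $VASTOOL" >&2; return 4; }
        "$VASTOOL" -u "$1" join --autogen-posix-attrs "$2"
    fi
}

# Usage: sh join-aadds.sh <AAD admin> <domain name> <license file>
if [ "$#" -eq 3 ]; then join_aadds "$1" "$2" "$3"; fi
```

The account passed as `<AAD admin>` still has to be a member of the "AAD DC Administrators" group (item 1); the script cannot check that from the client side.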