For managed domains that use a Resource Manager-based virtual network, you can restrict inbound access to that port to the AzureActiveDirectoryDomainServices serial number. DOMAIN_NAME. The name of the local domain. Note that this must be contoso.com if you are using the environment created by the onpremdeploy.sh script. Virtual networks connected to the managed domain virtual network typically have their own DNS settings. When you connect to virtual networks, name resolution for the connecting virtual network is not automatically configured to resolve the services provided by the managed domain. Name resolution in connection VNets must be configured so that application workloads can find the managed domain. Azure AD DS also uses the default security rules AllowVnetInBound and AllowAzureLoadBalancerInBound. A managed domain creates network resources during deployment. These resources are necessary for the proper functioning and administration of the managed domain and should not be configured manually. Add NSG rules to the AD subnet that allow inbound traffic from the on-premises environment. For more information about the ports used by Active Directory Domain Services, see Active Directory Domain Services and Active Directory Domain Services Port Requirements.
There are «Active Directory Domain Services,» but it`s something you probably don`t need. Take a look at this post: azurescene.com/2020/01/22/active-directory-azure-ad-azure-ad-domain-services/ The Next Network Security Group Inbound rules are required for the managed domain to provide authentication and management services. Do not modify or delete these NSG rules for the virtual network subnet of your managed domain. Review the inbound and outbound rules and compare them to the list of required rules in the previous section. If necessary, select and delete any custom rules that block the required traffic. If any of the required rules are missing, add a rule in the next section. The AllowVnetInBound rule allows all traffic within the virtual network, which allows domain controllers to communicate and replicate correctly, and allows domain join and other domain services for domain members. For more information about ports requirements for Windows, see Service overview and Network port requirements for Windows.
Although the remaining subnet design with the virtual network provides endless options, it is entirely possible that NSG rules will need to be updated again and again to add or remove additional source subnets from the rules. For example, suppose you have an «Applications» subnet (10.20.30.0/24) where all your application servers reside, and this is currently the only subnet whose hosts require a connection to ADDS. You can have NSG DS rules with the source address prefix 10.20.30.0/24 so that all hosts in this subnet can communicate with domain controllers on the ADDS subnet. Tomorrow, however, you will find that a special case host on your «Data» subnet must also communicate with your domain controllers. Here`s the problem: There are ~20 inbound rules and ~20 outbound rules to cover Active Directory and Active Directory Domain Services Port Requirements (ADDs), and manually updating them would take a long time, whether using PowerShell or the Azure portal. That`s where this script comes in! As mentioned in the previous section, you can only create one managed domain in a single virtual network in Azure, and only one managed domain can be created per Azure AD tenant. Based on this architecture, you might need to connect one or more virtual networks that host your application workloads to the virtual network in your managed domain. You use AD DS to authenticate identities. These identities can belong to users, computers, applications, or other resources that are part of a security domain. You can host Active Directory Domain Services on-premises, but in a hybrid scenario where the elements of an application reside in Azure, it may be more efficient to replicate this functionality and the AD repository to the cloud.
This approach can help reduce the latency caused by sending on-premises authentication and authorization requests from the cloud to on-premises Active Directory Domain Services. You must also route incoming traffic from the IP addresses included in each Azure service tag to the managed domain subnet.