Active Directory Synchronization between Microsoft Azure and Amazon Web Services

Evan Wong
25 min read · Nov 24, 2020


Active Directory Synchronization to Azure AD from AWS

Running workloads on several clouds together with on-premises locations is getting more and more common nowadays. Many organizations do not run 100% cloud-native applications for their business; they still depend on traditional applications or legacy systems that typically do not work well in the cloud.

For instance, a bank could have AS/400 loan origination systems running on-premises while its CRM applications run in the cloud. Another example: a streaming services company has used Windows Servers with IIS to power its web applications on AWS for several years, and has recently realized that distributing workloads across different clouds is a good way to avoid vendor lock-in.

Where user identity management is concerned, organizations most likely use some identity management software to control users, groups and roles and to secure access to their applications. Microsoft Active Directory is one of the most widely used identity management solutions, especially in traditional on-premises or virtualized environments.

So the question is: how can I reuse my existing AD for new applications that are planned to be deployed on another cloud? The answer is a combination of Azure Active Directory, Azure Active Directory Domain Services and Azure AD Connect.

In the diagram above, both clouds run Microsoft Active Directory. On AWS, an EC2 instance is installed with Active Directory Domain Services as the local identity store. In a production environment this role should run on dedicated servers in a highly available setup to avoid a single point of failure. Azure AD Connect is then installed to synchronize the users and groups (and, with password hash synchronization, their password hashes) from that directory to Azure AD. Microsoft supports installing Azure AD Connect on a domain controller, which is what this lab does, but recommends a separate domain-joined member server for production. On the Azure side, domain-joined Windows Servers authenticate against Azure Active Directory Domain Services (Azure AD DS), a fully managed domain service. Users and groups are not created there: they are added, modified and deleted in Azure AD, and Azure AD DS receives them through a one-way synchronization from Azure AD.

In this article, I want to show how users created in the AWS AD can log in to domain-joined servers in Azure.

What is Azure Active Directory?

Azure Active Directory, or Azure AD, is Microsoft's cloud-based identity and access management service, which helps users sign in and access resources in:

  • External resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications.
  • Internal resources, such as apps on the corporate network and intranet, along with any cloud apps developed by your own organization.

It provides single sign-on and multi-factor authentication; the often-cited Microsoft figure is that MFA alone blocks more than 99.9 percent of account compromise attacks.

What is Azure Active Directory Domain Services?

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, Lightweight Directory Access Protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without having to deploy, manage and patch domain controllers (DCs) in the cloud. It is not the same thing as the Windows Server Active Directory Domain Services role that is installed on AWS later in this article; to keep the two apart, the managed service is referred to as Azure AD DS below.

Hybrid Active Directory Use Cases

Use Case 1: Leverage existing user management on a separate cloud or on-premises

In this scenario, an organization has already invested heavily in an Active Directory infrastructure and wants to leverage that existing AD on Azure.

Use Case 2: On-Premise Traditional Active Directory

Some customers still run their traditional on-premises Active Directory for day-to-day business. They cannot afford to lose the effort invested in the current setup and do not expect to modernize their infrastructure or applications any time soon. With the hybrid AD approach they can lift and shift to Azure quickly while keeping the user management capabilities of the existing on-premises setup, in particular its schema extensions, and can rely on trust relationships.

Having said that, there are scenarios where we can get by without Azure AD DS and/or Azure AD: companies that only run cloud-native applications, which usually use modern authentication protocols such as OpenID Connect, OAuth 2.0 or SAML.

Microsoft Active Directory Services Comparison, credit to https://www.ciraltos.com/active-directory-domain-service-azure-active-directory-and-azure-active-directory-domain-service-explained/

Prerequisites

  1. An AWS account with a valid subscription
  2. An Azure account with a valid subscription
  3. An AWS EC2 Windows Server 2019 instance (the free-tier t2.micro with 1 vCPU and 1 GB memory is enough for this lab; a domain controller for real use needs more)
  4. An Azure VM
  5. A DNS domain name shared by both sides. The UPN suffix of the users in the AWS AD must be a custom domain verified in the Azure AD tenant (e.g. evanad.com). If the tenant only has its default evanad.onmicrosoft.com domain, Azure AD Connect replaces the suffix and the users cannot sign in with their AD UPN. This lab uses the same name for the AWS forest and the Azure AD DS managed domain.
  6. The Azure AD Connect tool (it can also be downloaded from within the server)

Add Azure AD Custom Domain Name (Optional)

If you signed up with a Microsoft or other public email address, the tenant is most likely assigned only the Microsoft-owned domain *.onmicrosoft.com. In that case, add a custom domain name to the tenant.

Navigate to the Azure Active Directory page, scroll to the bottom of the left menu and click Custom domain names.

Click the + Add custom domain button and key in the custom domain name in the right panel. Click Add domain.

TXT record
MX record

Take note of the DNS settings: Azure AD shows the values for a TXT record and for an MX record. Either record proves ownership of the domain; you don't need both. The TXT record is the usual choice because it doesn't touch mail routing.

After that, create a DNS zone by navigating to DNS zones. The zone only answers for the domain once the registrar delegates the domain to the name servers listed on the zone's overview page; if the domain is already hosted elsewhere, add the verification record there instead.

Click the + Add button.

Enter the custom domain as the name of the zone and click Review + Create. After validation passes, click Create.

Once it is created, click + Record set.

Enter @ for the name, TXT for the type and paste the value from the earlier step. Set the TTL to 3600.

Alternatively, add the MX record with the details copied earlier. Then return to the custom domain page in Azure AD and click Verify.
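The same zone and verification record can be created with the Az PowerShell module, which also lets you check from a public resolver that the record is visible before clicking Verify. This is an added example and not part of the original article; the resource group, region, zone name and the TXT value are placeholders (the real TXT value is the one shown on the Custom domain names page).

```powershell
# Added example, not from the original article. Placeholders below are assumptions:
# resource group, region, zone name and the TXT value (copy the real one from
# Azure AD > Custom domain names > <domain>).
$rg       = 'rg-identity-lab'
$location = 'southeastasia'
$zone     = 'evanad.com'
$txtValue = 'MS=msXXXXXXXX'

Connect-AzAccount | Out-Null

if (-not (Get-AzResourceGroup -Name $rg -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rg -Location $location | Out-Null
}

# Create the public zone only if it does not exist yet, so re-runs are harmless.
$dnsZone = Get-AzDnsZone -Name $zone -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $dnsZone) {
    $dnsZone = New-AzDnsZone -Name $zone -ResourceGroupName $rg
}

# Azure AD accepts either a TXT or an MX record as proof of ownership; the TXT
# record is used here because it does not affect mail routing.
$txt = New-AzDnsRecordConfig -Value $txtValue
New-AzDnsRecordSet -Name '@' -RecordType TXT -ZoneName $zone -ResourceGroupName $rg `
    -Ttl 3600 -DnsRecords $txt -Overwrite | Out-Null

# The zone answers for the domain only after the registrar delegates to these servers.
Write-Host "Delegate $zone at the registrar to:"
$dnsZone.NameServers | ForEach-Object { Write-Host "  $_" }

# Check from a public resolver; Verify in the portal fails until this returns the value.
$seen = Resolve-DnsName -Name $zone -Type TXT -Server 8.8.8.8 -ErrorAction SilentlyContinue |
    Where-Object { $_.Strings -contains $txtValue }
if ($seen) { Write-Host 'TXT record visible publicly; click Verify in Azure AD.' }
else       { Write-Warning 'TXT record not visible yet (delegation or propagation pending).' }
```

Run it from a PowerShell session that has the Az.Dns and Az.Resources modules installed; the final check uses an external resolver on purpose, because Azure AD verifies through the public DNS tree and not through the zone you just created.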

Add Azure AD Domain Services

To set up a directory service, we can provision a Windows Server and install Active Directory Domain Services ourselves, or use a managed service in the cloud such as Azure AD Domain Services. The managed service is straightforward and quick to set up, and it takes care of high availability so that the directory service stays available.

To add an Azure AD Domain Services, on the Azure portal, type “Azure AD Domain Services” on the top search bar.

Click on the Azure AD Domain Services.

On the landing page, click the Create Azure AD Domain Services button.

On the Basics page, create a resource group or choose an existing one. Enter the DNS domain name for the managed domain; Microsoft's guidance is to use a name you control that is not already in use elsewhere on your network (the tenant's default *.onmicrosoft.com name also works). Leave the rest as default and navigate to the Networking section.

Create a new Virtual network or choose an existing Virtual network, leave others as default and click Review + create.

On the summary page, review all the settings and click Create to setup the AD Domain Services.

A pop-up reminds you that the choices are final: the domain name and the virtual network cannot be changed afterwards. Click OK.

Once the AD Domain Services is successfully deployed, navigate back to the service page. Click on the newly created AD Domain Services.

Update DNS settings for the Azure virtual network

With Azure AD DS successfully deployed, configure the virtual network so that connected VMs and applications can use the managed domain. To provide this connectivity, update the DNS server settings of the virtual network to point to the two IP addresses where the managed domain is deployed. VMs that are already running only pick up the new DNS servers after a restart or an ipconfig /renew in the guest.

Go down to the section on “Update DNS server settings…” and click Configure.
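The same change can be made with the Az PowerShell module, which is handy when the virtual network is managed as code. The snippet below is an added example, not from the original article; the resource group and virtual network names and the two DNS IP addresses are placeholders for the values on the managed domain's Properties page.

```powershell
# Added example, not from the original article. Assumed names: resource group
# 'rg-identity-lab', virtual network 'vnet-aadds'; the two IPs are placeholders for
# the values on the managed domain's Properties page.
$rg       = 'rg-identity-lab'
$vnetName = 'vnet-aadds'
$aaddsIps = @('10.0.1.4', '10.0.1.5')

Connect-AzAccount | Out-Null
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg

# A VNet that still uses Azure-provided DNS may have no DhcpOptions object yet.
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$aaddsIps
$vnet | Set-AzVirtualNetwork | Out-Null

# Read back what Azure stored. VMs that are already running only see the change
# after a restart or 'ipconfig /renew' in the guest.
$stored = (Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg).DhcpOptions.DnsServers
Write-Host "VNet $vnetName DNS servers: $($stored -join ', ')"
$extra = @($stored | Where-Object { $aaddsIps -notcontains $_ })
if ($extra.Count -gt 0) {
    Write-Warning "Unexpected DNS server(s) $($extra -join ', '): domain joins may resolve the wrong zone."
}
```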

Create New Windows Server Virtual Machine

On the main portal page, click on the Virtual Machines.

Azure portal

On the Virtual machines page, click Add and choose Virtual machine.

Create a new resource group or choose an existing one. Enter a name for the virtual machine. Choose the preferred region, no infrastructure redundancy required, Windows Server 2019 Datacenter - Gen1 for the image, and Standard_B1ms or any preferred size. Scroll to the bottom.

Enter a username and password for the local administrator account that you will use to access the virtual machine. Leave the rest as default.

This is an important step: on the Networking tab, choose the virtual network created earlier for Azure AD DS, so that the virtual machine can resolve and reach the managed domain. Microsoft recommends placing workload VMs in a separate subnet rather than in the managed domain's own subnet. Leave the rest as default. Click the Review + Create button.

After validation passes, click Create to provision the server. The VM itself is ready within a few minutes; it is the Azure AD DS deployment that can take up to an hour to complete, so wait until the managed domain shows as Running before attempting the domain join.

Add user into the Azure Active Directory

Click on the + New user to add a new user.

Enter the user name and the display name.

Enter an initial password; the user will have to change it at first sign-in.

In the Groups section, click the link.

Select the AAD DC Administrators group and click Select. This lab uses that group so that the user can Remote Desktop to the VM: in Azure AD DS you don't have Domain Administrator or Enterprise Administrator permissions, and AAD DC Administrators is the group whose members are granted administrative rights, including Remote Desktop, on domain-joined VMs. That is far more than RDP needs. Outside a lab, keep the group for the few people who actually administer the managed domain and grant RDP by adding users to the VM's local Remote Desktop Users group, directly or through group policy.
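The same user creation and group assignment scripted with the AzureAD PowerShell module of the article's era, added here as an example and not taken from the original article. The tenant domain evanad.com and the user chris are assumptions; the initial password is generated rather than typed so that it is never reused.

```powershell
# Added example, not from the original article; uses the AzureAD module of the
# article's era. Assumed values: tenant domain 'evanad.com', user 'chris'.
Connect-AzureAD | Out-Null

# A random initial password. The user must change it at first sign-in, and that
# change is what makes Azure AD generate the Kerberos/NTLM hashes Azure AD DS needs.
$initial = 'Tmp-' + [guid]::NewGuid().ToString('N').Substring(0, 16) + '!'
$pwProfile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$pwProfile.Password = $initial
$pwProfile.ForceChangePasswordNextLogin = $true

$user = New-AzureADUser -DisplayName 'Chris' -UserPrincipalName 'chris@evanad.com' `
    -MailNickName 'chris' -AccountEnabled $true -PasswordProfile $pwProfile
Write-Host "Created $($user.UserPrincipalName); initial password (hand over out of band): $initial"

# The article's lab shortcut: AAD DC Administrators. Members get administrative
# rights on every VM joined to the managed domain, so keep this to a lab; for plain
# RDP put the user in the VM's local Remote Desktop Users group instead.
$grp = Get-AzureADGroup -Filter "DisplayName eq 'AAD DC Administrators'"
$already = Get-AzureADGroupMember -ObjectId $grp.ObjectId -All $true |
    Where-Object { $_.ObjectId -eq $user.ObjectId }
if (-not $already) {
    Add-AzureADGroupMember -ObjectId $grp.ObjectId -RefObjectId $user.ObjectId
}
Get-AzureADUserMembership -ObjectId $user.ObjectId | Select-Object DisplayName, ObjectType
```

The password still has to be changed once through https://myapps.microsoft.com as described below; creating the user with ForceChangePasswordNextLogin only makes sure that the first sign-in cannot skip that step.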

Reset Initial Password

This step is needed so that the initial password is changed at the first sign-in; only then can the account be used to log in to the domain. When a user is created in Azure AD, they're not synchronized to Azure AD DS until they change their password in Azure AD. The password change makes Azure AD generate and store the password hashes needed for Kerberos and NTLM authentication, and those hashes are what Azure AD DS uses to authenticate the user.

The synchronization process is one way / unidirectional by design. There’s no reverse synchronization of changes from Azure AD DS back to Azure AD. A managed domain is largely read-only, you can’t make changes to user attributes, user passwords, or group memberships within a managed domain.

To reset the initial password, open a new tab on the browser, enter https://myapps.microsoft.com

Enter the email address of the newly added user (for example, if the user is chris and the primary domain is abc.com, the address is chris@abc.com) and click Next.

Primary domain

To find the primary domain name for your current tenant, go to Azure Active Directory. On the overview page, locate the Primary domain under the Tenant information panel as highlighted above.

Key in the initial password and click Sign in.

Now, enter the new password. Remember this password to use for the user login into the Windows Server VM later.

Note: this manual password reset step is required because I do not have the P2 license, which has the self-service password reset capability.

Join the VM to the Managed Domain

Navigate to the virtual machine that was created earlier. Click on the Connect button on the top.

On the connect menu there are several options for connecting to the server, such as RDP or a Bastion host. In this lab we use Bastion.

Azure Bastion is a fully managed PaaS service that provides RDP/SSH connectivity to the VM directly in the Azure portal over TLS on port 443, so the VM needs neither a public IP address nor an inbound RDP rule in its network security group.

Click the Use Bastion button. To connect using Azure Bastion, the virtual network must contain a subnet named AzureBastionSubnet with a prefix of at least /27.

To do that, click the Manage subnet configuration link. Before adding the subnet for Azure Bastion, we need to add another address space to the virtual network.

On the left menu, click Address space. Add another address space, 10.0.10.0/27. Click Save.

Go back to the Subnets section and click + Subnet.

Enter AzureBastionSubnet for the subnet name and 10.0.10.0/27 for the subnet address range. Leave the rest as default and click OK.

Go back to the Azure Bastion page, choose Create new for the public IP address, leave everything else at default and click Create.

Once provisioning succeeds, enter the local username and password of the Windows Server and click Connect.

If the browser has a pop-up blocker enabled, allow pop-ups for the portal.

Once the remote desktop session is established, open Server Manager, navigate to Local Server and locate Workgroup in the properties. Click on WORKGROUP.

On the System Properties dialog, click the Change button.

Change the membership from Workgroup to Domain and enter the name of the managed domain created earlier in the Azure AD DS setup.

A prompt about the NetBIOS name appears if the domain name is longer than 15 characters; Windows shortens it automatically. Click OK.

Enter the name and password of the Azure AD user that was added to AAD DC Administrators earlier (use the full UPN, e.g. chris@abc.com). Click OK.

If the domain join is successful, a welcome message pops up. Click OK.

The VM is now joined to the managed domain. Click OK and restart the server.

Test Login using Domain User Credential

To test whether the domain-joined server accepts the AD credentials, navigate to the VM page -> Overview -> Connect -> Bastion.

Enter the AD username (in UPN form) and password and click Connect. Once it succeeds, you are on the Windows Server desktop as the domain user.

Setup VPN Gateway on Azure (Optional)

This step is a guide on how to set up connectivity between the two cloud providers in a hybrid environment, to show that servers on both sides can be domain-joined to Azure AD DS.

For the servers on both sides to communicate with each other, connectivity between the cloud providers is required. The common options are a dedicated private line (ExpressRoute on the Azure side) and a site-to-site IPsec VPN. This tutorial uses a VPN gateway.

Before we create the VPN gateway, we need to allocate a gateway subnet within an address space of the virtual network. To do that, navigate back to the vnet that was created earlier.

On the Address space settings, add another range for the VPN gateway, e.g. 10.0.11.0/29. Choose a range that does not overlap the other address space ranges. Click Save. A /29 works for a single VPN gateway as in this lab; Microsoft recommends /27 or larger so that other gateway SKUs or an ExpressRoute gateway can share the subnet later.

Then navigate to the Virtual network gateways page by searching in the top bar or selecting it from the services list.

On the Virtual network gateways page, click the Create virtual network gateway button or the Add button at the top left of the panel.

Enter a name for the virtual network gateway, keep the VPN type as Route-based (IKEv2, which is used below, requires it) and choose the existing virtual network in which the VM and Azure AD DS reside. The gateway subnet address range should be automatically populated from the address space created earlier.

Scroll to the bottom, create a new public IP and enter a name for it, leave the rest as default and click Review + create. Provisioning a gateway can take 45 minutes or more.

After the gateway is created, go to its Overview page and locate the public IP address. Copy it: it is the IP address of the customer gateway that AWS needs.

Setup VPN Gateway on AWS

In the VPC console, click the Create Customer Gateway button.

Key in the IP address (the Azure VPN gateway's public IP address) and keep routing as Static.

Customer Gateway

Next, we need to create a Virtual Private Gateway.

Enter a name for the VPG and click Create Virtual Private Gateway.

Then attach the VPG to the existing VPC.

Choose the VPC from the dropdown list box and click Yes, Attach.

The state should be "attached" now.

Click on Create VPN Connection.

Enter a name tag for the connection, choose Virtual Private Gateway as the target gateway type and select the existing VPG, choose Existing Customer Gateway, set the routing option to Static and enter the Azure virtual network address space as the static IP prefix. Where the form asks for the local and remote network CIDRs, enter the Azure address space and the VPC CIDR block (see below for where to find both).

VPC CIDR Block

CIDR block for VPC

To get the CIDR block for the existing VPC, navigate to the VPC, scroll to the right and you should see the CIDR. For example, in the picture above the CIDR is 172.31.0.0/16.

Azure Virtual Network Subnet

Virtual network address space in Azure

Under the tunnel options, enter the pre-shared key for tunnel 1. Use a long random string and treat it as a secret: it is the only thing that authenticates the two gateways to each other. The same value goes into the Azure connection below.

Click Create VPN Connection.

AWS creates two tunnels, each with its own outside IP address, shown on the connection's Tunnel details tab. Note the outside IP address of tunnel 1; the Azure site-to-site connection terminates on that tunnel.

Locate the AWS VPN Gateway Public IP

Back in Azure, on the virtual network gateway, scroll to the Settings section and click Connections. Click the + Add button to add a new site-to-site connection.

Give the connection a name and choose Site-to-site (IPsec) as the connection type. Use the existing virtual network gateway. Key in the shared key configured on AWS and choose IKEv2 as the IKE protocol. Finally, click Choose a local network gateway to create a new local network gateway.

Key in the AWS tunnel 1 outside IP address and the VPC CIDR block (172.31.0.0/16) as its address space, then click OK.

The values used in this lab:

Azure

Virtual network: 10.0.1.0/24
Gateway subnet address range: 10.0.11.0/29 (this has to sit within one of the virtual network's address spaces)
Azure public IP for the VPN endpoint: xx.xx.xx.xx

AWS

Virtual network: 172.31.0.0/16
AWS public IP for the VPN endpoint (tunnel 1 outside IP): xx.xx.xx.xx

Add Route

Before the servers can ping each other, we need to add custom routes to the route tables.

On AWS, add the Azure address space (10.0.1.0/24) to the VPC route table with the virtual private gateway as the target, or enable route propagation from the VPG on that route table. On the Azure side, the route-based gateway adds the local network gateway's address space (172.31.0.0/16) to the virtual network's system routes automatically, so nothing needs to be added there.

VPN tunnel status in AWS

Check that the VPN state is "available" on AWS and that the tunnel configured on Azure shows as UP on the Tunnel details tab.

VPN status in Azure

Check to see the the VPN status is connected in Azure.

Test a ping from the EC2 instance to an Azure AD DS IP address. If it succeeds, AWS can reach Azure. Next we need to do the same in the other direction so that Azure can reach AWS; that requires a security group rule on the EC2 instance.

AWS EC2 Private IP

First, locate the AWS EC2 private IP address.

Security Group

Click on the security groups.

Edit inbound rules

Click on the Edit inbound rules.

Click Add rule and add a rule for All ICMP - IPv4. Use the Azure address space (10.0.1.0/24) as the source rather than 0.0.0.0/0: the rule should only admit the other end of the tunnel, and the instance has no reason to answer ping from the whole Internet.

On the Azure VM, open a command prompt window and ping the EC2 instance's private IP. If that succeeds, both clouds are connected at the network layer. Ping only exercises ICMP, though; the domain join also needs DNS (53), Kerberos (88), RPC (135 plus the dynamic range), LDAP (389) and SMB (445) to get through the tunnel and the security groups.
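Ping tells you that the tunnel and the routes work, not that the ports a domain join needs are open. The following PowerShell, added here and not part of the original article, probes the AD ports on both managed-domain DCs from the EC2 instance (or, with the EC2 private IP as the target, from the Azure VM). The IP addresses are placeholders for the ones on the managed domain's Properties page; UDP is not covered because Test-NetConnection only tests TCP.

```powershell
# Added example, not from the original article. Run on the EC2 instance (or, with
# the EC2 private IP as target, on the Azure VM). IP addresses are placeholders.
$targets = [ordered]@{
    'Azure AD DS DC 1' = '10.0.1.4'
    'Azure AD DS DC 2' = '10.0.1.5'
}
# Domain join and logon need these TCP ports, not just ICMP.
$ports = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global catalog'
}

$results = foreach ($name in $targets.Keys) {
    $ip   = $targets[$name]
    $icmp = Test-Connection -ComputerName $ip -Count 2 -Quiet
    foreach ($port in $ports.Keys) {
        $open = Test-NetConnection -ComputerName $ip -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target = $name; IP = $ip; Icmp = $icmp
            Port = $port; Service = $ports[$port]; TcpOpen = $open
        }
    }
}
$results | Format-Table Target, IP, Icmp, Port, Service, TcpOpen -AutoSize

# Summarise what still has to be fixed in the VPN route, NSG or security group.
$blocked = $results | Where-Object { -not $_.TcpOpen }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.IP):$($_.Port)" }) -join ', '
    Write-Warning "TCP blocked: $list. UDP 53/88/389 are not tested here; check them with nltest once DNS works."
} else {
    Write-Host 'All AD ports reachable; safe to proceed with the domain join.'
}
```

A port that shows as blocked while ping works almost always points at a security group or network security group rule rather than at the tunnel itself.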

EC2 Windows Server Domain-Joined with Azure AD DS (Optional)

This step is optional; it shows that servers outside Azure can also be joined to Azure AD DS.

Set the local DNS servers to the Azure AD DS private IP addresses.

Azure AD DS server IP address

To locate them, click the Azure AD DS instance and, on the Properties page, refer to the IP addresses highlighted above. There are two; copy them and save them somewhere, because they are used as the DNS servers of the AWS EC2 Windows Server.

On the AWS EC2, right click on the networking icon on the bottom right on the Windows desktop.

Click on the Open Network & Internet settings

On setting page, click on the Change adapter options

On the Network Connections folder, right click on the ethernet adapter and click Properties.

On the Ethernet properties dialog, click on the Internet Protocol Version 4 (TCP/IPv4).

Enter both Azure AD DS private IP addresses as the Preferred and Alternate DNS server. Be aware that from now on all name resolution on this instance goes through the tunnel to the managed domain's DNS; if the VPN is down, the instance cannot resolve anything.

Close all the windows and get back to the Server Manager. Navigate to the Local Server and click on the Workgroup link.

Click on the Change… button

Then enter the domain name of the managed domain, for example xxxx.onmicrosoft.com, and click OK.

On the security prompt, key in the Azure AD user name (UPN) and password and click OK.

After the domain join succeeds you should see the message above. Click OK. The Windows Server running on AWS EC2 is now joined to Azure AD DS.

To test a remote login with the Azure AD user, right-click the RDP connection file.

Click Edit.

Check "Always ask for credentials" so that you can key in the user name. Enter the UPN of the Azure AD user. Click Connect.
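The domain join done through the GUI above, both for the Azure VM and for the EC2 instance, can be scripted, and scripting it makes the failure modes visible: DNS and the tunnel are checked before any credentials are used. The script below is an added example and not from the original article. The managed domain name, the two DNS IP addresses, the join account and the file name join-aadds.ps1 are assumptions.

```powershell
# Added example, not from the original article. Assumptions: managed domain
# 'evanad.com' with DCs at 10.0.1.4 and 10.0.1.5, join account 'chris@evanad.com'
# (an AAD DC Administrators member). The same script joins the Azure VM, where the
# DNS step is already covered by the virtual network settings and can be skipped.
param(
    [string]   $Domain     = 'evanad.com',
    [string[]] $DnsServers = @('10.0.1.4', '10.0.1.5'),
    [string]   $JoinUser   = 'chris@evanad.com',
    [switch]   $SetDns
)

if ($SetDns) {
    # EC2: point the active adapter at the managed domain's DNS. From here on, name
    # resolution on this instance depends on the VPN tunnel being up.
    $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
    Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $DnsServers
}

# The DC locator SRV record must resolve before the join is attempted; if it does
# not, the problem is DNS or the VPN, not the credentials.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No DC SRV records for $Domain; check the DNS servers and the tunnel." }
Write-Host "Domain controllers for ${Domain}: $($srv.NameTarget -join ', ')"

$cred = Get-Credential -UserName $JoinUser -Message "Account allowed to join $Domain"
Add-Computer -DomainName $Domain -Credential $cred -Force -Restart

# After the reboot, confirm the machine account and its secure channel:
#   Test-ComputerSecureChannel -Verbose
#   nltest /dsgetdc:evanad.com
```

On the EC2 instance run .\join-aadds.ps1 -SetDns from an elevated PowerShell; on the Azure VM run it without -SetDns. Add-Computer restarts the machine, so the two verification commands in the trailing comment are run after the reboot.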

This works as long as there is connectivity between both sites. But what happens if the connection is not available? The user cannot log in to the server at all. This is why a distributed identity management setup is sometimes crucial to keep operations running despite technical issues. Typically, an enterprise has a local Active Directory that acts as the local identity store and is synchronized to another site. In the next step we set up a local Active Directory Domain Services on a new AWS EC2 instance, and after that we configure Azure AD Connect to synchronize its users to Azure AD.

Setup Active Directory Domain Services on AWS

In this step we set up a new Windows Server 2019 instance with the Active Directory Domain Services (AD DS) and DNS Server roles. The objective is to emulate the traditional way of managing user identities with Microsoft Active Directory. This is a separate forest, not another domain controller of the managed domain: Azure AD DS does not allow you to add your own domain controllers.

To setup a EC2 with Windows Server 2019, you can refer to https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EC2_GetStarted.html

Firstly, on the Windows Server GUI, click on the Windows icon on the bottom left of the screen and click the Server Manager.

On the main page of the Server Manager, click on the “Add roles and features”.

On the start of the Add Roles and Features Wizard, click Next > to go to the next screen.

Choose the first option — “Role-based or feature-based installation”.

On the Server Selection, it should list the default server, choose the first option and click Next >.

In the Server Roles section, check Active Directory Domain Services (AD DS).

A dialog pops up listing the role services and features required for AD DS. Make sure "Include management tools (if applicable)" is checked and click Add Features.

After that, check DNS Server to install the DNS service. In its pop-up dialog, keep the default (include management tools) and click Add Features.

If the computer is not set to a static IP address, the warning above appears. Click Continue. On EC2 the primary private IPv4 address stays with the instance until it is terminated even though it is assigned by DHCP, so the warning is acceptable for this lab.

Note: the best practice, especially for production, is to configure a static IP so that the address never changes and clients connecting to the server are not affected.

Click Next >.

On this Features section, leave everything to default and click Next >.

On this AD DS page, click Next >.

Click Next > at the DNS Server section to proceed to the Confirmation page.

Click on the Install button to install the AD DS and DNS Server. After couple of minutes, the installation should be completed.

When the installation completed, click on the link — “Promote this server to a domain controller”.

On the Deployment Configuration page, choose "Add a new forest" and specify the root domain name. Click Next >.

Note: an Azure AD DS managed domain does not accept additional domain controllers, so "Add a domain controller to an existing domain" cannot be used here; this server becomes the first DC of a separate forest, the traditional AD that Azure AD Connect will synchronize. What has to line up is the UPN suffix: the forest's root domain name (or a UPN suffix added to the forest) must be a custom domain verified in the Azure AD tenant, otherwise synced users get a *.onmicrosoft.com UPN and cannot sign in to the managed domain with their AD UPN. In this lab the root domain name and the Azure AD DS domain name are the same.

Enter a password for the Directory Services Restore Mode (DSRM) password and leave others as default. Click Next >.

Uncheck the Create DNS delegation and click Next >.

The NetBIOS domain name would be automatically generated. Leave it as default and click Next >.

Leave it as default for the paths and click Next >.

At last, review the options and click Next >.

After the prerequisites check is passed successfully, click the Install button. After a while, the server will be automatically restarted to finish the installation process.

Add User to Active Directory Domain Services in AWS

This step is to create new user into the AD DS in AWS for testing purpose later on.

On the server manager, click on the Tools and choose Active Directory Users and Computers.

Click on the user icon as highlighted above.

Key in the first name and the user logon name (note: use a name different from the Azure AD user so that the two can be told apart when testing). Click Next >.

On the password screen, key in the password and confirm it. Click Next >. On the final dialog, click Finish.
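The forest promotion and the test user above can also be done from PowerShell, which makes the two decisions that matter explicit: a new forest rather than an extra DC, and a UPN suffix that the tenant has verified. The script is an added example, not from the original article; the forest name evanad.com, NetBIOS name EVANAD, the user alice and the file name lab-adds.ps1 are assumptions.

```powershell
# Added example, not from the original article. Assumptions: forest 'evanad.com',
# NetBIOS name 'EVANAD', verified tenant domain 'evanad.com', test user 'alice'.
# Run as local Administrator: first -Phase Promote (reboots), then -Phase AddUser.
param(
    [ValidateSet('Promote', 'AddUser')] [string] $Phase = 'Promote',
    [string] $Domain    = 'evanad.com',
    [string] $Netbios   = 'EVANAD',
    [string] $UpnSuffix = 'evanad.com'   # must be a verified custom domain in Azure AD
)

switch ($Phase) {
    'Promote' {
        # The wizard warns about DHCP; on EC2 the primary private IPv4 address is
        # fixed for the instance's lifetime, so it is acceptable for a lab DC.
        $ipv4 = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
        Write-Host "Promoting $($ipv4.IPv4Address.IPAddress) as the first DC of $Domain"

        Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools | Out-Null

        $dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
        # A new forest, not "add a DC to an existing domain": a managed Azure AD DS
        # domain does not accept additional domain controllers. No DNS delegation,
        # matching the wizard walk-through. The cmdlet reboots when it finishes.
        Install-ADDSForest -DomainName $Domain -DomainNetbiosName $Netbios -InstallDns `
            -CreateDnsDelegation:$false -SafeModeAdministratorPassword $dsrm -Force
    }
    'AddUser' {
        Import-Module ActiveDirectory
        # Azure AD Connect keeps the UPN only if its suffix is verified in the tenant;
        # otherwise the user lands as alice@<tenant>.onmicrosoft.com. Add the suffix
        # to the forest when the forest name differs from the verified domain.
        $forest   = Get-ADForest
        $suffixes = @($forest.RootDomain) + @($forest.UPNSuffixes)
        if ($suffixes -notcontains $UpnSuffix) {
            Set-ADForest -Identity $forest -UPNSuffixes @{ add = $UpnSuffix }
        }
        $pw = Read-Host -AsSecureString "Password for alice@$UpnSuffix"
        New-ADUser -Name 'Alice Lim' -GivenName 'Alice' -Surname 'Lim' -SamAccountName 'alice' `
            -UserPrincipalName "alice@$UpnSuffix" -AccountPassword $pw -Enabled $true
        Get-ADUser -Identity 'alice' -Properties UserPrincipalName |
            Select-Object SamAccountName, UserPrincipalName, Enabled
    }
}
```

Run .\lab-adds.ps1 -Phase Promote, wait for the reboot, then .\lab-adds.ps1 -Phase AddUser. The UPN printed at the end is the name that should appear unchanged in Azure AD after the first synchronization.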

Setup AD Connect

In order to synchronize the directory data from the Active Directory Domain Services in AWS to Azure AD, we need a tool called Azure AD Connect. Download it from the Microsoft Download Center.

After the download, launch the installer and click Continue after accepting the license terms.

Choose Express settings. Express settings sets up a single-forest synchronization with password hash synchronization, which is what Azure AD DS needs in order to authenticate synced users. It also synchronizes every object in the forest; for a production directory that is a reason to choose Customize instead and filter by organizational unit.

Click Install.

Enter the credentials of an Azure AD Global Administrator and click Next.

Enter the credentials of an Enterprise Administrator of the AWS forest created in the earlier step and click Next.

Click Configure.

Go back to the Azure, navigate to the Azure Active Directory->Users. The user that was created in AWS AD DS is now synchronized to the Azure AD. The AD Connect sync works!

To double confirm if the synchronization is working correctly, navigate to the Azure AD -> Azure AD Connect page. The sync status should show Enabled.

To log in to the domain-joined VM with the user replicated from AWS, this lab adds the user to the AAD DC Administrators group, because in Azure AD DS you don't have Domain Administrator or Enterprise Administrator permissions and that group is the one whose members are granted administrative rights, including Remote Desktop, on domain-joined VMs. It is a lab shortcut: any domain user can RDP once added to the VM's local Remote Desktop Users group, which is the least-privilege way to do it outside a lab. One more caveat: if Azure AD Connect had been installed before the managed domain was created, a full password hash synchronization has to be forced so that the NTLM and Kerberos hashes reach Azure AD DS; in this lab the managed domain existed first, so the express installation already takes care of it.

To do that, navigate to the Groups and click Add Memberships, select the AAD DC Administrators group and click Select.

Finally, go back to the VM page, connect to the VM via the Bastion, enter the credentials and click Connect. After the successful authentication you should be able to remote desktop into the VM using the replicated user from AWS!
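Waiting for the scheduler and eyeballing the Users blade is slow; the following PowerShell, added here and not from the original article, forces a delta sync on the Azure AD Connect server, checks that password hash synchronization is on for the AD connector, and confirms that the AWS user arrived as a synced object with its UPN intact. The user alice@evanad.com is an assumption, and the AzureAD module is assumed to be installed.

```powershell
# Added example, not from the original article. Run on the Azure AD Connect server.
# Assumed: the AWS user is 'alice@evanad.com'; the AzureAD module is installed.
Import-Module ADSync

# Express settings installs a 30-minute scheduler; confirm it and push a delta
# cycle instead of waiting.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
do { Start-Sleep -Seconds 10 } while (Get-ADSyncConnectorRunStatus)

# Azure AD DS can only authenticate synced users if password hash sync is on for
# the AD connector (Express settings enables it).
$adConnector = Get-ADSyncConnector | Where-Object { $_.ConnectorTypeName -eq 'AD' } | Select-Object -First 1
$phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector.Name
if (-not $phs.Enabled) {
    Write-Warning "Password hash sync is disabled for $($adConnector.Name); Azure AD DS logons will fail."
}

# Confirm the object arrived in Azure AD as a synced (not cloud-only) user.
Connect-AzureAD | Out-Null
$u = Get-AzureADUser -Filter "userPrincipalName eq 'alice@evanad.com'"
if (-not $u) {
    throw 'User not in Azure AD yet; check the connector run history in Synchronization Service Manager.'
}
$u | Select-Object UserPrincipalName, DirSyncEnabled, LastDirSyncTime, OnPremisesSecurityIdentifier
if ($u.UserPrincipalName -like '*.onmicrosoft.com') {
    Write-Warning 'UPN suffix was replaced: the AD UPN suffix is not a verified domain in the tenant.'
}
```

DirSyncEnabled set to True and a populated OnPremisesSecurityIdentifier are the two fields that distinguish a synced user from one created directly in the portal; if the UPN came through with the tenant's default suffix, fix the suffix in the AWS forest and run the delta sync again rather than editing the user in Azure AD.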

Summary

This configuration is not limited to connecting different cloud providers; it applies just as well to on-premises environments. With this cross-cloud hybrid identity management in place, organizations can run on their preferred infrastructure and still collaborate with and integrate various business or departmental units, or even external parties that use non-AD authentication, through a B2C identity service such as Azure Active Directory B2C.
