Added AADDS Deployment files

Author: Rahul Khengare

101-AAD-DomainServices/README.md

@@ -0,0 +1,170 @@
+# Azure Active Directory Domain Service (AADDS) template
+
+<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-AAD-DomainServices%2Fazuredeploy.json" target="_blank">
+    <img src="http://azuredeploy.net/deploybutton.png"/> 
+</a>
+
+<a href="http://armviz.io/#/?load=https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-AAD-DomainServices%2Fazuredeploy.json" target="_blank">
+    <img src="http://armviz.io/visualizebutton.png"/> 
+</a>
+
+## Table of Contents
+
+1. [Overview](#overview)
+2. [Important Notes](#importantnotes)
+3. [Pre Deployment Steps](#predeployment)
+4. [Deployment](#deployment)
+5. [Post Deployment Steps](#postdeployment)
+6. [Teardown Deployment](#teardown)
+7. [References](#references)
+
+<a name="overview"></a>
+
+## Overview
+This template provision an Azure Active Directory Domain Service (AADDS) with required VNET and NSG groups.
+
+<a name="importantnotes"></a>
+
+### Important Notes
+
+* The scripts create manage Azure Active Directory domain services. We recommend creating a new Azure Active Directory (AD) tenant to deploy this solution.
+* Subscription tenant should not have existing managed Azure Active Directory Domain Services (AADDS). Azure active directory supports only **one Domain Service per tenant**.
+* Domain Name provided as input parameter while deployment should be **verified** within Azure active directory.
+* AAD Domain Services requires the chosen subnet to belong to a reserved private range. Use AADDS subnet range within one of the following IP address ranges: 192.168.0.0/16, 172.16.0.0/12, or 10.0.0.0/8.
+* Do not run this solution in **production environment/subscriptions**.
+* It is recommended you use a clean Windows 10 (or similar) VM to perform the solution to ensure that the correct PowerShell modules get loaded.
+* Deployment takes around **40-45 minutes** to complete.
+
+<a name="predeployment"></a>
+
+### Pre Deployment Step
+
+Before proceeding to deployment of the AADDS template, we need to perform following steps.
+
+**Note:** You can perform these steps through portal as well.
+
+#### 1. Install the required Powershell modules
+
+* Install and configure Azure AD PowerShell module
+
+    Follow the instructions in the article to [install the Azure AD PowerShell module and connect to Azure AD](https://docs.microsoft.com/powershell/azure/active-directory/install-adv2?toc=%2fazure%2factive-directory-domain-services%2ftoc.json).
+
+* Install and configure Azure PowerShell module
+
+    Follow the instructions in the article to [install the Azure PowerShell module and connect to your Azure subscription](https://docs.microsoft.com/powershell/azure/install-azurerm-ps?toc=%2fazure%2factive-directory-domain-services%2ftoc.json).
+
+#### 2. Connect To Azure Active Directory
+
+    # Connect to your Azure Account.
+    Connect-AzureAD -TenantId <Active Directory ID>
+
+#### 3. Register Azure Active Directory Application service principal
+
+    # Create the service principal for Azure AD Domain Services.
+    New-AzureRmADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"
+
+#### 4. Configure Administrative Group
+
+    # Create the delegated administration group for AAD Domain Services.
+    New-AzureADGroup -DisplayName "AAD DC Administrators" `
+                     -Description "Delegated group to administer Azure AD Domain Services" `
+                     -SecurityEnabled $true -MailEnabled $false `
+                     -MailNickName "AADDCAdministrators"
+
+    # Add user to "AAD DC Administrators" group
+
+    # First, retrieve the object ID of the newly created 'AAD DC Administrators' group.
+    $GroupObjectId = Get-AzureADGroup `
+    -Filter "DisplayName eq 'AAD DC Administrators'" | `
+    Select-Object ObjectId
+
+    # Now, retrieve the object ID of the user you'd like to add to the group.
+    $UserObjectId = Get-AzureADUser `
+    -Filter "UserPrincipalName eq '[email protected]'" | `
+    Select-Object ObjectId
+
+    # Add the user to the 'AAD DC Administrators' group.
+    Add-AzureADGroupMember -ObjectId $GroupObjectId.ObjectId -RefObjectId $UserObjectId.ObjectId
+
+#### 5. Register Resource Provider
+
+    # Login to Azure Account
+    Connect-AzureRmAccount -TenantId <Active Directory ID>
+    # Register the resource provider for Azure AD Domain Services with Resource Manager.
+    Register-AzureRmResourceProvider -ProviderNamespace Microsoft.AAD
+
+
+<a name="deployment"></a>
+
+### Deployment
+
+<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2Fazure-quickstart-templates%2Fmaster%2F101-AAD-DomainServices%2Fazuredeploy.json" target="_blank">
+    <img src="http://azuredeploy.net/deploybutton.png"/> 
+</a>
+
+<p></p>
+
+In case you want to deploy from deployment machine follow below steps,
+
+* Edit the deployment parameter file
+* Create resource group
+
+>     # Create new resource group
+>     New-AzureRmResourceGroup -Name <ResourceGroupName> -Location <location>
+
+
+* Deploy AADDS template
+
+>     # Deploy AADDS template
+>     New-AzureRmResourceGroupDeployment -ResourceGroupName <Resource Group Name> -TemplateParameterFile .\azuredeploy.parameters.json -TemplateFile .\azuredeploy.json -Verbose
+
+
+**Note:** 
+* Deployment takes around 40-50 minutes.
+
+<a name="postdeployment"></a>
+
+### Post Deployment Steps
+
+After deploying AAD Domain services it will take around 40 minutes more to get configured internally.
+
+#### 1. Check AADDS status
+To check configuration status follow below steps,
+Go to Azure portal -> Select AADDS resource group -> select Domain services resource -> see health status is "Running"(refer below image)
+
+    ![](images\aaddsstatus.png)
+
+#### 2. Update DNS on virtual network
+
+Click on "Configure" button from overview blade to update the DNS server settings to point to the two IP addresses where Azure Active Directory Domain Services is available on the virtual network.
+
+    ![](images\dnsupdate.png)
+
+#### 3. Enable password hash synchronization
+
+Users cannot bind using secure LDAP or sign in to the managed domain until you enable password hash synchronization to Azure AD Domain Services. We are using cloud-only user accounts. Refer this document  for resetting the password and more details.
+
+**Reset AAD User password:** To use the Managed AADDS we need to perform the password hash synchronization.
+
+You need to change the active directory administrator [AADGlobalAdminUser] password. Azure requires 20 minutes to sync the password hashes from Azure AD to manage AADDS.
+
+<a name="teardown"></a>
+
+### Teardown Deployment
+Run following powershell command after login to subscription to clear all the resources deployed. Specify resource group name given during deployment.
+ 
+ `Remove-AzureRmResourceGroup -Name <ResourceGroupName>  -Force `
+ 
+    
+Verification steps -
+1. Login to Azure Portal / Subscription
+2. Check if resource group name given during deployment is cleared.
+<p/>
+
+<a name="references"></a>
+
+### References
+1. Pre-requisites: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-enable-using-powershell
+2. Networking Considerations: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-networking
+3. Password Synchronization: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started-password-sync
+4. Troubleshooting Giude: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-troubleshooting

101-AAD-DomainServices/azuredeploy.json

@@ -0,0 +1,211 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "domainName": {
+      "type": "string",
+      "metadata": {
+        "description": "Domain Name"
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "Location for all resources."
+      }
+    },
+    "domainServicesVnetName": {
+      "type": "string",
+      "defaultValue": "domain-services-vnet",
+      "metadata": {
+        "description": "Virtual Network Name"
+      }
+    },
+    "domainServicesVnetAddressPrefix": {
+      "type": "string",
+      "defaultValue": "10.0.0.0/16",
+      "metadata": {
+        "description": "Address Prefix"
+      }
+    },
+    "domainServicesSubnetName": {
+      "type": "string",
+      "defaultValue": "domain-services-subnet",
+      "metadata": {
+        "description": "Virtual Network Name"
+      }
+    },
+    "domainServicesSubnetAddressPrefix": {
+      "type": "string",
+      "defaultValue": "10.0.0.0/24",
+      "metadata": {
+        "description": "Subnet prefix"
+      }
+    }
+  },
+  "variables": {
+    "domainServicesNSGName": "[concat(parameters('domainServicesSubnetName'), '-nsg')]",
+    "nsgRefId": "[resourceId('Microsoft.Network/networkSecurityGroups', variables('domainServicesNSGName'))]",
+    "vnetRefId": "[resourceId('Microsoft.Network/virtualNetworks/', parameters('domainServicesVnetName'))]",
+    "subnetRefId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('domainServicesVnetName'), parameters('domainServicesSubnetName'))]",
+    "PSRemotingSlicePIPAddresses": [
+      "52.180.179.108",
+      "52.180.177.87",
+      "13.75.105.168",
+      "52.175.18.134",
+      "52.138.68.41",
+      "52.138.65.157",
+      "104.41.159.212",
+      "104.45.138.161",
+      "52.169.125.119",
+      "52.169.218.0",
+      "52.187.19.1",
+      "52.187.120.237",
+      "13.78.172.246",
+      "52.161.110.169",
+      "52.174.189.149",
+      "40.68.160.142",
+      "40.83.144.56",
+      "13.64.151.161"
+    ],
+    "RDPIPAddresses": [
+      "207.68.190.32/27",
+      "13.106.78.32/27",
+      "13.106.174.32/27",
+      "13.106.4.96/27"
+    ],
+    "PSRemotingSliceTIPAddresses": [
+      "52.180.183.67",
+      "52.180.181.39",
+      "52.175.28.111",
+      "52.175.16.141",
+      "52.138.70.93",
+      "52.138.64.115",
+      "40.80.146.22",
+      "40.121.211.60",
+      "52.138.143.173",
+      "52.169.87.10",
+      "13.76.171.84",
+      "52.187.169.156",
+      "13.78.174.255",
+      "13.78.191.178",
+      "40.68.163.143",
+      "23.100.14.28",
+      "13.64.188.43",
+      "23.99.93.197"
+    ]
+  },
+  "resources": [
+    {
+      "apiVersion": "2018-06-01",
+      "type": "Microsoft.Network/networkSecurityGroups",
+      "name": "[variables('domainServicesNSGName')]",
+      "location": "[parameters('location')]",
+      "properties": {
+        "securityRules": [
+          {
+            "name": "AllowPSRemotingSliceP",
+            "properties": {
+              "protocol": "TCP",
+              "sourcePortRange": "*",
+              "destinationPortRange": "5986",
+              "sourceAddressPrefixes": "[variables('PSRemotingSlicePIPAddresses')]",
+              "destinationAddressPrefix": "*",
+              "access": "Allow",
+              "priority": 301,
+              "direction": "Inbound"
+            }
+          },
+          {
+            "name": "AllowRDP",
+            "properties": {
+              "protocol": "TCP",
+              "sourcePortRange": "*",
+              "destinationPortRange": "3389",
+              "sourceAddressPrefixes": "[variables('RDPIPAddresses')]",
+              "destinationAddressPrefix": "*",
+              "access": "Allow",
+              "priority": 201,
+              "direction": "Inbound"
+            }
+          },
+          {
+            "name": "AllowSyncWithAzureAD",
+            "properties": {
+              "protocol": "TCP",
+              "sourcePortRange": "*",
+              "destinationPortRange": "443",
+              "sourceAddressPrefix": "*",
+              "destinationAddressPrefix": "*",
+              "access": "Allow",
+              "priority": 101,
+              "direction": "Inbound"
+            }
+          },
+          {
+            "name": "AllowPSRemotingSliceT",
+            "properties": {
+              "protocol": "TCP",
+              "sourcePortRange": "*",
+              "destinationPortRange": "5986",
+              "sourceAddressPrefixes": "[variables('PSRemotingSliceTIPAddresses')]",
+              "destinationAddressPrefix": "*",
+              "access": "Allow",
+              "priority": 302,
+              "direction": "Inbound"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "apiVersion": "2018-06-01",
+      "type": "Microsoft.Network/virtualNetworks",
+      "name": "[parameters('domainServicesVnetName')]",
+      "location": "[parameters('location')]",
+      "properties": {
+        "addressSpace": {
+          "addressPrefixes": [
+            "[parameters('domainServicesVnetAddressPrefix')]"
+          ]
+        }
+      },
+      "dependsOn": [
+        "[variables('domainServicesNSGName')]"
+      ],
+      "resources": [
+        {
+          "apiVersion": "2018-06-01",
+          "type": "subnets",
+          "location": "[parameters('location')]",
+          "name": "[parameters('domainServicesSubnetName')]",
+          "dependsOn": [
+            "[parameters('domainServicesVnetName')]"
+          ],
+          "properties": {
+            "addressPrefix": "[parameters('domainServicesSubnetAddressPrefix')]",
+            "networkSecurityGroup": {
+              "id": "[variables('nsgRefId')]"
+            }
+          }
+        }
+      ]
+    },
+    {
+      "type": "Microsoft.AAD/DomainServices",
+      "name": "[parameters('domainName')]",
+      "apiVersion": "2017-06-01",
+      "location": "[parameters('location')]",
+      "properties": {
+        "domainName": "[parameters('domainName')]",
+        "vnetSiteID": "[variables('vnetRefId')]",
+        "subnetId": "[variables('subnetRefId')]"
+      },
+      "dependsOn": [
+        "[parameters('domainServicesVnetName')]"
+      ]
+    }
+  ],
+  "outputs": {}
+}