
How to create hierarchical OUs in Azure Active Directory Domain Services

Yanrui Ma edited this page Jan 8, 2021 · 5 revisions

Note on 1/8/2021: This page reflects my very first experiments with AAD, when I was trying to use the GUI provided by Windows. Turns out that's not the best way to do it. It can be done much more easily directly through the LDAP protocol, either programmatically or using the Linux LDAP utilities.

1. Create and configure an Azure Active Directory Domain Services instance

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance

The domain here is derived from the Azure Active Directory default directory. For example, my default directory is mitbbs888outlook.onmicrosoft.com, and the portal fills in this value automatically as the domain, but then complains that it's too long, so I changed it to mitbbs888.onmicrosoft.com (in most real use cases people will want to change it to a custom domain such as mitbbs888.com).

Take note of the virtual network here. When you create a management VM in the following steps, that VM should be in the same VN (otherwise you need to set up VN peering). As for the subnet, it's recommended that the management VM and the Domain Services instance be on separate subnets, but I put them on the same one and it worked fine.

Make sure you don't miss the "Update DNS settings for the Azure virtual network" step (see the link above), which makes the VN use the new domain controllers as its DNS servers, so that in later steps your management VM will be able to find and join the domain.

2. Add an admin user for the domain in active directory

I added a user [email protected]; make sure you add it to the "AAD DC Administrators" group. The password you first provided is only temporary. To set a permanent password, log on with the user at https://myapps.microsoft.com and it will prompt you to update the password.

3. Create a management VM and join the VM to the domain

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm

As mentioned above, put the VM on the same Virtual Network as the DC. Also, if you log on to the VM through Azure Bastion, Bastion requires a separate subnet named "AzureBastionSubnet" in the VN, and the subnet name has to be spelled exactly like that.

You can log in to the VM with any user when you do the setup, for example a local user.

When joining the domain, use the mitbbs888.onmicrosoft.com domain that you defined when you set up the domain service.

4. Install AD admin tools to manage the domain

As mentioned earlier, before running the Active Directory administration tools on the VM (see the next steps), make sure that you log on with the admin1 Azure AD user that you created above (with the fully qualified user name).

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-management-vm

When you run into issues such as not being able to log in, or the VM not finding the domain, rebooting the VM sometimes helps.

5. Create the OUs with Active Directory Administrative Center

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/create-ou

After creating the top-level OU, you can change the "Create in" location by selecting an OU you already created, which is how you build hierarchical OUs.
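The LDAP route mentioned in the note at the top of this page, and the same nested-OU structure built here through the GUI, as an added example that is not part of the original wiki page: it generates an LDIF file that creates a hierarchy of OUs in parent-before-child order (so a single `ldapadd -f ous.ldif` pass, with your own connection and bind options, applies it), escapes OU names per RFC 4514 so a name containing commas or other DN-special characters cannot change the tree structure, and base64-encodes values that are not LDIF-safe. It assumes the base DN of the page's domain mitbbs888.onmicrosoft.com; the OU names are constructed sample data.

```python
import base64

# Base DN for the page's domain mitbbs888.onmicrosoft.com (assumed from the page).
BASE_DN = "DC=mitbbs888,DC=onmicrosoft,DC=com"
# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514 2.4).
_DN_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value):
    """Escape an OU name so it cannot alter DN structure when embedded in an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        out.append("\\" + ch if ch in _DN_SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)


def ou_dn(path, base_dn=BASE_DN):
    """DN for an OU path given root-first, e.g. ["Corp", "Engineering"]."""
    rdns = ["OU=" + escape_rdn_value(name) for name in reversed(path)]
    return ",".join(rdns + [base_dn])


def ou_entries(paths, base_dn=BASE_DN):
    """(dn, ou_name) for every OU the paths need: parents first, each OU only once."""
    seen, ordered = set(), []
    for path in paths:
        for depth in range(1, len(path) + 1):
            prefix = tuple(path[:depth])
            if prefix not in seen:  # shared parents (e.g. Corp) are emitted once
                seen.add(prefix)
                ordered.append((ou_dn(prefix, base_dn), prefix[-1]))
    return ordered


def ldif_attr(name, value):
    """Render one LDIF attribute; base64-encode values that are not RFC 2849 SAFE-STRINGs."""
    unsafe = value[:1] in (" ", ":", "<") or not value.isascii() or value != value.strip()
    if unsafe:
        return name + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")
    return name + ": " + value


def to_ldif(paths, base_dn=BASE_DN):
    """LDIF text that ldapadd can apply in one pass to build the whole hierarchy."""
    blocks = []
    for dn, name in ou_entries(paths, base_dn):
        lines = [ldif_attr("dn", dn), "objectClass: organizationalUnit", ldif_attr("ou", name)]
        blocks.append("\n".join(lines) + "\n")
    return "\n".join(blocks)
```

Feed the output of `to_ldif([["Corp", "Engineering", "Dev"], ["Corp", "Sales"]])` to `ldapadd` over LDAPS with the AAD DC Administrators account from step 2; the ordering guarantee matters because ldapadd fails on a child whose parent OU does not exist yet.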

When I tried to use the Active Directory Users and Computers tool to change the permissions on the OU by right-clicking on the OU and selecting "Properties", only the "General", "Managed By" and "COM+" tabs show up; the "Security" tab is missing. Not sure why the tool behaves differently for Azure AD (vs. regular AD); it's possible that permissions and security are implemented differently for Azure AD, not the same way as in regular AD, where security descriptors are stored with the OU.

Also, displaying and managing OUs doesn't seem to be available in the Azure portal; it can only be done with the management VM's AD administrative tools.