This chapter covers Microsoft Entra Domain Services (formerly Azure AD Domain Services), a managed domain service that provides domain join, Group Policy, LDAP, and Kerberos/NTLM authentication without deploying and managing domain controllers. For the SC-900 exam, this topic appears in Domain 2: Identity Access, Objective 2.1 (Describe the capabilities of Azure AD). Expect approximately 5-10% of exam questions to touch on Entra Domain Services, often in comparison with other identity services. Understanding its purpose, synchronization model, and limitations is critical for distinguishing it from Azure AD and on-premises Active Directory Domain Services.
Jump to a section
Imagine a company moving into a new city and needing an office. Instead of designing and building a custom office from scratch—which requires architects, permits, contractors, and months of construction—they lease a fully furnished, pre-built office in a managed business park. The landlord handles all structural maintenance: plumbing, electrical, HVAC, and security systems. The company simply brings in their furniture, computers, and employees, and can start working immediately. They have keys to their suite and can lock/unlock doors (administer users and policies), but they cannot modify the building's load-bearing walls or central electrical panel (no domain or forest-level schema changes). In this analogy, the building is Microsoft Entra Domain Services (formerly Azure AD DS). The company is an organization using Azure. The landlord is Microsoft, who manages the domain controllers, applies security patches, monitors for failures, and ensures high availability. The company's employees are users and applications that need to authenticate using legacy protocols like Kerberos or NTLM, or join virtual machines to a domain—all without the overhead of running their own domain controllers. The building's pre-wired network drops represent the one-way synchronization from Azure AD to the managed domain: users and groups flow in, but you cannot synchronize back to on-premises Active Directory. Just as a tenant cannot rewire the entire building, administrators cannot directly RDP into domain controllers or install custom software on them. The managed domain automatically integrates with your Azure virtual network via a delegated subnet, acting as the building's dedicated entrance. This analogy captures the core trade-off: convenience and reduced operational overhead versus loss of full control and flexibility.
What is Microsoft Entra Domain Services?
Microsoft Entra Domain Services (Entra DS) is a cloud-based managed domain service that provides domain join, Group Policy, LDAP, and Kerberos/NTLM authentication for Azure resources. It is designed for workloads that cannot use modern authentication protocols (like OAuth 2.0 or SAML) and require legacy Active Directory compatibility. Entra DS eliminates the need to deploy, patch, and monitor domain controllers (DCs) while still offering a familiar AD DS environment.
Entra DS is not a replacement for Azure AD or on-premises AD DS. It is a complementary service that bridges the gap between cloud-native identity (Azure AD) and legacy applications that require domain-joined infrastructure. The service runs on Microsoft-managed domain controllers in a customer-selected Azure region, with two domain controllers per instance for high availability. These DCs are fully patched, monitored, and backed up by Microsoft; customers have no direct administrative access to them.
How It Works Internally
Entra DS synchronizes identity information from Azure AD (or from on-premises AD DS via Azure AD Connect) into a managed domain. The synchronization is one-way only: from Azure AD to Entra DS. Changes made in Entra DS (e.g., password resets) are not written back to Azure AD or on-premises. The managed domain uses a separate, isolated Active Directory forest that is automatically created when you enable the service.
Key internal components:
- Managed Domain Controllers: Two DCs per instance, automatically deployed across availability zones in supported regions. They run Windows Server 2019 and are configured with a default domain name (e.g., aaddscontoso.com) or a custom domain name you specify.
- Delegated Subnet: When enabling Entra DS, you must create a dedicated subnet within an Azure virtual network. This subnet must be delegated to Microsoft.AAD/DomainServices and cannot contain any other resources. The DCs are placed in this subnet.
- Synchronization: User and group objects are synced from Azure AD. Password hashes for NTLM and Kerberos authentication must be enabled in Azure AD (for cloud-only users) or synced from on-premises (for hybrid users). Without these hashes, users cannot authenticate to the managed domain.
- Group Policy: A default Group Policy Object (GPO) is created for the AAD DC Computers and AAD DC Users containers. You can create custom GPOs using the Group Policy Management Console (GPMC) on a domain-joined management VM.
- LDAP: Both LDAP v3 (port 389) and secure LDAP (port 636) are supported. Secure LDAP requires a certificate and must be explicitly enabled. LDAP can be used for authentication and directory lookups.
- Kerberos and NTLM: The managed domain supports these legacy protocols for authentication. Service Principal Names (SPNs) are automatically managed for domain-joined services.
Key Components, Values, Defaults, and Timers
SKU: Entra DS offers a single SKU based on the number of objects (users and groups). The default and only SKU is "Standard" (up to 25,000 objects). For larger directories, you must contact support or use multiple managed domains.
Synchronization Scope: By default, all users and groups in Azure AD are synced. You can configure scoped synchronization to sync only specific groups (e.g., only members of the "AAD DC Administrators" group).
Password Hash Synchronization: For cloud-only users, password hashes are automatically generated when you enable the service. For hybrid users, you must enable password hash sync in Azure AD Connect (the Synchronize user principal names and passwords option). This process can take up to 24 hours for existing users.
Domain Name: You can choose a custom domain name (e.g., contoso.com) if it matches a verified custom domain in Azure AD. Otherwise, the default domain name is <tenant-id>.onmicrosoft.com.
Secure LDAP: Requires a certificate (from a public CA or self-signed) and must be enabled via the Azure portal. The certificate's subject name must match the domain name. After enabling, you export the .pfx and upload it.
Health Monitoring: The service provides health alerts via Azure Monitor. Common alerts include "Domain Services is not available" and "Secure LDAP certificate is expiring." Microsoft automatically applies patches and updates.
Backup and Restore: Microsoft performs automated backups of the managed domain database. You cannot perform manual backups or restore to a point-in-time. In case of corruption, Microsoft restores from the latest backup.
Configuration and Verification Commands
Entra DS is configured entirely through the Azure portal, Azure CLI, or PowerShell. There is no direct access to the DCs.
Azure CLI example to enable Entra DS:
echo "This is a conceptual example; actual commands require specific parameters."
az ad ds create --resource-group myRG --name mydomain.com --domain-configuration-type FullySynced --replica-sets "[{\"location\":\"eastus\",\"subnet-id\":\"/subscriptions/.../subnets/aadds-subnet\"}]"PowerShell example to check sync status:
Get-AzADDomainService -ResourceGroupName myRG -Name mydomain.com | Select-Object SyncStatusVerification on a domain-joined VM:
# Check domain membership
Get-ComputerInfo | Select-Object CsDomain
# Verify authentication with Kerberos
klist
# Test LDAP connectivity
Test-NetConnection -ComputerName mydomain.com -Port 389Interaction with Related Technologies
Azure AD: Entra DS syncs one-way from Azure AD. Azure AD provides modern authentication (OAuth, SAML, OpenID Connect) and device management (MDM). Entra DS provides legacy authentication for IaaS workloads.
On-premises AD DS: If you have an on-premises AD DS, you can sync users and groups to Azure AD using Azure AD Connect, then those objects appear in Entra DS. However, Entra DS is a separate forest; there is no direct trust or replication between on-premises AD DS and Entra DS.
Azure AD Application Proxy: Can be used to publish legacy apps that require Kerberos authentication to remote users without domain-joining the proxy server.
Azure Virtual Desktop: Entra DS can be used as the identity provider for AVD session hosts that need domain join but cannot use Azure AD Join.
Azure NetApp Files: Supports LDAP over TLS with Entra DS for authentication.
SQL Server Managed Instance: Can be domain-joined to Entra DS for integrated authentication.
Limitations
No schema extensions: You cannot extend the AD schema.
No custom OU structure: The managed domain has a fixed OU hierarchy (AAD DC Computers, AAD DC Users, Domain Controllers). You can create OUs under AAD DC Computers but not under the root.
No domain/forest trusts: You cannot create trusts with other domains or forests.
No domain administrator privileges: You belong to the AAD DC Administrators group, which grants limited admin rights (e.g., ability to join machines to the domain, administer GPOs, but not to manage DCs).
No write-back to Azure AD or on-premises: Password changes in Entra DS are not synced back.
No support for Windows Server 2012 R2 or earlier: Domain-joined VMs must run Windows Server 2016 or later, or Windows 10/11.
No support for Azure AD joined devices: Entra DS does not support Azure AD joined devices; only domain-joined or hybrid Azure AD joined devices can authenticate.
Enable password hash synchronization
Before enabling Entra DS, password hashes must be available in Azure AD for NTLM and Kerberos authentication. For cloud-only users, this happens automatically when you enable the service (the hashes are generated from the existing password). For hybrid users (synced from on-premises AD DS), you must configure Azure AD Connect to synchronize password hashes. In Azure AD Connect, under 'Optional Features', select 'Password hash synchronization'. After enabling, run a full sync. The synchronization of password hashes for existing users can take up to 24 hours. Without these hashes, users cannot authenticate to the managed domain.
Create a delegated subnet
You must create a dedicated subnet within an Azure virtual network (VNet) for the managed domain controllers. This subnet must have an address range of at least /27 (32 IPs) to accommodate two DCs and future scaling. The subnet must be delegated to 'Microsoft.AAD/DomainServices'. No other resources (e.g., VMs, load balancers) can exist in this subnet. The VNet should be in the same region as the Entra DS instance. If you plan to use secure LDAP, ensure network security groups (NSGs) allow inbound traffic on TCP port 636 (and optionally 389 for LDAP).
Enable Microsoft Entra Domain Services
In the Azure portal, search for 'Microsoft Entra Domain Services' and click 'Create'. Provide a DNS domain name (e.g., 'contoso.com' if it matches a verified custom domain in Azure AD, or use the default 'contoso.onmicrosoft.com'). Select the SKU (Standard). Choose the virtual network and delegated subnet. Configure synchronization scope: 'All' or 'Scoped' (if scoped, select the groups to sync). Click 'Review + Create'. The deployment takes 1-2 hours. During this time, Microsoft provisions two domain controllers in the delegated subnet and configures the managed domain.
Configure secure LDAP (optional)
If applications require LDAPS (LDAP over TLS), you must enable secure LDAP. Obtain a certificate from a trusted public CA or generate a self-signed certificate for testing. The certificate's subject name must match the Entra DS domain name (e.g., 'CN=contoso.com'). Export the certificate as a .pfx file with private key. In the Azure portal, go to the Entra DS instance, select 'Secure LDAP', set the status to 'Enabled', upload the .pfx, enter the password, and save. After enabling, you must update NSG rules to allow inbound TCP 636. For public secure LDAP, also allow inbound TCP 636 from the internet (not recommended without certificate validation).
Join VMs to the managed domain
Create Windows Server or client VMs in the same VNet (or a peered VNet) as the delegated subnet. Ensure the VM's DNS server is set to the IP addresses of the managed domain controllers (these IPs are shown in the portal under 'Properties'). You can join the VM to the domain using the domain name (e.g., 'CONTOSO.COM'). Use the credentials of a user in the 'AAD DC Administrators' group (e.g., 'admin@contoso.com'). On the VM, run: 'Add-Computer -DomainName contoso.com -Credential (Get-Credential) -Restart'. After restart, the VM is domain-joined and can authenticate users via Kerberos or NTLM. You can also apply Group Policy and use LDAP queries.
Scenario 1: Lift-and-Shift of Legacy Application
A financial services company has an on-premises .NET application that uses Windows-integrated authentication (Kerberos) and reads user data via LDAP. They want to migrate this application to Azure IaaS to reduce datacenter costs. The application cannot be rewritten to use OAuth or SAML. By enabling Entra DS in the same VNet as the application VMs, they domain-join the VMs and configure the app to use LDAP (port 389) for authentication. The existing on-premises users are synced to Azure AD via Azure AD Connect, and password hashes are synced. The application works without code changes. Key consideration: The application must support LDAP v3. If it requires schema extensions, Entra DS cannot accommodate that—they would need to deploy traditional domain controllers.
Scenario 2: Azure Virtual Desktop with Legacy Requirements
A healthcare organization uses Azure Virtual Desktop (AVD) to provide remote access to legacy Windows-based EHR software. The EHR requires domain-joined session hosts and uses Kerberos authentication. The organization has no on-premises AD DS; they use Azure AD for identity. They enable Entra DS and join the AVD session hosts to the managed domain. Users authenticate to AVD using Azure AD credentials (via Azure AD Join for the AVD host pool), but the EHR uses Kerberos to authenticate against Entra DS. The managed domain provides the necessary legacy authentication. They must ensure that the AVD VMs are in a VNet that can reach the Entra DS delegated subnet. Performance is generally good with two DCs, but they monitor for latency if the VMs are in a different region.
Scenario 3: SQL Server Managed Instance with Integrated Authentication
A software company wants to use SQL Server Managed Instance (MI) with Windows authentication. SQL MI can be domain-joined to Entra DS to allow users to connect using their Azure AD credentials (via Kerberos). The company enables Entra DS, creates a SQL MI in the same VNet (or a peered VNet), and configures the MI to use the managed domain. Users in the 'AAD DC Administrators' group can be granted SQL permissions. This eliminates the need to manage SQL logins. A common pitfall: forgetting to configure DNS correctly—the SQL MI must resolve the Entra DS domain name to the DC IPs. Also, the managed domain must be in the same region as SQL MI for best performance.
What Goes Wrong When Misconfigured
Missing password hashes: Users cannot authenticate. The error is 'The user name or password is incorrect' even though the same credentials work in Azure AD. The fix is to enable password hash sync in Azure AD Connect and wait for the sync to complete.
Incorrect DNS: VMs cannot find the domain controller. The VM's DNS server must be set to the IP addresses of the managed domain. If using Azure-provided DNS, you must configure a DNS forwarder or use custom DNS in the VNet.
Subnet not delegated: The service fails to deploy. The subnet must be delegated to 'Microsoft.AAD/DomainServices' and cannot contain other resources.
Secure LDAP certificate mismatch: LDAPS connections fail if the certificate's subject name does not match the domain name. The client will reject the certificate.
What SC-900 Tests on Entra Domain Services
The SC-900 exam focuses on understanding the purpose and capabilities of Entra DS, not on deep configuration. You must be able to:
Describe the scenarios where Entra DS is appropriate (legacy authentication, domain join, LDAP).
Compare Entra DS with Azure AD and on-premises AD DS.
Identify the synchronization direction (one-way from Azure AD to Entra DS).
Recognize that password hashes must be available for NTLM/Kerberos.
Understand that Entra DS is a managed service—no direct access to DCs.
Common Wrong Answers and Why Candidates Choose Them
"Entra DS can replace on-premises AD DS for all scenarios." Wrong. Entra DS is limited—no schema extensions, no trusts, no write-back. It is for specific legacy workloads.
"Entra DS synchronizes two-way with Azure AD." Wrong. Synchronization is one-way only. Changes in Entra DS do not go back to Azure AD.
"You can manage the domain controllers via RDP." Wrong. Microsoft manages the DCs; you have no direct access.
"Entra DS supports Azure AD Join." Wrong. Entra DS is a separate domain; Azure AD Join is for modern devices.
Specific Numbers and Terms That Appear on the Exam
Synchronization: "One-way from Azure AD to Entra DS"
Password hashes: Must be present for NTLM and Kerberos authentication.
Delegated subnet: Must be /27 or larger, delegated to Microsoft.AAD/DomainServices.
SKU: Standard (only one SKU).
Default OU structure: AAD DC Computers and AAD DC Users.
Admin group: AAD DC Administrators — grants limited admin rights.
Protocols: Kerberos, NTLM, LDAP, LDAPS.
Edge Cases and Exceptions
If you have a custom domain in Azure AD, you can use it as the managed domain name. If not, you get the default .onmicrosoft.com domain.
Secure LDAP requires a certificate; the subject name must match the domain.
Entra DS cannot be used with Azure AD joined devices; only domain-joined or hybrid Azure AD joined.
The service is not available in all Azure regions; check regional availability.
You cannot migrate an existing on-premises AD domain to Entra DS; it is a new forest.
How to Eliminate Wrong Answers
When you see a question about Entra DS, first identify what the question is asking: Is it about legacy authentication? About managed service? About sync direction? Then eliminate answers that:
Suggest you can directly manage DCs.
Imply two-way sync.
Claim it supports all AD DS features.
Confuse it with Azure AD (e.g., "It uses OAuth" — wrong, that's Azure AD).
Claim it requires on-premises AD DS (it does not, but hybrid sync is optional).
Entra DS provides managed domain services (Kerberos, NTLM, LDAP, Group Policy) without deploying DCs.
Synchronization is one-way: from Azure AD to Entra DS only.
Password hashes for NTLM and Kerberos must be enabled in Azure AD or synced from on-premises.
The delegated subnet must be /27 or larger and delegated to 'Microsoft.AAD/DomainServices'.
Only one SKU exists: Standard (up to 25,000 objects).
Administrators have no direct access to domain controllers.
Entra DS is not a replacement for Azure AD or on-premises AD DS; it bridges legacy authentication needs.
These come up on the exam all the time. Here's how to tell them apart.
Microsoft Entra Domain Services
Managed by Microsoft; no direct access to DCs.
One-way sync from Azure AD; no write-back.
Fixed OU structure; limited schema.
No domain/forest trusts.
Automatic patching and monitoring; no administrative overhead.
On-premises Active Directory Domain Services
Fully customer-managed; full admin access to DCs.
Full read-write replication within the domain.
Customizable OU and schema.
Supports trusts with other domains/forests.
Requires manual patching, monitoring, and high availability planning.
Mistake
Entra Domain Services is the same as Azure Active Directory.
Correct
Entra DS is a managed domain service that provides legacy authentication (Kerberos/NTLM) and domain join, while Azure AD is a cloud identity service using modern protocols (OAuth, SAML). They are different services with different purposes.
Mistake
You can install custom software on the managed domain controllers.
Correct
No. Microsoft fully manages the DCs; you have no administrative access to them. You cannot RDP, install software, or modify the DC OS.
Mistake
Entra DS synchronizes bidirectionally with Azure AD.
Correct
Synchronization is one-way only: from Azure AD to Entra DS. Changes made in Entra DS (e.g., password changes, new users) are not written back to Azure AD.
Mistake
Entra DS can be used to extend your on-premises domain to Azure.
Correct
Entra DS creates a new, separate forest. It does not extend your on-premises domain; there is no trust or replication between on-premises AD DS and Entra DS. For extending an on-premises domain, use Azure AD Domain Services (legacy) or deploy IaaS domain controllers.
Mistake
You need an on-premises Active Directory to use Entra DS.
Correct
No. Entra DS can work with cloud-only users in Azure AD. On-premises AD is optional; if you have it, you can sync users via Azure AD Connect, but it is not required.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes. Entra DS works with cloud-only users in Azure AD. You do not need on-premises AD. Users and groups in Azure AD are synced to the managed domain, and you can join VMs to the domain using those identities.
For cloud-only users, password hashes are automatically generated when you enable Entra DS. For hybrid users synced from on-premises, you must enable password hash sync in Azure AD Connect under 'Optional Features'. After enabling, run a full sync; it may take up to 24 hours for existing users.
Yes, but only under the 'AAD DC Computers' container. You cannot create OUs under the root or under 'AAD DC Users'. The default OU structure is fixed. You can use Group Policy Management on a domain-joined VM to create GPOs linked to custom OUs.
First, check if password hashes are synchronized. For hybrid users, verify that password hash sync is enabled in Azure AD Connect and that a full sync has occurred. For cloud-only users, ensure the service has been running long enough (hashes are generated after enabling). Also, verify DNS settings on the VM point to the managed domain controllers' IPs.
No. Entra DS is a separate domain. Azure AD joined devices cannot authenticate directly to Entra DS. You must domain-join the device to the managed domain (making it a traditional domain-joined device) or use hybrid Azure AD join (which requires on-premises AD DS and Azure AD Connect).
Yes. You can enable secure LDAP by uploading a certificate (PFX) whose subject name matches the managed domain name. After enabling, you must update NSG rules to allow TCP 636. Secure LDAP can be used for authentication and directory lookups over TLS.
Microsoft automatically monitors the health of the domain controllers. If one DC fails, the other continues serving requests. Microsoft will attempt to restore the failed DC. The service has a 99.9% SLA (with correct configuration). You cannot manually failover or restart DCs.
You've just covered Microsoft Entra Domain Services — now see how well it sticks with free SC-900 practice questions. Full explanations included, no account needed.
Done with this chapter?