
Test and verify your new Azure AD Domain Services

To test the Domain Services, we complete the following tasks:

  1. Install a virtual Windows Server in your Azure IaaS environment by using a deployment template (https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-join-windows-vm-template):
     VM deployment configuration
  2. Install the administrative tools for Active Directory and DNS on the newly joined server:
     # RSAT-DNS-Server is the Install-WindowsFeature name for the DNS Server Tools
     Install-WindowsFeature RSAT-ADDS,RSAT-DNS-Server
  3. Connect to Active Directory Users and Computers (dsa.msc) and the Group Policy Management console to verify your configuration:
     Azure AD Domain Services structure including synchronized objects
  4. Next, we need to create a DNS HOST (A) record for our test application:
  5. Now, we can install a basic IIS configuration, used to handle the Kerberos part. For this, you need to install the IIS components, choose the Kerberos authentication feature, and activate it on the default website. Only Windows Authentication needs to be activated:
     IIS Authentication configuration for Kerberos example application
  6. Next, we will install and configure the Azure AD App Proxy connector to provide the application to your users. We use the following cmdlets to configure the required resource-based Kerberos constrained delegation (KCD):
     # inovitcloudlabs represents the computer name
     $ConnectorComputerAccount = Get-ADComputer -Identity inovitcloudlabs
     # Allow the connector's computer account to delegate to the application host (both are inovitcloudlabs in this lab)
     Set-ADComputer inovitcloudlabs -PrincipalsAllowedToDelegateToAccount $ConnectorComputerAccount
     # Register the application's SPN; -S checks for duplicates before adding
     setspn -S HTTP/kerb.inovitlabs.ch inovitlabs\inovitcloudlabs
  7. Next, we will activate and configure the Azure AD App Proxy. To keep the lab simple, we disable the IE Enhanced Security Configuration so that we don't need to provide any IE Security Zone configurations; do this only in the lab:
     Server Manager IE Enhanced Security Configuration
  8. Next, we need to download the connector and install it on the server:
     Application Proxy agent download and configuration

To configure the connector on the server, you need to provide a user with global administrator rights.

  9. After installing and configuring the connector, we will add our example app:
     Azure AD App Proxy Connector group configuration options
  10. Next, we configure our example app as shown:
     Kerberos example configuration
  11. Next, we configure the Integrated Windows Authentication (IWA) option:
     Application IWA configuration

Finally, we assign some users or groups and test the application at https://myapps.microsoft.com. As a result, you should see the IIS test page. We have now provided a sample Kerberos-based application in Azure AD Domain Services and published it with the Azure AD App Proxy functionality.
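
If the IIS test page does not appear, the resource-based KCD settings from the connector step are the first thing to check. The following read-only script is an added example, not part of the original text. It assumes the ActiveDirectory module from RSAT-ADDS and a session on the domain-joined server; Test-KcdLabConfig is a hypothetical helper name, and the defaults are the computer name and SPN used on this page.

```powershell
# Added example: read-only checks of the lab's resource-based KCD settings.
# Assumes the ActiveDirectory module (RSAT-ADDS) and a domain-joined session.
# Test-KcdLabConfig is a hypothetical name; defaults are the values from this page.
Import-Module ActiveDirectory

function Test-KcdLabConfig {
    param(
        [string]$ResourceComputer  = 'inovitcloudlabs',   # host running IIS
        [string]$ConnectorComputer = 'inovitcloudlabs',   # host running the connector
        [string]$Spn               = 'HTTP/kerb.inovitlabs.ch'
    )

    $connector = Get-ADComputer -Identity $ConnectorComputer
    $resource  = Get-ADComputer -Identity $ResourceComputer `
                     -Properties PrincipalsAllowedToDelegateToAccount, ServicePrincipalName

    # 1. The SPN must be registered on the account that hosts the application.
    $spnOnResource = @($resource.ServicePrincipalName) -contains $Spn

    # 2. The SPN must exist on exactly one object; duplicates break ticket issuance.
    $spnOwners = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'")

    # 3. Every principal listed here can act on behalf of users towards the
    #    application, so the list should contain the connector and nothing else.
    $allowed    = @($resource.PrincipalsAllowedToDelegateToAccount | ForEach-Object { "$_" })
    $unexpected = @($allowed | Where-Object { $_ -ne $connector.DistinguishedName })

    # 4. The host part of the SPN must resolve (the DNS A record created earlier).
    $hostName = ($Spn -split '/', 2)[1]
    $resolves = [bool](Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        SpnOnResource        = $spnOnResource
        SpnIsUnique          = ($spnOwners.Count -eq 1)
        ConnectorMayDelegate = ($allowed -contains $connector.DistinguishedName)
        UnexpectedDelegates  = $unexpected
        HostNameResolves     = $resolves
    }
}

Test-KcdLabConfig | Format-List
```

In a correctly configured lab, every Boolean field is True and UnexpectedDelegates is empty.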
