Azure Active Directory Domain Services Domain Service
This page shows how to declare the Active Directory Domain Services Domain Service resource in Terraform and in Azure Resource Manager, and how to configure it securely.
azurerm_active_directory_domain_service (Terraform)
The Domain Service in Active Directory Domain Services can be configured in Terraform with the resource name azurerm_active_directory_domain_service. The following sections describe examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_active_directory_domain_service" "standard" {
  name                = "example-aadds_1"
  location            = "australiaeast"
  resource_group_name = "aadds-rg"
  domain_name         = "widgetslogin.net"
  sku                 = "Standard"
  initial_replica_set {
    subnet_id = azurerm_subnet.aadds.id # assumed reference; the excerpt omits the required block
  }
}
resource "azurerm_active_directory_domain_service" "avd-domain" {
  name                = var.avd_domain_name
  location            = module.rg.rg_location
  resource_group_name = module.rg.rg_name
  domain_name         = var.avd_domain_name
  sku                 = "Standard" # assumed; the excerpt omits the required sku
  initial_replica_set {
    subnet_id = azurerm_subnet.avd.id # assumed reference; the excerpt omits the required block
  }
}
resource "azurerm_active_directory_domain_service" "example" {
  name                = "example-aadds_3"
  location            = "australiaeast"
  resource_group_name = "aadds-rg"
  domain_name         = "widgetslogin.net"
  sku                 = "Standard"
  initial_replica_set {
    subnet_id = azurerm_subnet.aadds.id # assumed reference; the excerpt omits the required block
  }
}
resource "azurerm_active_directory_domain_service" "aadds" {
  name                = var.name
  location            = azurerm_resource_group.aadds_rg.location
  resource_group_name = azurerm_resource_group.aadds_rg.name
  domain_name         = var.domain_name
  sku                 = "Standard" # assumed; the excerpt omits the required sku
  initial_replica_set {
    subnet_id = azurerm_subnet.aadds.id # assumed reference; the excerpt omits the required block
  }
}
resource "azurerm_active_directory_domain_service" "adds" {
  name                = "avd-adds"
  location            = azurerm_resource_group.adds.location
  resource_group_name = azurerm_resource_group.adds.name
  domain_name         = var.adds_domain
  sku                 = "Standard" # assumed; the excerpt omits the required sku
  initial_replica_set {
    subnet_id = azurerm_subnet.adds.id # assumed reference; the excerpt omits the required block
  }
}
Parameters
The following arguments are supported:
domain_name
- (Required) The Active Directory domain to use. See official documentation for constraints and recommendations.
filtered_sync_enabled
- (Optional) Whether to enable group-based filtered sync (also called scoped synchronisation). Defaults to false.
secure_ldap
- (Optional) A secure_ldap block as defined below.
location
- (Required) The Azure location where the Domain Service exists. Changing this forces a new resource to be created.
name
- (Required) The display name for your managed Active Directory Domain Service resource. Changing this forces a new resource to be created.
notifications
- (Optional) A notifications block as defined below.
initial_replica_set
- (Required) An initial_replica_set block as defined below. The initial replica set inherits the same location as the Domain Service resource.
resource_group_name
- (Required) The name of the Resource Group in which the Domain Service should exist. Changing this forces a new resource to be created.
security
- (Optional) A security block as defined below. Declare it explicitly, even when every value is the default, so that the legacy-protocol and password-hash-sync choices are visible in code review rather than implied.
sku
- (Required) The SKU to use when provisioning the Domain Service resource. One of Standard, Enterprise or Premium.
tags
- (Optional) A mapping of tags assigned to the resource.
A secure_ldap block supports the following:
enabled
- (Required) Whether to enable secure LDAP for the managed domain. Defaults to false.
external_access_enabled
- (Optional) Whether to enable external access to LDAPS over the Internet. Defaults to false. Leave it disabled unless clients outside the virtual network must bind over LDAPS; if it is enabled, restrict inbound TCP 636 on the managed domain subnet's network security group to the known client addresses.
pfx_certificate
- (Required) The certificate/private key to use for LDAPS, as a base64-encoded TripleDES-SHA1 encrypted PKCS#12 bundle (PFX file). This value and pfx_certificate_password are written to Terraform state; supply them from a sensitive variable or a secret store rather than committing them, and protect the state backend accordingly.
pfx_certificate_password
- (Required) The password to use for decrypting the PKCS#12 bundle (PFX file).
A notifications block supports the following:
additional_recipients
- (Optional) A list of additional email addresses to notify when there are alerts in the managed domain.
notify_dc_admins
- (Optional) Whether to notify members of the AAD DC Administrators group when there are alerts in the managed domain.
notify_global_admins
- (Optional) Whether to notify all Global Administrators when there are alerts in the managed domain.
An initial_replica_set block supports the following:
subnet_id
- (Required) The ID of the subnet in which to place the initial replica set.
A security block supports the following:
ntlm_v1_enabled
- (Optional) Whether to enable legacy NTLM v1 support. Defaults to false. NTLM v1 is a weak legacy protocol; keep it disabled unless a specific legacy client cannot authenticate any other way.
sync_kerberos_passwords
- (Optional) Whether to synchronize Kerberos password hashes to the managed domain. Defaults to false.
sync_ntlm_passwords
- (Optional) Whether to synchronize NTLM password hashes to the managed domain. Defaults to false. Enable it only where NTLM authentication against the managed domain is actually required.
sync_on_prem_passwords
- (Optional) Whether to synchronize on-premises password hashes to the managed domain. Defaults to false.
tls_v1_enabled
- (Optional) Whether to enable legacy TLS v1 support. Defaults to false. TLS 1.0 is deprecated; keep it disabled.
In addition to all arguments above, the following attributes are exported:
id
- The ID of the Domain Service.
deployment_id
- A unique ID for the managed domain deployment.
resource_id
- The Azure resource ID for the domain service.
A secure_ldap block exports the following:
external_access_ip_address
- The publicly routable IP address for LDAPS clients to connect to.
An initial_replica_set block exports the following:
domain_controller_ip_addresses
- A list of subnet IP addresses for the domain controllers in the initial replica set, typically two.
external_access_ip_address
- The publicly routable IP address for the domain controllers in the initial replica set.
location
- The Azure location in which the initial replica set resides.
replica_set_id
- A unique ID for the replica set.
service_status
- The current service status for the initial replica set.
Explanation in Terraform Registry
Manages an Active Directory Domain Service.
Implementation Note: Before using this resource, there must exist in your tenant a service principal for the Domain Services published application. This service principal cannot be easily managed by Terraform and it is recommended to create it manually, as it does not exist by default. See official documentation for details.
Supported Modes: At present this resource only supports User Forest mode and not Resource Forest mode. Read more about the different operation modes for this service.
Microsoft.AAD/domainServices (Azure Resource Manager)
The domainServices in Microsoft.AAD can be configured in Azure Resource Manager with the resource name Microsoft.AAD/domainServices. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
{
  "type": "Microsoft.AAD/domainServices",
  "location": "westus",
  "etag": "W/\"datetime'2017-04-10T04%3A42%3A19.7067387Z'\"",
  "properties": {
    "tenantId": "3f8cd22c-7b32-48aa-a01c-f533133b1def",
    "domainName": "zdomain.zforest.com"
  }
}
The following two fragments are Azure Workbooks gallery settings that reference the Microsoft.AAD/domainServices resource type; they are not domainServices resource definitions.
{
  "galleries": [{ "type": "workbook", "resourceType": "Microsoft.AAD/domainServices", "order": 200 }],
  "order": 200,
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/settings.json"
}
{
  "galleries": [{ "type": "workbook", "resourceType": "Microsoft.AAD/domainServices", "order": 100 }],
  "order": 100,
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/settings.json"
}
{
  "type": "Microsoft.AAD/domainServices",
  "location": "westus",
  "tags": {
    "Owner": "jicha"
  },
  "etag": "W/\"datetime'2017-04-10T04%3A42%3A19.7067387Z'\""
}
Parameters
apiVersion
required - string
etag
optional - string: Resource etag
location
optional - string: Resource location
name
required - string: The name of the domain service.
properties
required
  domainConfigurationType
  optional - string: Domain Configuration Type
  domainName
  optional - string: The name of the Azure domain that the user would like to deploy Domain Services to.
  domainSecuritySettings
  optional. Each flag below takes the string "Enabled" or "Disabled".
    kerberosArmoring
    optional - string: Whether Kerberos armoring is enabled or disabled.
    kerberosRc4Encryption
    optional - string: Whether Kerberos RC4 encryption is enabled or disabled. RC4 is a legacy cipher; set it to Disabled unless a legacy client requires it.
    ntlmV1
    optional - string: Whether NTLM v1 is enabled or disabled. Set it to Disabled unless a specific legacy client cannot authenticate any other way.
    syncKerberosPasswords
    optional - string: Whether synchronisation of Kerberos password hashes is enabled or disabled.
    syncNtlmPasswords
    optional - string: Whether synchronisation of NTLM password hashes is enabled or disabled. Enable it only where NTLM authentication against the managed domain is actually required.
    syncOnPremPasswords
    optional - string: Whether synchronisation of on-premises password hashes is enabled or disabled.
    tlsV1
    optional - string: Whether TLS v1 is enabled or disabled. TLS 1.0 is deprecated; set it to Disabled.
  filteredSync
  optional - string: Enabled or Disabled flag to turn on group-based filtered sync.
  ldapsSettings
  optional
    externalAccess
    optional - string: Whether Secure LDAP access over the Internet is enabled or disabled. Keep it Disabled unless clients outside the virtual network must use LDAPS; if it is Enabled, restrict inbound TCP 636 with a network security group rule limited to known client addresses.
    ldaps
    optional - string: Whether Secure LDAP is enabled or disabled.
    pfxCertificate
    optional - string: The certificate required to configure Secure LDAP, passed as a base64-encoded representation of the certificate PFX file.
    pfxCertificatePassword
    optional - string: The password to decrypt the provided Secure LDAP certificate PFX file. Pass this value (and the PFX) through securestring template parameters rather than inlining them in the template.
  notificationSettings
  optional
    additionalRecipients
    optional - array: The list of additional recipients
    notifyDcAdmins
    optional - string: Should domain controller admins be notified.
    notifyGlobalAdmins
    optional - string: Should global admins be notified.
  replicaSets
  optional - array
    location
    optional - string: Virtual network location
    subnetId
    optional - string: The ID of the subnet that Domain Services will be deployed on, i.e. the resource ID ending in /virtualNetworks/vnetName/subnets/subnetName.
  resourceForestSettings
  optional
    resourceForest
    optional - string: Resource Forest
    settings
    optional - array
      friendlyName
      optional - string: Friendly Name
      remoteDnsIps
      optional - string: Remote DNS IPs
      trustDirection
      optional - string: Trust Direction
      trustedDomainFqdn
      optional - string: Trusted Domain FQDN
      trustPassword
      optional - string: Trust Password. This is the shared secret of the forest trust; pass it as a securestring template parameter and never commit it to the template.
sku
optional - string: Sku Type
tags
optional - string: Resource tags
type
required - string
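The Terraform security and secure_ldap blocks above and the ARM domainSecuritySettings and ldapsSettings properties here carry the same handful of decisions: NTLM v1, TLS 1.0, RC4 Kerberos, NTLM hash sync and Internet-exposed LDAPS. The following Python script is an added example, not code from the Terraform provider, the Azure REST API or any of the GitHub sources this page lists. It maps either an azurerm_active_directory_domain_service resource change from `terraform show -json` or a Microsoft.AAD/domainServices resource onto one settings model and reports weak or unpinned flags, so the same policy can run against both formats in CI. The plan-JSON layout (nested blocks rendered as lists under `after`) and the ARM "Enabled"/"Disabled" strings are what those tools emit; kerberosRc4Encryption and kerberosArmoring only exist on the ARM side because the Terraform resource on this page does not expose them. The sample inputs are constructed, and treating an unpinned flag as a finding is this example's own policy choice.

```python
"""Policy check for Azure AD DS security settings. Added example for this page; not
code from the Terraform provider, the Azure REST API or the GitHub sources listed.
Reads the 'after' object of an azurerm_active_directory_domain_service change from
`terraform show -json`, or a Microsoft.AAD/domainServices ARM resource, maps both
onto one model and flags weak or unpinned choices. Inputs below are constructed."""
import json

WEAK_IF_TRUE = {  # settings that weaken the managed domain when enabled
    "ntlm_v1": "legacy NTLM v1 authentication enabled",
    "tls_v1": "legacy TLS 1.0 enabled",
    "kerberos_rc4": "RC4 Kerberos encryption enabled",
    "sync_ntlm_passwords": "NTLM password hashes synchronised into the managed domain",
    "ldaps_external_access": "secure LDAP reachable from the Internet",
}
WEAK_IF_FALSE = {"kerberos_armoring": "Kerberos armoring (FAST) disabled"}  # weak when off


def _arm_flag(value):
    """ARM expresses these flags as the strings 'Enabled'/'Disabled'; None means unset."""
    return None if value is None else str(value).strip().lower() == "enabled"


def from_terraform_after(after):
    """Plan JSON renders nested blocks as lists of objects; an omitted block is []."""
    sec = (after.get("security") or [{}])[0]
    ldap = (after.get("secure_ldap") or [{}])[0]
    return {
        "ntlm_v1": sec.get("ntlm_v1_enabled"),
        "tls_v1": sec.get("tls_v1_enabled"),
        "sync_ntlm_passwords": sec.get("sync_ntlm_passwords"),
        # Internet exposure only exists when secure LDAP itself is switched on.
        "ldaps_external_access": bool(ldap.get("enabled")) and bool(ldap.get("external_access_enabled")),
    }


def from_arm_resource(resource):
    """Map a Microsoft.AAD/domainServices resource onto the same model."""
    props = resource.get("properties") or {}
    dss = props.get("domainSecuritySettings") or {}
    ldaps = props.get("ldapsSettings") or {}
    return {
        "ntlm_v1": _arm_flag(dss.get("ntlmV1")),
        "tls_v1": _arm_flag(dss.get("tlsV1")),
        "kerberos_rc4": _arm_flag(dss.get("kerberosRc4Encryption")),
        "kerberos_armoring": _arm_flag(dss.get("kerberosArmoring")),
        "sync_ntlm_passwords": _arm_flag(dss.get("syncNtlmPasswords")),
        "ldaps_external_access": _arm_flag(ldaps.get("ldaps")) is True
        and _arm_flag(ldaps.get("externalAccess")) is True,
    }


def audit(settings):
    """Return findings for one managed domain; [] means nothing to fix. An unset flag is
    a finding too (this example's policy): the service default then decides, and a
    reviewed template should pin each of these explicitly."""
    findings = []
    for key, value in settings.items():
        if value is None:
            findings.append(f"UNSET {key}: not pinned, service default applies")
        elif key in WEAK_IF_TRUE and value:
            findings.append(f"WEAK {key}: {WEAK_IF_TRUE[key]}")
        elif key in WEAK_IF_FALSE and not value:
            findings.append(f"WEAK {key}: {WEAK_IF_FALSE[key]}")
    return findings


def audit_terraform_plan(plan):
    """plan: parsed `terraform show -json` output. Returns {resource address: findings}."""
    return {
        rc["address"]: audit(from_terraform_after((rc.get("change") or {}).get("after") or {}))
        for rc in plan.get("resource_changes", [])
        if rc.get("type") == "azurerm_active_directory_domain_service"
    }


# Constructed ARM resource: legacy protocols on, LDAPS published, armoring never pinned.
WEAK_ARM_RESOURCE = {
    "type": "Microsoft.AAD/domainServices", "name": "weak-aadds", "location": "westus",
    "properties": {
        "domainName": "zdomain.zforest.com",
        "domainSecuritySettings": {"ntlmV1": "Enabled", "tlsV1": "Enabled",
                                   "kerberosRc4Encryption": "Enabled", "syncNtlmPasswords": "Enabled"},
        "ldapsSettings": {"ldaps": "Enabled", "externalAccess": "Enabled"},
    },
}

# Constructed plan excerpt: every flag pinned off, secure LDAP kept inside the VNet.
HARDENED_TF_PLAN = {"resource_changes": [{
    "address": "azurerm_active_directory_domain_service.example",
    "type": "azurerm_active_directory_domain_service",
    "change": {"actions": ["create"], "after": {
        "name": "example-aadds", "domain_name": "widgetslogin.net", "sku": "Standard",
        "security": [{"ntlm_v1_enabled": False, "tls_v1_enabled": False, "sync_kerberos_passwords": False,
                      "sync_ntlm_passwords": False, "sync_on_prem_passwords": False}],
        "secure_ldap": [{"enabled": True, "external_access_enabled": False}],
    }},
}]}

if __name__ == "__main__":
    print(json.dumps({"arm": audit(from_arm_resource(WEAK_ARM_RESOURCE)),
                      "terraform": audit_terraform_plan(HARDENED_TF_PLAN)}, indent=2))
```

To run it against real input, produce the plan with `terraform plan -out plan.tfplan && terraform show -json plan.tfplan > plan.json`, load plan.json and pass it to audit_terraform_plan; for ARM, pass each resource of type Microsoft.AAD/domainServices from the template's resources array to from_arm_resource. The constructed ARM resource yields six findings (five weak flags plus the unpinned kerberosArmoring); the hardened plan yields none, and a plan that omits the security block entirely yields three UNSET findings, which is the point of declaring the block even when every value is the default.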
Frequently asked questions
What is Azure Active Directory Domain Services Domain Service?
Azure Active Directory Domain Services Domain Service is a resource for Active Directory Domain Services of Microsoft Azure. Its settings can be written in Terraform or in Azure Resource Manager templates.
Where can I find the example code for the Azure Active Directory Domain Services Domain Service?
For Terraform, the gilyas/infracost, infracost/infracost and chad-neal/avdtf-with-modules source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the sanjaypavan/OldAzure-Rest-API and vutran01/Application-Insights-Workbooks-Int source code examples are useful. See the Azure Resource Manager Example section for further details.