Azure Active Directory Domain Services Domain Service
This page shows how to write Terraform and Azure Resource Manager for Active Directory Domain Services Domain Service and write them securely.
azurerm_active_directory_domain_service (Terraform)
The Domain Service in Active Directory Domain Services can be configured in Terraform with the resource name azurerm_active_directory_domain_service. The following sections describe 7 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_active_directory_domain_service" "standard" {
name = "example-aadds_1"
location = "australiaeast"
resource_group_name = "aadds-rg"
domain_name = "widgetslogin.net"
resource "azurerm_active_directory_domain_service" "standard" {
name = "example-aadds_1"
location = "australiaeast"
resource_group_name = "aadds-rg"
domain_name = "widgetslogin.net"
resource "azurerm_active_directory_domain_service" "avd-domain" {
name = var.avd_domain_name
location = module.rg.rg_location
resource_group_name = module.rg.rg_name
domain_name = var.avd_domain_name
resource "azurerm_active_directory_domain_service" "example" {
name = "example-aadds_3"
location = "australiaeast"
resource_group_name = "aadds-rg"
domain_name = "widgetslogin.net"
resource "azurerm_active_directory_domain_service" "example" {
name = "example-aadds_3"
location = "australiaeast"
resource_group_name = "aadds-rg"
domain_name = "widgetslogin.net"
resource "azurerm_active_directory_domain_service" "aadds" {
name = var.name
location = azurerm_resource_group.aadds_rg.location
resource_group_name = azurerm_resource_group.aadds_rg.name
domain_name = var.domain_name
resource "azurerm_active_directory_domain_service" "adds" {
name = "avd-adds"
location = azurerm_resource_group.adds.location
resource_group_name = azurerm_resource_group.adds.name
domain_name = var.adds_domain
Parameters
The following arguments are supported:
domain_name- (Required) The Active Directory domain to use. See official documentation for constraints and recommendations.filtered_sync_enabled- Whether to enable group-based filtered sync (also called scoped synchronisation). Defaults tofalse.secure_ldap- (Optional) Asecure_ldapblock as defined below.location- (Required) The Azure location where the Domain Service exists. Changing this forces a new resource to be created.name- (Required) The display name for your managed Active Directory Domain Service resource. Changing this forces a new resource to be created.notifications- (Optional) Anotificationsblock as defined below.initial_replica_set- (Required) Aninitial_replica_setblock as defined below. The initial replica set inherits the same location as the Domain Service resource.resource_group_name- (Required) The name of the Resource Group in which the Domain Service should exist. Changing this forces a new resource to be created.security- (Optional) Asecurityblock as defined below.sku- (Required) The SKU to use when provisioning the Domain Service resource. One ofStandard,EnterpriseorPremium.tags- (Optional) A mapping of tags assigned to the resource.
A secure_ldap block supports the following:
enabled- (Required) Whether to enable secure LDAP for the managed domain. Defaults tofalse.external_access_enabled- (Optional) Whether to enable external access to LDAPS over the Internet. Defaults tofalse.pfx_certificate- (Required) The certificate/private key to use for LDAPS, as a base64-encoded TripleDES-SHA1 encrypted PKCS#12 bundle (PFX file).pfx_certificate_password- (Required) The password to use for decrypting the PKCS#12 bundle (PFX file).
A notifications block supports the following:
additional_recipients- (Optional) A list of additional email addresses to notify when there are alerts in the managed domain.notify_dc_admins- (Optional) Whether to notify members of the AAD DC Administrators group when there are alerts in the managed domain.notify_global_admins- (Optional) Whether to notify all Global Administrators when there are alerts in the managed domain.
An initial_replica_set block supports the following:
subnet_id- (Required) The ID of the subnet in which to place the initial replica set.
A security block supports the following:
ntlm_v1_enabled- (Optional) Whether to enable legacy NTLM v1 support. Defaults tofalse.sync_kerberos_passwords- (Optional) Whether to synchronize Kerberos password hashes to the managed domain. Defaults tofalse.sync_ntlm_passwords- (Optional) Whether to synchronize NTLM password hashes to the managed domain. Defaults tofalse.sync_on_prem_passwords- (Optional) Whether to synchronize on-premises password hashes to the managed domain. Defaults tofalse.tls_v1_enabled- (Optional) Whether to enable legacy TLS v1 support. Defaults tofalse.
In addition to all arguments above, the following attributes are exported:
id- The ID of the Domain Service.deployment_id- A unique ID for the managed domain deployment.resource_id- The Azure resource ID for the domain service.
A secure_ldap block exports the following:
external_access_ip_address- The publicly routable IP address for LDAPS clients to connect to.
An initial_replica_set block exports the following:
domain_controller_ip_addresses- A list of subnet IP addresses for the domain controllers in the initial replica set, typically two.external_access_ip_address- The publicly routable IP address for the domain controllers in the initial replica set.location- The Azure location in which the initialreplica set resides.replica_set_id- A unique ID for the replica set.service_status- The current service status for the initial replica set.
Explanation in Terraform Registry
Manages an Active Directory Domain Service.
Implementation Note: Before using this resource, there must exist in your tenant a service principal for the Domain Services published application. This service principal cannot be easily managed by Terraform and it's recommended to create this manually, as it does not exist by default. See official documentation for details. -> Supported Modes: At present this resource only supports User Forest mode and not Resource Forest mode. Read more about the different operation modes for this service.
Microsoft.AAD/domainServices (Azure Resource Manager)
The domainServices in Microsoft.AAD can be configured in Azure Resource Manager with the resource name Microsoft.AAD/domainServices. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
"type": "Microsoft.AAD/domainServices",
"location": "westus",
"etag": "W/\"datetime'2017-04-10T04%3A42%3A19.7067387Z'\"",
"properties": {
"tenantId": "3f8cd22c-7b32-48aa-a01c-f533133b1def",
"domainName": "zdomain.zforest.com",
"type": "Microsoft.AAD/domainServices",
"location": "westus",
"etag": "W/\"datetime'2017-04-10T04%3A42%3A19.7067387Z'\"",
"properties": {
"tenantId": "3f8cd22c-7b32-48aa-a01c-f533133b1def",
"domainName": "zdomain.zforest.com",
"galleries": [{ "type":"workbook", "resourceType":"Microsoft.AAD/domainServices", "order": 200 }],
"order": 200,
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/settings.json"
"galleries": [{ "type":"workbook", "resourceType":"Microsoft.AAD/domainServices", "order": 100 }],
"order": 100,
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/settings.json"
"type": "Microsoft.AAD/domainServices",
"location": "westus",
"etag": "W/\"datetime'2017-04-10T04%3A42%3A19.7067387Z'\"",
"properties": {
"tenantId": "3f8cd22c-7b32-48aa-a01c-f533133b1def",
"domainName": "zdomain.zforest.com",
"type": "Microsoft.AAD/domainServices",
"location": "westus",
"etag": "W/\"datetime'2017-04-10T04%3A42%3A19.7067387Z'\"",
"properties": {
"tenantId": "3f8cd22c-7b32-48aa-a01c-f533133b1def",
"domainName": "zdomain.zforest.com",
"type": "Microsoft.AAD/domainServices",
"location": "westus",
"etag": "W/\"datetime'2017-04-10T04%3A42%3A19.7067387Z'\"",
"properties": {
"tenantId": "3f8cd22c-7b32-48aa-a01c-f533133b1def",
"domainName": "zdomain.zforest.com",
"type": "Microsoft.AAD/domainServices",
"location": "westus",
"etag": "W/\"datetime'2017-04-10T04%3A42%3A19.7067387Z'\"",
"properties": {
"tenantId": "3f8cd22c-7b32-48aa-a01c-f533133b1def",
"domainName": "zdomain.zforest.com",
"type": "Microsoft.AAD/domainServices",
"location": "westus",
"tags": {
"Owner": "jicha"
},
"etag": "W/\"datetime'2017-04-10T04%3A42%3A19.7067387Z'\"",
"type": "Microsoft.AAD/domainServices",
"location": "westus",
"tags": {
"Owner": "jicha"
},
"etag": "W/\"datetime'2017-04-10T04%3A42%3A19.7067387Z'\"",
Parameters
apiVersionrequired - stringetagoptional - stringResource etag
locationoptional - stringResource location
namerequired - stringThe name of the domain service.
propertiesrequireddomainConfigurationTypeoptional - stringDomain Configuration Type
domainNameoptional - stringThe name of the Azure domain that the user would like to deploy Domain Services to.
domainSecuritySettingsoptionalkerberosArmoringoptional - stringA flag to determine whether or not KerberosArmoring is enabled or disabled.
kerberosRc4Encryptionoptional - stringA flag to determine whether or not KerberosRc4Encryption is enabled or disabled.
ntlmV1optional - stringA flag to determine whether or not NtlmV1 is enabled or disabled.
syncKerberosPasswordsoptional - stringA flag to determine whether or not SyncKerberosPasswords is enabled or disabled.
syncNtlmPasswordsoptional - stringA flag to determine whether or not SyncNtlmPasswords is enabled or disabled.
syncOnPremPasswordsoptional - stringA flag to determine whether or not SyncOnPremPasswords is enabled or disabled.
tlsV1optional - stringA flag to determine whether or not TlsV1 is enabled or disabled.
filteredSyncoptional - stringEnabled or Disabled flag to turn on Group-based filtered sync.
ldapsSettingsoptionalexternalAccessoptional - stringA flag to determine whether or not Secure LDAP access over the internet is enabled or disabled.
ldapsoptional - stringA flag to determine whether or not Secure LDAP is enabled or disabled.
pfxCertificateoptional - stringThe certificate required to configure Secure LDAP. The parameter passed here should be a base64encoded representation of the certificate pfx file.
pfxCertificatePasswordoptional - stringThe password to decrypt the provided Secure LDAP certificate pfx file.
notificationSettingsoptionaladditionalRecipientsoptional - arrayThe list of additional recipients
notifyDcAdminsoptional - stringShould domain controller admins be notified.
notifyGlobalAdminsoptional - stringShould global admins be notified.
replicaSetsoptional arraylocationoptional - stringVirtual network location
subnetIdoptional - stringThe name of the virtual network that Domain Services will be deployed on. The id of the subnet that Domain Services will be deployed on. /virtualNetwork/vnetName/subnets/subnetName.
resourceForestSettingsoptionalresourceForestoptional - stringResource Forest
settingsoptional arrayfriendlyNameoptional - stringFriendly Name
remoteDnsIpsoptional - stringRemote Dns ips
trustDirectionoptional - stringTrust Direction
trustedDomainFqdnoptional - stringTrusted Domain FQDN
trustPasswordoptional - stringTrust Password
skuoptional - stringSku Type
tagsoptional - stringResource tags
typerequired - string
Frequently asked questions
What is Azure Active Directory Domain Services Domain Service?
Azure Active Directory Domain Services Domain Service is a resource for Active Directory Domain Services of Microsoft Azure. Settings can be wrote in Terraform.
Where can I find the example code for the Azure Active Directory Domain Services Domain Service?
For Terraform, the gilyas/infracost, infracost/infracost and chad-neal/avdtf-with-modules source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the sanjaypavan/OldAzure-Rest-API, sanjaypavan/OldAzure-Rest-API and vutran01/Application-Insights-Workbooks-Int source code examples are useful. See the Azure Resource Manager Example section for further details.
