Manage Azure AD Domain Services using a virtual server

When Azure AD Domain Services is enabled and configured, we can add workloads to it and make them part of the domain. We can also use Windows AD tools to manage the Azure AD instance. In this section, we are going to learn how to:

  • Create a virtual server in Azure under the same virtual network
  • Join the virtual server to Azure AD
  • Install RSAT tools and manage Azure AD through the virtual server

However, since it is a managed domain, we're only allowed to perform certain management tasks. Here's what Microsoft says (https://docs.microsoft.com/en-gb/azure/active-directory-domain-services/active-directory-ds-admin-guide-administer-domain):

  • Administrative tasks you can perform on a managed domain: Members of the AAD DC Administrators group are granted privileges on the managed domain that enable them to perform tasks such as the following:
    • Join machines to the managed domain
    • Configure the built-in GPO for the AADDC Computers and AADDC Users containers in the managed domain
    • Administer DNS on the managed domain
    • Create and administer custom OUs on the managed domain
    • Gain administrative access to computers joined to the managed domain
  • Administrative privileges you do not have on a managed domain: The domain is managed by Microsoft, including activities such as patching, monitoring, and performing backups. Therefore, the domain is locked down and you do not have privileges to perform certain administrative tasks on the domain. Some examples of tasks you cannot perform are as follows:
    • You are not granted domain administrator or enterprise administrator privileges for the managed domain
    • You cannot extend the schema of the managed domain
    • You cannot connect to domain controllers for the managed domain using remote desktop
    • You cannot add domain controllers to the managed domain
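
Because members of AAD DC Administrators gain administrative access to every domain-joined computer, the first thing worth doing from the management server is reviewing who is in that group. The following PowerShell is an added example, not code from the book or from Microsoft; the domain name `contoso.example` and the 90-day staleness threshold are assumptions to replace with your own values.

```powershell
# Added example. Run in an elevated session on a Windows Server VM that sits in
# the same virtual network as the managed domain.
# Assumption: 'contoso.example' is a placeholder for your managed domain's DNS name.
$ManagedDomain = 'contoso.example'
$StaleAfterDays = 90   # assumption: review threshold, adjust to your policy

# 1. Join the VM to the managed domain if it is not joined yet, then reboot.
if (-not (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    $cred = Get-Credential -Message 'Member of AAD DC Administrators'
    Add-Computer -DomainName $ManagedDomain -Credential $cred -Restart
    return   # rerun the script after the reboot
}

# 2. Install the RSAT components for the tasks the managed domain allows:
#    AD administration, DNS administration and Group Policy management.
Install-WindowsFeature -Name RSAT-AD-PowerShell, RSAT-ADDS, RSAT-DNS-Server, GPMC |
    Out-Null
Import-Module ActiveDirectory

# 3. List every user that holds the delegated admin role, including users
#    that are members through nested groups.
$admins = Get-ADGroupMember -Identity 'AAD DC Administrators' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties LastLogonDate, PasswordLastSet

# 4. Flag accounts that deserve a second look: disabled accounts still in the
#    group, and accounts with no recent logon.
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)
$admins | Sort-Object SamAccountName | ForEach-Object {
    [pscustomobject]@{
        Account         = $_.SamAccountName
        Enabled         = $_.Enabled
        LastLogonDate   = $_.LastLogonDate
        PasswordLastSet = $_.PasswordLastSet
        Review          = (-not $_.Enabled) -or
                          (-not $_.LastLogonDate) -or
                          ($_.LastLogonDate -lt $cutoff)
    }
} | Format-Table -AutoSize
```

Accounts marked `Review = True` are candidates for removal from the group, which is done in Azure AD rather than on the managed domain.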