DerrickFl
Aug 01, 2017 Copper Contributor
Azure Active Directory Domain Services On-premises workstation Join
Hello, just a quick one. I know this might not be something new, but I was wondering if anyone can help. Scenario: Company A is a start-up company who wants a cloud-only infrastructure with Offi...
- Aug 02, 2017
Hello Gian,
Microsoft is trying to help customers simplify their cloud networks by building more services in the cloud. Before AAD DS, many customers used to build AD DS VMs on Azure in order to provide LDAP/Kerberos, etc., authentication for specific requirements. So, MS has simplified this by implementing AAD DS, meaning you get two IP DNS sources that are, in effect, AD DS VMs unmanaged by you. This is designed for devices that are on your Azure virtual network. This being said, for on-premises devices to authenticate to AAD DS, you must have a point-to-point VPN tunnel and point the local devices to your AAD DS DNS IPs. But you should have a reliable network connection. As for AAD Connect (formerly DirSync), that's required for local AD DS synchronization to your AAD. Given that you prefer not having any local server resources, this would not apply in your case. Hope this helps.
Aug 01, 2017
AAD DS is not really for on-premises machines, it's for cloud-hosted servers.
Local machines will scan the network for a domain controller, and if one is not found then they will use local resources. So given AAD DS is not on the same network as you the machines won't find the service. At best you would need ExpressRoute so that you can have a Layer 2 connection to AAD DS, but this is a lot of work.
Realistically if you don't need AD locally, then just have the users authenticate using their AAD (not DS) credentials to the machines. This would be the same identity as used in O365, and therefore in Windows 10 would give a SSO experience to those services.
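Both replies above come down to the same precondition: the workstation's DNS client must point at the AAD DS addresses over the tunnel, and the domain controller locator must be able to resolve and reach them. The script below is an added diagnostic example (not code from either poster or from Microsoft) that an admin can run on the on-premises workstation before attempting the join; the managed domain name and the two AAD DS IP addresses are placeholders to replace with your own.

```powershell
param(
    [string]   $ManagedDomain   = 'aaddscontoso.com',        # placeholder
    [string[]] $AaddsDnsServers = @('10.0.0.4', '10.0.0.5')  # placeholders
)

# 1. Is the DNS client actually configured with the AAD DS addresses?
#    Without this, DC discovery fails no matter what the VPN does.
$configured = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }).ServerAddresses | Sort-Object -Unique
$missing = $AaddsDnsServers | Where-Object { $_ -notin $configured }
if ($missing) {
    Write-Warning "DNS client is not using AAD DS server(s): $($missing -join ', ')"
}

# 2. Can the DC locator SRV record be resolved through the tunnel?
#    This is the record a Windows client looks up when it "scans" for a DC.
$srvName = "_ldap._tcp.dc._msdcs.$ManagedDomain"
try {
    $dcs = Resolve-DnsName -Name $srvName -Type SRV -Server $AaddsDnsServers[0] -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
} catch {
    Write-Error "SRV lookup for $srvName failed: $($_.Exception.Message)"
    return
}

# 3. Probe the ports a join and an interactive logon need on every DC returned:
#    88 Kerberos, 135 RPC endpoint mapper, 389 LDAP, 445 SMB (SYSVOL/Netlogon).
$ports = 88, 135, 389, 445
$results = foreach ($dc in $dcs) {
    foreach ($port in $ports) {
        $t = Test-NetConnection -ComputerName $dc.NameTarget -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc.NameTarget; Port = $port; Open = $t.TcpTestSucceeded }
    }
}
$results | Format-Table -AutoSize

# 4. Final confirmation through the Netlogon DC locator itself.
nltest /dsgetdc:$ManagedDomain
```

Any closed port or a failed SRV lookup here will reproduce as the "domain controller could not be contacted" error during the join, which is the symptom the replies above are warning about.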