Forum Discussion
Azure Active Directory Domain Services On-premises workstation Join
- Aug 02, 2017
Hello Gian,
Microsoft is trying to help customers simplify their cloud networks by building more services in the cloud. Before AAD DS, many customers used to build AD DS VMs on Azure in order to provide LDAP/Kerberos, etc., authentication for specific requirements. So, MS has simplified this by implementing AAD DS, meaning you get two IP DNS sources that are, in effect, AD DS VMs unmanaged by you. This is designed for devices that are on your Azure virtual network. This being said, for on-premises devices to authenticate to AAD DS, you must have a point-to-point VPN tunnel and point the local devices to your AAD DS DNS IPs. But you should have a reliable network connection. As for AAD Connect (formerly DirSync), that's required for local AD DS synchronization to your AAD. Given that you prefer not having any local server resources, this would not apply in your case. Hope this helps.
That's not really a use case for AAD DS. It's intended to be more of an "extension" of on-premises AD, and not a standalone directory service. Think of it as "managed" AD, where the bulk of administrative effort is taken care of by MS, but you are also limited in some operations (for example, no domain admin privileges; even GPOs and OUs are very limited). Basically, it's only recommended for scenarios such as these: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-scenarios
Microsoft itself does not recommend using AAD DS for workstations, the alternative proposed being Azure AD join. If you ask me, neither is a particularly good alternative, but as long as you are fine with the restrictions, they can certainly work in some scenarios.
Here's a detailed session on AAD DS from Ignite NZ: https://channel9.msdn.com/Events/Ignite/New-Zealand-2016/M248
- Sid Merrett, Aug 01, 2017, Copper Contributor
I'm not sure I agree with the suggestion that standalone AAD is "not really a use case for AAD DS".
AAD domain join is supported in Windows 10 for example:
I would think that the use case would define the suitability of AAD, but according to the article below, for new small to medium size businesses, AAD appears to be functional entirely on its own.
http://techgenix.com/pros-and-cons-azure-ad-join/
I quote:
"one needs to understand that Azure AD (which Azure AD Join lets you easily join to) is not really a complete enterprise directory service in every sense of the word. What I mean is that a traditional directory service like AD DS that uses Lightweight Directory Access Protocol (LDAP) for authentication also includes other bits and pieces such as network policies, security policies, and so on. Azure AD, on the other hand, basically (in its current rev at least) only provides identity management capabilities (using REST instead of LDAP), which means that Azure AD is mainly intended for running apps in Software as a Service (SaaS) clouds. On the other hand, Azure AD and Azure AD Join are continuing to evolve under Microsoft's cloud-first, mobile-first strategy championed by CEO Satya Nadella, so large traditional enterprises should keep an eye on it while smaller companies jump on the train and enjoy the ride."