Forum Discussion
Azure Active Directory Domain Services On-premises workstation Join
- Aug 02, 2017
Hello Gian,
Microsoft is trying to help customers simplify their cloud networks by building more services in the cloud. Before AAD DS, many customers used to build AD DS VMs on Azure in order to provide LDAP/Kerberos, etc., authentication for specific requirements. So, MS has simplified this by implementing AAD DS, meaning you get two IP DNS sources that are, in effect, AD DS VMs unmanaged by you. This is designed for devices that are on your Azure virtual network. This being said, for on-premises devices to authenticate to AAD DS, you must have a point-to-point VPN tunnel and point the local devices to your AAD DS DNS IPs. But you should have a reliable network connection. As for AAD Connect (formerly DirSync), that's required for local AD DS synchronization to your AAD. Given that you prefer not having any local server resources, this would not apply in your case. Hope this helps.
Hi Loryan, Vasil and Sid,
Thank you so much for your replies and inputs; I really appreciate it. I have been reading also, and just wanted to validate my understanding of Azure AD DS. Based on what you guys mentioned, it seems like company A needs to have a local AD domain controller on-premises and extend it to Azure, depending on the requirement, in order to have full enterprise directory capabilities such as GPOs, etc., just like a traditional directory service on Windows Server. So I think the way to go here is to build S2S VPN connectivity to Azure from on-premises, build Azure ADDS VMs, and have the workstations join the domain. If connecting to Office 365, then a DirSync server running AAD Connect should also be built in Azure as an IaaS VM and have it synchronize to Azure AD.
Hello Josh, thank you for providing your input on the matter. Hopefully in the future, MS would offer a full standalone enterprise directory service in Azure just like the traditional LDAP directory service in Windows Server, without even building servers on-premises. In that way, we are able to address customers that are cloud-only organizations, especially those that do not have plans on refreshing server hardware. Azure ADDS is also a good offering, especially for customers that are running Azure workloads already.
Again, Thank you guys for your responses.
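The two replies above describe the same set of steps for an on-premises workstation: bring up the VPN to Azure, point the workstation's DNS client at the two AAD DS DNS IPs, and then domain-join. The following PowerShell script is an added example, not code from the thread or from Microsoft; it performs the pre-join checks an administrator would want before joining (DNS pointing at the managed domain, the DC locator SRV record resolving through the tunnel, and the Kerberos/LDAP/SMB ports reachable), and only then attempts the join. The domain name, DNS IPs, and adapter name are placeholders.

```powershell
# Added example (not from the thread): pre-join checks for an on-premises
# workstation reaching an Azure AD DS managed domain over a site-to-site VPN.
# All three values below are assumptions; replace them with your own.
$ManagedDomain   = 'aaddscontoso.com'           # assumed managed domain name
$AadDsDnsServers = @('10.0.1.4', '10.0.1.5')    # assumed: the two DNS IPs shown on the AAD DS blade
$AdapterName     = 'Ethernet'                   # assumed name of the workstation's NIC

# 1. Point the workstation's DNS client at the managed domain's DNS servers.
#    Without this, DC locator lookups go to the local ISP/router resolver and fail.
$adapter = Get-NetAdapter -Name $AdapterName
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $AadDsDnsServers

# 2. Confirm the DC locator SRV record resolves through the tunnel.
$srvRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' }
if (-not $srvRecords) { throw "No SRV records for $ManagedDomain; check DNS and the VPN route." }
$srvRecords | Select-Object NameTarget, Port, Priority | Format-Table -AutoSize

# 3. Check that the ports domain join and Group Policy depend on are open
#    from this workstation to every advertised domain controller.
$ports    = [ordered]@{ Kerberos = 88; LDAP = 389; SMB = 445 }
$blocked  = @()
foreach ($dc in $srvRecords.NameTarget) {
    foreach ($name in $ports.Keys) {
        $result = Test-NetConnection -ComputerName $dc -Port $ports[$name] -WarningAction SilentlyContinue
        $state  = if ($result.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        '{0,-40} {1,-9} {2,5}  {3}' -f $dc, $name, $ports[$name], $state
        if (-not $result.TcpTestSucceeded) { $blocked += "$dc`:$($ports[$name]) ($name)" }
    }
}

# 4. Join only when every check passed. The credential must be an account that
#    exists in the managed domain (an Azure AD user whose password hash has synced).
if ($blocked.Count -gt 0) {
    Write-Warning ("Not joining; fix VPN/NSG rules for: " + ($blocked -join ', '))
} else {
    $cred = Get-Credential -Message "Account in $ManagedDomain allowed to join computers"
    Add-Computer -DomainName $ManagedDomain -Credential $cred -Restart
}
```

Run the script in an elevated PowerShell session on the workstation after the VPN tunnel is up. If step 2 fails, the DNS setting or the VPN route to the AAD DS subnet is the problem; if step 3 reports BLOCKED ports, the VPN device or Azure network security group is filtering the traffic, and joining would fail or leave Group Policy unable to apply.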
- Sid Merrett, Aug 03, 2017, Copper Contributor
Hi everyone,
I'm very familiar with MS Active Directory, having supported it since Windows Server 2003, but, now working for a small software business that is entertaining a full Cloud infrastructure but does not already run Active Directory in any shape or form, I started investigating what is described here by Microsoft as, effectively, "Active Directory as a Service":
https://azure.microsoft.com/en-gb/services/active-directory-ds/
Microsoft state in the above link:
"Use Azure Active Directory Domain Services to join Azure virtual machines to a domain, without having to deploy domain controllers. Sign in to the virtual machines using their corporate Azure Active Directory credentials and seamlessly access resources. Use Group Policy to more securely administer domain-joined virtual machines – a familiar way to apply and enforce security baselines on all of your Azure virtual machines."
Another quote:
"Take advantage of Azure Active Directory Domain Services features like domain join, LDAP, NT LAN Manager (NTLM) and Kerberos authentication, which are widely used in enterprises. Migrate legacy directory-aware applications running on-premises to Azure, without having to worry about identity requirements. Easily deploy line-of-business applications on Linux and Windows Server virtual machines on Azure. You don’t have to deploy domain controllers as Azure virtual machines or use a VPN connection back to your identity infrastructure."
So, if AAD DS is not a Cloud-based Active Directory that facilitates some traditional Domain management such as Group Policy (albeit via an Azure VM running Active Directory Administration Tools and joined to the AAD Domain) and other "on premise" AD functionality, including Windows 10 workstation AAD domain join without the need for building, deploying and maintaining Domain Controllers, what is it exactly?
Sid
- Sid Merrett, Aug 03, 2017, Copper Contributor
Oh and @Gian - I apologise if I have rather hijacked this thread - I think you and I have similar if not identical ambitions for Azure AD and I hope my observations are relevant to your original post.
Sid
- DerrickFl, Aug 15, 2017, Copper Contributor
Hi Sid,
No problem. Glad you have good observations too and yes I think we have identical ambitions for Azure Active Directory. Thank you for adding this up.
Cheers!