Forum Discussion
Azure ADDS extension of my onpremises domain
Hi,
If you study the documentation for the AAD DS service, you find out that this service is not designed for "anywhere / any device" purposes. Moreover, it is not encouraged to domain-join machines that are not running in Azure to this domain (e.g. endpoint devices, VMs running on-prem). The managed domain is a stand-alone domain. It isn't an extension of an on-premises domain.
You should think about AADS as a cloud "equivalent" to your WS ADDC service you are hosting on-prem. You don't expose it to the Internet (it is protected behind a perimeter network), and machines joined to this domain are in the same network (or connected via a VPN, if they are portable).
Keep in mind that you need much more than just the LDAP port to be available outside your perimeter. Active Directory and the protocols it uses were not designed to be "internet-friendly". Even if you could enable 'secure LDAP' and choose to expose it to the Internet, it is not recommended for "all source IPs", but only for some specific ranges (using Network Security Groups), which is difficult to achieve in your scenario.
Your scenario is about remote users (working from home). Their endpoints are currently joined to your on-prem AD, I presume. "Switching" to AAD DS is really not a good idea; among other things, it would require you to join all the endpoint devices to the AADDS domain (instead of your on-prem AD). In the documentation you will see that this option (joining W10 / client devices) is not even there.
Most of my customers use a different strategy instead:
- use AAD-join or Hybrid AD-join (on-prem AD + AAD)
- use Intune / Endpoint Manager for management (instead of GPOs and System Center)
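As an added example that is not part of the original post: if secure LDAP on the managed domain is exposed at all, the NSG rule for TCP 636 should admit only specific trusted source ranges, never all of the Internet. The script below uses the Az.Network cmdlets; the resource group `rg-aadds`, the NSG name `aadds-nsg`, the rule priority and the source range `203.0.113.0/24` are constructed placeholders, not values from the post.

```powershell
# Added example, not from the original post. Assumes the Az.Network module is
# installed and you are signed in (Connect-AzAccount). Resource names and the
# trusted range are placeholders.
$rg      = 'rg-aadds'        # placeholder resource group of the AAD DS NSG
$nsgName = 'aadds-nsg'       # placeholder NSG attached to the AAD DS subnet
$trusted = @('203.0.113.0/24')  # constructed example of a trusted source range

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# Weak setting would be: -SourceAddressPrefix '*' on port 636 (LDAPS open to everyone).
# Corrected setting: allow LDAPS only from the trusted ranges. Anything else is
# dropped by the NSG's built-in DenyAllInbound rule, so no extra deny rule is needed.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name 'AllowLDAPS-TrustedOnly' `
    -Description 'Secure LDAP (TCP 636) from trusted ranges only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 401 `
    -SourceAddressPrefix $trusted -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 636 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Audit check: report any inbound Allow rule that opens 636 (or all ports)
# to '*' or the 'Internet' service tag, which is the configuration to avoid.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName
$nsg.SecurityRules |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        ($_.DestinationPortRange -contains '636' -or $_.DestinationPortRange -contains '*') -and
        ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet')
    } |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange
```

If the audit query returns any rows, those rules expose LDAPS more widely than the post recommends and should be tightened to explicit source prefixes.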