Azure Active Directory Domain Services

Almost a year ago Microsoft announced Azure Active Directory Domain Services in preview (and it is still in preview). Before this service was released you needed to deploy domain controllers in Azure, or set up a site-to-site VPN from on-premises to Azure so that cloud workloads could contact the on-premises domain controllers, in order to use services in the cloud that rely on Active Directory and related services. With the release of Azure AD Domain Services you now have a cloud-based identity solution that lets you manage users and groups without deploying domain controllers.

When you enable this service, two domain controllers are automatically set up in your environment for high availability, but you don't pay for these two domain controllers (VMs); you pay for the service per hour (see this site for the pricing). As you cannot log in directly to these domain controllers, you don't have to manage them the way you manage on-premises domain controllers or domain controllers you deploy yourself in Azure: Microsoft does it for you. It is really Active Directory as a service.

When the two domain controllers are up and running you can manage Active Directory by joining a Windows Server virtual machine hosted in Azure to the domain you set up AD Domain Services for. Just add the required management features to the server and you are able to manage the environment via Active Directory Users and Computers or Group Policy Management. All the users and groups available in Azure AD/Office 365 can from now on also be found in ADUC.
Note that managing the AD and its policies is very basic at this moment. You are not a Domain Admin and you have limited rights on the AD. You are allowed to manage the existing Group Policies, but unfortunately you are not yet allowed to create your own GPOs.
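The procedure above (add the management features, join the VM, then check what the managing account can actually do) as an added PowerShell example; this is not code from the original post or from Microsoft. It assumes the managed domain is called `aadds.example.com` (a placeholder for your own domain name) and that the VM is on a virtual network that already resolves the managed domain's DNS.

```powershell
# Added example, not from the original post.
# Part 1: turn a freshly deployed Windows Server VM in Azure into a management
# host for an Azure AD Domain Services managed domain.
function Initialize-ManagementHost {
    param([string]$DomainName = 'aadds.example.com')   # placeholder domain name (assumption)

    # The "required management features" from the post: the AD DS RSAT tools
    # (Active Directory Users and Computers + the ActiveDirectory module) and GPMC.
    Install-WindowsFeature -Name RSAT-ADDS, GPMC -IncludeAllSubFeature | Out-Null

    # Join the VM with a user from the managed domain. The credential is prompted
    # for so that no password ends up hard-coded in a script or a VM extension.
    $cred = Get-Credential -Message "Account allowed to join machines to $DomainName"
    Add-Computer -DomainName $DomainName -Credential $cred -Restart -Force
}

# Part 2 (run after the reboot): verify the join and show the rights the
# managing account really holds, since the post notes it is not a Domain Admin.
function Test-ManagedDomainJoin {
    param([string]$DomainName = 'aadds.example.com')   # placeholder domain name (assumption)
    Import-Module ActiveDirectory

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain -or $cs.Domain -ne $DomainName) {
        throw "This machine is not joined to $DomainName (current: $($cs.Domain))"
    }

    # The managed domain controllers are located through DNS; you never log on
    # to them directly because Microsoft operates them.
    $dc = Get-ADDomainController -Discover -DomainName $DomainName

    # Group membership of the current account, so expectations match the
    # limited rights the post describes.
    $groups = Get-ADPrincipalGroupMembership -Identity $env:USERNAME |
              Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Domain           = $cs.Domain
        DomainController = "$($dc.HostName)"
        IsDomainAdmin    = ($groups -contains 'Domain Admins')   # expected: False
        Groups           = $groups
    }
}

# Usage: Initialize-ManagementHost   (reboots the VM)
#        Test-ManagedDomainJoin      (after logging back on with a managed-domain account)
```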

You are now able to deploy VMs (Windows or Linux) running applications that rely on Active Directory to the cloud without deploying domain controllers there. Access control can be handled by Azure AD Domain Services. You don't have to use a separate set of user accounts from another cloud provider hosting your application; you simply use the same user accounts already present in Azure AD/Office 365. Another example is an FTP server on IIS deployed on an Azure VM: set up the required permissions on the FTP folder based on AD groups/users, and your users only have to remember one set of credentials.

Some functionalities Azure AD Domain Services provides:

  • Join servers to a domain (Windows and Linux)
  • Use (basic) Group Policies
  • Create custom organizational units (OUs)
  • Use Kerberos/NTLM
  • Support for secure LDAP
  • Administer DNS on the managed domain

For now Azure AD Domain Services is still in preview and some functionality, like managing Group Policies, is very basic. But I expect the functionality will be extended in the future.

For further information and pricing you can visit Microsoft's website for the service.
