You have an on-premises solution that you have customized over the years to meet your exact needs. That was a reasonable conclusion in the past. But as time has passed, you’ve been hearing more about the advantages of moving to the cloud and the security risks of staying off of it. You’re nervous about losing the functionality you’ve grown accustomed to, but excited about the new capabilities being released. As a result, you’ve looked into finding a middle-ground solution and often came across the term Azure Active Directory Domain Services (Azure AD DS). So, what is it?
Before answering that and getting into deployment scenarios, it would be helpful to set the stage by reviewing your cloud migration alternatives.
INFRASTRUCTURE AS A SERVICE (IAAS)
IaaS would be something like a virtual machine in Azure. The underlying infrastructure is managed by someone else, but you remain responsible for the operating system, the applications, and backing up the data on the virtual machine. Depending on the situation, this can be a popular and straightforward option with vendor support.
PLATFORM AS A SERVICE (PAAS)
An example of PaaS would be Azure SQL Database, where Microsoft takes care of running SQL Server and the SQL database for you. Here, you continue to be responsible for the data in the database. Moving to PaaS can be expensive and require a lot of effort, as existing applications may need to be rewritten.
SOFTWARE AS A SERVICE (SAAS)
SaaS is the cloud offering most people are used to. An example would be Office 365, where you are given a URL or endpoint to connect to, while everything else is managed by someone else (in this case, Microsoft). While typically the quickest path, going from on-premises to SaaS can be complex in certain instances.
Azure Active Directory Domain Services
Back to the question at hand. In order to migrate your on-premises solution, you need to extend your on-premises Active Directory into the cloud so that your identities are synchronized. Before Azure AD DS, there were two options. The first is to rely on a VPN connection, which can be precarious. We’ve seen site-to-site VPNs fail, which means you would need a second connection for resiliency, adding to your cost. The other option is to deploy a virtual machine into Azure to run Active Directory. The same issue applies here: one domain controller isn’t enough, so you would have to run a second one, again adding to your cost.
This is where Azure AD DS steps in. Microsoft runs the domain controllers for you, so you no longer need Domain Admin or Schema Admin privileges. To be clear, this isn’t an extension of your on-premises Active Directory environment, but rather a stand-alone managed domain. Users sign in with credentials synchronized from your on-premises directory. In short, the benefits fall into four main categories:
- Simple — No domain controller deployment or patching required.
- Available — Highly available domain with automatic remediation and backups.
- Compatible — Fully compatible with Windows Server AD: it natively supports Kerberos, NTLM, LDAP and more, and offers the same functionality as your on-premises Active Directory, so your apps just keep working in the cloud.
- Cost-Effective — No need for complicated VPN networking and pay-as-you-go.
Now that we know what Azure Active Directory Domain Services is, how do we know when to use it? There are four common deployment scenarios:
SECURE, STREAMLINED ADMINISTRATION OF AZURE VIRTUAL MACHINES
If you have a number of standalone servers, you have to manage individual local admin accounts on each one. With Azure AD DS, you can use delegated admin rights to manage a whole fleet of machines without per-server local admin accounts. You can also use Group Policy to manage and secure domain-joined virtual machines.
LIFT-AND-SHIFT APPLICATIONS THAT USE LDAP BIND FOR AUTHENTICATION
The second deployment scenario is all about LDAP. Many open-source applications don’t use Windows Integrated Authentication but do support LDAP. This is a perfect case for setting up a managed domain and granting access to resources based on the LDAP directory you expose through Azure AD DS.
LIFT-AND-SHIFT APPLICATIONS THAT USE WINDOWS INTEGRATED AUTHENTICATION
This scenario covers migrating legacy line-of-business applications that only support Windows Integrated Authentication. You can migrate and deploy the app on domain-joined virtual machines, create custom organizational units, provision service accounts, and assign custom password policies to those service accounts.
LIFT-AND-SHIFT REMOTE DESKTOP DEPLOYMENT ON AZURE VIRTUAL MACHINES
Azure AD DS is also useful if you run a Remote Desktop deployment in the cloud. You will often see RDP deployments paired with Dynamics NAV. In this case, you don’t need any virtual machines running Active Directory and can instead use the managed service for authentication.
You now have a better understanding of what Azure Active Directory Domain Services is and how it can affect your cloud migration. If you’re ready to take the next step and explore which cloud migration alternative is right for you, feel free to contact us and we would be happy to talk about what makes sense for you.