Azure Active Directory Domain Services: What Is It and When to Use It?

You have an on-premise solution that you have customized over the years to meet your exact needs. A reasonable conclusion in the past. But as time has passed, you’ve been hearing more about the advantages of moving to the cloud and the security risks of staying off of it. You’re both nervous for losing the functionality you’ve grown accustomed to but excited for the new capabilities that are being released. As a result, you’ve looked into finding a middle-ground solution and often came across the term Azure Active Directory Domain Services (AD DS). So, what is Azure Active Directory Domain Services (Azure AD DS)?

IaaS would be something like a virtual machine in Azure. The infrastructure is managed by someone else, but you’re responsible for the operating system, applications, and backing up your data on the virtual machine. Depending on the situation, this can be a very popular and easy solution with vendor support.

An example of PaaS would be Azure SQL Database, where Microsoft takes care of running the SQL Server and SQL Database for you. Here, you would continue to be responsible for the data in the database. Doing so could be expensive and require a lot of effort as existing applications would need to be rewritten.

SaaS is the most common cloud offering people are used to. An example would be Office 365, where you are provided with an URL or endpoint to connect to, while everything else is managed by someone else (in this case, Microsoft). While typically okthe quickest solution, going from on-premise to SaaS can be complex in certain instances.

Back to the question at hand. In order to migrate your on-premise solution, you will need to extend your on-premise Active Directory into the cloud in order to sync your identities. Before Azure AD DS, there were two options. The first is to rely on a VPN connection, which can be precarious. We’ve seen the site-to-site VPN fail, which means you would require a second connection for resiliency, which adds to your cost. Your other option is to deploy a virtual machine into Azure to run your Active Directory. Same issue here, however, as one isn’t enough, you would have to get a second one, again, adding to your cost.

This is where Azure AD DS steps in. Microsoft takes care of the domain controllers for you, leaving you with no need for domain admin or schema admin privileges. To be clear, this isn’t an extension of your on-premise Active Directory environment, but rather a stand alone service. It provides synced user sign-ins against your on-premise users. In short, the benefits fall into four main categories:

• Simple — No domain controller deployment or patching required.
• Available — Highly available domain with automatic remediation and backups.
• Compatible — Fully compatible with Windows Server AD, natively talks to Kerberos, NTLM, LDAP and more, and has the same functionality as your on-premise Active Directory, leaving your apps to just keep working in the cloud.
• Cost-Effective — No need for complicated VPN networking and pay-as-you-go.

If you have a bunch of servers on their own, you need to manage individual local admin accounts on each server. But with Azure AD DS, you can use your delegated admin rights to manage a whole slew of machines, no longer needing local admin accounts. You can also use Group Policy to manage and secure domain-joined virtual machines.

The second deployment scenario is all about LDAP. There are a lot of Open Source type of applications that don’t use Windows Integrated Authentication but do support LDAP. This is a perfect case where you set up a managed domain and you permit access to resources based on the LDAP directory you expose through Azure AD DS.

This scenario deals with a use case where you need to migrate a legacy line of business applications that only support Windows Integrated Authentication. You can migrate and deploy the app in domain-joined virtual machines, create custom organizational units and provision service accounts, and assign custom password policies to service accounts.

It would also be useful if you have a Remote Desktop Deployment in the cloud. You will see RDP deployments used with Dynamics NAV often. In this case, you don’t require any virtual machines running AD and can instead use the managed service for authentication.