Azure AD, Azure AD DS, & AD DS on Azure

What are these different services? When should we use one versus the other? Do they provide similar capabilities? There are a number of identity options within Azure and its easy to confuse the purposes and capabilities of each solution.

Azure AD

Many organizations today are already utilizing Azure AD and may not even realize it. Azure AD by default is a cloud based domain service that provides the ability to create and manage users and groups and provide access to Azure or Office 365. In the context of Azure, Azure AD is utilized in conjunction with Azure RBAC to control user access to different Subscriptions and Resources within Azure. Azure AD is almost a given today and is utilized in addition to Active Directory Domain Services, not as a replacement.

AD DS on Azure

Here I’m referring to AD DS (Active Directory Domain Services) running on Azure Virtual Machines, a service which should be a very familiar to most organizations. There are a few things to take into consideration when configuring Domain Controllers within Azure but overall the service itself behaves exactly the same as it would with your existing Domain Services. For a brand new Azure deployment, AD DS Domain Controller Virtual Machines are typically one of the first workloads to deploy. This comes down to treating Azure as an extension of your data center and providing Domain Service capabilities to your Azure workloads in the event that the connection back to your data center is dropped and to ensure that Azure workloads aren’t having to traverse an ExpressRoute or VPN connection every single time they need to check into the domain. AD DS on Azure is almost a given for organizations that are already reliant on AD DS.

Azure AD DS

Azure AD Domain Services is a newer feature available within Azure that provides managed domain as a service capabilities. Think of it as PaaS version of Domain Controllers. Sounds really nice, right? A word of caution, as this service can trip you up if you don’t utilize it correctly. It is important to remember – Azure AD DS is NOT a replacement or extension of your existing domain. Although it would be really nice to never have to build Domain Controller VMs in Azure, that is not realistic at this point in time for most organizations.

So what is Azure AD DS? Azure AD Domain Services is a domain service that synchronizes Azure AD users, groups, and passwords, to a managed service available to Azure Virtual Machines. Once available, Virtual Machines can be joined to the managed domain and utilize Group Policy, users, and group membership similar to traditional Active Directory Domain Services.
Users, Groups, and Passwords are synchronized from Azure Active Directory to the managed domain instance, but group policy is not synchronized.

  • Only one instance of Azure AD DS can be deployed per Azure AD Tenant (no multi-region deployments)
  • Azure AD DS is highly available within each instance
  • Azure AD DS is a separate domain, but can be synchronized with your existing domain
  • Group Policy is not synchronized to Azure AD DS
  • Group Policy Objects can be created within Azure AD DS
  • Domain and Enterprise admin capabilities are not available for Azure AD DS
  • Azure AD password hash synchronization is required for Azure AD DS
  • Azure AD users and groups are synchronized to Azure AD DS

Example Scenario

In the following graphic portrays how each identity service may be utilized in a scenario of managing a single Azure Windows Virtual Machine.

In this scenario, the Windows VM can be joined to either AD DS domain or my Azure AD DS domain, but not both. The option to join a Virtual Machine to one of these domains is one or the other situation.

What do we do?

With this information, the solution that makes sense for most organizations includes deploying AD DS Domain Controllers on Azure and utilizing Azure AD synchronization to manage resources and users within the Azure Portal. Azure AD DS is a great service but should be used for a specific use case.

Leave a Comment

Your email address will not be published. Required fields are marked *