Azure Active Directory Domain Services – Implementation Guidance
About Azure Active Directory Domain Services
Azure® Active Directory® (AD) Domain Services provides managed domain services such as domain join, group policy, Lightweight Directory Access Protocol (LDAP), and Kerberos/NT LAN Manager (NTLM) authentication that are fully compatible with Windows Server® Active Directory. Azure AD Domain Services allows these domain services to be consumed without the need to build, manage, and patch domain controllers as Azure Infrastructure as a Service (IaaS) virtual machines (VMs).
Azure AD Domain Services integrates with the existing Azure AD tenant, allowing users to sign in to the managed domain with their corporate credentials.
User accounts, group memberships and credential hashes from the customer's on-premises directory can be synchronized to Azure AD via Azure AD Connect, and are then automatically available in the managed domain, eliminating the need to manage AD replication.
Existing groups and user accounts can be used to secure access to resources, ensuring a smoother "lift-and-shift" of on-premises resources to Azure Infrastructure Services.
Azure AD Domain Services provides a stand-alone managed domain in Azure.
VMs can be joined to this managed domain, and group policy objects can be created for it.
Requirements and Notes
- Azure AD Domain Services require a virtual network and a resource group. These can be existing resources, or they can be created as new resources.
- A pair of managed domain controllers is created behind the scenes to support Azure AD Domain Services. Unlike traditional IaaS virtual machines, these are not directly accessible resources in the Azure subscription.
- When viewing the resource group into which Azure AD Domain Services is deployed, the corresponding network interfaces (NICs) are the only visible manifestation of the domain controllers.
- VMs to be joined to the Azure AD DS managed domain must be on that virtual network or on a VNet peered to it.
- User accounts from on-premises Active Directory can be synchronized to Azure AD via Azure AD Connect and are then available in the managed domain.
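The requirements above map to a small set of Azure resources plus two objects in the Azure AD tenant. The following Az PowerShell script is an added example (not part of the original guidance) that provisions them in order: the service principal and the "AAD DC Administrators" group the service expects, a resource group, a VNet with a dedicated subnet and a restrictive NSG, the Microsoft.AAD/DomainServices resource itself, and finally the VNet DNS update that lets VMs find the managed domain. The subscription ID, domain name, region, address ranges and resource names are placeholders, and the Properties payload (domainName, replicaSets) and the domainControllerIpAddress property read back at the end follow the 2020-01-01 API version; check the current ARM schema if your Az modules target a newer one.

```powershell
# Added example: deploy an Azure AD DS managed domain with Az PowerShell.
# Requires Az.Accounts, Az.Resources, Az.Network (Install-Module Az) and AzureAD
# (Install-Module AzureAD), run by a Global Administrator who is also a
# Contributor on the subscription. All names and ranges below are placeholders.

$SubscriptionId     = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroupName  = 'rg-aadds'                               # placeholder
$AzureLocation      = 'westeurope'                             # placeholder
$ManagedDomainName  = 'aadds.contoso.com'                      # placeholder
$VnetName           = 'vnet-aadds'
$AaddsSubnetName    = 'snet-aadds'       # dedicated subnet for the managed DCs
$WorkloadSubnetName = 'snet-workloads'   # where domain-joined VMs will live

Connect-AzAccount -SubscriptionId $SubscriptionId | Out-Null
Connect-AzureAD | Out-Null

# 1. Tenant prerequisites: the well-known "Domain Controller Services" service
#    principal (app ID 2565bd9d-da50-47d4-8b85-4c97f669dc36) and the delegated
#    admin group. Members of this group manage the domain; nobody gets Domain Admin.
$DcServicesAppId = '2565bd9d-da50-47d4-8b85-4c97f669dc36'
if (-not (Get-AzureADServicePrincipal -Filter "AppId eq '$DcServicesAppId'")) {
    New-AzureADServicePrincipal -AppId $DcServicesAppId | Out-Null
}
$AdminGroup = Get-AzureADGroup -Filter "DisplayName eq 'AAD DC Administrators'"
if (-not $AdminGroup) {
    $AdminGroup = New-AzureADGroup -DisplayName 'AAD DC Administrators' `
        -Description 'Delegated administration group for Azure AD Domain Services' `
        -SecurityEnabled $true -MailEnabled $false -MailNickName 'AADDCAdministrators'
}
# Add the signed-in account so at least one person can administer the domain.
$Me = Get-AzureADUser -ObjectId (Get-AzContext).Account.Id
Add-AzureADGroupMember -ObjectId $AdminGroup.ObjectId -RefObjectId $Me.ObjectId

# 2. Subscription resources: provider registration, resource group, network.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.AAD' | Out-Null
New-AzResourceGroup -Name $ResourceGroupName -Location $AzureLocation -Force | Out-Null

# Only the service's own management traffic (service tag, TCP 443) is allowed
# into the managed-DC subnet. No LDAPS-from-internet rule is added here on
# purpose; add one (TCP 636, scoped to known source ranges) only if required.
$Nsg = New-AzNetworkSecurityGroup -Name 'nsg-aadds' -ResourceGroupName $ResourceGroupName `
    -Location $AzureLocation -Force
$Nsg | Add-AzNetworkSecurityRuleConfig -Name 'AllowAADDSManagement' -Access Allow `
    -Direction Inbound -Priority 101 -Protocol Tcp `
    -SourceAddressPrefix 'AzureActiveDirectoryDomainServices' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 443 | Set-AzNetworkSecurityGroup | Out-Null

$AaddsSubnet    = New-AzVirtualNetworkSubnetConfig -Name $AaddsSubnetName `
    -AddressPrefix '10.0.0.0/24' -NetworkSecurityGroup $Nsg
$WorkloadSubnet = New-AzVirtualNetworkSubnetConfig -Name $WorkloadSubnetName -AddressPrefix '10.0.1.0/24'
$Vnet = New-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName `
    -Location $AzureLocation -AddressPrefix '10.0.0.0/16' -Subnet $AaddsSubnet, $WorkloadSubnet -Force
$SubnetId = ($Vnet.Subnets | Where-Object Name -eq $AaddsSubnetName).Id

# 3. The managed domain (Microsoft.AAD/DomainServices). Provisioning takes on the
#    order of an hour; afterwards the two managed DCs show up only as NICs.
$ResourceId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
              "/providers/Microsoft.AAD/DomainServices/$ManagedDomainName"
New-AzResource -ResourceId $ResourceId -Location $AzureLocation -ApiVersion '2020-01-01' -Force -Properties @{
    domainName  = $ManagedDomainName
    replicaSets = @(@{ subnetId = $SubnetId; location = $AzureLocation })
} | Out-Null

# 4. Point the VNet's DNS at the managed DCs so VMs on this (or a peered) VNet can
#    resolve and join the domain. Property name assumed from the 2020-01-01 schema.
$DcAddresses = (Get-AzResource -ResourceId $ResourceId -ApiVersion '2020-01-01').Properties.domainControllerIpAddress
$Vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroupName
$Vnet.DhcpOptions.DnsServers = $DcAddresses
$Vnet | Set-AzVirtualNetwork | Out-Null
Write-Host "Managed domain $ManagedDomainName requested; VNet DNS set to $($DcAddresses -join ', ')"
```

Step 4 only succeeds once provisioning has completed, so in practice it is run as a second pass (or polled on the resource's provisioningState). Keeping the managed DCs in their own subnet with their own NSG matters because the subscription owner cannot log on to those DCs; the NSG is the only per-subnet control available.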
Limitations
- An Azure AD tenant supports only one managed domain, and that managed domain is associated with a single VNet. It is not possible to have multiple managed domains within one tenant, each with its own VNet.
- The stand-alone managed domain created via Azure AD Domain Services is not an extension of a customer's on-premises Active Directory domain.
- Domain-level or forest-level AD trusts are not possible. The stand-alone managed domain cannot be configured for trust relationships with other domains.
- Because the domain is managed by Azure AD Domain Services, the customer's IT administrator does not have Domain Administrator or Enterprise Administrator privileges on the domain. Administration is delegated instead through membership of the "AAD DC Administrators" group in Azure AD, which grants a limited set of rights such as creating custom OUs and managing Group Policy.
- The schema of an Azure AD managed domain cannot be extended.
- LDAP write access to an Azure AD managed domain is not available. Applications to be supported by a managed domain must not need to modify or write to the directory.
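These limitations are easy to confirm empirically before committing an application to the managed domain. The script below is an added example (not from the original guidance) meant to be run on a VM that is already joined to the managed domain, by a member of "AAD DC Administrators" with the RSAT ActiveDirectory module installed. It records whether any trusts exist, whether the current user holds Domain Admin or Enterprise Admin membership, whether an LDAP write to a synchronized user object is refused, whether a custom OU can still be created, and whether Secure LDAP on port 636 answers. The domain name, the sample user and the OU name are placeholders.

```powershell
# Added example: verify the managed domain's boundaries from a domain-joined VM.
# Requires RSAT-AD-PowerShell; run as a member of "AAD DC Administrators".
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ManagedDomainName = 'aadds.contoso.com'   # placeholder
$SyncedUserSam     = 'jdoe'                # placeholder: a user synchronized from Azure AD
$TestOuName        = 'AppServers'          # placeholder: custom OU we expect to be allowed to create

$Domain  = Get-ADDomain -Server $ManagedDomainName
$Results = [ordered]@{}

# 1. Stand-alone domain: no inbound or outbound trusts should exist.
$Results['TrustCount'] = @(Get-ADTrust -Filter * -Server $ManagedDomainName).Count

# 2. Delegated administration only: the signed-in user must not be a (nested)
#    member of Domain Admins or Enterprise Admins.
$Privileged = foreach ($Group in 'Domain Admins', 'Enterprise Admins') {
    try   { Get-ADGroupMember -Identity $Group -Recursive -Server $ManagedDomainName }
    catch { @() }   # Enterprise Admins lives in the forest root; lookup may be refused
}
$Results['IsDomainOrEnterpriseAdmin'] = ($Privileged.SamAccountName -contains $env:USERNAME)

# 3. No LDAP write to synchronized objects: a harmless attribute change on a
#    synced user is expected to fail with an access-denied style error.
try {
    Set-ADUser -Identity $SyncedUserSam -Server $ManagedDomainName -Description 'aadds write probe'
    $Results['SyncedUserWrite'] = 'ALLOWED (unexpected)'
} catch {
    $Results['SyncedUserWrite'] = "refused: $($_.Exception.Message)"
}

# 4. Custom OU structure is permitted for delegated admins; clean up afterwards.
try {
    $Ou = New-ADOrganizationalUnit -Name $TestOuName -Path $Domain.DistinguishedName `
        -Server $ManagedDomainName -ProtectedFromAccidentalDeletion $false -PassThru
    Remove-ADOrganizationalUnit -Identity $Ou.DistinguishedName -Server $ManagedDomainName -Confirm:$false
    $Results['CustomOuCreate'] = 'allowed'
} catch {
    $Results['CustomOuCreate'] = "refused: $($_.Exception.Message)"
}

# 5. Secure LDAP is off by default in the managed domain; check whether 636
#    answers and whether an SSL bind with the current credentials succeeds.
$Results['Ldaps636Reachable'] = (Test-NetConnection -ComputerName $ManagedDomainName -Port 636 -WarningAction SilentlyContinue).TcpTestSucceeded
try {
    $Conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${ManagedDomainName}:636")
    $Conn.SessionOptions.SecureSocketLayer = $true
    $Conn.SessionOptions.ProtocolVersion   = 3
    $Conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $Conn.Bind()
    $Results['LdapsBind'] = 'ok'
    $Conn.Dispose()
} catch {
    $Results['LdapsBind'] = "failed: $($_.Exception.Message)"
}

[pscustomobject]$Results | Format-List
```

A healthy result for a stand-alone managed domain is TrustCount 0, IsDomainOrEnterpriseAdmin False, SyncedUserWrite refused and CustomOuCreate allowed. If an application's installer needs the synced-user write in step 3 to succeed, that application belongs on IaaS domain controllers rather than on the managed domain.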
When to Use Azure Active Directory Domain Services
Under certain circumstances, Azure AD Domain Services is a low-cost and low-maintenance alternative to an IaaS-based domain controller for Active Directory services. Providing Active Directory services using Azure AD Domain Services rather than IaaS is advantageous in the following cases:
- In simple deployment scenarios, when provisioning a self-contained stand-alone domain without trust relationships to any Active Directory domains or forests.
- When applications requiring LDAP support via a managed domain do not require LDAP write access to the directory.
- When workloads hosted in Azure need to authenticate against the same user accounts as the client's on-premises Active Directory, with those accounts synchronized through Azure AD rather than served by customer-managed domain controllers.
Further scenarios are described at:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-scenarios
Refer to the following document to determine whether using Azure AD Domain Services is appropriate for a particular use case:
https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-comparison
Comparison of Azure AD Domain Services vs. IaaS VMs
| Feature | Azure AD Domain Services | IaaS VMs for AD |
|---|---|---|
| Managed service | ✓ | ✕ |
| Secure deployments | ✓ | Administrator must secure the deployment |
| DNS server | ✓ (managed service) | ✓ |
| Domain or Enterprise administrator privileges | ✕ | ✓ |
| Domain join | ✓ | ✓ |
| Domain authentication using NTLM and Kerberos | ✓ | ✓ |
| Kerberos constrained delegation | Resource-based only | Resource-based and account-based |
| Custom OU structure | ✓ | ✓ |
| Schema extensions | ✕ | ✓ |
| AD domain/forest trusts | ✕ | ✓ |
| LDAP read | ✓ | ✓ |
| Secure LDAP (LDAPS) | ✓ | ✓ |
| LDAP write | ✕ | ✓ |
| Group Policy | ✓ | ✓ |
| Geo-distributed deployments | ✕ | ✓ |