ShujiKinoshita-3808 asked Marco-6267 answered

Simple AD architecture with Azure AD DS, without on-premise AD?

Our organization is planning to establish a new AD server in the cloud to manage our local machines' sign-in/out and policy settings. We do not have any existing on-premises AD server. As far as I understand, we have 2 plans.

  1. Create a new Azure AD DS server only.

  2. Create a new Azure AD DS server and an on-premises AD server, and establish syncing between the 2 servers.

I think (1) is suitable to reduce our maintenance cost, but if there is any problem with (1), we will think about plan (2).
This example shows 2 design patterns, but neither of them is suitable for our company since we currently do not have any virtual machines on Azure. We just want to establish an Active Directory server in the cloud to manage our local machines.
Are there any best practices?





soumi-MSFT answered Kev100-0122 commented

@ShujiKinoshita-3808, unfortunately it is not recommended to use the Azure AD DS service for any on-prem Windows machine. We always recommend deploying Azure VMs and then managing them using Azure AD Domain Services. Even in the case of Azure AD Domain Services, you would have to deploy an Azure VM and connect it to the same vnet as the Azure AD Domain Services instance. Since the Domain Controllers running behind the scenes of the Azure AD DS service are not accessible, this Azure VM deployed in the same vnet can be used to access services like managing the users and computers, creating group policies, etc., using the RSAT tools on that VM.

The only option available to manage a Windows machine (on-prem machine) using AAD is Azure AD Join or Hybrid Azure AD Join, but again, using this feature you won't be able to control the Login/Logout. So the best option at hand is to deploy a Domain Controller on-prem and then manage your local policies for the local machines.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as "Answer" if the above response helped in answering your query.


Hello,


So I have the same scenario as @ShujiKinoshita-3808. We presently have multi-site locations with no domain services (DC) presently. So, I was thinking that I would stand up an Azure AD VM and use Azure AD DS to manage all of my Users, Computers, GPOs, etc., without a need for a local Domain Controller. So, my question is: can this be done without any local DCs at any of my offices? Or am I forced to install a local DC running Azure AD Connect? My thinking is (I am old school here... LOL), if that is the case, what is the benefit of using Azure AD DS?


Thank you very much for your assistance with this.



Greg,

It sounds like I'm in a very similar situation as you (see my related question posted below).

Have you found any additional information or made any headway in deploying Azure AD DS solely?

I would really like to avoid the hassle of installing and configuring another piece of hardware. My entire reason for pursuing Azure is to avoid just that. Everything else we do is cloud-based. I just need to easily monitor things like Windows security and updates, and maybe occasionally lock down a PC in the event of an HR issue.

Thanks.

JimmySalian-2011 answered

Hi,

Basically, you are looking for either a full Azure-based solution or a hybrid solution for your requirements.

Without having complete information on the solution it will be difficult to suggest via this forum; however, I would suggest combining the reply in the post above with my recommendation as a starting point.

Start with reading this article and solution provided for this type of scenario:

https://docs.microsoft.com/en-us/azure/active-directory/devices/overview

  1. If you are looking to use personal devices, look at the Azure AD registered device option (option 1).
  2. If you are looking to use company-owned devices, you are looking at option 2.
  3. The third option is complex and requires on-prem components such as AAD Connect or ADFS for SSO capability.

Hope this helps and if you have any queries or questions, please ask.

If this answer is helpful please mark your response. Thanks.
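Before choosing between the options discussed in this thread (Azure AD join, Hybrid Azure AD join, or a classic domain join against Azure AD DS from inside the vnet), it helps to inventory what state each existing machine is actually in. The following is an added example, not from the thread or from Microsoft, that parses `dsregcmd /status` output into a join classification; the sample output below is constructed and trimmed, and it assumes the YES/NO fields `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` as printed by current Windows 10/11 builds.

```python
"""Classify a Windows device's join state from `dsregcmd /status` output."""
import re
import subprocess

# Constructed, trimmed sample of `dsregcmd /status` for offline use.
SAMPLE_HYBRID = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
"""

# Second constructed sample: cloud-only Azure AD joined laptop.
SAMPLE_AADJ = "AzureAdJoined : YES\nDomainJoined : NO\nWorkplaceJoined : NO\n"


def parse_status(text: str) -> dict:
    """Collect every 'Key : Value' line; banner lines ('+---', '| ...') are skipped."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$", text, re.M)}


def join_state(fields: dict) -> str:
    """Map the three YES/NO flags to the join model the thread is weighing."""
    aad = fields.get("AzureAdJoined") == "YES"
    dom = fields.get("DomainJoined") == "YES"
    wpj = fields.get("WorkplaceJoined") == "YES"
    if aad and dom:
        return "Hybrid Azure AD joined"            # needs on-prem AD + Azure AD Connect
    if aad:
        return "Azure AD joined"                   # cloud-only; no GPO, no AAD DS needed
    if dom:
        return "Domain joined (on-prem AD or Azure AD DS domain)"
    if wpj:
        return "Azure AD registered (personal device)"
    return "Workgroup (not joined)"


def classify_local_machine() -> str:
    """Run on a Windows host; hypothetical helper, not exercised offline."""
    out = subprocess.run(["dsregcmd", "/status"], capture_output=True, text=True).stdout
    return join_state(parse_status(out))
```

Run `classify_local_machine()` on each office PC (or collect the `dsregcmd /status` text centrally) to see which machines already sit in one of the three models before deciding whether a local DC is needed.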


Kev100-0122 answered

I have almost the identical situation as GregDowney above.

We have a main office (with a few users) but many small remote locations as well as several staff who work from home.

We do not have very sophisticated needs, even at what is considered the "main office". We have no legacy programs and no proprietary locally installed programs of any kind. All daily use involves simply web-based services.

Our local network at this main office is used for internet access, printing, and we have 1 NAS for simple file sharing.

We do not use local AD at any of our locations. I'm 100% with Greg, to the point that I can simply re-post his summary...

"am I forced to install a local DC running Azure AD Connect? My thinking is (I am old school here... LOL), if that is the case, what is the benefit of using Azure AD DS?"

In other words, Azure AD DS would be ideal for this organization. It would allow a no-muss system to have a degree of control over the Windows desktops and laptops spread over a few hundred square miles. Since even our main-office computer use is relatively simple, wouldn't the users here appear to Azure AD DS exactly as those at the remote locations?

I hope this has been clear. Am I missing something obvious in thinking that our main office users are really no different (technically) than anyone else in the organization, as far as Azure AD DS would be concerned?

I

Marco-6267 answered

It sounds like Google Workspace with Chromebooks is more cloud-ready and future-proof than Azure+Win10.
I cannot believe there's no way to make a new infrastructure fully cloud-based. People have been smart working for almost 2 years, and I need a VPN to enable them to change their laptop password or to apply a new policy?
