Azure AD DS details

iutecg 1 Reputation point
2020-03-24T10:00:21.357+00:00

Hello
I have got some questions about Azure AD DS. I couldn't find answers.

I want to use Azure AD DS in my company, so

  1. Is there any solution to pay for the Azure AD DS service for a year or three years so I can pay less per month?
  2. Do I need a local domain controller in my company's network? Or can I use only the Azure AD DS service?
  3. How can I authenticate to Azure AD DS? Do I need any software on my workstation or server to do this? Do I need to connect to my private network, or can I authenticate from any place, for example from my home?
  4. Can I synchronize my local domain controller with Azure AD DS? If yes, what will happen if my local domain controller crashes?

Thank you for all your answers.

Microsoft Entra

1 answer

  soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-03-24T11:11:30.183+00:00

    @iutecg, for Azure AD Domain Services to work, these are the prerequisites that need to be in place:

    1. An active Azure subscription.
    2. An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory. If needed, create an Azure Active Directory tenant or associate an Azure subscription with your account.
    3. You need global administrator privileges in your Azure AD tenant to enable Azure AD DS.
    4. You need Contributor privileges in your Azure subscription to create the required Azure AD DS resources.

    For Azure Subscription, you can refer to the following url:

    Secondly, for the Domain Controller requirement: when you enable Azure AD Domain Services, it automatically spins up two instances of Domain Controllers in the backend [that you won't have access to], hence no on-prem Domain Controller is needed. Azure AD DS enables you to move away from your on-prem infrastructure and from maintaining the Domain Controllers.

    After you enable the Azure AD DS service, you would have to spin up an Azure VM in the same VNET as that of the Azure AD DS service. Once done, you need to domain join this Azure VM to your Azure AD DS environment. After doing the domain join, you would need to install the RSAT tools on that Azure VM, and using those RSAT tools you would be able to manage your Domain Controllers as you used to in your on-prem Active Directory.
    For more details: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm
    https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-management-vm

    You can authenticate to Azure AD Domain Services using any user who is synced to the Azure AD Domain Services.
    For more details: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#enable-user-accounts-for-azure-ad-ds

    Yes, you can sync the users from your local DC to Azure AD Domain Services. But the steps are as follows:

    • First, sync of users is set up between your on-prem DCs and Azure AD using AD Connect.
    • Users get synced from Azure AD to Azure AD DS as mentioned here: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#enable-user-accounts-for-azure-ad-ds
    • Once the users are synced to Azure AD, even if your local DC crashes after that, your synced objects like users, groups, etc. would be safe. But there might be other consequences and failures. If we just speak about user objects that are already synced, they would be safe and they can continue authenticating to the Azure AD DS service through the Azure VMs that are domain joined to the Azure AD DS managed domain.

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as the answer if the above response helped in answering your query.

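The management-VM procedure from the answer above (domain join, then RSAT), as an added example that is not part of the answer or of any Microsoft documentation; it assumes the VM already sits in the managed domain's VNet with that VNet's DNS pointed at the Azure AD DS DNS addresses, and `aaddscontoso.com` is a placeholder for your managed domain name.

```powershell
# Added example: join an Azure VM to an Azure AD DS managed domain, install RSAT,
# and verify the join. Windows PowerShell 5.1 (Add-Computer is not in PowerShell 7).
# 'aaddscontoso.com' is a placeholder; replace it with your managed domain name.
$ManagedDomain = 'aaddscontoso.com'

# ---- Part 1: run before the join -------------------------------------------
# Pre-flight: the VM must resolve the managed domain and reach LDAP (389) and
# Kerberos (88) on the managed domain controllers. A failure here almost always
# means the VNet DNS servers are not the Azure AD DS addresses, or an NSG blocks
# the ports; fix that before attempting the join.
$dcAddresses = (Resolve-DnsName -Name $ManagedDomain -Type A -ErrorAction Stop).IPAddress
foreach ($ip in $dcAddresses) {
    $ldap = Test-NetConnection -ComputerName $ip -Port 389 -InformationLevel Quiet
    $krb  = Test-NetConnection -ComputerName $ip -Port 88  -InformationLevel Quiet
    if (-not ($ldap -and $krb)) {
        throw "Cannot reach managed DC $ip on 389/88; check VNet DNS settings and NSG rules."
    }
}

# Domain join with an account that is a member of the 'AAD DC Administrators'
# group. The credential is prompted for interactively, never written to the script.
$cred = Get-Credential -Message "Member of 'AAD DC Administrators' (user@$ManagedDomain)"
Add-Computer -DomainName $ManagedDomain -Credential $cred -Restart

# ---- Part 2: run after the reboot, as a managed-domain administrator ---------
# Install the RSAT pieces used to manage the managed domain (AD DS tools, GPMC,
# DNS tools). These feature names are for Windows Server; on Windows 10/11 use
# Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'.
Install-WindowsFeature -Name RSAT-AD-Tools, GPMC, RSAT-DNS-Server -IncludeAllSubFeature

# Verify the VM is actually a member of the managed domain (not a workgroup or a
# different domain) and that a managed DC answers through the AD module.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $ManagedDomain) {
    throw "VM is not joined to $ManagedDomain (current domain: $($cs.Domain))."
}
Import-Module ActiveDirectory
Get-ADDomainController -DomainName $ManagedDomain -Discover |
    Select-Object HostName, IPv4Address, Site
```

Part 1 ends with a reboot, so Part 2 is run as a second session once the VM is back; if the final discovery returns nothing, the join succeeded but the VM's DNS is no longer pointing at the managed domain controllers.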