
0 Votes
LuisOlias-4152 asked ·

No DCs on premises

Hello,

I am a newcomer to Azure, so I don't know if this basic question will be allowed:

Imagine I have a small business but I don't want any datacenters, but I do want Active Directory.

So, as far as I am reading, if I want this scenario, I should go for "Azure Active Directory Domain Services".

So, all the DCs would be in the cloud.

Also, my on-premises Windows 10 devices couldn't get any GPOs, nor authenticate against those DCs, could they?

That is what I can't grasp.

From what I am reading, the devices should be placed as VMs in Azure, so my personnel would log in to their on-premises Windows 10 machines, but then open an RDP session to their machines in the cloud?

I am sorry if this is too basic, I can't understand it.

Thanks in advance.

azure-ad-domain-services

5 Votes
SamCogan answered ·

The first thing you need to do is understand what capabilities of AD you actually need. If you just need domain join, then you can use Azure AD join for Win 10 machines. If you need device management, like GPO, then you can look at adding Intune to that, and so on. It may be that you don't need full AD at all.

If you decide you do need full AD, then think carefully about AAD DS. Whilst this can provide domain controllers as a PaaS service, it wasn't designed to replace your on-prem domain controllers. It has a number of limitations, some of which I talk about here, so you need to make sure you are OK with those. You will also need a persistent VPN or ExpressRoute connection to the Azure vNet that hosts AAD DS to be able to service your machines.

To answer your specific questions, yes you can authenticate your machines against AAD DS and use group policy.

You could also consider running IaaS VMs as domain controllers.



0 Votes
VilleLaitinen answered ·

Azure AD and AD DS are entirely different beasts, whereas Azure AD DS is a subset of AD DS.

As for your scenario:

Also, my on-premises Windows 10 devices couldn't get any GPOs, nor authenticate against those DCs , could they ?

GPOs depend on domain join, and joining devices to Azure AD DS follows standard domain join prerequisites. In other words: if you have private network connectivity, a compatible device and permission, you should be able to complete the join for the Windows 10 devices successfully.

Authentication does not require domain join. But depending on the method it might require private network connectivity. LDAPS, for example, is supported over the internet.

Some useful links:

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/compare-identity-solutions


https://docs.microsoft.com/en-us/azure/active-directory-domain-services/faqs


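Both answers above come down to the same prerequisite: the on-premises Windows 10 device must have private-network reachability (VPN or ExpressRoute) and DNS resolution to the managed domain's DCs before a domain join, and therefore GPO processing, can work. The following PowerShell pre-flight check is an added example, not code from the thread or from Microsoft; the managed domain name `aadds.contoso.com` is an assumption, and the port list covers the services a standard domain join and Group Policy refresh need (Kerberos 88, LDAP 389, SMB 445 for SYSVOL). Run it on the Windows 10 device, from an elevated PowerShell session, before attempting `Add-Computer`.

```powershell
# Added example (not from the original thread): pre-flight check before joining a
# Windows 10 device to an Azure AD DS managed domain over VPN/ExpressRoute.
# Assumption: replace the managed domain name with your own.
$ManagedDomain = 'aadds.contoso.com'

# TCP ports a domain-joined client must reach on the managed domain's DCs.
# Secure LDAP (636) is deliberately omitted: it is optional in AAD DS and not needed for join/GPO.
$RequiredPorts = [ordered]@{
    'Kerberos'          = 88
    'LDAP'              = 389
    'SMB (SYSVOL/GPO)'  = 445
}

function Test-AaddsPrerequisites {
    param([Parameter(Mandatory)][string]$Domain)
    $result = [ordered]@{}

    # 1. DNS: the device's DNS servers must point at the managed domain's DC IPs,
    #    otherwise the domain name (and the _msdcs SRV records) will not resolve.
    try {
        $dcs = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
               Where-Object { $_.IPAddress } |
               Select-Object -ExpandProperty IPAddress
        $result['DNS A record'] = ($dcs.Count -gt 0)
    } catch {
        $dcs = @()
        $result['DNS A record'] = $false
    }

    # 2. The DC locator SRV record used by the domain join.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    $result['DNS SRV _ldap._tcp.dc._msdcs'] = ($null -ne $srv)

    # 3. Private-network reachability: every DC on every required port.
    #    A failure here almost always means the VPN/ExpressRoute path or an NSG is blocking traffic.
    foreach ($dc in $dcs) {
        foreach ($entry in $RequiredPorts.GetEnumerator()) {
            $ok = (Test-NetConnection -ComputerName $dc -Port $entry.Value -WarningAction SilentlyContinue).TcpTestSucceeded
            $result["$dc`:$($entry.Value) ($($entry.Key))"] = [bool]$ok
        }
    }
    return $result
}

$checks = Test-AaddsPrerequisites -Domain $ManagedDomain
$checks.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }

if ($checks.Values -contains $false) {
    Write-Warning 'A prerequisite failed. Fix VPN/ExpressRoute connectivity or DNS before joining.'
} else {
    # Join with a user account from the managed domain (e.g. a member of AAD DC Administrators).
    # AAD DS has no Domain Admins or Enterprise Admins you can use.
    $cred = Get-Credential -Message "Managed-domain user account for $ManagedDomain"
    Add-Computer -DomainName $ManagedDomain -Credential $cred -Restart
}
```

If the DNS checks fail while the port checks pass, the usual cause is that the device's VPN adapter is not handing out the managed domain's DNS server addresses; if the port checks fail, check the network security group on the AAD DS subnet and the VPN or ExpressRoute route tables before anything else.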

0 Votes
LuisOlias-4152 answered ·

Many thanks to both of you for your kind and insightful replies!
