question

0 Votes
KeiMoon-3644 asked ·

Moving Azure Active directory domain services to a different Vnet

I am new to Azure, please bear with me.

I joined the Azure team recently and the current architecture is the following:

One vNet, let's call it A-vNet, has AADDS and a lab environment with VMs and servers.

We have another project with a different vNet, say B-vNet, that has servers and VMs that need to be domain joined. I understand that I can peer two vNets so that I can use the AADDS service in the new vNet. However, since A-vNet has servers and VMs, we did not want to peer to that vNet every time there is a new vNet. Therefore, after a bit of research, having a new vNet with AADDS only, then allowing vNet peering to the vNets that need to use the service, is one solution.

My two questions are:

Is having a separate vNet with AADDS only the best practice?

I understand that I need to delete and re-create AADDS. If I re-create it with the same DNS name, do I need to rejoin the servers and VMs after peering? Or will they connect automatically? Will end users experience any change?

azure-ad-domain-services

1 Answer

0 Votes
AndreasBaumgarten answered ·

Hi @KeiMoon-3644 ,

I would recommend a Hub & Spoke network topology for your requirement:
Hub vNet with AADDS, and Spoke vNets peered with the Hub vNet
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli

If you delete the AADDS, everything is "gone":

Deletion is permanent and can't be reversed.
When you delete a managed domain, the following steps occur:
Domain controllers for the managed domain are de-provisioned and removed from the virtual network.
Data on the managed domain is deleted permanently. This data includes custom OUs, GPOs, custom DNS records, service principals, GMSAs, etc. that you created.
Machines joined to the managed domain lose their trust relationship with the domain and need to be unjoined from the domain.
You can't sign in to these machines using corporate AD credentials. Instead, you must use the local administrator credentials for the machine.

Source: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/delete-aadds

If you create a new AADDS with the same name you start with an "empty" AD.
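The hub-and-spoke layout recommended in the answer, written out as an added Bicep example (this is not code from the thread or from the linked Microsoft article): one hub vNet with a dedicated subnet for the managed domain, one spoke vNet for the B-vNet workloads, and the two one-directional peering links that together let spoke VMs reach the domain controllers. All names, address ranges and the DNS server IPs are placeholders I chose for illustration; the real domain controller IPs are only known after the managed domain has been provisioned into the hub subnet, so they are passed in as a parameter.

```bicep
// Added example, not from the Q&A thread: hub vNet hosting the AADDS subnet,
// one spoke vNet, and the peering links needed for domain-join traffic.
// Names, address ranges and DNS IPs below are placeholders.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param hubName string = 'hub-vnet'
param spokeName string = 'spokeB-vnet'
param hubPrefix string = '10.0.0.0/16'
param aaddsSubnetPrefix string = '10.0.0.0/24'
param spokePrefix string = '10.1.0.0/16'
param spokeSubnetPrefix string = '10.1.0.0/24'
// Placeholder IPs of the AADDS domain controllers; read the real values from
// the managed domain after deployment and pass them in at deploy time.
param aaddsDnsServers array = [
  '10.0.0.4'
  '10.0.0.5'
]

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: hubName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        hubPrefix
      ]
    }
    subnets: [
      {
        // Dedicated subnet for the managed domain only; nothing else goes here
        name: 'aadds-subnet'
        properties: {
          addressPrefix: aaddsSubnetPrefix
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: spokeName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        spokePrefix
      ]
    }
    // Spoke VMs must resolve the managed domain via the AADDS DCs in the hub,
    // otherwise domain join fails even though the peering is up.
    dhcpOptions: {
      dnsServers: aaddsDnsServers
    }
    subnets: [
      {
        name: 'workload-subnet'
        properties: {
          addressPrefix: spokeSubnetPrefix
        }
      }
    ]
  }
}

// A peering is a one-directional resource; both links are required.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: hubVnet
  name: 'to-${spokeName}'
  properties: {
    remoteVirtualNetwork: {
      id: spokeVnet.id
    }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}

resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spokeVnet
  name: 'to-${hubName}'
  properties: {
    remoteVirtualNetwork: {
      id: hubVnet.id
    }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false
    allowGatewayTransit: false
    useRemoteGateways: false
  }
}
```

Two points worth checking against this layout. First, vNet peering is not transitive: spoke A cannot reach spoke B through the hub with these settings, which is what you want when the hub's only job is to expose the managed domain. Second, the `dhcpOptions.dnsServers` setting on the spoke is the piece that is most often forgotten; without it, spoke VMs keep using Azure-provided DNS and cannot find the domain, so a new spoke needs both its peering link and this DNS setting before its machines can be joined.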