Moving Azure Active Directory Domain Services to a different vNet

Kei Moon 151 Reputation points
2021-02-22T16:48:09.273+00:00

I am new to Azure, please bear with me.

I joined the Azure team recently and the current architecture is the following:

One vNet, let's call it A-vNet, has AADDS and a lab environment with VMs and servers.

We have another project with a different vNet, say B-vNet, that has servers and VMs that need to be domain joined. I understand that I can peer two vNets so that I can use the AADDS service in the new vNet. However, since A-vNet has servers and VMs, we did not want to peer to that vNet every time there is a new vNet. Therefore, after a bit of research, having a new vNet with AADDS only and then allowing vNet peering to the vNets that need to use the service is one solution.

My two questions are:

Is having a separate vNet with AADDS only the best practice?

I understand that I need to delete and re-create AADDS. If I recreate it with the same DNS name, do I need to rejoin the servers and VMs after peering, or will they connect automatically? Will end-users experience any change?

Microsoft Entra

Accepted answer
  Andreas Baumgarten 96,926 Reputation points MVP
    2021-02-22T17:50:50.693+00:00

    Hi @Kei Moon,

    I would recommend a Hub&Spoke network topology for your requirement:
    Hub vNet with AADDS and Spoke vNets peered with the Hub vNet
    https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli

    If you delete the AADDS, everything is "gone":

    Deletion is permanent and can't be reversed.
    When you delete a managed domain, the following steps occur:
    Domain controllers for the managed domain are de-provisioned and removed from the virtual network.
    Data on the managed domain is deleted permanently. This data includes custom OUs, GPOs, custom DNS records, service principals, GMSAs, etc. that you created.
    Machines joined to the managed domain lose their trust relationship with the domain and need to be unjoined from the domain.
    You can't sign in to these machines using corporate AD credentials. Instead, you must use the local administrator credentials for the machine.

    Source: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/delete-aadds

    If you create a new AADDS with the same name, you start with an "empty" AD.

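As an added example (not part of the answer above or of the linked Microsoft article), here is a Bicep sketch of the recommended hub-and-spoke layout: a hub vNet reserved for the managed domain and one spoke vNet peered to it in both directions, with the spoke's DNS pointed at the AADDS domain controllers so its VMs can locate and join the domain. All names, address ranges and the two DC IP addresses are assumed placeholders; the Microsoft.AAD/domainServices resource itself is deployed into the hub subnet separately.

```bicep
// Assumed/placeholder values: names, address ranges and the two AADDS DC IPs.
param location string = resourceGroup().location
param spokeName string = 'spoke-vnet'
// AADDS hands out two domain-controller IPs from its subnet once deployed; put them here.
param aaddsDnsServers array = ['10.0.0.4', '10.0.0.5']
// Hub: holds only the managed domain (Microsoft.AAD/domainServices is deployed into
// aadds-subnet separately); no lab VMs or servers live here.
resource hub 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'hub-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.0.0.0/16'] }
    subnets: [{ name: 'aadds-subnet', properties: { addressPrefix: '10.0.0.0/24' } }]
  }
}

// Spoke: workload VMs that need to domain-join. Its DNS servers must be the AADDS DCs,
// otherwise the VMs cannot locate the domain even with peering in place.
resource spoke 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: spokeName
  location: location
  properties: {
    addressSpace: { addressPrefixes: ['10.1.0.0/16'] }
    dhcpOptions: { dnsServers: aaddsDnsServers }
    subnets: [{ name: 'workload-subnet', properties: { addressPrefix: '10.1.0.0/24' } }]
  }
}

// Peering is required in both directions and is not transitive: a spoke reaches the
// hub (and AADDS) but not other spokes, which keeps each project's VMs isolated.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: hub
  name: 'hub-to-${spokeName}'
  properties: {
    remoteVirtualNetwork: { id: spoke.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false
  }
}

resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spoke
  name: '${spokeName}-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hub.id }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: false
  }
}
```

Each additional project gets its own spoke deployed from the same template; because peering is non-transitive, no spoke can reach the lab servers in another spoke unless you peer them deliberately.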

0 additional answers
