We are extending our domain into Azure. I am setting up an AD site for Azure and deploying a domain controller there. I have always thought the best design of AD is to allow any client to authenticate to any DC. That way, if a DC goes down or there is a site discovery issue, etc., things do not break. Obviously you still want your on-premises clients to authenticate to your on-premises DCs and your Azure clients to authenticate to your Azure DCs. In order to accomplish this, we obviously have to set up a lot more NSG/firewall rules, etc. What do you guys think? Obviously you need the DCs to replicate to each other, but should you allow on-premises clients to authenticate to an Azure DC? Or is that not really needed if you have multiple on-premises DCs?