Options for Building Active Directory in the Cloud with Windows Azure

Today, my friend and colleague, Yung Chou, has written a great article overviewing the features provided by the Windows Azure cloud platform.  You can check out Yung’s article at:

One of the specific features that is a frequent topic of conversation at IT Pro events relates to supporting Active Directory on Windows Azure.  Active Directory is certainly an important infrastructural component of Windows networking shops, and is equally important to plan for when considering applications in the cloud.

The Windows Azure cloud platform provides two different options for running Active Directory services in the Cloud: (1) Windows Azure Active Directory and (2) Windows Server Active Directory on Windows Azure VMs.  In this article, I’ll describe the scenarios and considerations for using each option and provide additional resources for further exploration.

Active Directory Options with Windows Azure

When thinking about identity management on Windows Azure, two very different application scenarios immediately spring to mind:

  1. Identity management for new applications being developed for the cloud (ie., “cloud-first” applications) – supported by Windows Azure Active Directory.
  2. Identity management for existing on-premise applications that are being migrated to a cloud infrastructure – supported by Windows Server Active Directory on Windows Azure VMs.

Windows Azure Active Directory

Windows Azure Active Directory is a modern, REST-based service that provides identity management for “cloud-first” applications.  Instead of developing a separate identity store and authentication process for each discrete cloud application, Windows Azure AD provides a single identity service that can be leveraged by all of your cloud applications.  In addition, Windows Azure AD is the underlying identity management solution for our own cloud offerings, including the Windows Azure Management Portal, Office 365, Dynamics CRM Online, Windows Intune, and Windows Azure Online Backup.   

Windows Azure Active Directory management portal

Windows Azure AD can also be integrated with an on-premises Windows Server Active Directory infrastructure via Directory Synchronization and Active Directory Federation Services (ADFS) to provide single sign-on to Enterprise users for both on-premise applications as well as applications developed for the cloud.  This integration can be deployed by following the Integration Wizards available within the Management Portal.

Windows Azure Active Directory Integration Wizards

Sign-up for Windows Azure Active Directory to learn more about managing Active Directory for applications developed for the cloud.

Windows Server Active Directory on Windows Azure VMs

Running Windows Server Active Directory on Windows Azure VMs provides the ability to run a traditional on-premise Active Directory infrastructure in the Windows Azure cloud as one or more virtual machines.  Many existing on-premise applications expect Windows Server Active Directory to be available for identity management and authentication, and when migrating these applications to a virtual machine in the Windows Azure cloud, we’ll need to continue to provide a Windows Server Active Directory infrastructure for these applications to continue to work properly.  This is exactly what Windows Server Active Directory on Windows Azure VMs allows us to do.

While very similar to running virtualized domain controllers as VMs on Hyper-V within your data center, there are a few special considerations to keep in mind when deploying Windows Server Active Directory domain controllers as Windows Azure VMs:

  • DNS - Windows Azure built-in DNS services do not support all of the requirements for running Active Directory with Dynamic DNS.  As a result, we’ll need to make sure we’re using a BYOD (Bring Your Own DNS) configuration when provisioning our virtual environment on Windows Azure.
  • IP Addressing - Windows Azure VMs use dynamically assigned IP addresses that are constant for the lifetime of a VM (ie., until the VM is deleted).  While on-premise domain controllers generally are given static IP addresses, domain controllers running on Windows Azure will need to use a dynamic address.  To provide a suitable dynamic networking environment for these domain controllers, we’ll need to provision a Windows Azure Virtual Network prior to attempting to provision the first domain controller VM.
  • Disk - Windows Azure VMs default to using read-write host caching for OS virtual hard disks.  Read-write host caching can improve virtual hard disk access speeds, but it can also present a small window of data loss in the event of a VM failure – situations where data had been written to host cache, but not yet committed to the underlying virtual hard disk.  Additional virtual hard disks attached to a Windows Azure VM default “off” for host caching, making them suitable for persistent data disks.  For a domain controller VM on Windows Azure, this means we’ll want to make sure we attach a second empty disk to our VM that we format and use for the NTDS DIT and SYSVOL folder locations.

To step through the process of building a new Active Directory forest in Windows Azure with Windows Server 2012, follow this Step-by-Step guide:

What’s Next?

Get started with Windows Azure and prepare yourself for following along with the other articles in this series by completing the tasks in the article below:

How will you be using Active Directory on Windows Azure?

Are you planning to develop or migrate applications to Windows Azure?  Feel free to leave your comments and questions below related to how you will be supporting Active Directory for these applications.