Azure AD Domain Services

I hear over and over discussions about Windows Active Directory, Azure AD and Azure AD DS (Active Directory Domain Services).

Is it the replacement of a traditional Windows Active Directory?

What is Azure Active Directory Domain Services?

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.

An Azure AD DS managed domain lets you run legacy applications in the cloud that can’t use modern authentication methods, or where you don’t want directory lookups to always go back to an on-premises AD DS environment. You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud.

OK, sounds interesting! Can I replace my on-premises Active Directory with Azure AD DS?

Let’s see some very important limitations and then decide!

Azure AD DS Limitations

No Hybrid Azure AD Join
A client computer can be joined to AD DS (Windows or Azure) or to Azure AD. For client computers joined to Windows AD, Azure AD Connect Sync can hybrid join them to Azure AD. Azure AD Connect Sync does not support Azure AD DS and, therefore, client computers cannot be Hybrid Azure AD Joined if a member of an Azure AD DS domain. These client computers cannot be part of services that require Azure AD Join or Hybrid Azure AD join, such as Universal Print or Conditional Access Policies.

No Enterprise or Domain Admin
There are no Enterprise or Domain admin accounts in Azure AD DS. Instead, there is a group called AAD DC Administrators used to manage Azure AD DS. Accounts in this group have rights such as local administrator on member servers and administrative rights required to manage Azure AD DS. The Domain and Enterprise Administrator permissions are reserved for the Azure AD DS service.

No Active Directory Certificate Services Support
The first requirement for installing Active Directory Certificate Services is to log in as a member of the Enterprise Admin Group. As stated, these accounts do not exist in Azure AD DS, and therefore, AD Certificate Service is not supported in Azure AD DS. That rules out certificate-based features such as smart card authentication.

Schema cannot be Extended
Azure AD DS does not support extending the schema. Lack of schema extension rules out any applications, both Microsoft and 3rd party, that require a schema extension.

No Access to Sysvol
Azure AD DS is a PaaS offering, meaning customers don’t log in to and manage the Domain Controllers. As a result, there is no access to server resources such as the sysvol folder. Azure AD DS does support a default set of group policies. However, it is not possible to add ADMX files to the sysvol folder.

Also, there is a default policy for account lockouts applied to all Azure AD DS users. You can create a new policy with more restrictive settings.
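As an added example (not from the original post), this is how a more restrictive lockout policy can be defined in a managed domain as a fine-grained password policy (PSO) using the standard AD PowerShell cmdlets. It assumes you run it from a domain-joined management VM with the RSAT AD module, as a member of AAD DC Administrators; the policy name, the group name, the account name and every numeric value are placeholders.

```powershell
# Added example, not from the original post: create a stricter account-lockout
# policy in an Azure AD DS managed domain as a fine-grained password policy (PSO).
# Assumptions: domain-joined management VM with the RSAT AD PowerShell module,
# run as a member of "AAD DC Administrators"; 'Strict-Lockout-PSO', 'Finance Users',
# 'jdoe' and all numbers below are placeholders, not values from the post.
Import-Module ActiveDirectory

# 1. Record what the managed domain applies today so the change is auditable.
Get-ADDefaultDomainPasswordPolicy
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. Create the stricter policy. A lower Precedence wins when several PSOs apply
#    to the same user, so choose a value below the built-in policies listed above.
$pso = @{
    Name                        = 'Strict-Lockout-PSO'
    Precedence                  = 10
    LockoutThreshold            = 3                          # failed logons before lockout
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30) # window for counting failures
    LockoutDuration             = (New-TimeSpan -Minutes 60) # how long the account stays locked
    ComplexityEnabled           = $true
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    ReversibleEncryptionEnabled = $false
}
New-ADFineGrainedPasswordPolicy @pso

# 3. Scope it. PSOs apply to users or global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'Strict-Lockout-PSO' -Subjects 'Finance Users'

# 4. Verify which policy a member of that group actually resolves to.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
```

Step 4 is the check worth keeping: the resultant policy is what the domain enforces, and it tells you whether your PSO or a lower-precedence built-in one won.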

Limited Redundancy
It is possible to add up to 5 replicas with the enterprise SKU of Azure AD DS.

Azure AD DS has a Different DNS Name
Azure AD DS requires a publicly routable domain name when deployed. The domain name is a different domain from the on-premises domain and the Azure AD domain. Users replicated from the source Azure AD domain can log in with their Azure AD UPN, but any users provisioned from Azure AD DS will use the Azure AD DS domain suffix. This situation is manageable but confusing for users and support.

No Forest Trusts
There are two types of Azure AD DS forests. A user forest synchronizes all objects from Azure AD. Included are user accounts sourced from Windows AD, provided Azure AD Connect Sync is in place between Windows AD and Azure AD. This forest type does not support forest trusts. Forest trusts are common for larger organizations, or during merger and acquisition activities that require sharing resources across disjoined forests.

Technically, the second Azure AD DS forest type, a resource forest, does support trust relationships. It does not, however, synchronize objects from Azure AD. Instead, it’s used for resources that rely on a trust relationship with a Windows AD domain for access.

Not Publicly Available
One frequent question I see is a version of “now that I have Azure AD DS, how do I join my laptop to it?” Joining a client to Azure AD DS requires a private network connection, VPN, or ExpressRoute, for the same reason joining a Windows AD domain requires one. There are significant security risks to exposing Active Directory Domain Services to the internet.

So, move to Azure AD DS and accept the limitations, or continue with Windows Domain Controllers. Windows AD can exist as IaaS VMs in Azure, and unlike Azure AD DS, redundant Windows Domain Controllers can be deployed to multiple regions to provide high availability. Add ExpressRoute or VPN to support a hybrid environment of on-premises and cloud-based Windows AD Domain Controllers.