If you’ve been working with Azure for a while you already know this, but it is something I see all the time with people who are approaching Azure for the first time, and they usually raise questions like:
- “How do I join my servers to Azure AD?”
- “Where can I create my OUs?”
- “May I copy my GPO in the cloud for security compliance?”
Azure Active Directory is not a cloud version of Active Directory. In fact, I suspect the name was more of a marketing decision than a technical one, and it has led to terrible confusion.
So let’s have a look at the differences…
Active Directory Domain Services (AD DS) offers the following essential functions:
- Object store for Users, Computers, Groups etc.
- Object organisation artifacts like OUs, Domains and Forests
- Authentication and Authorisation provider
- LDAP, NTLM, Kerberos
- Group Policy
- Customizable Schema
- Federation Services
Azure Active Directory
Azure Active Directory (AAD) is a secure authentication store, which can contain users and groups, but that is about where the similarities with the old Active Directory end.
AAD is a cloud-based identity management store for modern applications. AAD is designed to allow you to create users, groups and applications that work with SAML and OAuth authentication mechanisms (do you remember ADFS? :))
AAD was specifically designed for PaaS and SaaS services.
AAD does not provide any of the following:
- No Group Policy
- No Computer Join (at least not in the same way)
- No LDAP, Kerberos or NTLM (yippee!)
- No OU, Domains, Forests..
Hopefully, now it’s clear what AAD is and isn’t, and what it is designed for. However, if you are planning to go the IaaS route in Azure, you probably still need the services offered by an AD domain.
In this case you have essentially two options:
Azure AD Domain Services
Azure AD Domain Services (AAD DS – yes… it’s there to create even more confusion!!) is an Azure product that you enable on your virtual network. It deploys two domain controllers that are managed by Microsoft and synchronised with your Azure AD tenant. This allows you to grant machine access to users in your AAD tenant, but also to implement things like custom OUs, group policy, LDAP queries, NTLM and Kerberos.
This is a domain managed by Microsoft, so you do not have to worry about uptime (99.99% guarantee) or patching. However, it also means you do not have full control of the domain, which brings some limitations (you can see the full list of AAD DS limitations here).
IaaS Domain Controllers
Nothing is stopping you from just going the good old way: deploy some virtual machines in Azure and promote them into domain controllers.
This is a supported configuration and is in use by many customers who need the full suite of services provided by AD inside Azure, connected to their on-prem AD using VPN or ExpressRoute.
The downside to this approach is that you need to manage this yourself (at least 2 additional VMs): you need to take care of patching and updating your servers, backing up your domain and any other maintenance you require.
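The IaaS route described above, as an added example that is not part of the original post: promoting an Azure VM into an additional domain controller for an existing domain reached over VPN or ExpressRoute. It uses the standard ADDSDeployment cmdlets; the domain name, the existing DC's IP address, the data disk letter and the AD site name are placeholders you would replace with your own values.

```powershell
# Added example (not from the original post): promote an Azure IaaS VM into an
# additional domain controller of an existing domain. Run on the VM as a local
# administrator. The domain name, existing DC IP, data drive letter and AD site
# name below are placeholders/assumptions, not values from the post.

$DomainName  = 'corp.example.com'   # placeholder: your existing AD domain
$OnPremDnsIp = '10.0.0.10'          # placeholder: an existing DC reachable over VPN/ExpressRoute
$AdSiteName  = 'Azure-WestEurope'   # placeholder: the AD site created for the Azure subnet
$DataDrive   = 'F:'                 # assumption: a separate data disk with host caching set to None

# 1. Point DNS at an existing DC so the VM can locate the domain.
#    Set the same DNS server on the Azure NIC as well, so it survives a redeploy.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $OnPremDnsIp

# 2. Install the AD DS role and its management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 3. Promote the VM to an additional DC in the existing domain. NTDS and SYSVOL
#    are kept off the OS disk, on a data disk with host caching disabled, so that
#    AD DS database writes are never served from the Azure disk cache.
$cred = Get-Credential -Message "Domain Admin credentials for $DomainName"
Install-ADDSDomainController `
    -DomainName   $DomainName `
    -Credential   $cred `
    -InstallDns `
    -SiteName     $AdSiteName `
    -DatabasePath "$DataDrive\NTDS" `
    -LogPath      "$DataDrive\NTDS" `
    -SysvolPath   "$DataDrive\SYSVOL" `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# After the reboot, verify health and replication with the built-in tools:
#   dcdiag /v
#   repadmin /replsummary
```

The static private IP on the NIC, the separate data disk for NTDS/SYSVOL, and the dedicated AD site are the parts people most often skip; they are also what keep replication and DNS resolution predictable when the VM is deallocated and redeployed, and they are exactly the kind of maintenance the paragraph above warns you now own.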