Active Directory (AD) is one of the core services in every company. Authentication has always been crucial: for IT admins, for the clients opening their sessions, and for the external IT consultants who need to work within a client's environment. Active Directory is kind of a “holy grail”, a standard if you ask me. The usual protection of AD is to have a multi-site environment and replicate AD between different domain controllers (DCs). But this is not always the case for very small businesses, which sometimes have only a single server. So how about switching the authentication and moving the “responsibility” of your local domain controllers to the Azure cloud? Or going hybrid? Does that mean you simply install an additional DC within Azure and replicate your existing environment? No, there is something else that I want to talk about today: Azure AD (AAD) Domain Services, which supports Kerberos, Windows Integrated Authentication and NTLM, as well as Group Policy Objects (GPO) and the Lightweight Directory Access Protocol (LDAP).
There are several ways in which you can leverage AD within a hybrid environment with Microsoft Azure. Some of them are too complex, some of them are paid. Basically, to implement Azure Active Directory (AAD) Domain Services:
- You don't need to install a domain controller (DC) in the cloud.
- You don't need to set up ExpressRoute (a paid service: “service that enables you to create private connections between Azure datacenters and infrastructure that’s on your premises or in a colocation environment. ExpressRoute connections do not go over the public Internet, and offer more reliability, faster speeds, lower latencies and higher security than typical connections over the Internet.”). Basically, to create an ExpressRoute connection, you need your ISP to support it.
- You don't need to create a VPN to connect on-premises DCs to Azure.
This is rather encouraging, right? First, you need to know that AAD doesn’t support all the services provided by Windows Server AD (not yet, but Microsoft is progressively adding new features). You should also know that this service is “in preview” for now, so I'd suggest testing it on a separate domain, other than your production AD, first!
But yes, it is a very promising technology, already supporting native domain join, Group Policy, Kerberos and NTLM authentication, and Lightweight Directory Access Protocol (LDAP) access to the directory.
Three editions of AAD are currently available:
- Free – limited to 500.000 user objects
- Basic – supports group-based access management, branding of login pages
- Premium – supports self-service password reset, group-based access management and federation with your existing environment.
Image courtesy of Microsoft…
You can find more information about different editions here.
When I connect to my Azure account and select AAD, I can see the message saying that AAD is in preview…
The implementation of AAD is (apparently) simple. Only four clicks are necessary.
Quote from Microsoft:
With just four clicks, Azure AD can be integrated with an existing Windows Server Active Directory, giving organizations the ability to leverage their existing on-premises identity investments to manage access to cloud-based SaaS applications.
For now, the service is in preview…
Azure AAD is certainly interesting from a DR perspective. It is something that very small businesses could use for their DR strategies: businesses which usually run an “all-in-one” server with several roles, including the DC, but which don't usually have a DR plan in case their office catches fire. Sometimes they do have a kind of backup solution, but how difficult is it to maintain (and protect) this kind of installation?
And sometimes, of course, they do not have another remote site (with an additional DC), or a backup solution for their physical host. They are kind of taking a risk where they can simply lose their AD…