This design also has Pros and Cons.Īs I mentioned, it's familiar and comfortable.
These are tasks that we all know and have been doing for years. You need a connection (site-to-site VPN or ExpressRoute), DCs deployed in each Virtual networks, defined sites in AD to managed replication and authentication requests. There are no facilities for LDAP writebacks outside of the managed domain in that virtual network, which means that the changes are NOT written back to the on-prem AD through the AD Connect sync process.ĭeploying Active Directory in IaaS is virtually the same as setting it up in remote offices.
Your managed AADDS is limited to the virtual network on which you deployed it. You can go around that problem by setting up VPNs and peered virtual networks, but it adds considerably more complexity to your environments.Īs you can see in the diagram above, the replication from your Azure AD tenant to AADDS is a one-way replication. There are no capabilities for Geo-distributed deployments. You will not need to set up a site-to-site VPN or use ExpressRoute to facilitate the replication of self-managed regular AD domain controllers.ĪADDS does support Group Policies. However, there is no GPO replication from on-prem you must recreate the policies you need in the managed directory service. If you change one on-prem, you must perform the same change in the managed Directory.ĪD domain/forest trusts are not supported at this point.
#ACTIVE DIRECTORY DOMAIN SERVICES DEFINITION UPDATE#
It takes away the need for you to deploy your Domain Controllers in Azure and to ensure that your DCs are in different fault and update domains, and it takes care of the DC patching for you.ĪADDS provides an experience that is fully compatible with a subset of features of Active Directory (see above). Depending on your apps, they may keep running in the cloud without any modifications.Īs I mentioned since it's a managed Directory service, it is highly available the DCs and the AADDS will be automatically backed up. The deployment of AADDS is relatively simple once you have your on-prem AD connected to AAD using Ad Connect. It all sounds wonderful, and it is in most cases. Here are some pros and cons. It integrates with Azure AD and, when synchronized with an on-premises AD DS environment, allows you to extend your on-prem identities to run in Azure as part of a lift-and-shift strategy. Here are some of the differences you need to keep in mind.ĭomain or Enterprise administrator privilegesĭomain authentication using NTLM and KerberosĪzure Active Directory Domain Services (AADDS)Īzure Active Directory Domain Services (Azure AD DS) provides a managed domain services with a subset of fully compatible traditional AD DS features such as domain join, group policy, LDAP, and Kerberos / NTLM authentication. Once that is known, you can now decide if you will use one of the two remaining options, namely AD or AADDS, you can use to support your workload. You need to know your apps and how they interact with AD. When "lifting and shifting" applications to the cloud, there are a lot of identity needs that may be required, do they use AD services? Does the workload need a service account managed by AD both on-prem and in IaaS? Does the workload need to Extend the AD schema? Does the application need access to an Application Partition in AD? However, AAD does not have capabilities like Group Policies or Application Containers or extensible schema, which is sometimes required by some workloads, among other capabilities. It supports web-based OAuth 2.0, SAML 2.0 and Open ID authentication frameworks. AAD is our cloud-based identity solution that allows you to leverage users, groups, applications and security principal concepts. If you are moving to the cloud by subscribing to SaaS applications or rewriting existing applications using modern PaaS services, you’ll want to take advantage of Azure Active Directory (AAD). It's essential to understand the differences when you’re looking at a “lift-and-shift” scenario from on-prem to IaaS. Azure Active Directory Domain Services (AADDS).More specifically, what are the difference between: I met with some customers last week, and we had a great conversation about Active Directory and the differences between all the flavours available to them when adopting a hybrid posture.