Azure Active Directory Domain Services Capabilities and Limitations.


Here are the capabilities and limitations of "Azure Active Directory Domain Services" that you need to consider when deciding how to run Active Directory in the cloud.

Managed service
Azure AD Domain Services domains are managed by Microsoft. You do not have to worry about patching, updates, monitoring, backups, and ensuring availability of your domain. These management tasks are offered as a service by Microsoft Azure for your managed domains.


Secure deployments
The managed domain is securely locked down as per Microsoft’s security best practices for AD deployments. These best practices stem from the AD product team's decades of experience engineering and supporting AD deployments. For do-it-yourself deployments, you need to take specific deployment steps to lock down/secure your deployment.

DNS server
An Azure AD Domain Services managed domain includes managed DNS services. Members of the 'AAD DC Administrators' group can manage DNS on the managed domain. Members of this group are given full DNS Administration privileges for the managed domain. DNS management can be performed using the 'DNS Administration console' included in the Remote Server Administration Tools (RSAT) package.

Domain or Enterprise Administrator privileges
These elevated privileges are not offered on an AAD-DS managed domain. Applications that require these elevated privileges to be installed or run cannot be run against managed domains. A smaller subset of administrative privileges is available to members of the delegated administration group called 'AAD DC Administrators'. These privileges include the ability to configure DNS, configure group policy, and gain administrator privileges on domain-joined machines.

Domain join
You can join virtual machines to the managed domain in the same way you join computers to an AD domain.

Domain authentication using NTLM and Kerberos
With Azure AD Domain Services, you can use your corporate credentials to authenticate with the managed domain. Credentials are kept in sync with your Azure AD tenant. For synced tenants, Azure AD Connect ensures that changes to credentials made on-premises are synchronized to Azure AD. With a DIY domain setup, you may need to set up a domain trust relationship with an on-premises account forest for users to authenticate with their corporate credentials. Alternatively, you may need to set up AD replication to ensure that user passwords synchronize to your Azure domain controller virtual machines.

Custom OU structure
Members of the 'AAD DC Administrators' group can create custom OUs within the managed domain.

Schema extensions
You cannot extend the base schema of an Azure AD Domain Services managed domain. Therefore, applications that rely on extensions to AD schema (for example, new attributes under the user object) cannot be lifted and shifted to AAD-DS domains.

AD Domain or Forest Trusts
Managed domains cannot be configured to set up trust relationships (inbound/outbound) with other domains. Therefore, scenarios such as resource forest deployments or cases where you prefer not to synchronize passwords to Azure AD cannot use Azure AD Domain Services.

LDAP Read
The managed domain supports LDAP read workloads. Therefore, you can deploy applications that perform LDAP read operations against the managed domain.

Secure LDAP
You can configure Azure AD Domain Services to provide secure LDAP access to your managed domain, including over the internet.
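As an added defender-side check (not from the original post or from Microsoft's documentation): if Secure LDAP is exposed to the internet, the network security group in front of the managed domain should restrict TCP 636 to known source ranges. This script audits a constructed, simplified set of inbound NSG rules (field names loosely follow an Azure NSG export, but the rule set is sample data, not a real export) and flags any rule that opens LDAPS to any source.

```python
"""Audit constructed NSG rules for Secure LDAP (TCP 636) exposed to any source."""
from typing import Dict, List

LDAPS_PORT = 636

# Constructed sample rules (simplified; field names loosely follow an
# Azure NSG export, but this is not a real export).
SAMPLE_RULES = [
    {"name": "AllowLDAPS-Any", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "636",
     "sourceAddressPrefix": "*", "priority": 100},
    {"name": "AllowLDAPS-Office", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "600-700",
     "sourceAddressPrefix": "203.0.113.0/24", "priority": 110},
    {"name": "AllowRDP", "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "destinationPortRange": "3389",
     "sourceAddressPrefix": "Internet", "priority": 120},
]

def port_in_range(port: int, port_range: str) -> bool:
    """True if port falls within an NSG port spec: '636', '600-700' or '*'."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-", 1))
        return lo <= port <= hi
    return int(port_range) == port

def is_unrestricted(prefix: str) -> bool:
    """Source prefixes that effectively mean 'any host on the internet'."""
    return prefix in ("*", "Internet", "0.0.0.0/0")

def audit_ldaps_exposure(rules: List[Dict]) -> List[str]:
    """Names of inbound Allow rules that open LDAPS to an unrestricted source."""
    findings = []
    for rule in rules:
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if rule["protocol"] not in ("Tcp", "*"):
            continue
        if (port_in_range(LDAPS_PORT, rule["destinationPortRange"])
                and is_unrestricted(rule["sourceAddressPrefix"])):
            findings.append(rule["name"])
    return findings

if __name__ == "__main__":
    for name in audit_ldaps_exposure(SAMPLE_RULES):
        print(f"WARNING: rule {name!r} exposes Secure LDAP to any source")
```

The office-restricted rule passes even though its port range covers 636, because the source prefix is a specific CIDR; only the wildcard-source rule is reported.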

LDAP Write
The managed domain is read-only for user objects. Therefore, applications that perform LDAP write operations against attributes of the user object do not work in a managed domain. Additionally, user passwords cannot be changed from within the managed domain. Modifying group memberships or group attributes within the managed domain is likewise not permitted. However, any changes to user attributes or passwords made in Azure AD (via PowerShell or the Azure portal) or in on-premises AD are synchronized to the AAD-DS managed domain.

Group policy
Sophisticated group policy constructs aren’t supported on the AAD-DS managed domain. For example, you cannot create and deploy separate GPOs for each custom OU in the domain or use WMI filtering for GP targeting. There is a built-in GPO each for the ‘AADDC Computers’ and ‘AADDC Users’ containers, which can be customized to configure group policy.

Geo-dispersed deployments
Azure AD Domain Services managed domains are available in a single virtual network in Azure. For scenarios that require domain controllers to be available in multiple Azure regions across the world, setting up domain controllers in Azure IaaS VMs might be the better alternative.

Source: Microsoft
Thank you for your support. Please share your suggestions in comments or email me.

6 comments:

  1. Really nice blog; through yours I learn new things. Thanks for providing it. For more updates: Azure Online Training Bangalore

  2. Thank you for posting the valuable information about the Azure blogs. Every person easily understands your posting, and I am learning a lot of things from your posts. Keep it up.
    Microsoft Azure Online Training

  3. Thanks for sharing Azure Active Directory tips. For more info I refer to cion systems Azure Active Directory in USA.
