Cloud Based Enterprise Directory [ Microsoft ]


Until now, the only way to run a fully capable Active Directory in the cloud has been to create an Azure VM in Azure IaaS and configure it as a domain controller. That requires a separate set of 'cloud credentials' to log in to and administer the VMs, and the directory is limited to what runs on that VM. To take it a step further, you can connect that VM back to your on-premises AD over a VPN/ExpressRoute connection, either by promoting it as an additional domain controller of your existing domain or by configuring an AD trust relationship with it. You can then join virtual machines to your domain, and user authentication happens over the VPN/ExpressRoute connection to your on-premises directory.

The benefits of doing this are:

1. You have extended your Active Directory to the cloud.
2. Your on-premises Active Directory replicates to the Azure VM domain controller over the VPN/ExpressRoute connection.
3. You can join your Azure VMs to the domain and manage them.
4. You can use every Active Directory feature in the cloud: domain join, Group Policy, LDAP bind/read/write, and Kerberos/NTLM authentication.

Along with these benefits comes the responsibility of managing the domain controller you created on the Azure VM: patching, monitoring, and every other small and large task that is part of Active Directory administration.

Modern applications that support Azure AD authentication can migrate to Azure easily. But what about line-of-business (LOB) applications that rely on LDAP, NTLM or Kerberos, and what about Azure VMs that need to be secured with Group Policy?

With these considerations in mind, Microsoft Azure introduced "Azure AD Domain Services", which gives you a managed domain inside your Azure virtual network. Azure AD Domain Services provides managed domain services such as domain join, Group Policy, LDAP, and Kerberos/NTLM authentication that are compatible with Windows Server Active Directory. You consume these domain services without deploying, managing, or patching domain controllers in the cloud. Azure AD Domain Services integrates with your existing Azure AD tenant, so users can log in with their corporate credentials. You can also use existing groups and user accounts to secure access to resources, which makes for a smoother 'lift-and-shift' of on-premises resources to Azure Infrastructure Services.


A few salient aspects of the managed domain provisioned by Azure AD Domain Services:

1. The managed domain is a stand-alone domain; it is not an extension of your on-premises AD.
2. You do not need to manage, patch, or monitor domain controllers for this managed domain.
3. There is no AD replication for you to manage. User accounts, group memberships, and credentials from your on-premises AD are synchronised to Azure AD via Azure AD Connect, and from there they are automatically made available in the managed domain. Note that the NTLM and Kerberos password hashes the managed domain needs are only available once Azure AD Connect has been configured to synchronise them and a user's password has been set or changed after that point; an account that never goes through this step cannot authenticate to the managed domain.
4. Because the domain is managed by Azure AD Domain Services, your on-premises administrators do not get Domain Administrator or Enterprise Administrator privileges on it. Administration is delegated through the 'AAD DC Administrators' group in Azure AD, whose members can join computers and manage Group Policy in the managed domain but are not members of Domain Admins or Enterprise Admins; those groups stay under Microsoft's control.
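The following PowerShell session is an added example, not code from the original post or from Microsoft. It joins an Azure Windows VM to a managed domain and then checks each of the domain services listed above (DNS, domain join, Kerberos, LDAP, Group Policy) plus the delegated-administration point. The domain name `aaddscontoso.com` and the account `dcadmin` are hypothetical; it assumes the VM's network interface already uses the managed domain's DNS servers and that `dcadmin` is a member of the 'AAD DC Administrators' group.

```powershell
# Added example (not from the original post). Assumptions: managed domain
# 'aaddscontoso.com' and user 'dcadmin' are hypothetical; the VM already
# points at the managed domain's DNS servers; 'dcadmin' is in the
# 'AAD DC Administrators' group (delegated admin, NOT Domain Admins).

$ManagedDomain = 'aaddscontoso.com'

# 1. DNS: the join fails silently-looking if the VM cannot resolve the domain.
Resolve-DnsName -Name $ManagedDomain -Type A | Format-Table Name, IPAddress

# 2. Domain join. Run once from an elevated session; the VM restarts afterwards.
$cred = Get-Credential -UserName "dcadmin@$ManagedDomain" -Message 'Managed domain credentials'
Add-Computer -DomainName $ManagedDomain -Credential $cred -Restart -Force

# ---- after the restart, signed in as a managed-domain user ----

# 3. Kerberos: the machine's secure channel should be healthy and a TGT
#    for the managed domain's realm should have been issued at logon.
Test-ComputerSecureChannel -Verbose
klist tgt

# 4. LDAP bind/read (no RSAT required): read the user object that was
#    synchronised from Azure AD and list its group memberships.
$root = [ADSI]"LDAP://$ManagedDomain"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = '(&(objectClass=user)(sAMAccountName=dcadmin))'
$searcher.FindOne().Properties['memberof']

# 5. Group Policy: confirm which GPOs from the managed domain applied to the VM.
gpresult /r /scope:computer

# 6. Least-privilege check: the account should appear in 'AAD DC Administrators'
#    and never in Domain Admins or Enterprise Admins, which Microsoft controls.
whoami /groups | Select-String -Pattern 'AAD DC Administrators|Domain Admins|Enterprise Admins'
```

If step 3 reports a broken secure channel or step 4 returns nothing, the usual cause is that the VM is not using the managed domain's DNS servers or that the user's password hash was never synchronised to the managed domain (see point 3 above).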

Benefits

Simple – You can satisfy the identity needs of virtual machines deployed to Azure Infrastructure Services with a few clicks. You do not need to deploy and manage identity infrastructure in Azure or set up connectivity back to your on-premises identity infrastructure.

Integrated – Azure AD Domain Services is deeply integrated with your Azure AD tenant. You can now use Azure AD as an integrated cloud-based enterprise directory that caters to the needs of both your modern applications and traditional directory-aware applications.

Compatible – Azure AD Domain Services is built on the proven, enterprise-grade infrastructure of Windows Server Active Directory, so your applications can rely on a high degree of compatibility with Windows Server AD features. Not every Windows Server AD feature is currently available in Azure AD Domain Services, but the features that are available behave like the corresponding Windows Server AD features you rely on in your on-premises infrastructure. The LDAP, Kerberos, NTLM, Group Policy, and domain join capabilities are a mature offering that has been tested and refined over many Windows Server releases.

Cost-effective – With Azure AD Domain Services, you can avoid the infrastructure and management burden that is associated with managing identity infrastructure to support traditional directory-aware applications. You can move these applications to Azure Infrastructure Services and benefit from greater savings on operational expenses.

Here are all the features of 'Azure AD Domain Services'.

Source: Microsoft
Thank you for your support. Please share your suggestions in comments or email me.
