Microsoft previews cloudy Active Directory Domain Services

Full Windows Active Directory service now available in Azure


Microsoft has announced a public preview of full Active Directory Domain Services running as a service in its Azure cloud.

Casual observers may be confused. Hasn't Microsoft offered Azure Active Directory (AD) for years, and used it for identity management in Office 365?

This is true, but until now Azure AD has not offered the full features of Active Directory running on premises. You could not join an Azure Virtual Machine (VM) to an Azure AD domain, for example, or set file permissions for Azure AD users.

Now you can, provided you sign up for Azure AD Domain Services and are in a supported region, currently the US or Asia. This is a subscription which will cost $0.05 per hour (around $37.20 per month) for up to 5,000 "objects", $0.20 per hour (around $148.80 per month) for up to 25,000 objects, and $0.40 per hour (around $297.60 per month) for up to 100,000 objects.

An “object” is a user, a group, or a domain-joined computer. Microsoft quotes an “approximate supported user workload” which is around 25 per cent of the maximum object count, so the lowest tier supports up to about 1,250 users.

The new service is a significant feature, partly because AD is baked deeply into Microsoft's server products like SQL Server and of course Windows Server itself. Until today, if you wanted to use AD with servers running in Azure, you had to either use a VPN to domain-join Azure VMs to on-premises AD, or run a domain controller on a VM in Azure.

Either way, the AD component immediately becomes critical to the entire Azure deployment, which means planning resilience and backup for it as well as for whatever applications you are running. Using hosted Azure AD Domain Services hands that to Microsoft and will be simpler and generally cheaper, with the trade-off that it is a managed domain: you do not get domain administrator rights or access to the domain controllers themselves.

Azure AD domains are separate from on-premises domains, but can be synchronised so that users sign in to both with the same credentials.

Azure AD Domain Services are linked with Azure Virtual Networks. When you set up Domain Services you have to specify the virtual network to which it applies. After setup, you get two IP addresses for the managed domain controllers, which you then configure as the DNS servers for the virtual network. Other servers on that network can then be joined to the domain.
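The setup just described, as an added example rather than anything from the article or from Microsoft's documentation: it sets the virtual network's DNS servers to the two addresses Domain Services hands back, checks from a VM on that network that the domain resolves only to those addresses and that Kerberos and LDAP are reachable, and then joins the VM. It assumes the Az PowerShell module, a resource group "rg-identity", a virtual network "vnet-prod", a managed domain "contoso.com" and the addresses 10.0.0.4 and 10.0.0.5; all of these are placeholders.

```powershell
# Added example, not from the article. Resource group, network, domain name
# and the two Domain Services addresses below are placeholder assumptions.
$rg       = 'rg-identity'
$vnetName = 'vnet-prod'
$domain   = 'contoso.com'
$dsIps    = @('10.0.0.4', '10.0.0.5')   # the two IPs reported after enabling Domain Services

# 1. Point the virtual network's DNS at the managed domain controllers.
#    VMs already on the network pick this up on the next DHCP renew or reboot.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$vnet.DhcpOptions.DnsServers = $dsIps
$vnet | Set-AzVirtualNetwork | Out-Null

# 2. Checks to run on a VM inside that network before attempting the join.
#    The domain must resolve to the Domain Services addresses and nothing else;
#    a stray record means a VM is still using a different DNS server.
$resolved   = (Resolve-DnsName -Name $domain -Type A).IPAddress
$unexpected = $resolved | Where-Object { $_ -notin $dsIps }
if ($unexpected) { throw "$domain resolves to unexpected addresses: $($unexpected -join ', ')" }

#    Kerberos (88) and LDAP (389) must be reachable; if not, a network
#    security group on the subnet is blocking them and the join fails with
#    an unhelpful error.
foreach ($ip in $dsIps) {
    foreach ($port in 88, 389) {
        if (-not (Test-NetConnection -ComputerName $ip -Port $port -InformationLevel Quiet)) {
            throw "TCP port $port on $ip is not reachable from this VM"
        }
    }
}

# 3. Join the VM with a user account that belongs to the managed domain
#    (assumption: an ordinary domain user suffices for the join, as it does
#    on-premises; 'AAD DC Administrators' membership is for administering the
#    domain, not for joining machines).
$cred = Get-Credential -Message "Account in $domain allowed to join computers"
Add-Computer -DomainName $domain -Credential $cred -Restart
```

The DNS check matters more than it looks: a VM that keeps an old DNS setting will still reach the internet fine but will never find the managed domain controllers, and the resulting join error says nothing about DNS.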

Existing users will have to reset their passwords in order to create the NTLM and Kerberos credential hashes that Domain Services uses for authentication; the password hashes Azure AD already holds are not in a form those protocols can use. If users are synchronised from an on-premises AD, a full password hash synchronisation is needed for the same reason, which also means the on-premises password hashes are from then on held in Azure.
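How a full password hash synchronisation is forced, as an added example and not text from the article. It runs on the Azure AD Connect server using the ADSync module that ships with it; the two connector names are placeholders (they are case sensitive, so read the real ones from Get-ADSyncConnector first), and the event IDs at the end are the password-sync events the Directory Synchronization provider writes to the Application log.

```powershell
# Added example, not from the article. Run on the Azure AD Connect server.
# Connector names below are placeholder assumptions; check them with
# Get-ADSyncConnector before running.
Import-Module ADSync

$adConnector      = 'contoso.local'                   # on-premises AD connector
$azureadConnector = 'contoso.onmicrosoft.com - AAD'   # Azure AD connector

# Print what is actually configured so the names above can be verified.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName

# Flag the on-premises connector to resend every password hash, not just
# hashes that changed since the last cycle.
$c = Get-ADSyncConnector -Name $adConnector
$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter `
        'Microsoft.Synchronize.ForceFullPasswordSync', String, ConnectorGlobal, $null, $null, $null
$p.Value = 1
$c.GlobalParameters.Remove($p.Name)
$c.GlobalParameters.Add($p)
$c = Add-ADSyncConnector -Connector $c

# Turning password hash sync off and back on starts the full sync.
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $false
Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $azureadConnector -Enable $true

# Confirm it ran: event 656 is a password change request, 657 its result.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 656, 657 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

Treat this as a change that needs sign-off: after it completes, every synchronised user's NTLM and Kerberos hashes exist in Microsoft's cloud, so the Azure AD tenant is now as sensitive as the on-premises domain controllers.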

According to Director of Program Management Alex Simons: “This is a HUGE milestone for us as a team. After years of work, we've reached the point where Azure AD is now a super set of Windows Server AD.”

Group Policy is supported, so that you can manage the configuration of Azure VMs centrally.
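As an added example of using that support (it is not from the article), this creates a Group Policy Object on the managed domain that requires SMB signing and refuses NTLMv1 on every domain-joined Azure VM, and links it to the OU Domain Services places joined computers in. It assumes a domain-joined management VM with RSAT's GroupPolicy module, an account in the managed domain's 'AAD DC Administrators' group, the placeholder domain "contoso.com", and that the joined-computer OU is named "AADDC Computers".

```powershell
# Added example, not from the article. Domain name, GPO name and the OU name
# are assumptions for illustration.
Import-Module GroupPolicy

$domain      = 'contoso.com'
$domainDn    = 'DC=' + ($domain -replace '\.', ',DC=')
$computersOu = "OU=AADDC Computers,$domainDn"   # assumed OU for domain-joined VMs
$gpoName     = 'Azure VM hardening'

# Create the GPO (idempotent: reuse it if a previous run already made it).
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Domain $domain }

# Require SMB signing on the client side of every joined VM.
Set-GPRegistryValue -Name $gpoName -Domain $domain `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' `
    -ValueName 'RequireSecuritySignature' -Type DWord -Value 1 | Out-Null

# LmCompatibilityLevel 5: send NTLMv2 only, refuse LM and NTLMv1.
Set-GPRegistryValue -Name $gpoName -Domain $domain `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'LmCompatibilityLevel' -Type DWord -Value 5 | Out-Null

# Link it to the computers OU rather than the domain root.
$existing = (Get-GPInheritance -Target $computersOu -Domain $domain).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existing) {
    New-GPLink -Name $gpoName -Target $computersOu -LinkEnabled Yes -Domain $domain | Out-Null
}

# On any joined VM, refresh and confirm the GPO is applied:
#   gpupdate /force
#   gpresult /r /scope computer
```

Linking to the computers OU rather than the domain root keeps the policy off objects the managed service owns, and the idempotence checks let the script be re-run from a pipeline without creating duplicate GPOs or links.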

Configuring Azure AD Domain Services

In Windows 10, users can log on with Azure AD credentials, which simplifies integration with Office 365. Such machines are not domain-joined in the traditional sense, though; the management model is closer to MDM (Mobile Device Management) than to Group Policy.

Another difference is that a Windows 10 PC is not on the same network as Azure AD Domain Services, so it cannot reach the managed domain controllers. It looks as if Microsoft's current focus is on server applications in Azure, rather than on enhancing what can be done with external PCs.

The existence of Azure AD Domain Services will simplify matters for businesses moving applications to Microsoft’s cloud, though the non-availability of the preview in Europe is an annoyance. ®
