Managed Azure Active Directory Domain Services
Updated: Nov 14, 2019
In a previous post, I explored how to extend your on-premises Active Directory Domain Services (AD DS) to the Azure cloud. But, what if you don't have an on-premises AD DS environment, yet still need to take advantage of AD DS features like LDAP, Kerberos, or Group Policy in the cloud?
One solution is to build your own virtual machines in Azure and use them to stand up your own AD DS domain in the cloud from scratch. This works great, but now you've added more to your workload: you'll have to constantly patch and update the operating system on each VM, you'll need to setup and configure Azure AD Connect if you want to sync accounts between your new domain and Azure AD, and a few years down the road you'll need to worry about upgrading to a new version of AD DS.
What if you didn't have to worry about any of that overhead of running your own AD DS domain in the cloud? That's where Azure's managed AD DS service comes into play.
In a nutshell, it's just an Azure service that you subscribe to. You get to create your own AD DS domain that lives in the cloud and is fully managed by Microsoft. In the background, Microsoft is actually providing you with 2 Domain Controllers for redundancy. If you place your new domain in an Azure Region that supports Availability Zones, then your domain controllers will also be spread across zones for additional resiliency.
You don't actually get to interact with the Domain Controllers at an Operating System level. You can use your standard admin tools to connect to your new AD DS domain, and let Microsoft handle everything on the backend.
Your new domain will automatically sync with Azure AD. Users, groups, and credentials will automatically sync from Azure Active Directory to your managed AD DS. This is only a one-way sync! While you can create new objects directly in your managed AD DS, they will not be synchronized back to Azure Active Directory.