Domain Controller as a Service in Azure

What is it?

It is the cloud version of Windows Active Directory. It can be thought of as a managed service, because:

  • You create the domain (the AD Forest)
  • You update the DNS settings of the Vnet so the Virtual Machines can reach it
  • You join the VMs to the domain
  • You authenticate against it, and this is fundamental, with your cloud credentials from Azure AD

This last point is the key difference: it simplifies connectivity to the IaaS resources, allows for Single Sign-On (SSO), and removes the great pain of managing a separate user/password combination for every machine.

Domain Services is a service of Azure AD.

The Testing

Elements of this setup:

  1. A Virtual Network, which must be created before Domain Services
  2. Two Virtual Machines, one with Windows Server 2016 and the other with Windows 10
  3. The Active Directory Domain Services instance itself
  4. An account with Administrator level, which is required to create the service

Creating the Service

The DNS name can be routable, but it doesn't have to be: this domain name gets its own dedicated DNS service, and the VMs connected to that network resolve queries through it. The DNS server change for the network is made in the Vnet configuration.

Domain Services runs on two Virtual Machines with an internal load balancer in front, and offers a limited set of features.

Users must belong to the AAD DC Administrators group so that they can domain join VMs.

Adding a computer once all conditions are met is business as usual. Note: the user in Azure AD has to belong to either the Administrators or the Remote Desktop group(s) on the VM so it can start a remote desktop session.

Reboot afterwards, as always.
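As an added example (not code from the original post), the steps above expressed in PowerShell: pointing the Vnet DNS at the managed domain controllers, adding the joining user to the AAD DC Administrators group, and running the domain join on the VM. The resource group, Vnet, DC addresses, domain name and user are assumed placeholders, and the managed domain itself is assumed to have been created in the portal as the post describes.

```powershell
# Added example, not from the original post. Names, addresses and the domain are placeholders.
# Steps 1 and 2 run from an admin workstation with the Az (Az.Network) and AzureAD modules,
# after Connect-AzAccount and Connect-AzureAD. Step 3 runs on the VM being joined.

$ResourceGroup = 'rg-aadds-test'            # assumed resource group
$VnetName      = 'vnet-aadds-test'          # assumed Vnet, created before Domain Services
$DcIPs         = @('10.0.0.4', '10.0.0.5')  # the two managed DC addresses shown in the portal (placeholders)

# 1. Point the Vnet's DNS servers at the managed domain controllers so joined VMs can resolve the domain.
$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroup
$vnet.DhcpOptions.DnsServers = $DcIPs
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# 2. Add the user who will do the join to 'AAD DC Administrators' (the group is created with the service).
$UserUpn = 'roberto@contoso.example'        # placeholder user
$group   = Get-AzureADGroup -Filter "DisplayName eq 'AAD DC Administrators'"
$user    = Get-AzureADUser -ObjectId $UserUpn
Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId

# 3. On the VM: reboot (or renew the lease) first so it picks up the new DNS servers, then join.
#    The credential is the Azure AD user's own cloud credentials, entered as the UPN.
$DomainName = 'contoso.example'             # placeholder managed domain name
$cred = Get-Credential -Message "Azure AD user in AAD DC Administrators ($DomainName)"
Add-Computer -DomainName $DomainName -Credential $cred -Restart
```

The join only succeeds once the VM resolves the domain through the managed DCs, so if `Add-Computer` reports that the domain cannot be contacted, check `ipconfig /all` on the VM for the two DC addresses before looking anywhere else.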

The Domain management Features

New OUs can be created.

Group Policies can be modified and applied to the joined machines, though not all policies are applicable. There is no password reset, as the users connecting belong to Azure AD.

The management tools can be installed on any Windows box, which of course has to be domain joined.

Nothing in the domain properties is modifiable: changing replication, adding an additional UPN, or adding an extra DC is not possible.
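As an added example (not code from the original post), the management features above driven from the domain-joined Windows Server 2016 VM: installing the management tools, creating an OU, and linking a GPO to it. The OU name, GPO name and computer name are assumed placeholders; the registry-backed setting is just one policy that the managed domain does let you apply.

```powershell
# Added example, not from the original post. Run on the domain-joined Windows Server 2016 VM
# as a member of AAD DC Administrators. OU, GPO and computer names are placeholders.

Install-WindowsFeature -Name RSAT-AD-Tools, GPMC | Out-Null
Import-Module ActiveDirectory, GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=example
$OuName   = 'LabServers'                        # placeholder OU name

# Custom OUs are allowed in the managed domain; create one for the lab machines.
New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
$OuDN = "OU=$OuName,$DomainDN"

# A GPO with a registry-backed security setting (do not store LAN Manager hashes), linked to the OU.
$gpo = New-GPO -Name 'Lab - No LM hash' -Comment 'Added example'
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'NoLMHash' -Type DWord -Value 1 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $OuDN -LinkEnabled Yes | Out-Null

# Move the test VM into the OU so the link applies on its next policy refresh.
Get-ADComputer -Identity 'WIN10-TEST' | Move-ADObject -TargetPath $OuDN   # placeholder computer name

# Show what is linked where, to confirm the link before touching the client.
Get-GPInheritance -Target $OuDN | Select-Object -ExpandProperty GpoLinks
```

On the client, `gpupdate /force` followed by `gpresult /r` shows whether the GPO was applied; a setting that silently never shows up there is the quickest way to spot one of the policies the managed domain does not support.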

Software Install via Group Policy

This is one of the things I was surprised to see working, and nicely so.

I added Chrome, as I wanted to test with a more complex package, on a Windows 10 VM which I joined afterwards.

Network-wise

I ran a port scanner on the VMs running the service, and this is how I noticed they are Windows boxes: the open ports are those used for AD.
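As an added example (not code from the original post), a targeted check from a domain-joined VM of the standard TCP ports a Windows domain controller listens on, so the managed DCs can be verified without a blind scan. The DC addresses are placeholders; the port list is the well-known AD set, and not every entry is necessarily exposed by the managed domain (LDAPS, for instance, only if secure LDAP has been enabled).

```powershell
# Added example, not from the original post. Run from a VM on the Vnet; DC addresses are placeholders.

$DcIPs = @('10.0.0.4', '10.0.0.5')   # the managed DC addresses (placeholders)

# Well-known TCP ports a Windows domain controller listens on.
$AdPorts = [ordered]@{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / NETLOGON)'
    464  = 'Kerberos password change'
    636  = 'LDAPS (only if secure LDAP is enabled on the managed domain)'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

function Test-DomainControllerPorts {
    param([string[]]$Addresses, [System.Collections.IDictionary]$Ports)
    foreach ($ip in $Addresses) {
        foreach ($port in $Ports.Keys) {
            $r = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DomainController = $ip
                Port             = $port
                Service          = $Ports[$port]
                Open             = $r.TcpTestSucceeded
            }
        }
    }
}

Test-DomainControllerPorts -Addresses $DcIPs -Ports $AdPorts | Format-Table -AutoSize

# Confirm the VM really locates its DC through one of those addresses.
nltest "/dsgetdc:$env:USERDNSDOMAIN"
```

The expected result is that both addresses answer on the same set of ports; one DC answering and the other not points at the load-balanced pair being unhealthy rather than at the VM, and any of these ports reachable from outside the Vnet is a network security group problem to fix.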

Conclusion

I think this could be quite a useful service. There were things I didn't test, like on-premises synchronization, but it works. The specific scenario of joining VMs to a central directory for management does make an important difference for operations teams, and being able to add both Windows and Linux machines to it makes it very attractive.

Roberto