Azure Active Directory Domain Services

Working with Infrastructure as a Service (IaaS) deployments always presents the challenge of Active Directory Domain Services: namely, what to do about AD in the cloud. To date, we have had a few options, each of which required running Domain Controllers in the cloud, with the additional maintenance and overhead that this entails.

Azure AD Domain Services is a fairly recent addition to the Azure Platform as a Service (PaaS) offering, providing Active Directory services without the need to deploy Domain Controllers on Virtual Machines. In addition to domain-joining VMs and managing users and groups, the service also supports applications that require NTLM, Kerberos and LDAP.

See the Azure AD Domain Services page for information on the features, capabilities and pricing.

The service is still in Preview mode with a number of limitations. Hopefully this will change over time, as the limitations restrict its usefulness to fairly simple scenarios. While the service is in preview there is only a single tier available, and it is billed at half price.

As far as I can tell, it's currently limited to a single Virtual Network; tenants with multiple subscriptions will only be able to domain-join Virtual Machines that exist in one of those subscriptions. Additionally, the service only supports a flat OU structure: there's no ability to nest OUs and create the hierarchies for organizing user accounts as you would on-premises. Similarly, only simple Group Policy Objects (GPOs) are available for managing the objects in the directory.

Despite the limitations, the service does provide good value and capabilities - especially when compared to the effort and cost required to deploy and maintain multiple domain controllers in the cloud.

I've been working with the service for the last couple of weeks for a customer that is starting out with cloud-only identities. After a quick review of our options, we chose to use the new service based on the relative ease and minimal ongoing cost. Though the project is not in full production yet, we've been pleased with the service so far.

For organizations that have directory synchronization with password sync in place, or those that are starting with a cloud-only identity model, Azure Active Directory Domain Services is worth a look.