2021 Annual Petri Reader Survey - We want to know what's important to you! 2021 Annual Petri Reader Survey - We want to know what's important to you!
Microsoft Azure

Azure AD Domain Services Gets a Few Improvements

Azure AD Domain Services – A Reminder

If you are building an infrastructure-based application deployment in Azure (virtual machines) then it’s not unusual to require a domain – correctly referred to in Windows Server as Active Directory Domain Services (ADDS). ADDS provides us with a directory that has features such as organizational units (OUs), role-based access control (RBAC), and group policy objects (GPO). You can deploy some virtual machines, even modestly priced B-Series machines, to host this Windows Server role and then join the other Windows Server machines to the domain.

In The Cloud, we should want to push as many services as possible down into the fabric. This approach allows us to spend less time on the mundane and time-consuming work, and spend more time on more valuable work at the application, settings, and data layers. Azure AD Domain Services is an example of this.

Instead of building virtual machines as domain controllers which we then must maintain, patch, backup, and eventually replace with machines with a newer OS, Microsoft offers us a domain-as-a-service – and no, that is not Azure AD.

We can deploy Azure AD Domain Services which is linked to the Azure AD tenant. Under the covers, Microsoft deploys a pair of virtual machines that will act as domain controllers. The machines are connected to a virtual network of our choice in an Azure region of our choice. The domain controllers synchronize with Azure AD but, unlike Azure AD, they offer OUs, GPOs, RBAC, and classic machine join – which is supported only with Azure virtual machines (not on-premises or roaming machines).

The service allows us to run a classic domain for cloud-based machines but without the burden of managing additional machines: patching, backup, “upgrades”, and so on. Like with all cloud services, improvements are made.

Improved Synchronization

Very large customers have had issues with the synchronization of hundreds of thousands of users, groups, and group memberships between Azure AD and Azure AD Domain Services – sometimes taking weeks to complete! Microsoft claims that these huge synchronizations now take “a few days”.

Health Monitoring

Under the covers, there are still machines. It’s still the same old Active Directory Domain Services in those machines, and backups are still required. Microsoft has added health monitoring:

  • You can view the health of Azure AD DS, depicted as Running, Needs Attention (Warning), Needs Attention (Critical), or Deploying.
  • It monitors backup and synchronization health.
  • Alerting for issues

Managed Disks

New deployments of Azure AD Domain Services now are created using managed disks. The main benefit for us is alignment with the availability set, which should ensure higher levels of uptime for the domain service.

Better Security Options

SMB 1 might not be the only protocol that you should kill off on your networks! We now have the ability to disable the following in Azure AD Domain Services:

  • NTML v1
  • Synchronization of NTLM password hashes from an on-premises domain (via Azure AD Connect)
  • TLS v1

Scoped Synchronization

You can limit which user accounts should be synchronized from Azure AD into the managed domain in Azure AD Domain Services. This will result in better security and more efficient synchronization for very large customers.

Fine-Grained Password Policy

You now have more control over password policies in a managed domain, enabling longer password lifetimes (if required), and custom complexity and lockout settings for OUs.

Related Topics:

BECOME A PETRI MEMBER:

Don't have a login but want to join the conversation? Sign up for a Petri Account

Register
Comments (0)

Leave a Reply

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.

Register for the Hybrid Identity Protection (HIP) Europe Conference!

Hybrid Identity Protection (HIP) Europe 2021 - Virtual Conference

Mobile workforces, cloud applications, and digitalization are changing every aspect of the modern enterprise. And with radical transformation come new business risks. Hybrid Identity Protection (HIP) is the premier educational forum for identity-centric practitioners. At the inaugural HIP Europe, join your local IAM experts and Microsoft MVPs to learn all the latest from the Hybrid Identity world.