Last Update: Sep 04, 2024 | Published: Jul 06, 2016
Microsoft recently announced that Azure RemoteApp can be used with Azure AD Domain Services (still in preview) for domain authentication, without running domain controllers as virtual machines in Azure. I’ll explain what this means in this post.
Many services that customers want to migrate or run in the cloud still depend on thick-client applications. For example, a business might want to go all in on the cloud, deploy Office 365, and still need to run Office Pro Plus. This business could use Remote Desktop Services (RDS) in Azure to deploy Office Pro Plus and publish the applications to the users. In another example, an organization might use Azure Site Recovery (ASR) as a disaster recovery (DR) solution. In the event of a fire, they might need to fail over. The services and data are safe in Azure, but they are useless without end-user access. RDS comes in handy here because it can provide near-instant access from Mac, iOS, Android, and Windows devices.
On the downside, RDS requires:
RemoteApp is licensed per user (based on the service tier being deployed and the number of users assigned to the deployment). You don’t need RDS CALs or Software Assurance, and Microsoft takes care of all of the RDS infrastructure for you. All RemoteApp asks you for is:
In just about every scenario that I’ve been involved with, customers have opted for a RemoteApp deployment that uses Active Directory in conjunction with Azure AD:
And here is the catch: for the above configuration you need to run domain controllers (ideally, at least two) as virtual machines in Azure. Although they can be lightweight machines, they still add cost, and they are hard to justify when the customer asks why they have to run two Active Directories (Azure AD and the domain controllers).
Microsoft realized that many customers are looking to deploy services, new or old, into Azure that rely on Domain Services: Group Policy, LDAP, Kerberos/NTLM authentication, domain join, and so on. These are things that Azure AD on its own simply cannot do, because it is not a domain controller. So Microsoft launched a preview of Azure AD Domain Services, a managed domain that provides many of the services that legacy AD offers. The goal here is to let us have a domain in Azure without deploying our own DCs in Azure (note I said, “in Azure”).
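The check I would run before trusting that managed domain with a RemoteApp deployment is to confirm, from a VM in the same virtual network, that it actually answers the way a domain controller would. The following is an added example and not code from the original post or from Microsoft’s documentation; the domain name is a placeholder for your managed domain’s DNS name, and the SRV record names and ports are the standard Active Directory ones.

```powershell
# Added example (not from the original post): verify from a VM in the virtual
# network where Azure AD Domain Services is enabled that the managed domain
# is reachable and advertises the domain services Azure AD alone cannot offer.
# Assumption: $Domain is your managed domain's DNS name as shown in the portal.
$Domain = 'contoso.onmicrosoft.com'

# 1. The VM must use the managed domain's DNS servers rather than Azure's
#    default resolver, or nothing below will resolve. Show what each NIC uses.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Domain controllers advertise themselves through SRV records; the LDAP and
#    Kerberos locator records are the two that domain join and logon depend on.
$srv = foreach ($svc in '_ldap._tcp.dc._msdcs', '_kerberos._tcp.dc._msdcs') {
    Resolve-DnsName -Name "$svc.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object QueryType -eq 'SRV'
}
$srv | Select-Object Name, NameTarget, Port | Format-Table -AutoSize

# 3. Confirm that TCP reaches each advertised DC on LDAP (389) and Kerberos (88).
#    A failure here usually points at a network security group or the VM sitting
#    in the wrong subnet, not at the managed domain itself.
$targets = $srv | Select-Object -ExpandProperty NameTarget -Unique
foreach ($target in $targets) {
    foreach ($port in 389, 88) {
        $result = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
        '{0}:{1} reachable = {2}' -f $target, $port, $result.TcpTestSucceeded
    }
}

# 4. Once the VM has been joined to the managed domain, the DC locator should
#    return one of the managed DCs and the machine's secure channel should
#    validate against it.
nltest /dsgetdc:$Domain
Test-ComputerSecureChannel -Verbose
```

Run steps 1 to 3 before the domain join and step 4 afterwards; if step 2 returns nothing, fix the virtual network’s DNS settings first, because every later step (and RemoteApp’s own domain join) depends on those SRV records.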
When you deploy Azure AD Domain Services you will:
Before you read any further, remember that Azure AD Domain Services is in preview: there are going to be issues, so be prepared for them. In this solution you will:
Authenticating RemoteApp users with Azure AD Domain Services [Image credit: Microsoft]
There are a few notes from Microsoft:
There are lots more notes from Microsoft for this preview scenario. For example:
This is definitely an interesting design option for those that are considering a deployment in Azure that will have no backwards integration into the on-premises network, such as a complete migration or a DR scenario. It will reduce labour requirements and reduce costs, and those are good things.