
AVD - Using AAD DS or AD DS

Daniel Greenwood 60 Reputation points
2025-05-21T10:37:33.15+00:00

Hello Team,

I am looking for some clarification. Having conducted some research, I would just like a second opinion. I am not looking for architectural advice, I just need to understand what would be the more suitable solution and some of the downsides of using AD DS without any sort of domain controller.

Here is a summary of the deployment:

  • AVD with one Host pool that may need to be created across multiple regions
  • Golden image with a number of traditional applications alongside O365 apps
  • Fslogix for over 150 profile users
  • Azure Files for storage profiles
  • Group policy for Fslogix deployment
  • Separate tenant for dedicated avd deployment

Now, what I understand is that AD DS has its limitations, and the things I have looked into are the following:

  • Limited Group Policy support
  • Limited administration rights
  • Limitations on features a full DC would provide
  • Potentially pricier than having a small DC VM

So my question is, what would be the specific drawbacks of the above deployment, using AVD with FSLogix and GPOs, for AAD DS compared to AD DS, if there are any at all? Would we need some sort of AD controller for AD DS configuration anyway?

TL;DR: Is it required to have a virtual machine instance of a domain controller to run AVD with profiles and traditional applications, or is everything supported through AD DS?

Tag: Azure Virtual Desktop


Answer accepted by question author

Marcin Policht 87,160 Reputation points MVP Volunteer Moderator
2025-05-21T13:02:28.7566667+00:00

    Your terminology is a bit off. Entra Domain Services is a managed AD deployment in Azure - there are no "Entra ID Domain servers".

    If you want to be able to host Active Directory in Azure, then you can deploy it in one of two ways:

    • Azure VMs hosting Windows Servers that you promote to domain controllers - pretty much the same way you'd do this in Azure
    • Azure VMs hosting Windows Servers that have been promoted to domain controllers by the platform as part of an Entra Domain Services deployment

    If you are referring to the former, then this behaves (for the most part) the same way as your AD environment on-premises (and fully supports all of the technologies you listed). The latter is subject to the limitations outlined earlier in this thread.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    2 people found this answer helpful.

1 additional answer

Mounika Reddy Anumandla 7,135 Reputation points Moderator
2025-05-21T12:12:54.7933333+00:00

    Hi Daniel Greenwood,

    Additional points to consider with AVD, FSLogix, and GPOs using AAD DS:

    • AADDS does support Group Policies. However, there is no GPO replication from on-prem; you must recreate the policies you need in the managed directory service. If you change one on-prem, you must perform the same change in the managed directory. In your FSLogix-heavy setup, this becomes tedious and increases the risk of policy drift, misconfigurations and an inconsistent user experience.
    • There are no capabilities for geo-distributed deployments. Your managed AADDS is limited to the virtual network on which you deployed it. For your multi-region AVD host pool, this is a critical limitation.
    • The replication from your Azure AD tenant to AADDS is a one-way replication. You can work around the single-virtual-network limitation by setting up VPNs and peered virtual networks, but it adds considerably more complexity to your environment.

    As said by Marcin Policht the main drawbacks would be limited Group Policy support and lack of certain features (like app attach) that could impact the usability of your applications, especially traditional ones.

    Do we need a domain controller VM if we want to use AD DS?

    AD DS is not a service; it’s a role you must install and run on Windows Server — which means you need to deploy and manage DC VMs.
    If you want to use Active Directory Domain Services (AD DS) in the traditional sense (i.e., Windows Server Active Directory), you must have at least one domain controller VM running AD DS. The domain controller is essential for providing authentication, authorization, LDAP, Kerberos, and group policy services within your domain environment. Best practices recommend deploying at least two domain controller VMs for high availability, ideally in different availability zones.
    https://learn.microsoft.com/en-us/azure/architecture/example-scenario/identity/adds-extend-domain
    https://techcommunity.microsoft.com/blog/itopstalkblog/what-are-the-differences-between-azure-active-directory-and-azure-active-directo/917392

    Hope it helps!

    Let me know if you have any further queries!

    If the information is helpful, please click "upvote" to let us know.

    1 person found this answer helpful.
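As an added example (not code from the thread or from either answer), the following PowerShell audit checks a session host for the FSLogix policy drift the answer above warns about: it confirms the host is actually domain-joined (AD DS or Entra Domain Services, since a host that is not domain-joined never receives GPO-delivered FSLogix settings), compares the registry values the FSLogix ADMX templates write against an expected baseline, and verifies the Azure Files profile share is reachable. The storage account, share name and the expected values are placeholders for your own baseline.

```powershell
# Added example, not from the thread. Audits an AVD session host for FSLogix
# policy drift. Run in an elevated PowerShell on the session host.
# Expected values are placeholders: replace them with your own baseline.
$Expected = @{
    Enabled                              = 1
    VHDLocations                         = '\\STORAGEACCOUNT.file.core.windows.net\SHARE'  # placeholder
    DeleteLocalProfileWhenVHDShouldApply = 1
}
$Key = 'HKLM:\SOFTWARE\FSLogix\Profiles'   # where the FSLogix ADMX templates write their settings

# A host that is only workgroup/Entra-joined cannot receive these settings via Group Policy
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning "Host is not domain-joined (workgroup '$($cs.Domain)'); GPO-delivered FSLogix settings will never arrive."
} else {
    Write-Host "Domain-joined to $($cs.Domain)"
}

if (-not (Test-Path $Key)) {
    Write-Warning "$Key is missing: FSLogix is not installed or the GPO has not applied yet (try gpupdate /force)."
    return
}

$drift = @()
foreach ($name in $Expected.Keys) {
    $actual = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
    # VHDLocations may be REG_MULTI_SZ; join multi-value entries before comparing
    if ($actual -is [array]) { $actual = $actual -join ';' }
    if ($null -eq $actual) {
        $drift += "$name is not set (expected '$($Expected[$name])')"
    } elseif ("$actual" -ne "$($Expected[$name])") {
        $drift += "$name is '$actual' (expected '$($Expected[$name])')"
    }
}

# The profile share must be reachable with the host's domain identity before users sign in
$share = $Expected.VHDLocations
if (-not (Test-Path -Path $share)) {
    $drift += "Profile share $share is not reachable from this host (check SMB/identity configuration on Azure Files)"
}

if ($drift.Count -eq 0) {
    Write-Host 'No FSLogix policy drift detected.' -ForegroundColor Green
} else {
    Write-Warning ("Drift detected on {0}:`n - {1}" -f $env:COMPUTERNAME, ($drift -join "`n - "))
    exit 1
}
```

Running this from a scheduled task across the host pool and alerting on a non-zero exit code gives you the drift detection the answer says a managed directory makes harder to guarantee by policy alone.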
