Cloud-only Domain Management (Domain Join and Group Policy) in Azure AD Domain Services without VM

MakeItDo 1 Reputation point
2020-10-12T16:35:59.32+00:00

Hello. I'm sorry if I'm missing something, but here goes:
In the overview page of Azure AD Domain Services - https://learn.microsoft.com/en-us/azure/active-directory-domain-services/overview - I see this information:
"Azure Active Directory Domain Services (AD DS) provides managed domain services such as domain join, group policy, LDAP...without the need to deploy, manage, and patch domain controllers (DCs) in the cloud."

But in subsequent tutorials, like this page: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-management-vm
or this page: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy#:~:text=Administer%20Group%20Policy%20in%20an%20Azure%20AD%20Domain,4%20Create%20a%20custom%20Group%20Policy%20Object.%20
it's clearly stated that one of the prerequisites is:
"A Windows Server management VM that is joined to the Azure AD DS managed domain."

What is the point of creating and paying for Azure AD Domain Services if I need to have a Server VM anyway to manage it? That is - why not just create a Server VM and promote it as a domain controller for a more traditional means of management if costs are roughly the same?

Is there something else I'm missing that would make management WITHOUT a server simple (via some other tool)?

Thanks in advance.


1 answer

  1. thgibard-MSFT 356 Reputation points
    2020-10-12T18:03:02.247+00:00

    No, you're not missing anything. Azure AD DS will allow you to create a new Windows Server Active Directory domain. There will be 2 domain controllers generated.
    All the consoles and GPMC will be the same: AD Users & Computers, AD Sites, etc. But yes, if you want to customize GPOs or objects inside your Active Directory domain, since you're not supposed to use the DCs generated automatically, you may need a jump or administration server.

    The choice of using a standard Windows Server Active Directory domain or using Azure AD Domain Services is just up to you. It's always the same question in the cloud: what do you want to manage and/or what do you prefer to be managed by your cloud provider?

    [Image: saas-vs-paas-vs-iaas.png]
