No DCs on premises

Luis Olias 181 Reputation points


I am a newcomer to Azure, so I don't know if this basic question will be allowed:

Imagine I have a small business but I don't want any datacenters, but I do want Active Directory.

So, as far as I am reading , if I want this scenario, I should go for "Azure Active Directory Domain Services" .

So , all the DCs would be in the cloud.

Also, my on-premises Windows 10 devices couldn't get any GPOs, nor authenticate against those DCs , could they ?

That is what I can't grasp.

From what I am reading, the devices should be placed as VMs in Azure, so my personnel would log in to their on-premises Windows 10 machines, but then open a RDP session to their machines in the cloud ?

I am sorry if this is too basic, I can't understand it.

Thanks in advance.

Microsoft Entra
0 comments No comments
{count} votes

Accepted answer
  1. Sam Cogan 10,342 Reputation points MVP

    The first thing you need to do is understand what capabilities of AD you actually need. If you just need domain join, then you can use AAD Domain Join for Win 10 machines. If you need device management, like GPO, then you can look at adding InTune to that, and so on. It may be that you don't need full AD at all.

    If you decide you do need full AD then think carefully about AAD DS. Whilst this can provide domain controllers as a PaaS service, it wasn't designed to replace your on-prem domain controllers. It has a number of limitations, some of which I talk about here, so you need to make sure you are OK with those. You will also need a persistent, VPN or Express Route connection to the Azure vNet that hosts AAD DS to be able to service you machines.

    To answer your specific questions, yes you can authenticate your machines against AAD DS and use group policy.

    You could also consider running IaaS VMs as domain controllers.

    5 people found this answer helpful.
    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Ville Laitinen 1 Reputation point

    Azure AD and AD DS are entirely different beasts, whereas Azure AD DS is a subset of AD DS.

    As for your scenario:

    Also, my on-premises Windows 10 devices couldn't get any GPOs, nor authenticate against those DCs , could they ?

    GPOs depend on domain join & joining devices to Azure AD DS follows standard domain join prerequisites. In other words: if you have private network connectivity, compatible device and permission you should be able to complete join for the Windows 10 devices successfully.

    Authentication does not requires domain join. But depending on method it might require private network connectivity. LDAPS, for example, is supported over internet.

    Some useful links:

    0 comments No comments

  2. Luis Olias 181 Reputation points

    Many thanks to both of you for your kind and insightful replies!

    0 comments No comments