Hello anonymous userC-0496,
Thank you for posting here.
Here are the answers for your references.
Q1: I know we will need to use AD Sites and Services to separate out the various subnets so clients know which DC is closest, but I cannot find much else about what we need to do.
A1: When we promote a DC, we select the site in which to place that DC.
Each subnet is linked to one specific site (site1); if a client belongs to that subnet, the client will select a DC in site1 to authenticate against.
Only if the DCs in site1 are unavailable will the client look for a DC in another site to authenticate against.
For more information about sites, subnets and clients, we can refer to the links below (especially the first link, which is a good article to read).
Using Catch-All Subnets in Active Directory
https://learn.microsoft.com/en-us/previous-versions/technet-magazine/dd797576(v=msdn.10)?redirectedfrom=MSDN
How to Create an Active Directory Subnet/Site with /32 or /128 and Why
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-create-an-active-directory-subnet-site-with-32-or-128-and/ba-p/256105
Q2: In particular, what ports need to be allowed from our on-premises clients to our cloud-based domain controllers in the event of an on-premises domain controller being unavailable?
A2: For the port requirements of on-premises AD, we can refer to the following links.
Active Directory and Active Directory Domain Services Port Requirements
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)?redirectedfrom=MSDN
Active Directory Replication over Firewalls
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727063(v=technet.10)?redirectedfrom=MSDN
Q3: Do we need to allow all traffic from our on-premises networks to reach our Azure-based AD servers, or etc.?
A3: See A2.
Hope the information above is helpful. If anything is unclear, please feel free to let us know.
Best Regards,
Daisy Zhou
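The following PowerShell is an added example, not part of the answer above and not Microsoft's own script. It does the two things the answer describes: it creates one on-premises site and one Azure site with their subnets and a site link (A1), and then, from a client, reports which site and DC the locator picked and probes the client-to-DC TCP ports listed in the "Active Directory and Active Directory Domain Services Port Requirements" article linked in A2. The site names, subnet ranges, DC host names and site-link cost/interval are assumptions for illustration.

```powershell
# Added example (not from the original answer). Site names, subnets, DC names,
# and site-link cost/interval are assumptions chosen for illustration.
Import-Module ActiveDirectory

# --- 1. Sites and subnets (run once, as a Domain/Enterprise Admin) -----------
# A client whose IP falls in a subnet listed here is steered to DCs in that site.
$sites = @{
    'OnPrem-HQ'  = @('10.10.0.0/16')                    # assumed on-prem ranges
    'Azure-West' = @('10.200.0.0/24', '10.200.1.0/24')  # assumed Azure VNet subnets
}
foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($cidr in $sites[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $site
        }
    }
}
# Site link between the two sites so that they replicate with each other.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'OnPrem-Azure'")) {
    New-ADReplicationSiteLink -Name 'OnPrem-Azure' `
        -SitesIncluded 'OnPrem-HQ', 'Azure-West' `
        -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
}

# --- 2. From a client: which site did it land in, and which DC did it pick? ---
function Get-ClientSiteInfo {
    $site = (nltest /dsgetsite 2>$null | Select-Object -First 1).Trim()
    # -NextClosestSite mirrors the failover behaviour described in A1.
    $dc = Get-ADDomainController -Discover -NextClosestSite
    [pscustomobject]@{
        ClientSite = $site
        ChosenDC   = $dc.HostName[0]
        DCSite     = $dc.Site
    }
}

# --- 3. Client -> DC port check ----------------------------------------------
# TCP ports a domain member needs to reach a DC, per the linked port
# requirements article. Test-NetConnection only probes TCP, so UDP 53/88/123/389
# and the RPC dynamic range (TCP 49152-65535 on 2008+) must be verified in the
# firewall/NSG rules themselves.
$clientToDcPorts = @(
    @{ Port = 53;   Service = 'DNS' }
    @{ Port = 88;   Service = 'Kerberos' }
    @{ Port = 135;  Service = 'RPC endpoint mapper' }
    @{ Port = 389;  Service = 'LDAP' }
    @{ Port = 445;  Service = 'SMB (SYSVOL/NETLOGON, Group Policy)' }
    @{ Port = 464;  Service = 'Kerberos password change' }
    @{ Port = 636;  Service = 'LDAPS' }
    @{ Port = 3268; Service = 'Global Catalog LDAP' }
    @{ Port = 3269; Service = 'Global Catalog LDAPS' }
)
function Test-DcPorts {
    param([Parameter(Mandatory)][string[]]$DomainController)
    foreach ($dc in $DomainController) {
        foreach ($p in $clientToDcPorts) {
            $r = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                DC      = $dc
                Port    = $p.Port
                Service = $p.Service
                Open    = $r.TcpTestSucceeded
            }
        }
    }
}

Get-ClientSiteInfo
# Assumed Azure DC names; show only the ports that are blocked from this client.
Test-DcPorts -DomainController 'AZDC01.corp.example.com', 'AZDC02.corp.example.com' |
    Where-Object { -not $_.Open } | Format-Table -AutoSize
```

Run part 1 from a machine with the RSAT AD module as a Domain Admin, and parts 2 and 3 from an on-premises client. If the on-premises DCs are taken offline for a test, Get-ClientSiteInfo should then show a DC in Azure-West, and Test-DcPorts should return no blocked rows; any row it does return is a port the on-premises firewall or Azure NSG still needs to allow before the failover in Q2 will work.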