![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 1%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELL%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 57.00000000000001%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hello Lisa ,
Please find the answers. Azure AD domain services is a managed Active Directory instance with the main goal to provide Legacy authentication capabilities (for legacy apps which use Kerberos , NTLM) in the cloud so that anyone who would like to completely migrate to Azure and remove on-premise active directory could life and shift the on-prem application servers as is , and have the benefits of legacy auth protocols in the cloud. So as for your answer , please find the below.
- Does Azure Active Directory Domain Services (AADDS) support custom schema extensions
- No , It does not support custom schema extensions. Extending schema is not a permitted operation on the AAD Domain Services instance.
- Would you describe AADDS as a globally shared AD Forest with a managed domain for my org?
- Not exactly . Each instance is unique to one customer and part of a larger globally shared AD in the backend. Whenever you enable Azure AD domain services, a new restricted Domain Controller for the domain name you have provided during initial configuration , is created. The difference from on-premise AD is that you do not get complete flexibility to change and modify the domain controller settings as you would be able to do in your on-prem Domain controller. This is because it was never created for making it a feature-by-feature replacement for on-premise AD. If you require completely similar control in the cloud then we suggest you to create Azure VMs and promote them to domain controllers . You may have to setup a site-to-site VPN for the same between your on-prem location and the Azure using Azure gateway / Azure VPN.
Hope this clarifies your queries. I have added some links to my answer , please check the same. Also I would encourage you to go through the complete FAQ for the Azure AD domain Services and I am sure a lot of your queries could get answered automatically. In case the above information in the post helps you , please do mark it as answer so that it can help others in the community searching for same answers.
Thank you.