Azure AD Domain Services Preview
In this episode of the Azure AD and Identity Show, your host, Simon May, talks to Mahesh Unnikrishnan of the Identity Division about Azure AD Domain Services and how your organization can easily enable domain services capabilities, such as domain join, for Azure IaaS VMs without having to build and manage Windows Domain Controllers in Azure IaaS.
Azure Active Directory Domain Services provides scalable, high-performance, managed domain services such as domain-join, LDAP, Kerberos, Windows Integrated Authentication and Group Policy support. With a click of a button, administrators can enable managed domain services for virtual machines and directory-aware applications deployed in Azure Infrastructure Services. By maintaining compatibility with Windows Server Active Directory, Azure AD Domain Services provides an easy way to migrate traditional on-premises applications to the cloud. For more information, see Azure Active Directory Domain Services.
[00:21] Simon: Hello and welcome to the Azure Active Directory and Identity Show. My name is Simon May and I'm your host taking you through all things new inside of Identity. Joining me for this show is Mahesh Unnikrishnan and we're going to be talking about something really new - Azure Active Directory Domain Services.
[00:41] Mahesh: Yes, this is the first time we get to talk about it - really excited about talking about the service.
[00:46] Simon: So what is Domain Services and what have you built it to do?
[00:51] Mahesh: Sure, so we have a lot of customers today who are sort of moving workloads up into the cloud, and these workloads have been written over the course of the past decade or so, and they have a lot of ties to their identity infrastructure so they might even use LDAP, Kerberos, NTLM authentication.
[01:07] They might use Group Policy to manage the machines these apps run on. So when people actually take these applications, try to move them to the cloud, one thing that's missing is the identity ties to that application.
[01:20] So when we talk to customers we found that most of them were trying to set up VPN connections from the cloud back to their on-premises directory or spin up VMs up in the cloud - make those be their domain controllers and so on. So what we're trying to do with this service is provide a much simpler alternative.
[01:36] So if you're moving workloads from the cloud in Azure IaaS, we're trying to build a service that makes it very, very easy for you to handle those identity needs for your app.
[01:44] Simon: So kind of what I'm hearing is that we're trying to take away a lot of the pain of actually being able to move into a cloud-based identity model, actually take away all of the difficulty of moving the VMs up into IaaS and make it generally much easier for the IT guy to actually make the stuff work.
[02:02] Mahesh: That's absolutely right. With Azure AD we've done a lot of work for SaaS applications. If you essentially look at the ways in which people move their applications to the cloud, you have a whole category of applications where it's really simple to switch to a SaaS-based app. A great example of that is Office 365.
[02:19] With Azure AD being the backing directory for that, we do a whole lot of work to make it really simple to deploy Office 365, to manage it, to get conditional access control to it and so on. So that's really good and that's a category of apps that people can essentially simply switch out with SaaS applications.
[02:36] Then there's this other category of applications where you can actually rewrite your authorization or your authentication stack and for that we essentially built newer protocols in Azure AD, OpenID Connect, OAuth and so on.
[02:48] So if you've got the source code for your application and you really want to rewrite your auth stack, it makes it much simpler to move it into the cloud. You can use the PaaS infrastructure in Azure to move those applications up into the cloud.
[02:59] But what's really interesting is this third category of applications, what we call the lift-and-shift kind of applications. So you've got apps that somebody wrote for you maybe ten years ago but you don't have the source code to them.
[03:11] Simon: I used to manage those kinds of applications.
[03:13] Mahesh: Never fun. So with those applications, many a time you don't even know what the needs of that app are, like does it rely on schema extensions, does it rely on custom things in your directory, do you need Group Policy to manage those machines, does it do LDAP authentication or LDAP binds and so on.
[03:29] We're really targeting the service at that category of applications. So we hope to make it really simple to move those applications to Azure IaaS.
[03:37] Simon: Cool. So in terms of the service itself, how does it kind of fit together? What's actually the component that's in the cloud? What's the components that sit on-prem?
[03:46] Mahesh: Sure, so let's imagine that you're an Azure AD tenant, right, and a lot of customers are moving their applications to the cloud. They're using SaaS apps and so as part of that they have their Azure AD tenancy. We've two categories of customers typically.
[04:00] The purely cloud customers, everything is up in the cloud, you simply have a cloud-only Azure AD tenant. So for those customers it's as simple as turning on a couple of check boxes. You say enable Domain Services, you pick a virtual network in Azure and then we project Domain Services onto that VNet.
[04:16] From that point onwards any VM in that VNet can use Domain Services. You can do Domain Join, LDAP authentication, Kerberos, NTLM, all that stuff.
[04:26] If you're the second category of customer which essentially syncs their data from on-premises to the cloud, you use what's called Azure AD Connect and that's a tool that went generally available a few months ago.
[04:36] So with Azure AD Connect, what happens is that you've got all of your users, your groups, your passwords, all of that being synchronized up into Azure AD. With Domain Services, we simply use what's available in your Azure AD tenant so you do not need to set up any separate synchronization channel.
[04:51] You simply use what's in your Azure AD tenant. What that means is all of your users, their credentials, the group memberships, everything that you defined on-premises, is now available up in the cloud in Azure AD Domain Services. It's a very simple model. All you do is pick the virtual network in which you'd like to have Domain Services be enabled.
[05:08] From that point onwards you do not need to manage. You can let us handle that domain control for you.
[05:13] Simon: That's pretty interesting kind of words you just used there as well, "project the services." It means that from what kind of picking up that there's no need to go in and actually deploy a domain controller IaaS VM onto that VNet anymore. You just literally are going to push, essentially, as you say, "project" the directory into that.
[05:30] So it takes away all of that kind of infrastructure as well.
[05:33] Mahesh: Absolutely. We really don't want people to be worried about dealing with domain controllers, managing them, patching them, worrying about replication schema updates and so on. We want to offer it more as a service.
[05:44] So from that perspective we take everything that's available in your Azure AD directory and we make it available on that VNet so any virtual machine that's on that VNet can now do LDAP, it can do NTLM, Kerberos, and Windows Integrated Auth and so on.
[05:58] Simon: That includes being able to domain join the IaaS virtual machines as well and that's kind of, I guess, one of the most cool things that you probably want to do with the service. So can we take a look at it?
[06:11] Mahesh: Oh yeah sure. Let's quickly switch to a demo. So here I've got my Azure AD tenant. I've actually got four directories here, it's really just to show you the demo. So let's pick my demo directory here and you'll find that I've got a couple of user accounts. I've got Bob Admin who's the admin for this tenant. I've got another user as well.
[06:34] If I navigate to the groups tab we'll see that I've created a group called AAD DC Administrators. So this is a special group that gives users who are a part of this group administrative rights on their domain.
[06:44] Now it's not the full-fledged domain admin enterprise admin privileges that you are used to on-premises but it allows you to do things like joining machines to the domain, managing Group Policy for the domain and so on. So for people who are used to Windows Server AD and all of its capabilities, it's a slightly different mindset.
[07:00] It's a service mindset where all the infrastructure pieces are taken care of by us and you simply have to worry about adding your machines, moving your workloads up into the cloud, joining them to the domain and so on.
[07:12] So what's new is that you essentially navigate to the configure tab of this directory and when that finishes loading you see a section for domain services. Now this is essentially how you turn on domain services. You simply toggle this to yes, you select the domain name.
[07:29] By default it'll show you the default domain name of your directory but you could create a custom domain name so you could say something like tailspindemo.local for those who care about non-routable [inaudible] suffixes.
[07:40] So here you can simply create the exact same domain name that you have on-premises so it becomes a lot easier if the app has assumptions about domain names and so on. Once I've done that, the next step is to essentially pick a virtual network.
[07:53] So here I'm going to pick my demo VNet and you typically pick a VNet in a region that you'd actually like to deploy your workloads. So Azure AD Domain Services is available in many regions in the U.S. We're soon going to be adding support for Europe and we also have support for Southeast Asia as well.
[08:08] So you simply pick a VNet in the region that you would like to enable domain services and you hit Save. From this point onwards it takes about twenty minutes for us to provision Domain Services and to make it available inside your VNet. When that is done, you'll notice the IP addresses of domain controllers show up right here.
[08:25] So maybe I could just switch to a directory that has this setup already and you'll notice that here Domain Service is enabled, we've created a domain called contoso.local, we're projecting it into a virtual network called My Preview VNet and you'll also see two IP addresses here.
[08:41] So the other important point to note is that we also provide domain services within that domain so you can pick these IP addresses, pull back to your VNet and set those as the DNS servers for that VNet.
[08:53] Simon: Oh cool okay so...
[08:54] Mahesh: From that point onwards all machines can see each other, they can see the domain and so on because all DNS is handled by the domain.
[08:59] Simon: So exactly like you would normally have in an on-prem situation, we're actually doing exactly the same thing for you inside of your Azure VNet.
[09:05] Mahesh: That's right.
[09:06] Simon: That's pretty awesome that we've built that in there as well. I didn't kind of appreciate that we had that as well.
[09:10] Mahesh: Yeah, DNS tends to be very closely tied to AD so we really have to have a good solution for that.
[09:14] Simon: Yeah, definitely needs to be there. Cool.
[09:17] Mahesh: So that's about it. I mean it takes a while for your users, your groups and your passwords to sync in but the setup experience is extremely simple. If you've been through the DCPromo experience on-prem, it's a lot simpler than that. We're trying to really make it just a service thing where you do a couple of clicks and you're up and running.
[09:31] Simon: Excellent. It seems like we've got a really good piece of technology that you've built here that these folks can actually take and use in order to start understanding a little bit more. The service has just gone into public preview so go ahead, go inside of the Azure portal, go and try it out.
[09:48] Mahesh: Absolutely.
[09:49] Simon: Build a couple of Azure IaaS VMs, start to use Domain Services in order to be able to join those machines up and start to experience it.
[09:57] Then don't forget of course to give feedback into the UserVoice channel for Azure Active Directory as well, really critically important, especially while we're in preview, to make sure that we get lots of good, useful information back from you guys so that these services can be built to do even more for you.
[10:14] Kind of wraps us up. Thank you very much for watching and come back for the next Azure AD and Identity Show.
[10:20] Mahesh: Thanks, Simon.