By Rajat Bhargava Posted February 1, 2017
Microsoft is pushing hard on Azure Active Directory Domain Services, its managed domain service in Azure. It exists to give Azure-hosted systems the pieces a domain normally provides (domain join, LDAP, Kerberos/NTLM authentication, and Group Policy) without you running domain controller VMs yourself. This makes some sense because many of Microsoft’s solutions require, or work better with, a local domain controller and Active Directory instance.
Unfortunately, though, you now have two domains: the managed domain for your Azure infrastructure and your existing Active Directory domain for on-prem infrastructure, with no replication between them.
Managing User Access to IT Resources
We are often asked whether you even need domain controllers anymore. With Directory-as-a-Service®, there is a different approach to managing user access to the various IT resources an organization uses. Many of these resources are hosted in the cloud, others are on-prem, and WiFi access has to be tied to a user identity rather than to a wired port on the corporate network. The IT environment is dramatically different than it once was, and that is sparking a new approach to identity management.
Here’s some more information on Azure AD Domain Services and how it relates to Active Directory and on-prem domain services from a Spiceworks thread:
“Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD. It actually provides many more capabilities in a different way.
“That’s why there is no actual “migration” path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OUs, etc.
“As you can see here Azure Active Directory is an identity and access management solution for hybrid or cloud-only implementations. It can extend the reach of your on-premises identities to any SaaS application hosted in any cloud. It can provide secure remote access to on-premises applications that you want to publish to external users. It can be the center of your cross-organization collaboration by providing access for your partners to your resources. It provides identity management to your consumer-facing application by using social identity providers. Cloud app discovery, Multi-Factor Authentication, protection of your identities in the cloud, reporting of Sign-ins from possibly infected devices, leaked credentials report, user behavioral analysis are a few additional things that we couldn’t even imagine with the traditional Active Directory on-premises.
“Even the recently announced Azure Active Directory Domain Services are not a usual DC as a service that you could use to replicate your existing Active Directory implementation to the cloud. It is a stand-alone service that can offer domain services to your Azure VMs and your directory-aware applications if you decide to move them to Azure infrastructure services. But with no replication to any other on-premises or cloud (in a VM) domain controller.
“If you want to migrate your domain controllers to the cloud to use them for traditional tasks, you could deploy domain controllers in Azure Virtual Machines and replicate via VPN.
“So to conclude, if you would like to extend the reach of your identities to the cloud you can start by synchronizing your Active Directory to Azure AD.”
If you go down the path of AD plus Azure AD, you are essentially running two domain infrastructures, with many of your other resources living outside of either domain. For instance, your AWS, G Suite, Google Cloud, and other platforms will be outside of the internal domain. This is leading many IT admins to think hard about whether the concept of the domain is relevant anymore.
JumpCloud® Provides Alternative to the Cloud Domain Controller
The alternative to the cloud (or on-prem) domain controller is Directory-as-a-Service. There is no domain to create with this centralized identity provider. Users authenticate to IT resources through whichever protocol each resource speaks: native OS authentication, LDAP, RADIUS, SAML, SSH keys, and others. Linux or Windows cloud servers at any Infrastructure-as-a-Service provider can be connected to the central directory service. Cloud and on-prem apps are connected to the same user identities, and access to WiFi and network infrastructure is controlled by Directory-as-a-Service through RADIUS. Because the directory speaks to each resource directly, there is no reason for a domain controller, on-prem or in the cloud. The trade-off to understand is that domain-only features such as Group Policy and Kerberos ticket-based single sign-on are not carried over; the directory has to cover those needs with its own policy and credential management.
If you would like to learn more about an alternative to the domain controller, drop us a note. You can also give Directory-as-a-Service a try; your first 10 users are free forever.