Active Directory, Azure Active Directory and Azure AD Domain Services Explained


In this video I'm going to try to make sense of all the directory options from Microsoft. Hello everyone, my name is Travis and this is Ciraltos. There's a lot of confusion with identity services from Microsoft and Azure. I get it: there are three identity options, all with Active Directory in the name. In this video I'm going to review the different options and give some examples of how each may be used. Hopefully I'll be able to help answer the question: do we still need domain controllers? Before I jump into that, please take a second to subscribe. It's painless and it might even bring you good luck.

I'm going to jump in by outlining the three different directory services that can be somewhat confusing. They are Active Directory Domain Services, Azure Active Directory, and Azure Active Directory Domain Services.

First up is Active Directory Domain Services. I've been calling this Active Directory, or AD, since Server 2000 and I'm not going to stop for this video. Active Directory is an on-premises directory service used by the majority of companies over the past 20-ish years. Here are some characteristics, in no particular order. It's a hierarchical directory. It has an extensible schema. It stores objects such as users, computers, groups and security principals. You can use Group Policy to manage users and devices. It's highly available and multi-master, but that does require multiple servers. It supports Kerberos, LDAP and NTLM for authentication. It's based on standards such as LDAP and DNS, and it requires dedicated domain controllers.

Active Directory has been around for a long time and is well documented. It does require dedicated servers and, relatively speaking, it uses a lot of resources: compute for things like backup, version updates and patching; network resources for replication; and the management of users, groups and sites. From my perspective I can see why some might be interested in an alternative.

Next is Azure Active Directory. If you use an O365 product or Azure, you have Azure AD. It's very different from Active Directory Domain Services, but the two complement each other. While AD supports network-based authentication like Kerberos and NTLM, Azure AD supports web-based authentication such as OAuth and SAML. Here's a list of characteristics. It's a cloud-based identity solution. It's used for Office 365 and Azure user management. It contains users, groups, applications and security principals. It leverages web-based OAuth 2, SAML 2 or OpenID for authentication. It can be managed with a Graph API. It's multi-tenant and it has a flat architecture. It's not extensible, and there are no GPOs. There are four licensing options, Free, Basic, Premium 1 and Premium 2, each one with more features and a higher price as you move along. It's tenant-based and tied to an enrollment.

Let's pause the overview for a minute and go over how these two directory services complement each other. Remember that Active Directory, the on-premises one, uses network authentication like Kerberos and NTLM, and Azure Active Directory is cloud-based and uses OAuth and SAML for accessing cloud-based services like O365. Now, wouldn't it be great if you could synchronize these two somehow, so users and admins didn't have to manage two different identities for services in the cloud and on-premises? Well, let me introduce you to AD Connect. This is a small service that runs on your internal network and replicates IDs and other attributes from Active Directory to Azure Active Directory. It can replicate password hashes, which gives users the same username and password for on-premises AD and Azure AD services. It's capable of more than that, but that's outside the scope of this video.

Let's get back to it with the third Active Directory option, this time Azure Active Directory Domain Services. This is close to the traditional on-premises AD that we all know and love, but hosted in Azure. Here are some characteristics. It's a cloud-based PaaS offering. It supports LDAP, Kerberos and NTLM. It's compatible with Windows Active Directory Domain Services and it integrates with Azure AD. There are no Domain Admin or Enterprise Admin accounts. You cannot extend the schema. You cannot trust other forests or domains, and LDAP is read-only. Azure AD Domain Services uses Azure AD as the source for management, so objects added to and managed from Azure AD are replicated to Azure AD DS.

Now, what happens if we put all three of these services together? In this configuration identities are created in AD, synchronized to Azure AD with AD Connect, and then to Azure Active Directory Domain Services. But why would you do this? Let's say you have an IIS application that doesn't support modern authentication and you want to move it quickly to Azure without having to deploy servers as domain controllers. With this model you can lift and shift the server into Azure without deploying AD servers or relying on a VPN or ExpressRoute connection back to your network.

Here's a breakdown of the services and limitations that I went over. This is not all-inclusive by any means, but it should give you an idea of how these services compare to each other.

So, are domain controllers still needed? I've been in this business for 20 years and I'll give you the qualified answer: it depends. If you're cloud native, with no servers on-premises, and using Azure AD Join along with a mobile device management solution like Intune, you may be able to leverage just Azure AD. If you're cloud native but have third-party applications that require Active Directory, you may be able to get away with Azure AD and Azure AD Domain Services. The sticking point will be having no Domain Admin or Enterprise Admin, which may become hard to work around, especially with third-party applications. For the rest, companies that rely on traditional Active Directory for things like group management, need to extend schemas, and rely on trust relationships, you will be stuck with domain controllers for some time. Azure AD Domain Services can still be leveraged, but it will complement traditional Active Directory, not replace it.

Hopefully this information will help you understand the different directory services offered by Microsoft and how they may be applied to your organization. I hope you found this helpful. Please don't forget to subscribe, and thanks for watching.
