numerous options for customers to encrypt their data so that access by Microsoft is
not possible. When the domain controller in Microsoft Azure is configured, take care
that endpoints that are not required are not exposed and that firewall services and
monitoring are in place. These are the same steps you would take for an on-premises
domain controller, but in Microsoft Azure you must also check whether any endpoints
defined for the virtual machine are directly reachable from the Internet. No domain
controller port (DNS, Kerberos, RPC, LDAP, SMB, or RDP) should ever be exposed to the
Internet; cross-premises directory traffic belongs on the VPN gateway only.
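The exposure check described above, as an added PowerShell example (not the book's own script): it walks the network security groups in one resource group and reports any inbound Allow rule that lets an Internet source reach a port a domain controller listens on. It assumes the Az.Network module, an authenticated session (Connect-AzAccount), and a hypothetical resource group name; on the classic deployment model the equivalent check is to list each VM's public endpoints with Get-AzureEndpoint.

```powershell
# Added example, not the book's own script. Audits the network security groups
# in one resource group for inbound Allow rules that let Internet sources reach
# ports a domain controller listens on. Assumes the Az.Network module and an
# authenticated session (Connect-AzAccount); the resource group name is hypothetical.
$ResourceGroup = 'rg-ad-azure'

# Ports a DC serves that must never be reachable from the Internet.
$DcPorts = 53, 88, 135, 139, 389, 445, 464, 636, 3268, 3269, 3389, 5985, 5986

# Source prefixes that mean "anyone".
$InternetSources = '*', 'Internet', '0.0.0.0/0'

function Test-PortInRange {
    param([int]$Port, [string]$Range)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ([int]$Range -eq $Port)
}

function Find-ExposedDcPorts {
    param([string]$ResourceGroupName)
    foreach ($nsg in Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName) {
        # Only custom rules are examined; the platform's default inbound rules
        # allow VirtualNetwork and AzureLoadBalancer sources, not Internet.
        $inboundAllow = $nsg.SecurityRules |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' }
        foreach ($rule in $inboundAllow) {
            $sources = @($rule.SourceAddressPrefix)
            if (-not ($sources | Where-Object { $InternetSources -contains $_ })) { continue }

            $ranges  = @($rule.DestinationPortRange)
            $exposed = $DcPorts | Where-Object {
                $port = $_
                $ranges | Where-Object { Test-PortInRange -Port $port -Range $_ }
            }
            if ($exposed) {
                [pscustomobject]@{
                    Nsg          = $nsg.Name
                    Rule         = $rule.Name
                    Priority     = $rule.Priority
                    Sources      = $sources -join ','
                    ExposedPorts = $exposed -join ','
                }
            }
        }
    }
}

# A higher-priority (lower number) Deny rule could still block a listed port,
# so treat hits as findings to confirm, not as proven exposure.
Find-ExposedDcPorts -ResourceGroupName $ResourceGroup | Format-Table -AutoSize
```

Run it after every change to the domain controllers' NSG or subnet, and pair it with the VM-level firewall, since an NSG rule is only one of the two places an unwanted port can be opened.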
Most likely, the domain controller would also be a global catalog, or at least one of
them would be if you place multiple domain controllers in Microsoft Azure. For a small
number of domain-joined machines in Microsoft Azure, authentication and other
directory service traffic can be served by the on-premises domain controllers over
the VPN gateway. However, as the number of domain-joined Microsoft Azure resources
grows, the added latency and the dependency on the cross-premises link make a local
domain controller necessary.
Companies often consider using a read-only domain controller (RODC) in Microsoft
Azure because an RODC caches credentials only for the accounts permitted by its
Password Replication Policy, holds a read-only copy of the directory, and replicates
inbound only, so a compromised RODC can neither push changes into the directory nor
give up the secrets of accounts it was never allowed to cache. The decision depends on
which services are running in Microsoft Azure and whether they work with an RODC:
applications that write to the directory are referred to a writable domain controller,
and some fail outright if they cannot reach one. If a service does not work with RODCs,
there is no point in placing an RODC in Microsoft Azure; you will need a regular
(writable) domain controller or will need to accept that the Active Directory traffic
will traverse cross-premises. Another option is to create a child domain for Microsoft
Azure, remembering that the forest, not the domain, is the security boundary, so a
child domain does not isolate the rest of the forest from a compromised Azure domain
controller.
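The RODC approach above, worked through as an added PowerShell example (not the book's own script): it creates an AD site for the Azure subnet so domain-joined VMs in Azure prefer the local domain controller, promotes the Azure VM as an RODC with a Password Replication Policy limited to a group of Azure workload accounts, then audits which secrets the RODC actually holds and confirms that a writable domain controller is still reachable across the VPN for the writes an RODC refers. The domain contoso.com, the site, group and credential names, the subnet 10.0.1.0/24, and the RODC name AZ-RODC1 are all assumptions.

```powershell
# Added example, not the book's own script. Assumes a domain 'contoso.com', an
# Azure subnet 10.0.1.0/24 for the DCs, a group 'AzureServiceAccounts' holding
# the service and computer accounts that run in Azure, and an RODC named
# AZ-RODC1. All names are hypothetical. Steps 1, 3 and 4 run from an admin
# workstation with RSAT; step 2 runs on the Azure VM being promoted.
Import-Module ActiveDirectory

# 1. Give the Azure network its own AD site and subnet, so domain-joined VMs in
#    Azure locate the Azure DC instead of crossing the VPN to on-premises.
New-ADReplicationSite -Name 'Azure-WestEurope'
New-ADReplicationSubnet -Name '10.0.1.0/24' -Site 'Azure-WestEurope'
New-ADReplicationSiteLink -Name 'OnPrem-Azure' `
    -SitesIncluded 'Default-First-Site-Name', 'Azure-WestEurope' `
    -Cost 100 -ReplicationFrequencyInMinutes 15

# 2. Promote the Azure VM as an RODC in that site (after
#    Install-WindowsFeature AD-Domain-Services). Only members of
#    AzureServiceAccounts may have their secrets cached; the privileged groups
#    are denied explicitly on top of the built-in denied list.
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -DomainName 'contoso.com' `
    -ReadOnlyReplica `
    -SiteName 'Azure-WestEurope' `
    -InstallDns `
    -AllowPasswordReplicationAccounts @('CONTOSO\AzureServiceAccounts') `
    -DenyPasswordReplicationAccounts @('CONTOSO\Domain Admins',
                                       'CONTOSO\Enterprise Admins',
                                       'CONTOSO\Schema Admins') `
    -DelegatedAdministratorAccountName 'CONTOSO\AzureRodcAdmins' `
    -Credential (Get-Credential 'CONTOSO\dcpromo-admin')

# 3. Audit: what does the policy allow, and whose secrets are on the RODC right
#    now? The revealed list is exactly what an attacker gets from a stolen VM.
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'AZ-RODC1' -Allowed |
    Select-Object Name, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity 'AZ-RODC1' -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass

# 4. Writes made through an RODC are referred to a writable DC; confirm one is
#    reachable from the Azure site, otherwise RODC-incompatible services fail.
Get-ADDomainController -Discover -SiteName 'Azure-WestEurope' -Writable -ForceDiscover |
    Select-Object HostName, Site, IsReadOnly
```

Re-run step 3 periodically: the revealed-accounts list grows as accounts authenticate against the RODC, and an unexpected entry (a Domain Admin logging on to an Azure server, for example) is the signal that the policy or the operational practice needs correcting.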
Once a domain controller is running in Microsoft Azure and is configured as a DNS
server, the virtual network can be modified to use the Microsoft Azure domain
controller(s) as its primary DNS server. Remember not to deprovision (stop and
deallocate) the domain controller(s), because a deallocated VM can be given a
different IP address when it is started again, which silently breaks the virtual
network's DNS configuration and every client pointing at it. Using a small, separate
subnet just for domain controllers alleviates this problem by reducing the possible IP
addresses that can be allocated to those domain controllers and stopping other VMs
from taking those addresses; where your deployment model allows a reserved static
private IP address for a VM, reserve one for each domain controller as well.
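The DNS change above made concrete, as an added PowerShell example (not the book's own script) for the Resource Manager deployment model with the Az module: it pins the domain controller's private IP to a static allocation so a stop/deallocate cannot change it, sets the virtual network's DNS servers to the Azure DC with the on-premises DC as fallback, and verifies from a domain-joined VM that the Azure DC is the one the locator returns. The resource group, VNet, NIC, site and domain names and the addresses 10.0.1.4 and 192.168.10.4 are assumptions; on the classic deployment model the equivalent pin is Set-AzureStaticVNetIP. The same verification applies to an Azure AD Domain Services managed domain once the VNet DNS points at its addresses.

```powershell
# Added example, not the book's own script. Assumes Resource Manager resources
# managed with the Az module: resource group 'rg-ad-azure', VNet 'vnet-azure',
# a DC VM whose NIC is 'az-dc1-nic' and whose address is 10.0.1.4, an
# on-premises DC at 192.168.10.4, AD site 'Azure-WestEurope', and domain
# 'contoso.com'. All names and addresses are hypothetical.
$rg       = 'rg-ad-azure'
$dcIp     = '10.0.1.4'
$onPremDc = '192.168.10.4'

# 1. Pin the DC's private address so a stop/deallocate cannot change it.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'az-dc1-nic'
$nic.IpConfigurations[0].PrivateIpAllocationMethod = 'Static'
$nic.IpConfigurations[0].PrivateIpAddress = $dcIp
$nic | Set-AzNetworkInterface | Out-Null

# 2. Point the whole virtual network at the Azure DC for DNS, with the
#    on-premises DC second so resolution survives a reboot of the Azure DC.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-azure'
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = @($dcIp, $onPremDc)
$vnet | Set-AzVirtualNetwork | Out-Null
# Existing VMs pick up the new servers on their next DHCP renewal or reboot.

# 3. Verify from a domain-joined VM in Azure: the Azure DC answers the SRV
#    lookup for its own site, and the DC locator returns it rather than an
#    on-premises DC across the VPN.
Resolve-DnsName -Server $dcIp -Type SRV `
    -Name '_ldap._tcp.Azure-WestEurope._sites.dc._msdcs.contoso.com'
nltest /dsgetdc:contoso.com /site:Azure-WestEurope
```

Set the static address in Azure, not inside the guest operating system: the VM's Windows network adapter should stay on DHCP, because the Azure fabric hands out the reserved address over DHCP and a static configuration inside the guest can leave the VM unreachable.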
If an organization wishes to run services in Microsoft Azure that require Active
Directory but does not have Active Directory available in Microsoft Azure, there is
another option: Azure AD Domain Services. Azure AD is primarily an identity solution
that enables single sign-on across many cloud services, with multifactor
authentication, machine-learning-backed reporting, and more built in, but it is not a
traditional directory service that machines can be joined to and have policy applied,
as standard Active Directory is. Azure AD Domain Services is a feature that can be
enabled on an Azure AD instance and provides a managed domain that emulates a
traditional Active Directory. VMs running on a virtual network whose DNS configuration
points at the Azure AD Domain Services addresses can "join" that managed domain, have
Group Policy applied, and authenticate using Kerberos and NTLM, which Azure AD on its
own does not offer. Services that need AD can then run in Azure by using Azure AD and
avoid the cost and management of standing up regular domain controllers. The managed
domain is operated by Microsoft: you do not receive Domain Admins or Enterprise Admins
rights, you cannot extend the schema, and administration is delegated through a
management group, so check that the service you intend to run fits within those
limits. Note that if you already have an AD instance, it is generally better to extend
that into Azure; think of Azure AD Domain Services as the option for when no such AD
is available.