Azure Active Directory Domain Services

  • Author: Ronald Fung

  • Creation Date: May 9, 2023

  • Next Modified Date: May 9, 2024


A. Introduction

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, lightweight directory access protocol (LDAP), and Kerberos/NTLM authentication. You use these domain services without the need to deploy, manage, and patch domain controllers (DCs) in the cloud.

An Azure AD DS managed domain lets you run legacy applications in the cloud that can’t use modern authentication methods, or where you don’t want directory lookups to always go back to an on-premises AD DS environment. You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud.

Azure AD DS integrates with your existing Azure AD tenant. This integration lets users sign in to services and applications connected to the managed domain using their existing credentials. You can also use existing groups and user accounts to secure access to resources. These features provide a smoother lift-and-shift of on-premises resources to Azure.


B. How is it used at Seagen

As a biopharma research company using Microsoft Azure, you can use Azure Active Directory Domain Services (Azure AD DS) to provide managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication. Here are some ways you can use Azure AD DS:

  1. Domain join: Azure AD DS allows you to join your virtual machines to a managed domain. This can help you to manage your virtual machines using group policy and other domain services.

  2. Group policy: Azure AD DS allows you to use group policy to manage the configuration of your virtual machines. You can define policies for settings such as security, software installation, and user preferences.

  3. LDAP: Azure AD DS provides LDAP support, which allows you to use LDAP-based applications and services such as Active Directory Lightweight Directory Services (AD LDS).

  4. Kerberos/NTLM authentication: Azure AD DS provides Kerberos/NTLM authentication, which allows you to authenticate users and applications using the same protocols used in on-premises Active Directory.

  5. Domain services in Azure: Azure AD DS provides domain services in the cloud, which can help you to manage your virtual machines and domain services without the need for on-premises infrastructure.

Overall, Azure AD DS can help your biopharma research company to provide managed domain services in the cloud. With domain join, group policy, LDAP, and Kerberos/NTLM authentication, Azure AD DS can help you to manage your virtual machines and domain services in Azure.


C. Features

To provide identity services to applications and VMs in the cloud, Azure AD DS is fully compatible with a traditional AD DS environment for operations such as domain-join, secure LDAP (LDAPS), Group Policy, DNS management, and LDAP bind and read support. LDAP write support is available for objects created in the managed domain, but not resources synchronized from Azure AD.

To learn more about your identity options, compare Azure AD DS with Azure AD, AD DS on Azure VMs, and AD DS on-premises.

The following features of Azure AD DS simplify deployment and management operations:

  • Simplified deployment experience: Azure AD DS is enabled for your Azure AD tenant using a single wizard in the Azure portal.

  • Integrated with Azure AD: User accounts, group memberships, and credentials are automatically available from your Azure AD tenant. New users, groups, or changes to attributes from your Azure AD tenant or your on-premises AD DS environment are automatically synchronized to Azure AD DS.

    • Accounts in external directories linked to your Azure AD aren’t available in Azure AD DS. Credentials aren’t available for those external directories, so can’t be synchronized into a managed domain.

  • Use your corporate credentials/passwords: Passwords for users in Azure AD DS are the same as in your Azure AD tenant. Users can use their corporate credentials to domain-join machines, sign in interactively or over remote desktop, and authenticate against the managed domain.

  • NTLM and Kerberos authentication: With support for NTLM and Kerberos authentication, you can deploy applications that rely on Windows-integrated authentication.

  • High availability: Azure AD DS includes multiple domain controllers, which provide high availability for your managed domain. This high availability guarantees service uptime and resilience to failures.

    • In regions that support Azure Availability Zones, these domain controllers are also distributed across zones for additional resiliency.

    • Replica sets can also be used to provide geographical disaster recovery for legacy applications if an Azure region goes offline.

Some key aspects of a managed domain include the following:

  • The managed domain is a stand-alone domain. It isn’t an extension of an on-premises domain.

    • If needed, you can create one-way outbound forest trusts from Azure AD DS to an on-premises AD DS environment. For more information, see Forest concepts and features for Azure AD DS.

  • Your IT team doesn’t need to manage, patch, or monitor domain controllers for this managed domain.

For hybrid environments that run AD DS on-premises, you don’t need to manage AD replication to the managed domain. User accounts, group memberships, and credentials from your on-premises directory are synchronized to Azure AD via Azure AD Connect. These user accounts, group memberships, and credentials are automatically available within the managed domain.


D. Where implemented

LeanIX


E. How it is tested

Testing Azure Active Directory Domain Services involves ensuring that the domain service is functioning correctly, securely, and meeting the needs of all stakeholders involved in the project. Here are some steps to follow to test Azure Active Directory Domain Services:

  1. Define the scope and requirements: Define the scope of the project and the requirements of all stakeholders involved in the project. This will help ensure that Azure Active Directory Domain Services is designed to meet the needs of all stakeholders.

  2. Develop test cases: Develop test cases that cover all aspects of Azure Active Directory Domain Services functionality, including user and group management, domain join, and authentication. The test cases should be designed to meet the needs of the organization, including scalability and resilience.

  3. Conduct unit testing: Test the individual components of Azure Active Directory Domain Services to ensure that they are functioning correctly. This may involve using tools like PowerShell or Azure CLI for automated testing.

  4. Conduct integration testing: Test Azure Active Directory Domain Services in an integrated environment to ensure that it works correctly with other systems and applications. This may involve testing Azure Active Directory Domain Services with different operating systems, browsers, and devices.

  5. Conduct user acceptance testing: Test Azure Active Directory Domain Services with end-users to ensure that it meets their needs and is easy to use. This may involve conducting surveys, interviews, or focus groups to gather feedback from users.

  6. Automate testing: Automate testing of Azure Active Directory Domain Services to ensure that it is functioning correctly and meeting the needs of all stakeholders. This may involve using tools like Azure DevOps to set up automated testing pipelines.

  7. Monitor performance: Monitor the performance of Azure Active Directory Domain Services in production to ensure that it is meeting the needs of all stakeholders. This may involve setting up monitoring tools, such as Azure Monitor, to track usage and identify performance issues.

  8. Address issues: Address any issues that are identified during testing and make necessary changes to ensure that Azure Active Directory Domain Services is functioning correctly and meeting the needs of all stakeholders.

By following these steps, you can ensure that Azure Active Directory Domain Services is tested thoroughly and meets the needs of all stakeholders involved in the project. This can help improve the quality of Azure Active Directory Domain Services and ensure that it functions correctly in a production environment.


F. 2023 Roadmap

????


G. 2024 Roadmap

????


H. Known Issues

There are several known issues that can impact Azure Active Directory Domain Services. Here are some of the most common issues to be aware of:

  1. Configuration issues: Configuration issues can arise when setting up Azure Active Directory Domain Services. It is important to ensure that all configurations are set up correctly to avoid issues with authentication and access management.

  2. Performance issues: If the system is not properly sized, it can impact performance and availability, causing issues with authentication and access management.

  3. Integration issues: Integration issues can arise when integrating Azure Active Directory Domain Services with other systems and applications. It is important to ensure that Azure Active Directory Domain Services is designed to work seamlessly with other systems and applications to avoid integration issues.

  4. Security issues: Security is a critical concern when it comes to Azure Active Directory Domain Services. It is important to ensure that all data is encrypted in transit and at rest, and that access to Azure Active Directory Domain Services is restricted to authorized personnel.

  5. Directory synchronization issues: Directory synchronization issues can arise when synchronizing user and group data between Azure AD and Azure AD Domain Services. It is important to ensure that the synchronization process is set up correctly to avoid issues with user and group management.

  6. DNS issues: DNS issues can impact the ability to access Azure AD Domain Services. It is important to ensure that DNS is set up correctly to avoid issues with domain join and authentication.

  7. Network connectivity issues: Network connectivity issues can impact the ability to access Azure AD Domain Services. It is important to ensure that the network is set up correctly to avoid issues with domain join and authentication.

Overall, Azure Active Directory Domain Services requires careful planning and management to ensure that it is functioning correctly and meeting the needs of all stakeholders involved in the project. By being aware of these known issues and taking steps to address them, you can improve the quality of Azure Active Directory Domain Services and ensure the success of your project.


[x] Reviewed by Enterprise Architecture

[x] Reviewed by Application Development

[x] Reviewed by Data Architecture