In Part 1 of our series on Active Directory, I discussed the history of Active Directory and where identity management in Azure is heading with Azure Active Directory.
In this next part of the series, we look into the three different types of Active Directory options (all supported within Nerdio) and call attention to some things you need to be aware of when managing identity in Azure.
The three Active Directory options are:
- Active Directory Domain Services (AD DS)
- Azure Active Directory Domain Services (Azure AD DS)
- Azure Active Directory (Azure AD)
Let’s discuss these at a high level, along with the need-to-knows and the differences between them.
It’s also worth mentioning that you can absolutely use a combination if you want to, although you still need to pick a primary authentication mechanism. For example, if we want to use AD DS to authenticate the users and Azure AD to “manage” the devices, we can do that by performing a “Hybrid” Domain Join. In this scenario the session hosts are “joined” to AD DS but “registered” with Azure AD.
Active Directory Domain Services (AD DS)
AD DS is the option most people think of when thinking about Active Directory. AD DS was introduced in 2000, over 20 years ago, by Microsoft as part of Windows 2000. I have very fond memories of the offering as I have worked on some of the largest Active Directory deployments (100,000 seat deployments and more) in the world!
AD DS consists of a database (NTDS.DIT) and uses a protocol called LDAP (Lightweight Directory Access Protocol). This is how services integrate with Active Directory: they perform LDAP lookups. AD DS provides many services, including authentication (using Kerberos and NTLM), directory lookup (using LDAP), Group Policy to apply settings, and much more.
To enable AD DS, you must install it on a Windows Server (which can be physical or virtual), and then enable a feature called “Active Directory Domain Services.”
This will enable your Windows Server to operate as a domain controller for your domain. When deploying Azure Virtual Desktop (AVD) solutions, we typically see customers deploy multiple Active Directory domain controllers inside their Azure subscription and synchronise the Active Directory database with their on-prem deployment. This is by far the most common use case we see. It ensures that any LDAP or authentication traffic is contained within Azure, rather than having to traverse VPN links, which is both a poor user experience and a security risk.
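The deployment pattern just described, as an added example that is not from the original article: an Azure-hosted Windows Server is promoted as an additional domain controller of the existing on-prem domain, the Azure VNet address space is bound to its own AD site so that session hosts in Azure locate the Azure domain controllers instead of crossing the VPN, and a session host is checked to confirm which DC it actually uses. The domain name corp.example.com, the site name Azure-UKSouth, the on-prem site name Default-First-Site-Name and the VNet range 10.10.0.0/16 are placeholder assumptions.

```powershell
# Added example, not from the original article. Placeholder values that you would
# replace: domain corp.example.com, AD site "Azure-UKSouth", VNet range 10.10.0.0/16,
# on-prem site "Default-First-Site-Name".

# --- Step 1: from an existing domain-joined admin workstation with RSAT ---
# Create an AD site for the Azure region and bind the VNet address space to it, so the
# DC locator (site-specific DNS SRV records) points Azure clients at the Azure DCs.
New-ADReplicationSite -Name 'Azure-UKSouth'
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'Azure-UKSouth'
New-ADReplicationSiteLink -Name 'OnPrem-AzureUKSouth' `
    -SitesIncluded 'Default-First-Site-Name', 'Azure-UKSouth' `
    -Cost 100 -ReplicationFrequencyInMinutes 15

# --- Step 2: on the new Windows Server VM in Azure (must already reach an on-prem DC) ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Promote it as an ADDITIONAL domain controller of the existing domain (not a new forest).
# Credentials and the DSRM password are read interactively so they never sit in the script.
Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -Credential (Get-Credential -Message 'Domain Admin for corp.example.com') `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -InstallDns `
    -SiteName 'Azure-UKSouth' `
    -Force

# --- Step 3: on an AVD session host, verify its LDAP/Kerberos traffic stays in Azure ---
# "Our Site Name" should read Azure-UKSouth and the DC returned should be the Azure VM,
# not an on-prem domain controller reached over the VPN.
nltest /dsgetdc:corp.example.com
Get-ADDomainController -Discover -Service KDC |
    Select-Object Name, IPv4Address, Site
```

The site and subnet objects are created before the promotion so that `-SiteName` can place the new DC straight into the Azure site; if Step 3 still returns an on-prem DC, the usual cause is a missing or wrong subnet-to-site mapping for the session host's address range.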
Azure Active Directory Domain Services (Azure AD DS)
As we have seen so far, there is work we need to do to get Active Directory up and running: we must deploy a server, deploy a role, manage that server, and so on. What if there were a better way? Enter Azure AD DS. Azure AD DS is an Azure service that provides a managed domain in which Azure manages everything for you. You don’t need to worry about deploying servers, managing servers, installing Active Directory, etc.
However, this type of managed domain is a brand-new Active Directory domain; it cannot be your existing Active Directory domain. You can still use Azure AD Connect to synchronise your user accounts into this separate Active Directory domain if required.
However, because we don’t actually have access to the domain controllers via Azure AD DS, there are a few limitations that you need to be aware of:
- No Hybrid Azure AD Join
- No Enterprise or Domain Admin
- No Active Directory Certificate Services Support
- Schema Cannot be Extended
- Limited Group Policy Support
- Limited Redundancy
- Azure AD DS has a different DNS Name
- No Forest Trusts
- No MSIX App Attach Support
- Not available in all regions
From an AVD perspective, the biggest limitations are the lack of support for MSIX App Attach and Hybrid AD Join. This will stop you from being able to manage your hosts using Microsoft Endpoint Manager (MEM)/Intune in the future.
For simple solutions, Azure AD DS works well, but as you get into more complicated deployments its limitations start to become more apparent. I would only recommend choosing Azure AD DS if you have to, as the cost of the service is about the same as deploying a few domain controllers as VMs.
Azure Active Directory (Azure AD)
So where does Azure AD fit into this? Microsoft describes Azure AD as an “Enterprise identity service that provides single-sign-on, MFA (multifactor authentication), and conditional access”. So, you are probably thinking, “…well, isn’t that what Active Directory is also?” And yes, you are correct: Active Directory provides user authentication. However, when we authenticate to any Azure service (e.g., Office 365) we authenticate against Azure AD, not AD DS.
But most user accounts are held in AD DS. To bridge this gap, you can use Azure AD Connect, which synchronises AD DS users with Azure AD. This means your users will appear in your Azure AD, and we can also sync the password. So when I authenticate against Azure AD, I can use the same password that I use for my on-prem environment, as the two stay in sync.
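The synchronisation described above, as an added example that is not from the original article: on the Azure AD Connect server the sync scheduler is checked and a delta cycle is pushed, and from the cloud side a user is inspected to confirm it is the synced copy of an AD DS account. The user jane.doe@corp.example.com is a placeholder assumption; the cmdlets are the ADSync and Microsoft.Graph ones.

```powershell
# Added example, not from the original article. Placeholder user: jane.doe@corp.example.com.
# Part 1 runs on the Azure AD Connect server (ADSync module); part 2 runs anywhere the
# Microsoft.Graph module is installed and User.Read.All has been consented to.

# --- 1. Azure AD Connect server: is the scheduler running, and push a delta sync now ---
Import-Module ADSync
$sched = Get-ADSyncScheduler
'SyncCycleEnabled={0}  Interval={1}  NextRun(UTC)={2}' -f `
    $sched.SyncCycleEnabled, $sched.CurrentlyEffectiveSyncCycleInterval, $sched.NextSyncCycleStartTimeInUTC
# A delta cycle picks up only what changed since the last run (new users, password changes).
Start-ADSyncSyncCycle -PolicyType Delta

# --- 2. Cloud side: confirm the user exists in Azure AD and originates from AD DS ---
Connect-MgGraph -Scopes 'User.Read.All'
Get-MgUser -UserId 'jane.doe@corp.example.com' `
    -Property UserPrincipalName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime, OnPremisesSecurityIdentifier |
    Select-Object UserPrincipalName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime, OnPremisesSecurityIdentifier
# OnPremisesSyncEnabled = True plus a populated OnPremisesSecurityIdentifier means this
# Azure AD account is the synced copy of the AD DS user, which is why the same password works.
```

If OnPremisesSyncEnabled is empty or False the account was created directly in Azure AD and is not tied to an AD DS user, so an on-prem password change would not carry across to it.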
Let’s think about this from an AVD perspective. AVD is an Azure service that authenticates users with Azure AD accounts. That’s authentication point number one. Once we have authenticated against the AVD service, we then authenticate against the AVD session host (VM), which is part of our Active Directory domain – that’s authentication point number two.
What we can also do now is utilise a capability called Azure AD Join, which means we can join our session hosts directly to Azure AD.
This unlocks a whole set of capabilities, including single sign-on (SSO) for AVD, Windows Hello authentication and passwordless authentication for AVD. To enable the SSO capability you just need to ensure you are running the September 2022 Cumulative Update.
This capability is also available if you are using Hybrid Join. To read more about the update, please view the Microsoft guidance here – Configure single sign-on for Azure Virtual Desktop – Azure | Microsoft Learn
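The Azure AD Join and SSO steps above, as an added example that is not from the original article or Nerdio: an existing session host VM is joined directly to Azure AD with the AADLoginForWindows VM extension, the host pool's RDP properties are updated to turn on Azure AD SSO without discarding the properties already set, and `dsregcmd` is used on the host to tell native Azure AD Join, Hybrid Azure AD Join and plain AD DS membership apart. The resource group rg-avd, region uksouth, VM avd-host-01, host pool hp-avd-aad and the extension version are placeholder assumptions.

```powershell
# Added example, not from the original article or Nerdio. Placeholders: resource group
# rg-avd, region uksouth, VM avd-host-01, host pool hp-avd-aad. Requires the Az.Compute
# and Az.DesktopVirtualization modules and a prior Connect-AzAccount.

# --- 1. Native Azure AD Join of an existing session host VM ---
# The AADLoginForWindows extension joins the VM to the tenant using the VM's
# system-assigned managed identity, so no AD DS credentials are involved at all.
Set-AzVMExtension -ResourceGroupName 'rg-avd' -VMName 'avd-host-01' -Location 'uksouth' `
    -Name 'AADLoginForWindows' `
    -Publisher 'Microsoft.Azure.ActiveDirectory' `
    -ExtensionType 'AADLoginForWindows' `
    -TypeHandlerVersion '1.0'

# --- 2. Enable Azure AD single sign-on for the host pool ---
# CustomRdpProperty is one semicolon-separated string that is replaced wholesale,
# so keep the existing properties and only add/replace the SSO flag.
$pool  = Get-AzWvdHostPool -ResourceGroupName 'rg-avd' -Name 'hp-avd-aad'
$props = @($pool.CustomRdpProperty -split ';' |
           Where-Object { $_ -and $_ -notlike 'enablerdsaadauth:*' })
$props += 'enablerdsaadauth:i:1'
Update-AzWvdHostPool -ResourceGroupName 'rg-avd' -Name 'hp-avd-aad' `
    -CustomRdpProperty (($props -join ';') + ';')

# --- 3. On the session host: confirm which join state it actually ended up in ---
#   Native Azure AD Join : AzureAdJoined : YES   DomainJoined : NO
#   Hybrid Azure AD Join : AzureAdJoined : YES   DomainJoined : YES
#   AD DS only           : AzureAdJoined : NO    DomainJoined : YES
dsregcmd /status | Select-String -Pattern '^\s*(AzureAdJoined|DomainJoined|TenantName)\s*:'
```

Step 2 reads the current CustomRdpProperty first because Update-AzWvdHostPool overwrites the whole string; passing only the SSO flag would silently drop any other RDP properties already configured on the pool.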
Let’s finish up by answering a few frequently asked questions (FAQs) around these three Active Directory options in Azure.
Can I get rid of my Domain Controllers if I’m Using Azure AD?
Not quite yet: your users still need to be synced from a full Active Directory, but that limitation will be lifted soon when Azure AD Join goes GA.
So, what’s Hybrid Azure AD Join all about then?
You have probably heard about Hybrid Azure AD Join. This is where your session hosts are “registered” with Azure AD, but not joined to Azure AD. If you want to keep them joined to your AD DS domain but also manage them via Intune, this is where you would use Hybrid Azure AD Join.
Does Nerdio support all of the above identity options in Azure?
The good news is that with Nerdio you can use all of the above scenarios and pick whichever best suits your needs.
I hope you enjoyed this article, and I look forward to seeing you in Part 3, which will go into detail about how to manage a native Azure AD environment.