2024 Nerdio Training Camps for MSPs now open for registration! 

REGISTER
  • Support
    • Cost Estimator for MSPs

    • A FREE MSP tool to properly quote and cost-predict Microsoft Azure licenses, margins, etc., prior to deployment – no Nerdio commitment or licensing required.

    • AVD Modeler Tool for Enterprise

    • A FREE enterprise tool to model and cost-predict Azure Virtual Desktop environments – no Nerdio commitment or licensing required.

Schedule a Demo

Can Azure AD DS Replace Windows AD (AD DS)?

Table of Contents

Table of Contents

  • 4 min read

Microsoft has three different directory services, all with “Active Directory” in the name: Active Directory Domain Services (Windows AD), Azure Active Directory Domain Services (Azure AD DS), and Azure Active Directory (Azure AD). This article focuses on two with similar functionality, Windows AD and Azure AD DS, and whether we can replace Windows AD with Azure AD DS.

If you are looking for more insight on Azure AD, visit this blog by our UK Field CTO Neil McLoughlin.

Azure AD DS and Windows AD (AD DS) Overview

Windows AD is the directory service used with on-premises Active Directory deployments for over 20 years. It requires at least one dedicated Windows server and the same management as other on-premises servers, including updating, patching, and backups.

Azure AD DS is a Windows AD-compatible directory service hosted in Azure. It offers Kerberos and NTLM authentication, group policies, and many other features that traditional on-premises Windows AD has to offer. It can also extend functionality to on-premises with VPN connections or ExpressRoute.   

Azure AD DS has some advantages over Windows AD. It is hosted in Azure, managed by Microsoft, and there is no need to patch or backup servers. With that in mind, should we use it to replace Windows AD?  Maybe, but in most cases, probably not.

Limitations for Replacing Windows AD with Azure AD DS

Nerdio supports all three directory options, but there are some things to be aware of when comparing Windows AD and Azure AD DS. While Azure AD DS is compatible with Windows AD, it does not have feature parity with Windows AD. It is important to understand the following differences when considering replacing Windows AD with Azure AD DS.

No Hybrid Azure AD Join Support

To start, there is no option for hybrid Azure AD Join when using Azure AD DS. A Windows client can be AD DS joined (Windows AD or Azure AD DS), or Azure AD joined. Also, a hybrid Azure AD join option for environments that use Azure AD Connect sync to replicate identities from Windows AD to Azure AD.  Hybrid Azure AD join provides many of the same management options as an Azure AD joined computer. 

As the image below shows, a Windows AD joined computer can be Hybrid Azure AD Joined by replicating the computer identity from Windows AD to Azure AD with Azure AD Connect Sync. 

Hybrid Azure AD Join is not an option for Azure AD DS joined computers. There is a one-way replication from Azure AD to Azure AD DS, and no way for a computer object joined to Azure AD DS to replicate to Azure AD. Azure AD Connect Sync is not supported with Azure AD Domain Services.

No Windows 365 Support

Windows 365 requires Azure AD join or Hybrid Azure AD join devices. Currently, Windows 365 is not supported with Azure AD DS.

No Microsoft Intune Automatic Enrollment

Microsoft Intune requires Azure AD or Hybrid Azure AD Join for automatic enrollment. A computer or AVD session host joined to Azure AD DS is limited to Azure AD Registered, the same identity trust as a BYOD device. 

No MSIX App Attach

MSIX App Attach requires the session host to be Hybrid Azure AD joined to Azure AD and not supported with Azure AD DS.

No Domain or Enterprise Administrator Account

There is no Domain, or Enterprise Administrator account in Azure AD DS. Instead, a group called “AAD DC Administrators” provides permissions to manage Azure AD DS. This group is sufficient for managing Azure AD DS but limits some common tasks in Windows AD. For example, many Windows services, such as Certificate services, require logging with domain administrator privileges to configure the service.  Because there are no Domain or Enterprise admin accounts, the certificate service is not supported with Azure AD DS.

No Local Domain Controllers

A common practice when managing Windows AD is to deploy domain controllers to remote and branch offices. This configuration speeds up logins and processes logins in case of a WAN outage. Deploying domain controllers on-premises is not supported with Azure AD DS.

No Schema Extension

Azure AD DS does not support extending the schema. This may not seem significant but limits the ability to deploy Microsoft and third-party applications. For example, Microsoft Exchange server requires a schema extension and is not supported with Azure AD DS. 

Limited Trust Relationship

Organizations frequently use domain trust relationships to share resources between Windows AD domains. One common example is mergers and acquisitions, where two autonomous domains must share resources. Azure AD DS is an independent domain and namespace. Azure AD DS only supports a one-way transit trust, whereas the Azure AD DS domain trusts other domains. 

The limited trust relationship could be problematic if an organization is involved in mergers or acquisitions in the future. Also, it limits partner arrangements where two organizations share resources between domains. 

What Is Azure AD DS Used for?

With all these limitations, you may ask yourself, what’s it for? Microsoft documentation references the use of Azure AD DS to support legacy applications in Azure that can’t use modern authentication. In this scenario, Azure AD DS provides a way to prevent directory lookups from going back to on-premises Windows AD.

Also, Azure AD does not support LDAP (lightweight directory access protocol). Azure AD DS can support LDAP queries for organizations that are Azure AD native and don’t use AD DS. If there is a need to support LDAP, that support can be provided by Azure AD DS.

Summary

Can you replace Windows AD with Azure AD DS? Yes, but with some consideration. The limitations outlined in this article illustrate why Azure AD DS may not be a good alternative to a traditional Windows AD domain. Even if the limitations are not a concern today, future needs may change, and the limitations may become significant. In addition, there is no back-out plan with Azure AD DS. If the limitations are reached, there is no Azure native way to migrate from Azure AD DS to Windows AD.

Azure AD DS also requires a management server to manage the domain. In most cases, the monthly cost to run two servers suitable as domain controllers in Azure is about the same, if not less than an instance of Azure AD DS and a management server. 

After reading this, you may decide that Azure AD DS is the right option for your organization. The good news is that no matter what Active Directory you choose, Nerdio will support it. 

Subscribe to our newsletter

Related Resources

Nerdio Manager for MSP: The Swiss Army Knife for Verified Technologies’ IT Operations
  • Case Studies

Nerdio Manager for MSP: The Swiss Army Knife for Verified Technologies’ IT Operations 

  • 4 min read
Explore how the MSP leveraged its partnership with Nerdio to streamline operations and enhance both
Read More
Endpoint Management Options for MSPs: Choosing the Right Solution for Your Business
  • Articles

Endpoint Management Options for MSPs: Choosing the Right Solution for Your Business 

  • 5 min read
Explore the evolution of endpoint management options for MSPs and the power of modern solutions
Read More
Canada’s Equitable Bank Leverages Nerdio for Its Digital Transformation Journey
  • Case Studies

Canada’s Equitable Bank Leverages Nerdio for Its Digital Transformation Journey  

  • 2 min read

Known as Canada’s Challenger Bank™, Equitable Bank prides itself on being ahead of consumer demand

Read More
Linkedin Twitter Facebook Youtube

Subscribe to our newsletter

© Copyright Nerdio 2024. All Rights Reserved.