Active Directory deployment considerations for Azure IaaS

Hello identity

I have been advising a number of Solidsoft internal projects and external clients on the options for deploying Active Directory (“AD”) to support Microsoft server services in Windows Azure Infrastructure as a Service (“IaaS”) virtual machines.


Whilst one of the best authoritative articles from Microsoft is Contrasts between deploying Windows Server Active Directory domain controllers on Windows Azure Virtual Machines versus on-premises, it doesn’t really cover all the initial considerations between infrastructure and developers, so I have been using this simple checklist to help guide appropriate conversations and decision making:



A. Unless it’s all on one box (workgroup mode), most Microsoft servers (SQL Server, BizTalk, SharePoint, TFS) are dependent on full AD DS for inter-server service authentication (Kerberos between their service accounts); the domain mode, i.e. the functional level, is a factor.

B. They do not support ADAM/AD LDS (or a non-Microsoft LDAP directory) or the Windows Azure Active Directory service as a substitute; a full AD DS domain is required.

C. Providing AD authentication in Windows Azure that is integrated with a corporate AD is dependent on an underlying site-to-site VPN connection between the Azure virtual network and the corporate network; every piece of domain traffic (Kerberos, LDAP, replication) crosses that link.


Scenario 1 - Do not deploy AD in Azure

a. No AD server in Azure; use the on-premises/data centre corporate AD services across the VPN and join the servers in Azure to the corporate domain.

b. Every authentication between the servers and services in Azure "chatting" amongst themselves (Kerberos ticket requests, LDAP lookups) round-trips across the VPN to an on-premises domain controller, so link latency and link-down events affect them directly.

c. Fine for non-production or POC, but a production risk without significant testing.
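The "significant testing" in point c should at least measure what the Azure members actually experience across the VPN. The script below is an added example (not from the original post) to run on a domain-joined VM in Azure under Scenario 1: it shows which on-premises DC the locator hands back, checks the secure channel, samples the LDAP round trip and proves the Kerberos/LDAP ports are open. The domain name corp.contoso.com is a hypothetical placeholder.

```powershell
# Added example, not from the original post. Run on a domain-joined VM in Azure
# in Scenario 1 (every domain controller on-premises). Hypothetical names:
# domain corp.contoso.com; the VPN and the on-premises DCs are assumed to be up.
param(
    [string]$Domain  = 'corp.contoso.com',
    [int]   $Samples = 20
)
Import-Module ActiveDirectory

# 1. Which DC does this member land on? With no DC (and no AD site) in Azure the
#    locator can only hand back an on-premises DC, reached via the VPN.
$dc     = Get-ADDomainController -DomainName $Domain -Discover -ForceDiscover
$dcName = "$($dc.HostName)"
"Located DC: $dcName in site '$($dc.Site)'"

# 2. Secure channel health: a VPN outage shows up here first, before users see
#    logon failures or services fail to start.
"Secure channel to ${dcName}: $(Test-ComputerSecureChannel -Server $dcName)"

# 3. Sample the round trip of an LDAP bind plus a RootDSE read. Each [ADSI]
#    bind is a fresh connection across the VPN, so this approximates the
#    per-request latency that Kerberos/LDAP traffic between the Azure servers
#    sees whenever they authenticate to each other.
$ms = foreach ($i in 1..$Samples) {
    (Measure-Command {
        $root = [ADSI]"LDAP://$dcName/RootDSE"
        $null = $root.defaultNamingContext
    }).TotalMilliseconds
}
$stats = $ms | Measure-Object -Average -Minimum -Maximum
'LDAP RootDSE over VPN: avg {0:N1} ms, min {1:N1} ms, max {2:N1} ms' -f `
    $stats.Average, $stats.Minimum, $stats.Maximum

# 4. Kerberos (88) and LDAP (389) must be open through the VPN and any firewall
#    rules in between; a TCP connect per port is enough to prove the path.
foreach ($port in 88, 389) {
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($dcName, $port); $ok = $client.Connected }
    catch   { $ok = $false }
    finally { $client.Close() }
    "TCP $port to ${dcName}: $ok"
}
```

Run it repeatedly during the test window (including while the VPN is deliberately dropped) and compare the max latency with the timeouts of the services in Azure; a single bad sample is usually enough to explain a "random" service start failure.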


Scenario 2 – Deploy AD in a single Domain

a. Deploy AD server(s) in Azure as replicas in the corporate domain.

b. Needs AD sites and subnets configured so that the Azure members authenticate against the Azure DC(s) rather than across the VPN, and/or the Azure instance(s) made read only domain controllers (RODC) so that no writable copy of the directory sits in Azure.

c. Downside is the bandwidth of replicating every object in the domain to the Azure instance. There is no Azure charge for that inbound traffic because data transfer into Azure is free (traffic leaving Azure, such as changes replicated back from a writable Azure DC, is chargeable).
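Scenario 2 as a set of PowerShell steps, added here as an example that is not part of the original post: the site, subnet and site link on the corporate side, the RODC promotion on the Azure VM, the password replication policy, and the check that Azure members now locate the Azure DC. All names (corp.contoso.com, sites HQ and Azure-WestEurope, subnet 10.10.0.0/16, RODC AZDC01, group Azure-Service-Accounts, drive F:) are hypothetical; the functions are run where the comments say.

```powershell
# Added example, not from the original post. Hypothetical names throughout:
# domain corp.contoso.com, on-premises site 'HQ', Azure site 'Azure-WestEurope',
# Azure virtual network 10.10.0.0/16, RODC computer name AZDC01.
Import-Module ActiveDirectory

$domain     = 'corp.contoso.com'
$onPremSite = 'HQ'
$azureSite  = 'Azure-WestEurope'
$azureCidr  = '10.10.0.0/16'
$rodcName   = 'AZDC01'

function Initialize-AzureSite {
    # Run on-premises as a Domain Admin, before promoting anything in Azure.
    # Site + subnet make the locator hand Azure members an Azure DC; without
    # them the members authenticate across the VPN even with a DC next door.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$azureSite'")) {
        New-ADReplicationSite -Name $azureSite
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$azureCidr'")) {
        New-ADReplicationSubnet -Name $azureCidr -Site $azureSite
    }
    # High cost and a slow schedule: replication is the only traffic that
    # should cross the VPN, and this link must never be preferred as a route.
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'HQ-Azure'")) {
        New-ADReplicationSiteLink -Name 'HQ-Azure' `
            -SitesIncluded $onPremSite, $azureSite `
            -Cost 500 -ReplicationFrequencyInMinutes 60 `
            -InterSiteTransportProtocol IP
    }
}

function Install-AzureRodc {
    # Run on the Azure VM (already domain joined, named $rodcName). Database and
    # SYSVOL go on a data disk with host caching off; the Microsoft contrasts
    # article cited above warns against keeping them on the cached OS disk.
    Import-Module ADDSDeployment
    Install-ADDSDomainController -DomainName $domain -ReadOnlyReplica `
        -SiteName $azureSite -InstallDns `
        -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
        -Credential (Get-Credential "$domain\Administrator") `
        -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
        -Force
}

function Set-AzureRodcPasswordPolicy {
    # Run on-premises after promotion. Only the Azure service accounts may be
    # cached on the RODC, so a stolen Azure VHD cannot yield other password
    # hashes. Privileged groups are already in the default Denied RODC Password
    # Replication Group; the second call lists that deny set so it can be eyeballed.
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName `
        -AllowedList 'Azure-Service-Accounts'
    Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodcName -Denied |
        Select-Object Name
}

function Test-AzureSiteLocator {
    # Run on any Azure member: it should now locate a DC in the Azure site,
    # and that DC should be read only.
    $found = Get-ADDomainController -Discover -SiteName $azureSite -ForceDiscover
    Get-ADDomainController -Identity "$($found.HostName)" |
        Select-Object HostName, Site, IsReadOnly, IsGlobalCatalog
}

# Order: Initialize-AzureSite (on-premises), Install-AzureRodc (Azure VM, reboots),
# Set-AzureRodcPasswordPolicy (on-premises), Test-AzureSiteLocator (Azure member).
```

If the Azure DC is left writable instead of an RODC, the same site and site-link configuration still applies; what changes is that the password replication policy step disappears and every change made in Azure replicates back over the VPN as chargeable outbound traffic.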


Scenario 3 – Create separate AD domains

a. Deploy AD server(s) in Azure in a separate domain, but part of the corporate forest.

b. For networking this is generally the most efficient and elegant solution: only the Azure domain's own directory partition (plus the small forest-wide schema and configuration partitions) has to replicate across the VPN, rather than every object in the corporate domain.

c. For logical administration and security you must trust the forest administrators: a domain is not a security boundary in AD, the forest is. The forest's Enterprise Admins control every domain in it, including the Azure one.
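As an added example (not from the original post), Scenario 3 reduces to one promotion command on the first Azure VM plus a check that makes point c concrete. Names are hypothetical: parent domain corp.contoso.com, child domain azure.corp.contoso.com, an AD site Azure-WestEurope that is assumed to exist already, and drive F: as the data disk.

```powershell
# Added example, not from the original post. Hypothetical names: parent domain
# corp.contoso.com, new child domain azure.corp.contoso.com, existing Azure site
# 'Azure-WestEurope'. Step 1 runs on the Azure VM, step 2 anywhere with RSAT.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$parent = 'corp.contoso.com'
$child  = 'azure'
$site   = 'Azure-WestEurope'

# 1. Create the child domain with its first DC in the Azure site. Only the
#    schema and configuration partitions and this domain's own partition
#    replicate across the VPN. Caveat: the new DC is a global catalog by default
#    and a GC also holds a partial read-only copy of every object in the forest;
#    add -NoGlobalCatalog to avoid that, at the cost of Azure logons needing a
#    GC across the VPN for universal group expansion.
Install-ADDSDomain -NewDomainName $child -ParentDomainName $parent `
    -DomainType ChildDomain -SiteName $site -InstallDns -CreateDnsDelegation `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -Credential (Get-Credential "$parent\Administrator") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# 2. Point c made concrete: the forest's Enterprise Admins are members of the
#    child's built-in Administrators group from the moment it exists, so the
#    people listed here control the Azure domain whether you like it or not.
Get-ADGroupMember -Identity 'Administrators' -Server "$child.$parent" |
    Select-Object Name, objectClass, SID
Get-ADGroupMember -Identity 'Enterprise Admins' -Server $parent -Recursive |
    Select-Object Name, SamAccountName
```

If the list from the last command is not one you are prepared to trust with the Azure workloads, Scenario 3 is the wrong pattern and Scenario 4 is the answer.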


Scenario 4 – Create new forest

a. Deploy AD server(s) in Azure in a separate forest and connect the forests using cross-forest trusts or Windows Server Active Directory Federation Services (AD FS).

b. Benefits – the forest is the real AD security boundary, so forest trusts provide distinct, segregated security levels and policies (own schema, own administrators, own password and audit policy) for administrative autonomy, and the two forests are easy to fully separate later by removing the trust.

c. Issues – forest trusts are dependent on the forest functional level (Windows Server 2003 or later on both sides) and require more work assigning permissions correctly across the trust (SID filtering is on by default, and with selective authentication every resource must explicitly allow the foreign users to authenticate), which introduces complexity.
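The functional-level gate, the trust itself and the per-resource permission work from point c, written out as an added example that is not part of the original post. Hypothetical names: corporate forest corp.contoso.com, Azure forest azure.contoso.local whose DNS server is 10.10.0.4, Azure computer AZSQL01, corporate group Azure-SQL-Users. The trust is created one-way with selective authentication so that corporate users can reach Azure resources only where explicitly allowed; netdom is used for creation because the ActiveDirectory module has no cmdlet for that.

```powershell
# Added example, not from the original post. Hypothetical names: corporate
# forest corp.contoso.com, Azure forest azure.contoso.local (DNS at 10.10.0.4),
# Azure server AZSQL01, corporate group Azure-SQL-Users. Steps 1 and 2 run on a
# DC/DNS server of EACH forest; steps 3-5 run on a DC of the Azure forest.
Import-Module ActiveDirectory

$corpForest  = 'corp.contoso.com'
$azureForest = 'azure.contoso.local'

function Test-ForestTrustReady {
    # 1. Forest trusts need both forests at the Windows Server 2003 forest
    #    functional level or later (point c's "specific version" dependency).
    $forest = Get-ADForest
    $tooLow = 'Windows2000Forest', 'Windows2003InterimForest'
    if ("$($forest.ForestMode)" -in $tooLow) {
        throw "$($forest.Name) is at $($forest.ForestMode); raise it to Windows2003Forest or later first"
    }
    "$($forest.Name): $($forest.ForestMode) - OK for a forest trust"
}
Test-ForestTrustReady

# 2. Name resolution across the VPN: each forest's DNS needs a conditional
#    forwarder for the other (shown here for the corporate side).
Add-DnsServerConditionalForwarderZone -Name $azureForest `
    -MasterServers 10.10.0.4 -ReplicationScope Forest

# 3. One-way forest trust: the Azure forest (trusting) trusts the corporate
#    forest (trusted). /selectiveauth:yes means corp users are refused on every
#    Azure server until explicitly allowed; /pd:* prompts for the corp password.
netdom trust $azureForest /d:$corpForest /add /forest /selectiveauth:yes `
    /ud:"$corpForest\Administrator" /pd:*

# 4. Verify the trust's security flags: SID filtering is enabled by default on a
#    forest trust (blocks SID-history injection from the other forest) and
#    selective authentication should read True.
Get-ADTrust -Filter "Target -eq '$corpForest'" |
    Select-Object Name, Direction, ForestTransitive,
                  SIDFilteringForestAware, SIDFilteringQuarantined, SelectiveAuthentication

# 5. The "more work assigning permissions": grant the corp group the
#    Allowed-To-Authenticate extended right on the Azure server's computer
#    object. The GUID is the documented rights GUID for that control access right.
$computer = Get-ADComputer -Identity 'AZSQL01'
$sid      = (Get-ADGroup -Identity 'Azure-SQL-Users' -Server $corpForest).SID
$allowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuthenticate)
$acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$($computer.DistinguishedName)" -AclObject $acl
```

Step 5 is the part that scales badly: it has to be repeated (or scripted over an OU) for every Azure server that corporate users must reach, which is exactly the complexity point c warns about. Leaving selective authentication off removes that work but then every authenticated corporate user is treated as Authenticated Users on every Azure server.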


PS: selecting the most appropriate AD deployment pattern can be equal in complexity to configuring VPN devices that are not on the known-compatible list. Who was saying that "infrastructure skills are now just a commodity"?

Written by Ian McQueen at 00:00
