Hybrid Identity
Tailwind Traders has been using Active Directory Domain Services (AD DS) as its identity provider on its on-premises network since migrating from Windows NT 4.0 in the early 2000s. Many existing applications at Tailwind Traders depend on Active Directory. Some have a simple dependency as an identity provider, while others have more complex dependencies, such as Group Policy requirements, custom domain partitions, and custom schema extensions.
As Tailwind Traders begins moving some resources and developing new applications in Azure, the company wants to avoid creating a parallel identity solution. It does not want users to manage separate login information for on-premises resources and those in the cloud.
In this unit, you will learn about the different ways to implement a hybrid identity.
Deploying Domain Controllers in Azure
The simplest way to provide the same AD DS environment in Azure as the one used on-premises is to:
- Deploy a pair of AD DS domain controllers on a subnet of an Azure virtual network.
- Connect this virtual network to the on-premises network.
- Configure this subnet as a new AD DS site, as shown in the following image.

A second option is to configure the cloud-hosted AD DS domain as a child domain of the on-premises forest.
A third option is to configure the AD DS domain controllers running in the cloud as a separate forest that maintains a trust relationship with the on-premises forest (a resource forest).
The following image shows this resource forest topology.

Organizations that deploy domain controllers on virtual machines (VMs) in Azure can then deploy workloads that require direct visibility to a domain controller. This deployment is possible as long as the workloads are on the same subnet of the Azure virtual network as the domain controller VMs.
This hybrid cloud model is conceptually simple for many organizations because Azure datacenters are considered a remote Active Directory site.
For Tailwind Traders, extending its on-premises Active Directory domain or forest to Azure may be sufficient, depending on application requirements.
The downside of this option is that VMs that need to run continuously, such as domain controllers, generate ongoing costs.
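The three steps above (domain controllers on an Azure subnet, network connectivity, and a new AD DS site) only work as intended if the Azure subnet is actually registered as a site in Active Directory; otherwise VMs in Azure may locate and authenticate against on-premises domain controllers across the VPN, and replication to the cloud DCs is not scheduled over a site link. The following PowerShell is an added example, not code from the Microsoft Learn unit, showing how an administrator would register that site with the ActiveDirectory (RSAT) module. The site names, the 10.10.1.0/24 subnet, and the cost and interval values are placeholders.

```powershell
# Added example: register an Azure virtual network subnet as an AD DS site and
# link it to the existing on-premises site. Assumed/placeholder values: site
# names, the 10.10.1.0/24 subnet, the site link cost and replication interval.
# Requires the ActiveDirectory module and an account with write access to the
# Configuration partition (for example, Enterprise Admins).
Import-Module ActiveDirectory

function Register-AzureAdSite {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $AzureSiteName,    # e.g. 'Azure-EastUS'
        [Parameter(Mandatory)] [string] $AzureSubnet,      # CIDR, e.g. '10.10.1.0/24'
        [Parameter(Mandatory)] [string] $OnPremSiteName,   # existing site, e.g. 'HQ'
        [string] $SiteLinkName = "$OnPremSiteName-$AzureSiteName",
        [int]    $Cost = 100,
        [int]    $ReplicationIntervalMinutes = 15
    )

    # 1. Create the site only if it does not exist yet, so the script can be re-run safely.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$AzureSiteName'")) {
        if ($PSCmdlet.ShouldProcess($AzureSiteName, 'Create AD replication site')) {
            New-ADReplicationSite -Name $AzureSiteName
        }
    }

    # 2. Map the Azure subnet to the new site. This mapping is what makes the DC
    #    locator return the Azure-hosted DCs to VMs on that subnet.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$AzureSubnet'")) {
        if ($PSCmdlet.ShouldProcess($AzureSubnet, "Map subnet to site $AzureSiteName")) {
            New-ADReplicationSubnet -Name $AzureSubnet -Site $AzureSiteName
        }
    }

    # 3. Link the two sites so the KCC builds inter-site replication connections
    #    over the VPN/ExpressRoute path with the chosen cost and interval.
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$SiteLinkName'")) {
        if ($PSCmdlet.ShouldProcess($SiteLinkName, 'Create site link')) {
            New-ADReplicationSiteLink -Name $SiteLinkName `
                -SitesIncluded $OnPremSiteName, $AzureSiteName `
                -Cost $Cost `
                -ReplicationFrequencyInMinutes $ReplicationIntervalMinutes `
                -InterSiteTransportProtocol IP
        }
    }

    # Return the resulting subnet-to-site mapping for review.
    Get-ADReplicationSubnet -Filter "Name -eq '$AzureSubnet'" | Select-Object Name, Site
}

# Usage with placeholder values: preview with -WhatIf first, then run without it.
Register-AzureAdSite -AzureSiteName 'Azure-EastUS' -AzureSubnet '10.10.1.0/24' -OnPremSiteName 'HQ' -WhatIf
```

After the domain controllers are promoted, a quick check from an Azure VM that `nltest /dsgetsite` reports the new site name confirms that the subnet mapping took effect.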
What is Microsoft Entra Connect?
Microsoft Entra Connect (formerly Azure AD Connect) enables organizations to synchronize identities from their on-premises Active Directory instance to Microsoft Entra ID (formerly Azure AD).
This method allows the same identity to be used for both cloud and on-premises resources. Microsoft Entra Connect is often used when organizations adopt Microsoft 365. It enables applications like Microsoft SharePoint and Exchange, running in the cloud, to be accessed through on-premises applications.
If Tailwind Traders plans to adopt Microsoft 365 technologies such as Exchange Online or Microsoft Teams, it will need to configure Microsoft Entra Connect to replicate identities from its on-premises AD DS environment to Azure.
If the company also wants to use on-premises identities with applications in Azure but does not want to deploy AD DS domain controllers on VMs, it will also need to deploy Microsoft Entra Connect.
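Once Microsoft Entra Connect is in place, the cloud side only reflects on-premises changes (new accounts, password changes, disabled users) as long as the sync scheduler is enabled and the server is not left in staging mode. The following PowerShell is an added example, not code from the Microsoft Learn unit, that an administrator would run on the Entra Connect server to confirm this using the ADSync module the installer provides. The 60-minute threshold is an assumed value.

```powershell
# Added example: sanity-check the Microsoft Entra Connect sync scheduler on the
# Entra Connect server. Uses the ADSync module installed with Entra Connect.
# The MaxMinutesUntilNextCycle threshold is an assumed value.
Import-Module ADSync

function Test-EntraConnectSync {
    param(
        # Flag the server if the next sync cycle is further away than this.
        [int] $MaxMinutesUntilNextCycle = 60
    )

    $scheduler  = Get-ADSyncScheduler
    $connectors = Get-ADSyncConnector
    $findings   = @()

    if (-not $scheduler.SyncCycleEnabled) {
        $findings += 'Sync cycle is disabled: on-premises changes will not reach Microsoft Entra ID.'
    }
    if ($scheduler.StagingModeEnabled) {
        $findings += 'Server is in staging mode: it imports but does not export to Microsoft Entra ID.'
    }
    if ($scheduler.SchedulerSuspended) {
        $findings += 'Scheduler is suspended (typically after an upgrade or configuration change).'
    }

    $minutesToNext = ($scheduler.NextSyncCycleStartTimeInUTC - (Get-Date).ToUniversalTime()).TotalMinutes
    if ($minutesToNext -gt $MaxMinutesUntilNextCycle) {
        $findings += "Next sync cycle is $([int]$minutesToNext) minutes away (expected <= $MaxMinutesUntilNextCycle)."
    }

    [pscustomobject]@{
        SyncCycleEnabled = $scheduler.SyncCycleEnabled
        StagingMode      = $scheduler.StagingModeEnabled
        InProgress       = $scheduler.SyncCycleInProgress
        IntervalMinutes  = $scheduler.CurrentlyEffectiveSyncCycleInterval.TotalMinutes
        NextCycleUtc     = $scheduler.NextSyncCycleStartTimeInUTC
        # One connector for the on-premises AD forest, one for the Entra ID tenant.
        Connectors       = ($connectors | ForEach-Object { "$($_.Name) [$($_.ConnectorTypeName)]" }) -join '; '
        Findings         = $findings
    }
}

Test-EntraConnectSync | Format-List
```

An empty `Findings` list with both an AD and an Entra ID connector listed is the expected healthy state; any finding means on-premises identity changes are not currently reaching the cloud and Microsoft 365 sign-ins may be using stale credentials or group memberships.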
What is Microsoft Entra Domain Services?
You can use Microsoft Entra Domain Services to project a Microsoft Entra domain onto an Azure virtual network subnet. With this configuration, services such as:
- Domain join
- Group Policy
- LDAP protocol
- Kerberos and NTLM authentication
become available for any VM deployed on that subnet.
Microsoft Entra Domain Services provides a basic managed Active Directory environment for VMs without having to manage, maintain, or pay for VMs acting as domain controllers.
It also allows the use of on-premises identities via Microsoft Entra Connect to interact with VMs running on a specially configured Azure subnet.
Limitations of Microsoft Entra Domain Services
One drawback of Microsoft Entra Domain Services is that Group Policy implementation is basic. It includes a fixed set of policies and does not allow creating Group Policy Objects (GPOs).
Even though on-premises identities are available in Azure, the policies configured on-premises are not available.
For Tailwind Traders, Microsoft Entra Domain Services represents a good compromise for hybrid workloads. It enables the use of domain-joined identities and substantial Group Policy configuration.
However, it does not support applications that require complex Active Directory features, such as custom domain partitions and schema extensions.