Microsoft previews cloudy Active Directory Domain Services

Microsoft has announced a public preview of full Active Directory Domain Services running as a service in its Azure cloud. Casual observers may be confused. Has not Microsoft offered Azure Active Directory (AD) forever, and used it for identity management in Office 365? This is true, but until now Azure AD has not offered the …

  1. Lee D

    I'm just not at all sure why you'd want this.

    AD is something that should be inherently internal to your network, not external. Especially with the recent focus on EU/US data transfer problems, this just seems like a big accident waiting to happen.

    1. Lusty

      If you take the time to learn about the services in Azure you'd find out it can be internal to your network, and it can be in a country of your choosing. Admittedly none of the countries in the United Kingdom, but your choosing nonetheless. Many companies already had domain controllers in other people's premises - we used to call that colo so it's nothing new. The main difference here is that a proper qualified Active Directory team is administering it and so it's infinitely more secure than the one Bob from Accounts configured in his lunch break. That, my friend, was an accident waiting to happen.

      No this doesn't suit everyone, of course it doesn't. What you need to remember when working in IT is that there is more than one use-case; other people's requirements are not the same as your requirements.

      1. Destroy All Monsters

        you'd find out it can be internal to your network

        You mean there will be local Windows 20XX server system doing DirSync with the cloudy master?

        1. Anonymous Coward

          No, just add either a VPN or ExpressRoute (MPLS WAN) between your network and Azure.

    2. Anonymous Coward

      Does your data centre have the security certifications and layered security that Microsoft's Azure ones do?

      Also, with Azure ExpressRoute or VPN you can effectively add an Azure data centre as an extension of your own network with no Internet unless you want that too.

  2. Erik4872

    Interesting development in the cloud tug of war

    The other thing the article doesn't mention is that there really wasn't anything stopping you from building your own domain controllers in Azure virtual machines, and either having them work with on-site AD or (if you're nuts) just hosting the whole thing in Azure. Now it sounds like they're wrapping it as an "Azure AD" style service, where you just fire requests in and Microsoft handles all the heavy lifting. I'm definitely going to check it out - it would be cool if it was resilient enough to replace local AD, and I guarantee it's coming as a feature to Windows Server 2016 at some point, so not a bad idea to learn about it.

    It's interesting if it allows the company to fully control everything, including GPOs and other stuff, but I wonder how many companies are going to be comfortable doing all their identity management, authentication and systems management off-premises. I guess Microsoft is playing the long game on this one and waiting for the pendulum to come all the way over to the "cloud-only" setting. Call me old, but I would have a big issue with handing all of the keys to the organization to a provider of any kind. I'm still one of those crazy IT guys who think there's a balance involved.

    1. chivo243

      Re: Interesting development in the cloud tug of war

      @Erik4872

      Have an upvote, but I would never allow my connection to AD to have an Achilles heel such as needing an internet connection. No internet connection, no authentication? No work? I see a great advantage to having a replica of your data offsite and in the cloud(?) or co-located, dark fibre to another branch, name your preference.

      I know companies with deep pockets can afford a redundant connection to the internet, but I have to believe that the SMB's may not have that depth of pocket, or the direction to acquire a redundant connection. My organization has a redundant connection, but only 25% of the bandwidth of our primary connection. And the one time we needed the redundant connection, the failover mechanism failed, or did not failover timely enough as the primary connection was restored before the secondary could take over.

      I am waiting for the failover system to be tested again. Not my circus, not my monkeys...

      1. richardcox13

        Re: Interesting development in the cloud tug of war

        > Have an upvote, but I would never allow my connection to AD to have an Achilles heel such as needing an internet connection.

        Hence the approach of running one AD tree in Azure and another in the office(s) with a trust relationship between them.

        This is only worth it when you have enough resources in Azure that the centralised authentication, authorisation, and group policy justify the extra infrastructure (much less than previously) and cost (including someone to do the admin).

        1. Lusty

          Re: Interesting development in the cloud tug of war

          Or just use AAD Connect DirSync whatever it's called today. Or replication? AD was designed around links going down from the word go - we used to be able to sync with SMTP for this reason. Flaky Internet is really not a problem unless you don't know what you're doing.

        2. Anonymous Coward

          Re: Interesting development in the cloud tug of war

          That isn't the only reason. Another would be to move entirely to Azure. For example running your entire desktop service from Azure. Now feasible with Windows 10.

      2. Anonymous Coward

        Re: Interesting development in the cloud tug of war

        It is no different to having an offsite data centre as many of us do. You still need suitable connectivity. You don't HAVE to use the Internet, it's just that that is the cheapest way.

    2. Anonymous Coward

      Re: Interesting development in the cloud tug of war

      It isn't nuts to work totally in Azure, it is what MS are aiming for. Why have your own data centres when they can build them better and cheaper? The current answer would be to have local control of the data but that comes at a massive cost and the investment in tin means a real friction against innovation and change.

      If Microsoft can, as I believe they have, demonstrate that their security model is sound - in fact it is better than the majority of data centres I've reviewed - would I be prepared to take some risk to move entirely to their DC's? Yup, indeed that is exactly what we are considering right now.

      And with Windows 10 and Intune, you no longer need to mess around with GPOs, instead you can move to a purely MDM model of control and validation.

      I know the word "revolution" is terribly overused in IT but we are genuinely on the cusp of one in IT bigger than I've seen in decades.

      1. MissingSecurity

        Re: Interesting development in the cloud tug of war

        Yes, why did we spend the last two decades trying to get out of vendor lock in, when we should just be locking ourselves in.

        I think you'll find that companies aren't building their own data centers. They're renting space (either physical or virtual) in data centers operated by third parties. Their quality can vary but I guarantee if you're in a sector where this matters, there are plenty of options.

        I don't see why I'd move an entire infrastructure from one data center to another, especially if I am a large enough customer to get lucrative deals with the third party.

        I love how you think that innovation has somehow been impeded. The standards, protocols, and technology for doing this have been around FOREVER; in fact a form of this is being done at large corporations everywhere. The real question is will they use a service like MS/Google (cause what you're really getting at is SSO) or, "likely the case", will there still be a mix of services, just your AD instance may or may not be in the cloud.

      2. Anonymous Coward

        Re: Interesting development in the cloud tug of war

        "move entirely to their DC's"

        I'm with you on the security, but the availability is a huge issue right now. Not all systems can be made highly available, especially within the confines of Azure where shared storage is not available without a 3rd party such as NetApp. Microsoft policy is to perform maintenance when they need to, and they give you a 2 day window for this to happen - normally during the week. Your servers will be rebooted when Microsoft need to reboot them - they do not support live migration to mitigate this. Sadly, although the SLA is still many 9's, the unpredictable window in which that downtime happens is not compatible with enterprise IT. It's planned downtime, but not planned by you. Imagine a reboot at month end of your accounts system at midday.

        Once they sort this, it's good to go. Unfortunately Microsoft are hoping applications will be written to be cloud native right now rather than accepting the reality of needing alternative solutions. VMware is the only "cloud" that has live migration and doesn't force downtime and reboots on the customer. Sadly, VMware don't support DR of systems in their cloud.

  3. dan1980

    Finally.

    Now, whether you think that's a good idea or not is another matter but this was a gap that needed to be addressed. If you think it's a bad idea then don't use it and continue as you have been but it's a useful addition that I am sure many will be very pleased with.
