What Is Azure AD Domain Services?

Azure Active Directory Domain Services (AD DS) is managed domain service suite that offers full compatibility with Windows Server Active Directory and supports Kerberos/NTLM, domain join, group policy, and LDAP authentication. You can use an AD domain service without manually deploying, managing, or patching domain controllers.

You can integrate Azure AD DS with your existing Azure AD tenant. This integration allows users to log in to services and applications connected to the managed domain using their existing credentials. You can also leverage existing group and user accounts to restrict access and protect your resources. These features enable seamless promotion and transfer of on-premise resources to Azure.

How Does Azure AD DS Work?

When you create an Azure AD DS–managed domain, you must define your own namespace. This namespace is your company’s domain name. Then, you deploy two Windows Server domain controllers (DCs) in the Azure region of your choice. This deployment is called a replica set.

There is no need to configure, manage, or update the DCs. The Azure platform treats DCs as part of a managed domain, which automatically performs backups and encrypts data via Azure Disk Encryption.

Managed domains can perform one-way synchronization in Azure AD to grant access to a set of credentials, users, and groups. You can create a resource directly in a managed domain, but it will not be synchronized with Azure AD. Azure applications, services, and virtual machines that connect to a managed domain can use AD DS features like domain join, Kerberos/NTLM, group policy, and LDAP authentication.

In hybrid environments with on-prem AD DS, you can use Azure AD Connect to synchronize identity information with your cloud-based Azure AD environments. In turn, Azure AD synchronizes the identity information with the managed domain.

Azure AD DS replicates the identity information from Azure AD, so it works with a cloud-only Azure AD tenant or an Azure AD tenant that’s synchronized with your on-premises AD DS environment. Both environments have the same Azure AD DS feature set:

• If you have an existing on-premise AD DS environment, you can enable consistent user identity by synchronizing user account information.
• In a cloud-only environment, there is no need for an existing on-premise AD DS environment to leverage the Azure AD DS centralized identity service.

You can extend the managed domain to have multiple replica sets for each Azure AD tenant. You can add replica sets to peer-to-peer virtual networks in any Azure region that supports Azure AD DS. Adding a replica set to another Azure region can provide geo-disaster recovery for legacy applications when an Azure region goes offline.

AD DS vs. Other Active Directory Options

There are five main options for managing domain services:

• Domain Services (AD DS)—stores directory information centrally and enables domains and users to communicate. This service handles login authentication and verifies user login credentials and permissions when users attempt to connect to devices or resources on the network.
• Lightweight Directory Services (AD LDS)—uses the Lightweight Directory Access Protocol (LDAP), which is similar to AD DS but less restrictive. AD LDS, for example, enables cross-platform features that allow Linux-based computers to operate on a network.
• Federation Services (AD FS)—provides single sign-on (SSO) authentication, allowing users to log in once and access multiple applications within the same user session.
• Rights Management Services (AD RMS)—controls data access policies and manages access rights. For example, permission management determines which folders a user can access.
• Certificate Services (AD CS)—allows domain controllers to create and manage digital signatures, certificates, and public key cryptography.

AD DS has four main benefits compared to other options:

• Hierarchical structure—AD DS provides a structure for organizing the information in Active Directory. This structure is its main advantage.
• Flexibility—AD DS gives you the flexibility to decide how to organize data on your network. It centralizes services such as user and rights management to simplify administrative tasks and provide a level of security. Users can access Active Directory from any device on the network.
• Single point of access—AD DS creates a single point of access to all network resources. This allows IT teams to collaborate more effectively and limits access points to more sensitive resources.
• Redundancy—AD DS has built-in replication and redundancy. There are at least two domain controllers, so if one fails, the other domain controller automatically takes over.

Azure DS vs. Azure AD vs. Azure AD DS

There are three popular ways to use Azure AD-based services to provide access to the central identity of an application, service, or device. This choice of identity solution gives you the flexibility to use a directory that best fits your organization’s needs.

For example, building and running your AD DS identity solution may be unnecessary if you primarily manage cloud-only users on mobile devices. Alternatively, you can use Azure AD.

Although these three identity solutions share the same basic Active Directory concepts and technology, each offers different services to meet diverse customer needs. Each identity solution has distinct features:

• Active Directory Domain Services (AD DS)—an enterprise-grade Lightweight Directory Access Protocol (LDAP) server. It offers critical features like object management, trust, group policy, and identity and authentication. AD DS is a key component of many on-premises enterprise IT environments, providing core computer management and user account authentication capabilities.
• Azure Active Directory (Azure AD)—cloud-based identity and device management providing user account and authentication capabilities for resources like Microsoft 365, Azure portal, and SaaS applications. You can synchronize Azure AD with your on-premises AD DS environment to allow users to create a single identity for both on-prem and cloud-based resources.
• Azure Active Directory Domain Services (Azure AD DS)—offers a subset of existing AD DS features that are fully compatible with Managed Domain Services, including group policy, domain join, Kerberos/NTLM, and LDAP authentication. Azure AD DS integrates with Azure AD and can synchronize with your on-prem AD DS environment. This feature extends the central identity use case to existing web applications running on Azure.

Extend Azure AD to Cloud and On-Premise Applications with Pathlock

Pathlock is the leader in Access Governance for business-critical applications. Staying compliant with Sarbanes-Oxley is a critical business requirement, and Pathlock Control helps to automate the compliance process. As a MISA member, Pathlock can bring these capabilities to users of Azure Active Directory, with tight integration between the solutions.

Customers rely on Pathlock to streamline critical processes like fine-grained provisioning, separation of duties, and detailed user access reviews. Pathlock can connect to a wealth of applications hosted both on-premise and in the cloud.

With Pathlock’s out-of-the-box integration to Azure Active Directory, customers can enjoy the great features they are used to with deeper control over their enterprise applications, including:

• Coverage for the leading business applications, with support for key applications like SAP, Oracle, Workday, Dynamics365, Salesforce, and more
• Perform compliant provisioning at a transaction code or function level into both cloud and on-premise applications
• Define Separation of Duties (SOD) rules, both within an application and across them, and enforce them to prevent access risks and stay compliant
• Enrich User Access Reviews (UARs) with fine-grained entitlement details and usage about transactions performed with specific access combinations

Interested to learn more about the winning combination of Pathlock and Azure Active Directory? Request a demo today to see the solution in action!