Windows Server Active Directory as a Service using Azure AD Domain Services

On October 14, Microsoft released the Public Preview of a new Azure service called “Azure AD Domain Services”.

Azure AD Domain Services provides Azure-based versions of services that are commonly used in a traditional on-prem Windows Server Active Directory. The services provided by Azure AD Domain Services are NTLM, LDAP, Kerberos and Group Policy.

Azure AD Domain Services is best seen as a projection of your on-prem AD, through Azure AD, that is managed for you as a service.

Without Azure AD Domain Services there are two methods to provide Windows Server AD to virtual machines running in Azure, both rather time-consuming and more complex:

  1. Set up a VPN or ExpressRoute connection between Azure and on-prem. Setup costs time, and the availability of AD relies on the availability of the network connection.
  2. Deploy VMs in Azure IaaS with Active Directory installed. This adds costs (for consuming Azure resources) and maintenance (patching).

Azure AD Domain Services is a very efficient way to add Windows Server Active Directory services to Azure AD. It is a Microsoft-managed service billed per hour, and the price depends on the number of objects used. Enabling it is as simple as clicking a few buttons in the Azure portal. You will have to link a single virtual network to AD Domain Services. The end result is that the portal provides two IP addresses. These can be used as pointers to the AD, LDAP, NTLM and Group Policy services. These two IPs can also be used as DNS servers.
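One way to confirm that the two IP addresses really answer for these services, run from a VM on the linked virtual network. This is an added example, not part of the original post or Microsoft's tooling; the IPs and domain name are placeholders, and the port list is the standard one for these protocols (Group Policy is delivered from SYSVOL over SMB).

```powershell
# Placeholders: replace with the two IPs shown in the Azure portal
# and the DNS name of your managed domain.
$DomainName = 'corp.example.com'
$ServiceIps = @('10.0.0.4', '10.0.0.5')

# Standard TCP ports for the services the managed domain offers.
$Ports = [ordered]@{
    'DNS'                 = 53
    'Kerberos'            = 88
    'LDAP'                = 389
    'SMB (SYSVOL / GPO)'  = 445
}

$results = foreach ($ip in $ServiceIps) {
    foreach ($svc in $Ports.Keys) {
        # TCP reachability of each service port on this IP.
        $t = Test-NetConnection -ComputerName $ip -Port $Ports[$svc] `
                                -WarningAction SilentlyContinue
        [pscustomobject]@{
            Ip    = $ip
            Check = "$svc tcp/$($Ports[$svc])"
            Ok    = $t.TcpTestSucceeded
        }
    }

    # Ask this IP directly for the domain controller locator record.
    # A missing SRV answer means clients pointed at this DNS server
    # will not be able to find a domain controller to join or log on.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" `
                           -Type SRV -Server $ip -DnsOnly `
                           -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Ip    = $ip
        Check = 'DNS SRV _ldap._tcp.dc._msdcs'
        Ok    = [bool]($srv | Where-Object { $_.Type -eq 'SRV' })
    }
}

$results | Format-Table -AutoSize

if ($results.Ok -contains $false) {
    Write-Warning 'One or more AD Domain Services checks failed.'
}
```

Running the same script from a machine outside the virtual network should fail every check, which matches the internal-only exposure of the service.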

Azure AD Domain Services retrieves the AD objects (users and groups) from Azure AD. So any organization wanting to use AD Domain Services will have to make sure Azure AD is enabled and has user and group objects in it. For organizations using the on-prem Active Directory as the leading directory, Azure AD Connect is required to feed Azure AD from the on-prem Windows Server AD.


Azure AD Domain Services fills a need for organizations wanting to move to the Azure cloud while keeping their legacy applications. This is a great new service when using SaaS or rewriting the application is not an option. The service is available only in Azure IaaS and only internally, so AD Domain Services cannot be accessed over the internet.

Adding users and groups is done using the Azure management portal. AD Users and Computers does not have an option to create new user and group objects. New OUs cannot be created either. However, adding new computer objects is possible.

Mind that Microsoft supplies two GPO objects: one for users and one for computer objects. You cannot add GPOs yourself.

Azure AD Domain Services is currently available as a Preview in Azure regions in the US, Europe and Southeast Asia. It is available for all editions of Azure Active Directory (free, basic and premium).

This blog has many more details.

This is a great video explaining it all! The video is taken from here.

This blog has a great video explaining AD Domain Services
