New Zealand | Azure AD Domain Services Replica Sets

Neil Hoffman - 06.12.2021

Azure AD Domain Services Replica Sets


I wanted to do a quick blog today around an awesome feature which has just been added to Azure Active Directory Domain Services (AADDS) called Replica Sets.

Before I explain the benefits of Replica Sets, let me recap what AADDS is. AADDS, also known as Domain Controller-as-a-Service, is a hosted Active Directory (AD) in the Azure cloud which you don’t need to manage, configure or update. AADDS is not to be confused with Azure Active Directory (AAD), however if you are a bit perplexed, please read on.

WHAT IS AZURE ACTIVE DIRECTORY

When you first describe AAD to someone, they usually think it is “Domain Controllers in the Sky” or something similar. This is not an accurate description of AAD. 

AAD is an Identity-as-a-Service platform which is born in the cloud and made to support cloud applications with native web-based protocols such as OAuth2, OpenID Connect, SAML and WS-Fed. While you can join a computer to AAD (Azure AD Join), the relationship is very different from a traditional on-premises AD join of yesteryear. Also, AAD does not support any of the older protocols found in traditional AD, such as Kerberos and LDAP. The older protocols were designed to work on a local LAN and not over the public Internet. 

WHAT IS AZURE ACTIVE DIRECTORY DOMAIN SERVICES

AADDS offers a managed AD environment which runs in an Azure Virtual Network and includes hosted Domain Controller VMs that your Azure VMs can leverage just as they would traditional Domain Controllers. These Domain Controllers support Kerberos, LDAP and even GPOs. AADDS is, in fact, more of a “Domain Controller in the Sky” solution. 

Although many organisations operate an on-premises AD, there are other cases where a full-blown AD running on VMs is not required or desired. An example of this would be a born-in-the-cloud organisation which has no on-premises AD and wants to leverage Azure Virtual Desktop (AVD). Even though AVD is part of Microsoft 365, it does have a dependency on AD since the AVD VMs must be AD domain joined (not Azure AD Joined). It would be crazy to ask an organisation to implement a traditional AD infrastructure just to support AVD. In this case AADDS would be a fantastic way to achieve this requirement with very little effort.

AADDS can be considered an extension of AAD, since all the user/credentials, groups, and group memberships from AAD are synchronized into AADDS on an ongoing basis. If your AAD is synced from an on-premises AD, then AADDS could ultimately mirror your on-premises AD. If AAD is not synced with on-premises AD, then AAD would be the source of authority for AADDS since the synchronization of objects is one way, AAD to AADDS. AADDS does not write back to AAD nor, by extension, AD if there is one. 

Here is what the relationship looks like with on-premises AD -> synced to Azure AD -> synced to AADDS:

[Diagram: on-premises AD synced to Azure AD, which in turn syncs one way to the AADDS managed domain]

Notice the arrow from Azure AD to the managed domain (AADDS) is a one-way relationship. Even though you can create users and groups in AADDS, they are not synced back to Azure AD, and if you do have an on-premises domain synced to Azure AD (as shown in the diagram above on the far right), there is no direct communication between the on-premises AD and AADDS. The on-premises AD has no knowledge that this AADDS managed domain even exists.

WHAT IS CHANGING

One major limitation of AADDS has been its inability to support multiple regions. That means you cannot plan for any type of multi-region deployment to support geo-dispersed organisations, high availability, or disaster recovery scenarios. You could create separate AADDS instances in different regions, however they would not share directory information between them, such as computer accounts, thus limiting the benefit.

Microsoft has now introduced the concept of Replica Sets, which allow you to create replicas of an AADDS instance in up to four additional regions. Customers who are geo-dispersed or have a requirement for true business continuity and disaster recovery can now seriously consider AADDS over a traditional AD deployment.

Here are some design considerations if you are planning to implement Replica Sets:

  • IP addressing of the VNETs in the different regions which will host AADDS replicas must not overlap since they will all need to be peered with each other to support the AADDS replication
  • Of the three SKUs of AADDS, you must be on either Enterprise or Premium. Standard will not support replica sets; the good news is it is a simple process to upgrade the SKU from Standard
  • Billing for each replica set is based on AADDS SKU. For example, if you have a managed domain which uses the Enterprise SKU and you have two replica sets, your subscription is billed per hour for the initial instance of Enterprise as well as the two replica sets
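As an added example (not from the original post), the following script applies the design constraints above to a planned multi-region layout: every VNET that will host a replica set must have a non-overlapping address space, the full mesh of peerings is enumerated, the SKU must be Enterprise or Premium, and there are at most four replica sets in addition to the initial instance. The region names and address prefixes are constructed sample values, not real deployments.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan: the initial AADDS VNET plus replica-set VNETs in
# other regions. Names and prefixes are made up for illustration; the third
# entry deliberately overlaps the primary so the check has something to find.
PLANNED_VNETS = {
    "australiaeast-primary": ["10.10.0.0/16"],
    "australiasoutheast-replica": ["10.11.0.0/16"],
    "southeastasia-replica": ["10.10.128.0/17"],
}

MAX_REPLICA_SETS = 4                      # "up to four additional regions"
SUPPORTED_SKUS = ("Enterprise", "Premium")  # Standard does not support replica sets


def find_overlaps(vnets):
    """Return (vnet_a, prefix_a, vnet_b, prefix_b) for every pair of
    address prefixes, across different VNETs, that overlap."""
    overlaps = []
    for (name_a, prefixes_a), (name_b, prefixes_b) in combinations(vnets.items(), 2):
        for pa in prefixes_a:
            for pb in prefixes_b:
                if ipaddress.ip_network(pa).overlaps(ipaddress.ip_network(pb)):
                    overlaps.append((name_a, pa, name_b, pb))
    return overlaps


def required_peerings(vnets):
    """Replica-set VNETs must all be peered with each other (full mesh),
    so the peering count grows as n*(n-1)/2 for n VNETs."""
    return [tuple(sorted(pair)) for pair in combinations(vnets, 2)]


def replica_set_plan_is_valid(vnets, sku):
    """True only if the plan meets all constraints listed in the post."""
    replica_count = len(vnets) - 1  # everything except the initial instance
    return (
        sku in SUPPORTED_SKUS
        and replica_count <= MAX_REPLICA_SETS
        and not find_overlaps(vnets)
    )


if __name__ == "__main__":
    for conflict in find_overlaps(PLANNED_VNETS):
        print("address space overlap:", conflict)
    print("peerings required:", required_peerings(PLANNED_VNETS))
    print("plan valid on Enterprise:", replica_set_plan_is_valid(PLANNED_VNETS, "Enterprise"))
```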

This is a major improvement to AADDS and takes what used to be a clever but not-quite-enterprise-ready solution to the next level. If you have a genuine use case for AADDS and were hesitant due to the lack of multi-region support, then you should have another look!

You can read more of my blogs here.
