Microsoft Ignite NZ 25-28 October 2016 SKYCITY, Auckland.

Presentation transcript:

What can Azure AD Domain Services do for you?
Tony Murray

Session objectives & takeaways
- Introduce Azure AD Domain Services
- Understand how it works & its benefits
- See the available GA features
- Identify usage scenarios
- Understand the product roadmap
Key takeaway: Learn when to use Azure AD Domain Services in preference to alternatives

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Differences in Directory Offerings
- AADDS -ne AAD (Azure AD Domain Services is not Azure Active Directory)
- AADDS -ne ADDS (Azure AD Domain Services is not on-premises Active Directory Domain Services)

The wider context: Azure Active Directory
- 90% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
- >10 M Azure AD directories
- More than 750 M user accounts on Azure AD
- 33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers
- >110k third-party applications used with Azure AD each month
- >1.3 billion authentications every day on Azure AD
- Every Office 365 and Microsoft Azure customer uses Azure Active Directory

The wider context: Identity as the core of enterprise mobility
Diagram: Microsoft Azure Active Directory at the centre, connecting on-premises Windows Server Active Directory and other directories with SaaS, Azure and public-cloud applications; simple connection, single sign-on and self-service.

Options – moving applications to the cloud
- Subscribe to SaaS applications
- Rewrite existing applications
- 'Lift-and-shift' on-premises applications to IaaS

'Lift-and-shift' existing on-premises apps. Easy?
What about identity in the cloud?
Diagram: on-premises apps depend on Active Directory Domain Services for domain join, Group Policy, LDAP bind/authentication, Kerberos/NTLM and LDAP read/write; after lift-and-shift to Azure, the open question is what provides these alongside Azure Active Directory.

Two widely-used options today …
- Connect the app to a DC VM in Azure
- Connect the app to an on-premises DC

Imagine a simpler alternative
- Simple
- Compatible
- Available
- Cost-effective

Introducing 'Azure AD Domain Services' …
Diagram: Azure Active Directory provides Azure AD Domain Services as a managed domain available in your Azure virtual network, alongside Contoso's workloads/apps in Azure IaaS.

Managed domains
- Domain controllers are patched automatically.
- Secure, locked-down domain, compliant with AD deployment best practices.
- Fault resilience of Azure.
- Automatic health detection & remediation.
- Automatic backups for disaster recovery.
- No need to monitor replication to DCs.
- Highly available domain.

Synced tenants
Diagram: on-premises Active Directory syncs to Azure Active Directory via Azure AD Connect; an automatic background sync then populates your managed domain, which is available in your Azure virtual network alongside Contoso's workloads/apps in Azure IaaS.

Features
- Simple deployment
- Single managed domain per Azure AD directory
- High availability with fault tolerance
- Automatic health detection & remediation
- Auto-sync from Azure AD – use the same users, groups & passwords
- On-premises SIDs are synced to SIDHistory in your managed domain
- Domain join
- Windows Integrated Authentication (Kerberos, NTLM)
- LDAP bind and LDAP read
- Secure LDAP (including over the internet)
- Create custom Organizational Units (OUs)
- Administer DNS
- Basic Group Policy – a single built-in GPO each for the users & computers containers

Service availability
North Europe, West Europe, West US, East US, East US 2, Central US, South Central US, East Asia, Southeast Asia, Australia East, Australia Southeast
https://azure.microsoft.com/en-us/regions/#services

Networking considerations (1) Use your managed domain in multiple classic virtual networks

Networking considerations (2) Use your managed domain in Resource Manager virtual networks

Networking considerations (3): Subnets and Network Security Groups
- Deploy Azure AD Domain Services to a dedicated subnet.
- Do not deploy to the Gateway subnet.
- Do not apply NSGs to your AAD-DS subnet. An NSG on that subnet prevents Microsoft from managing & updating your domain, and it also breaks synchronization with your Azure AD tenant.
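The three subnet rules above are easy to check before you enable the service. The following function is an added example, not code from the deck or from Microsoft: it reads the target subnet from a Resource Manager virtual network and reports whether it is the gateway subnet, whether other resources already have IP configurations in it, and whether an NSG is attached. It assumes the Az PowerShell module (which post-dates this 2016 deck; the AzureRM.* cmdlets of the time have the same shape) and uses hypothetical resource names in the usage line.

```powershell
# Added example (not from the original deck). Audits the subnet intended for
# Azure AD Domain Services against the slide's rules before deployment.
# Assumes the Az module is installed and Connect-AzAccount has been run.
function Test-AaddsSubnet {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $VNetName,
        [Parameter(Mandatory)] [string] $SubnetName
    )

    $vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VNetName
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName -ErrorAction SilentlyContinue
    if (-not $subnet) {
        return [pscustomobject]@{ Subnet = $SubnetName; Ready = $false; Findings = @('subnet does not exist') }
    }

    $findings = @()

    # Rule: never the gateway subnet. Azure reserves the name 'GatewaySubnet'.
    if ($subnet.Name -eq 'GatewaySubnet') {
        $findings += 'subnet is the GatewaySubnet'
    }

    # Rule: dedicated subnet. Existing NIC IP configurations mean other
    # workloads already live here.
    if ($subnet.IpConfigurations.Count -gt 0) {
        $findings += "subnet already has $($subnet.IpConfigurations.Count) IP configuration(s) from other resources"
    }

    # Rule: no NSG. An NSG here blocks the management and sync traffic the
    # service needs to patch the domain controllers and sync from Azure AD.
    if ($subnet.NetworkSecurityGroup) {
        $findings += "NSG attached: $($subnet.NetworkSecurityGroup.Id)"
    }

    [pscustomobject]@{
        Subnet   = $subnet.Name
        Prefix   = ($subnet.AddressPrefix -join ',')
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage with hypothetical names:
# Test-AaddsSubnet -ResourceGroupName 'rg-identity' -VNetName 'vnet-hub' -SubnetName 'snet-aadds'
```

A result with Ready set to false lists every rule the subnet breaks, so the check can run in a deployment pipeline as a gate rather than as a one-off manual review.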

Deployment scenarios 1. Secure, streamlined administration of Azure virtual machines
- Domain-join your Azure IaaS virtual machines – Windows Server and Linux
- Use your corporate credentials to log in to VMs
- No need for local administrator accounts
- Use Group Policy (built-in GPO for the computers container) to manage & secure domain-joined VMs
Diagram: domain join / Group Policy from the managed domain to Contoso's workloads/apps in the Azure IaaS virtual network.

Deployment scenarios 2. Lift-and-shift applications that use LDAP bind for authentication
Consider the following web app: an LOB application uses a web form to collect user credentials and authenticates users via LDAP bind to the directory.
- This application can be migrated & deployed in Azure VMs.
- End users sign in using their existing corporate credentials.
- The app is deployed in Azure, transparently to end users.
- This app pattern is often used by organizations to grant vendors or partners access to their applications.
Diagram: LDAP bind from the app in the virtual network to the managed domain.
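The authentication step of the web app described above can be exercised from the migrated VM with the .NET LDAP client, which also demonstrates the Secure LDAP feature listed earlier. The function below is an added example, not code from the deck or from the LOB application: it binds to the managed domain over LDAPS on port 636 and treats a bind failure as a rejected login. It assumes a managed domain named contoso.com whose Secure LDAP certificate the VM trusts, and a hypothetical host name for the LDAPS endpoint.

```powershell
# Added example (not from the original deck): validate web-form credentials by
# LDAP simple bind over Secure LDAP to the managed domain.
# Assumptions: Secure LDAP is enabled on the managed domain, its certificate is
# trusted by this host, and the caller supplies the user's UPN.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBindCredential {
    param(
        [Parameter(Mandatory)] [string] $LdapServer,          # e.g. 'ldaps.contoso.com' (hypothetical)
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [System.Security.SecureString] $Password
    )

    # An LDAP simple bind with an empty password is an unauthenticated bind,
    # which AD accepts, so a web form that forwards an empty password would
    # "log in" anyone. Reject it before the bind is attempted.
    if ($Password.Length -eq 0) { return $false }

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapServer, 636)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    try {
        $connection.SessionOptions.SecureSocketLayer = $true   # LDAPS only; never plaintext on 389
        $connection.SessionOptions.ProtocolVersion  = 3
        $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic

        $credential = New-Object System.Net.NetworkCredential($UserPrincipalName, $Password)
        $connection.Bind($credential)   # throws LdapException on invalid credentials
        return $true
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # Wrong password, unknown user or disabled account all surface here;
        # the app should log the failure and show a generic error to the user.
        return $false
    }
    finally {
        $connection.Dispose()
    }
}

# Usage (hypothetical endpoint; the password is read interactively so it is
# never placed on the command line):
# $pw = Read-Host -AsSecureString -Prompt 'Password'
# Test-LdapBindCredential -LdapServer 'ldaps.contoso.com' -UserPrincipalName 'alice@contoso.com' -Password $pw
```

Leave certificate validation enabled on the LdapConnection: because the deck allows Secure LDAP to be exposed over the internet, a client that skips validation would accept any listener that presents itself as the managed domain.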

Deployment scenarios 3. Lift-and-shift server applications that use Windows Integrated Authentication
Consider the following application: an application uses an AD service account for its web front end to authenticate access to a backend server.
- This application can be migrated & deployed in Azure VMs.
- You can create custom OUs & provision service accounts within those OUs.
- You can assign custom password policies (e.g. password-never-expires) to service accounts.
- gMSAs (Group Managed Service Accounts) work as well.
Diagram: WIA using the service account between the front end and the backend in the virtual network.
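The custom OU, the password-never-expires service account and the gMSA that this scenario relies on can all be provisioned from a domain-joined management VM with the ActiveDirectory module. The script below is an added example, not code from the deck: it assumes a managed domain named contoso.com, that the account running it is in the 'AAD DC Administrators' group that administers the managed domain, and hypothetical names for the OU, accounts and the front-end host.

```powershell
# Added example (not from the original deck). Provisions the identities for a
# lifted-and-shifted WIA application in a custom OU of the managed domain.
# Assumptions: RSAT ActiveDirectory module installed, run by a member of the
# 'AAD DC Administrators' group, managed domain contoso.com, host LOBWEB01.
Import-Module ActiveDirectory

$domainDn = 'DC=contoso,DC=com'

# 1. A custom OU for the app's service identities. Synced users and groups
#    live in the read-only containers populated from Azure AD; objects you
#    create yourself go in your own OU.
New-ADOrganizationalUnit -Name 'LOB-ServiceAccounts' -Path $domainDn -ProtectedFromAccidentalDeletion $true
$ouDn = "OU=LOB-ServiceAccounts,$domainDn"

# 2. A conventional service account with a non-expiring password, the pattern
#    the slide describes. Lock it so the password cannot be changed ad hoc.
$svcPassword = Read-Host -AsSecureString -Prompt 'Password for svc-lobweb'
New-ADUser -Name 'svc-lobweb' -SamAccountName 'svc-lobweb' -Path $ouDn `
    -AccountPassword $svcPassword -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'LOB web front end: WIA to backend'

# 3. The gMSA alternative: the domain rotates the password automatically and
#    only members of the listed group can retrieve it, so no static secret has
#    to be stored in the application's configuration.
New-ADGroup -Name 'LOB-WebFrontEnds' -GroupScope Global -Path $ouDn
Add-ADGroupMember -Identity 'LOB-WebFrontEnds' -Members 'LOBWEB01$'
New-ADServiceAccount -Name 'gmsa-lobweb' -DNSHostName 'lobweb.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'LOB-WebFrontEnds' -Path $ouDn

# 4. On the front-end host (LOBWEB01), after a reboot so its new group
#    membership is in its token, install and verify the gMSA:
# Install-ADServiceAccount -Identity 'gmsa-lobweb'
# Test-ADServiceAccount -Identity 'gmsa-lobweb'   # True when the host can use it
```

Prefer step 3 over step 2 where the application can run as a gMSA: a never-expiring password on a conventional account is the secret most likely to outlive the people who set it, whereas a gMSA's secret is never known to anyone.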

Deployment scenarios 4. VDI – Lift-and-shift (Remote Desktop in Azure VMs)
- Deploy domain-joined Remote Desktop VMs for VDI in the cloud.
- Use Group Policy to manage/secure Remote Desktop VMs.
- Known issue: Remote Desktop Licensing server. AAD-DS does not support adding computer accounts to the TS licensing group. Workaround: track licensing outside of AAD-DS.
Diagram: domain join from the managed domain to the Remote Desktop server VMs in the virtual network.

Deployment scenarios 5. HDInsight Secure Hadoop
- HDInsight Hadoop clusters can be integrated with AAD Domain Services for secure Hadoop deployments.
- Feature currently in public preview.
Diagram: the HDInsight cluster in an ARM virtual network connects over a VNet-to-VNet connection to the classic virtual network hosting the managed domain (domain join, Kerberos etc.).

Deciding when not to 'DIY' your AD deployment
Feature comparison, Azure AD Domain Services vs. 'Do-it-yourself' AD in Azure VMs (only the values that survived extraction are shown):
- Managed service: Yes vs. No
- Secured & locked-down deployment: DIY needs to be secured
- DNS server: Yes (managed service)
- Domain or Enterprise administrator privileges
- Domain join
- Domain authentication using NTLM and Kerberos
- Custom OU structure
- Schema extensions
- AD domain/forest trusts
- LDAP read
- Secure LDAP (LDAPS)
- LDAP write
- Group Policy: Simple vs. Full
- Geo-dispersed deployments
More information: https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-comparison

What about client workstations?
- Microsoft does not recommend this deployment with AAD Domain Services.
- For Windows 10 devices, we recommend Azure AD Join.
- Azure AD Join is better suited for mobile clients (e.g. tablets, laptops):
  - Supports BYO devices
  - Devices are managed using MDM (Intune)
  - Works even in the absence of a VPN/ExpressRoute connection; more resilient to VPN/ExpressRoute outages
More information: https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-overview/
Diagram: client workstations would need a VPN/ExpressRoute connection into the virtual network for domain join, Kerberos etc.

How much does it cost?

Demo: Azure AD Domain Services

Roadmap
- Azure Resource Manager (ARM) support
- Support for the new Azure portal (portal.azure.com)
- Resource forest deployments
- Schema extensions support
- Support for LDAP writes
- Sophisticated Group Policy support – including custom GPOs

In review: Session objectives & takeaways
- Introduce Azure AD Domain Services
- Understand how it works & its benefits
- See the available GA features
- Identify usage scenarios
- Explore the product roadmap
Key takeaway: Learn when to use Azure AD Domain Services in preference to alternatives
