Microsoft Ignite NZ 25-28 October 2016 SKYCITY, Auckland
What can Azure AD Domain Services do for you?
Tony Murray
Session objectives & takeaways
Introduce Azure AD Domain Services
Understand how it works & its benefits
See the available GA features
Identify usage scenarios
Understand the product roadmap
Key takeaway: Learn when to use Azure AD Domain Services in preference to alternatives
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Differences in Directory Offerings
AADDS -ne AAD (Azure AD Domain Services is not Azure Active Directory)
AADDS -ne ADDS (Azure AD Domain Services is not Windows Server Active Directory Domain Services)
The wider context: Azure Active Directory
90% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
>10 M Azure AD directories
More than 750 M user accounts on Azure AD
33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers
>110k third-party applications used with Azure AD each month
>1.3 billion authentications every day on Azure AD
Every Office 365 and Microsoft Azure customer uses Azure Active Directory
The wider context: Identity as the core of enterprise mobility
(Diagram: Microsoft Azure Active Directory at the centre, connecting on-premises Windows Server Active Directory and other directories to SaaS applications and the Azure public cloud; labelled with simple connection, self-service and single sign-on.)
Options – moving applications to the cloud
Subscribe to SaaS applications
Rewrite existing applications
'Lift-and-shift' on-premises applications to IaaS
'Lift-and-shift' existing on-premises apps. Easy?
What about identity in the cloud?
(Diagram: on-premises apps that depend on Active Directory are lifted and shifted to Azure, where Azure Active Directory alone does not provide what those apps expect from AD Domain Services.)
AD Domain Services capabilities the apps rely on: domain join, Group Policy, LDAP bind/authentication, Kerberos, NTLM, LDAP read/write.
Two widely-used options today …
Connect app to DC VM in Azure
Connect app to on-premises DC
Imagine a simpler alternative
Simple
Compatible
Available
Cost-effective
Introducing 'Azure AD Domain Services'
(Diagram: Azure Active Directory feeds Azure AD Domain Services, which serves Contoso's workloads/apps in Azure IaaS on a virtual network.)
Managed domain available in your Azure VNet.
Managed domains
Domain controllers are patched automatically.
Secure locked down domain – compliant with AD deployment best-practices.
Fault resilience of Azure.
Automatic health detection & remediation.
Automatic backups for disaster recovery.
No need to monitor replication to DCs.
Highly available domain.
Synced tenants
Automatic background sync to your managed domain
Managed domain available in your Azure VNet.
(Diagram: on-premises Active Directory syncs to Azure Active Directory through Azure AD Connect; Azure Active Directory syncs to Azure AD Domain Services, which serves Contoso's workloads/apps in Azure IaaS on a virtual network.)
Features
Simple deployment
Single managed domain per Azure AD directory
High availability with fault tolerance
Automatic health detection & remediation
Auto-sync from Azure AD – use same users, groups & passwords
On-premises SIDs are synced to SIDHistory in your managed domain
Domain join
Windows Integrated Authentication (Kerberos, NTLM)
LDAP bind and LDAP read
Secure LDAP (including over internet)
Create custom Organizational Units (OUs)
Administer DNS
Basic Group Policy – single built-in GPO each for users & computers containers.
Service availability
North Europe, West Europe, West US, East US, East US 2, Central US, South Central US, East Asia, Southeast Asia, Australia East, Australia Southeast
Networking considerations (1): Use your managed domain in multiple classic virtual networks
Networking considerations (2): Use your managed domain in Resource Manager virtual networks
Networking considerations (3): Subnets and Network Security Groups
Deploy Azure AD Domain Services to a dedicated subnet.
Do not deploy to the Gateway subnet.
Do not apply NSGs to your AAD-DS subnet: an NSG on that subnet prevents Microsoft from being able to manage & update your domain, and it also breaks synchronization with your Azure AD tenant.
Deployment scenarios … 1. Secure, streamlined administration of Azure virtual machines
Domain-join your Azure IaaS virtual machines – Windows Server and Linux
Use your corporate credentials to log in to VMs
No need for local administrator accounts
Use Group Policy (built-in GPO for computers container) to manage & secure domain joined VMs.
(Diagram: domain join / Group Policy applied to Contoso's workloads/apps in Azure IaaS on a virtual network.)
Deployment scenarios … 2. Lift-and-shift applications that use LDAP bind for authentication
Consider the following web-app: An LOB application uses a web-form to collect user credentials and authenticates users via LDAP bind to the directory.
This application can be migrated & deployed in Azure VMs.
End-users sign in using their existing corporate credentials.
The app is deployed in Azure, transparent to end-users.
This app pattern is often used by organizations to grant access to vendors or partners to their applications.
(Diagram: the app on the virtual network performs an LDAP bind to the managed domain.)
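The LDAP-bind sign-in pattern from scenario 2, as an added example that is not part of the original deck: a Python sketch of the web-form login against the managed domain. The domain name contoso.com, the injected bind/search callables and the account-name rules are assumptions of this example, not anything the slides specify.

```python
from typing import Callable, Optional

LDAPS_PORT = 636  # Secure LDAP, the only LDAP transport the managed domain exposes to the internet

# Injected directory operations so the flow runs offline (assumed interface, not a real library):
#   bind(url, upn, password)  -> True if the simple bind succeeded
#   search(url, ldap_filter)  -> the matching user entry, or None
BindFn = Callable[[str, str, str], bool]
SearchFn = Callable[[str, str], Optional[dict]]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def ldaps_url(domain_fqdn: str) -> str:
    return f"ldaps://{domain_fqdn}:{LDAPS_PORT}"


def user_filter(sam_account_name: str) -> str:
    """Filter that locates the signed-in user's entry after a successful bind."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


def authenticate(username: str, password: str, bind: BindFn, search: SearchFn,
                 domain_fqdn: str = "contoso.com") -> Optional[dict]:
    """Web-form sign-in: bind as the user over LDAPS, then read the user's entry.

    Returns the user's directory entry on success, None on any failure.
    """
    # An empty password turns the simple bind into an "unauthenticated bind" (RFC 4513),
    # which a server may answer as anonymous success; refuse it before contacting the directory.
    if not username or not password:
        return None
    # Accept only plain account names, so the UPN and the search filter are built from
    # a value the user cannot shape into another account or another filter.
    if not all(ch.isalnum() or ch in "._-" for ch in username):
        return None
    url = ldaps_url(domain_fqdn)
    # Binding with the user's own UPN needs no service-account search-then-bind round trip.
    if not bind(url, f"{username}@{domain_fqdn}", password):
        return None
    return search(url, user_filter(username))
```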
Deployment scenarios … 3. Lift-and-shift server applications that use Windows Integrated Authentication
Consider the following application: An application uses an AD service account for its web front-end to authenticate access to a backend server.
This application can be migrated & deployed in Azure VMs.
You can create custom OUs & provision service accounts within those OUs.
You can assign custom password policies (e.g. password-never-expires) to service accounts.
GMSAs (Group Managed Service Accounts) work as well.
(Diagram: the front-end on the virtual network authenticates to the backend with WIA using the service account.)
Deployment scenarios … 4. VDI – Lift-and-shift (Remote Desktop in Azure VMs)
Deploy domain joined Remote Desktop VMs for VDI in the cloud.
Use group policy to manage/secure Remote Desktop VMs.
Known issue (Remote Desktop Licensing server): AAD-DS does not support the ability to add computer accounts to the TS licensing group. Workaround: track licensing outside of AAD-DS.
(Diagram: domain-joined Remote Desktop server VMs on the virtual network.)
Deployment scenarios … 5. HD Insights: Secure Hadoop
HD Insights Hadoop clusters can be integrated with AAD Domain Services for secure Hadoop deployments.
Feature currently in public preview.
(Diagram: an HD Insights cluster in an ARM virtual network reaches the managed domain in a classic virtual network over a VNet-to-VNet connection for domain join, Kerberos etc.)
Deciding when not to 'DIY' your AD deployment
Feature comparison: Azure AD Domain Services vs 'do-it-yourself' AD in Azure VMs
Managed service: Yes (Azure AD Domain Services) / No (DIY)
Secured & locked-down deployment: Azure AD Domain Services / Needs to be secured (DIY)
DNS server: Yes (managed service)
Group Policy: Simple (Azure AD Domain Services) / Full (DIY)
Also compared (cell values not captured in this transcript): Domain or Enterprise administrator privileges, Domain join, Domain authentication using NTLM and Kerberos, Custom OU structure, Schema extensions, AD domain/forest trusts, LDAP read, Secure LDAP (LDAPS), LDAP write, Geo-dispersed deployments
More information:
What about client workstations?
Microsoft does not recommend this deployment with AAD Domain Services.
For Windows 10 devices, we recommend Azure AD Join.
Azure AD Join is better suited for mobile clients (e.g. tablets, laptops)
Supports BYO devices
Devices are managed using MDM (Intune)
Works even in the absence of VPN/ExpressRoute connection. More resilient to VPN/ExpressRoute outages.
More information: us/documentation/articles/active-directory-azureadjoin-overview/
(Diagram: client workstations reaching the managed domain on the virtual network over VPN/ExpressRoute for domain join, Kerberos etc.)
How much does it cost?
Demo: Azure AD Domain Services
Roadmap
Azure Resource Manager (ARM) support
Support for new Azure portal (portal.azure.com)
Resource forest deployments
Schema extensions support
Support for LDAP writes
Sophisticated Group Policy support – including custom GPOs.
In review: Session objectives & takeaways
Introduce Azure AD Domain Services.
Understand how it works & its benefits
See the available GA features
Identify usage scenarios
Explore the product roadmap
Key takeaway: Learn when to use Azure AD Domain Services in preference to alternatives