Azure Active Directory Domain Services in the Cloud
Brandon Carnahan
What if I told you that all you need to operate a full-fledged business network is an internet connection? You might laugh in my face. Small and medium businesses are increasingly leveraging technology to make the most of their opportunities. But when do you make that investment, that leap to actually owning more than a laptop and a printer? Obviously that tipping point is different for every business. What would you think if I told you that you didn't have to make that decision right now, or maybe ever? Surprised, crazy even, you would say.
Microsoft announced Azure Active Directory (AAD) Domain Services. What does that mean? Microsoft is now offering a cloud service that provides Domain Services off premises. In the traditional IT world Active Directory Domain Services is a critical service, probably THE critical service! It is the gatekeeper holding usernames, passwords, groups, and permissions for your entire network. Like any critical piece of Microsoft infrastructure, it consistently needs updates and maintenance. It also needs a server or two to run on for redundancy. These servers need power and licenses. So let's do some quick math for a small or medium business:
For this exercise I'm going to use the setup I would recommend for a small business of 30 users that needs reliable hardware and redundancy for its network, like Microsoft provides in the cloud.
2 Servers initial investment cost:
Prices approx. from NEWEGG.com
- HP ML110: $800 x 2 servers = $1600
- 2TB HDD x 2 = $150
- Windows Server 2012 R2 Standard license x 2= $1000
- CAL for 30 users= 6 sets of 5 CALs 6 x $150= $900
- Total initial investment= $3650
- Power: 2 x 350 W power supplies x 24 hrs x $0.1181391 per kWh = approx. $2 a day = $730 a year (Source)
So at first glance it will cost you over $4000 to create a basic redundant AD network in the first year. Ouch! You could always lessen the blow by cutting down equipment costs, but then you don't have a warranty for that equipment, or it is less reliable. We aren't figuring in the office space or the time spent maintaining the hardware or operating system. Right now, Microsoft has pricing listed that for fewer than 1250 users AAD Domain Services will cost $38 a month. Do the math: 38*12=$456, or about 10% of your initial investment. Now there is additional expense related to the amount of data traffic you have, but I'm confident it will be significantly less than the $4K you just saved.
This sounds like a pretty great service, but Domain Services in the cloud? I'm not sure if that is a good idea. What if I have software that needs to authenticate to my AD? Well, Azure Active Directory Domain Services supports LDAP, Kerberos and NTLM. Basically, if it authenticates to a local AD, it can do it in the cloud. What about Group Policy? AAD has that too, but I will discuss that in a later post. What about security? Well, if you use Office 365 you are using AAD already. Have you had any security issues? I didn't think so! How secure would your local domain server be? What if there is a break-in? If you have doubts about security, I highly encourage a visit to the Microsoft Azure Trust Center website.
IT as a service: Active Directory Domain Services in the Azure Cloud
There is a business case for Domain Services in the cloud. As we will discuss, there are some limitations on the domain services in the cloud. So why consider the cloud? Well, the cost saving is a powerful consideration. However, a company with 20 to 30 users probably already has some or all of a network infrastructure in place. It may even have a redundant AD solution in place. Is there a reason to consider cloud-based domain services? I will discuss 3 different scenarios that come to mind.
Scenario 1: Quick and Easy Dev environment
The old standby for the cloud. A company may be testing a new app for the business. Using Domain Services in the cloud is much cheaper and simpler than standing up an additional AD server in the cloud. Rather than configuring domain replication over a site-to-site VPN, AADConnect can be used to pull in the directory, and test VMs can be joined in Azure. Quick and easy dev environment. This is a service that can be turned on and off, which also makes it great for a dev environment.
Scenario 2: Infrastructure Refresh
Consider a business needing an infrastructure refresh and an upgrade to Server 2012, possibly coming from 2003. Due to the limits of cloud Domain Services you may not want to be completely in the cloud, but putting your redundant domain services in the cloud would reduce the cost of the refresh. Depending on the size of your servers' power supplies, the power savings alone could justify using cloud-based domain services. For a company with fewer than 1000 users, it could be like getting two backup domain servers for the price of powering one server on premises. Now, this will require some technical know-how to meld this in with your current network, since it requires a site-to-site VPN connection into Azure, but the savings over a new server cost is hard to ignore!
Scenario 3: AD Continuity
What is probably the one service that any IT infrastructure relies on more than any other and can least afford to lose? It's the authenticating directory. If I can't authenticate, I can't log on to LOB apps; if I can't log in, I'm not making any money for my company. Cloud Domain Services can be used as an as-needed backup solution for AD. If you were to lose on-premises AD, it doesn't mean that all business must stop. On-site apps could still authenticate to your cloud domain directory while IT figures out what in the heck just happened to the on-premises DC. File shares could still share while you investigate. Business continuity with minimal setup!
The benefits don't stop there. If you also add AAD Premium for about $6 a user, you open up some pretty great options. AAD provides single sign-on for a growing list of business apps that integrate seamlessly with AAD. For your users, Multi-Factor Authentication protects them, as well as the business, from compromised accounts. Some nice add-on features.
What is the catch? There are a few catches here. This is not a perfect replacement strategy for every AD implementation. First of all, Group Policy management is limited. According to the documentation you can only implement 1 built-in Group Policy for users and 1 policy for computers. You can only implement 1 domain per directory, so child domains are not going to be in play. Since this is a managed service, Enterprise and Domain Administrator roles are not available. This service is only in preview, so I would imagine that the list of things you can do will get larger and the list of things you can't do will get smaller over time.
Today, Azure Active Directory is not a full replacement for on-premises Active Directory, but with the addition of Domain Services it gets one step closer. If you can't live with the AAD limitations mentioned above, you have the option to run your own domain controllers in the cloud. Whether you use AAD or build your own cloud domain controllers, all you will need to operate a fully developed network is an internet connection!
by Monty Harris, Magenium Solutions, firstname.lastname@example.org
Photos source Microsoft