Running Windows Domain Controller in the cloud?


  1. evilsatan said:

    Has anyone managed to do this before? The only thing my local DC is used for is Active Directory and pushing GPOs, as it isn't used to run any software anymore or used as a file server. I thought I could do away with an on-site server/VM and put it in the cloud.

    I have read up about Azure AD a few times over the past year or so and it doesn't sound like it can be used to push "proper" Group Policy to clients; by this I mean using WMI filters, OUs etc. to set policy. I have come across Intune in my research, but still it seems that has limited policies, mainly for controlling mobile devices.

    Am I best putting a Windows Server VM in the cloud? Anyone tried it?

    Cheers

     
  2. evilsatan said:

    I made some time to try this out and got it to work. Set up a virtual network in Azure, then set up a virtual network gateway and a site-to-site VPN with my Draytek router. I then set up a Server 2016 VM in Azure, promoted it to a DC, set the DNS in my Draytek to use the remote DC IP as primary and OpenDNS as secondary, and was then able to fire up some local VMs and join the remote domain. Set up some WMI filters and policies were pushed to clients correctly.

    Folder redirection will be a no-no as it would rinse bandwidth, but the idea is we will use cloud-based file solutions such as SharePoint/Dropbox for Business (with Smart Sync enabled) and the DC would just be used for AD and GPO.

    I had lightly tested JumpCloud a year or two ago but found the policies to be too limited; sometimes we need to add/edit registry keys in policies etc., so their preset policies weren't quite enough. If anyone has any other ideas about what can be used for AD/GPO it would be great to hear them, as this all seems a bit overkill when just using those services.
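    The procedure in this post, written out as an added PowerShell example (this is not the poster's own script). Everything concrete in it is assumed: the domain corp.example.com, the Azure DC's private IP 10.10.0.4, the Workstations OU, the GPO name and the registry value. Steps 1 and 2 run on the Azure VM; step 3 runs on a LAN client once the site-to-site VPN is up, and is the check worth doing before trying a domain join: if the SRV lookup or the port tests fail, the VPN or the NSG is the problem, not AD. Two caveats from practice: give the DC VM a static private IP and no public IP (RDP to it over the VPN, and restrict the NSG to the gateway subnet), and be aware that a non-domain secondary DNS such as OpenDNS can make clients fail to locate the DC when the primary is slow to answer, so the secondary is better pointed at a second DC or left empty. WMI filters have no cmdlet in the GroupPolicy module, so they are still created in GPMC and attached to the GPO there.

```powershell
# Added example, not from the original post. Assumed values: corp.example.com,
# DC private IP 10.10.0.4, OU=Workstations, GPO name and registry value below.
#Requires -RunAsAdministrator

# --- 1. On the Azure VM: promote it to the first DC of a new forest ---
# Set the NIC to a static private IP in Azure first; a DC must not change address.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$safeModePwd = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'
Install-ADDSForest `
    -DomainName 'corp.example.com' `
    -DomainNetbiosName 'CORP' `
    -SafeModeAdministratorPassword $safeModePwd `
    -InstallDns `
    -Force
# The VM reboots at the end of promotion.

# --- 2. On the DC after reboot: an OU plus a GPO that sets a registry key ---
Import-Module ActiveDirectory
Import-Module GroupPolicy

New-ADOrganizationalUnit -Name 'Workstations' -Path 'DC=corp,DC=example,DC=com'

$gpo = New-GPO -Name 'Workstation baseline' -Comment 'Pushed from the Azure-hosted DC'
# Set-GPRegistryValue writes a Policies-hive value; this one turns on SmartScreen
# for Explorer and is only an example of "add/edit reg keys in policies".
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'EnableSmartScreen' -Type DWord -Value 1
New-GPLink -Name $gpo.DisplayName `
    -Target 'OU=Workstations,DC=corp,DC=example,DC=com' -LinkEnabled Yes
# A WMI filter (e.g. only ProductType = 1, i.e. workstations) is created in GPMC
# under WMI Filters and then selected on the GPO's Scope tab.

# --- 3. From a LAN client: prove the DC is reachable across the VPN, then join ---
$dcIp  = '10.10.0.4'
$fqdn  = 'corp.example.com'

# Clients find DCs through this SRV record, so it must resolve via the DC's DNS.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$fqdn" -Type SRV -Server $dcIp |
    Format-Table Name, NameTarget, Port

# TCP ports a domain join and GPO processing need through the tunnel.
# (Kerberos 88 and DNS 53 are also UDP; RPC uses 135 plus the dynamic range
#  49152-65535, which a single-port test cannot cover.)
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC EPM'; 389 = 'LDAP'
            445 = 'SMB (SYSVOL)'; 464 = 'kpasswd'; 636 = 'LDAPS' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $r = Test-NetConnection -ComputerName $dcIp -Port $p -WarningAction SilentlyContinue
    '{0,5}  {1,-14} {2}' -f $p, $ports[$p], $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# Only join once the checks above pass.
$cred = Get-Credential -UserName 'CORP\Administrator' -Message 'Domain join account'
Add-Computer -DomainName $fqdn -OUPath 'OU=Workstations,DC=corp,DC=example,DC=com' `
    -Credential $cred -Restart

# After the reboot and a domain logon:
#   gpupdate /force ; gpresult /r
# confirms "Workstation baseline" is listed under Applied Group Policy Objects.
```

    If a port shows BLOCKED while the SRV record resolves, check the NSG on the DC's subnet and the firewall rules on the router's VPN interface before touching AD; if the SRV lookup itself fails, the client is not using the DC as its DNS server through the tunnel.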

     
  3. liveseytowers said:

    I get the logic, but it just doesn't seem quite right having a VPN into Azure and then running a VM with a domain controller on it. I'd question how I can remove the need for a domain controller altogether rather than how I can connect to my domain controller in Azure. What about using Intune or some other form of MDM to manage devices? Have you considered having a DC without the VPN and then using AAD Connect to sync your identities to Azure AD instead, and then having users sign into their PCs using their Azure AD account instead? Or just having Azure AD-only identities?

    I'm assuming you don't have too many users if you only have one DC to worry about?

  4. evilsatan said:

    Quote originally posted by liveseytowers:
    > I get the logic, but it just doesn't seem quite right having a VPN into Azure and then running a VM with a domain controller on it. I'd question how I can remove the need for a domain controller altogether rather than how I can connect to my domain controller in Azure. What about using Intune or some other form of MDM to manage devices? Have you considered having a DC without the VPN and then using AAD Connect to sync your identities to Azure AD instead, and then having users sign into their PCs using their Azure AD account instead? Or just having Azure AD-only identities?
    >
    > I'm assuming you don't have too many users if you only have one DC to worry about?

    You're right, there aren't many users, which is partly why I was avoiding upgrading an on-site DC, as it's not needed as a file server, and yes, ideally I'd get rid of it altogether, but during my research and demos of third-party solutions none seemed to have the same GPO abilities. I looked into Azure AD several times, but each time the consensus seemed to be that it can't be used for GPOs. I hadn't thought about connecting the DC to it, so will check that out. I only read the brief description of Intune, but I thought it was mainly meant for mobile devices.

    I might take another look at JumpCloud too; one benefit of it was that it supports Macs too, so maybe I can get by on limited GPOs.

     
  5. liveseytowers said:

    Microsoft have a big event happening in London this week, Future Decoded. It's fully booked now, but you'll be able to watch the sessions online or after the event. This one sounds like it would be relevant as it's talking about the modern workplace and how you can get rid of AD. You'll probably need to change your way of thinking though, as you are right, Azure AD doesn't have the same GPO functionality, but you can secure a device in other ways in a modern workplace.