Azure - VM Domain controller - connecting remote clients


I need some guidance and assistance please with more understanding of Azure and having a VM Windows domain controller. I know there are essentially 3 directory services now with Microsoft: AD DS (which is the traditional Active Directory on-premises DC); Azure AD (which is entirely different from AD DS and is a PaaS in Azure); then there is Azure AD Directory Services (which functions much like the on-premises AD but with some limitations).

I am looking at a situation with a client that wants to go to Azure. But we have 2 ways to go:
1) Azure AD
2) or creating a VM in Azure and making it a DC, then creating a site-to-site VPN between the on-premises AD and the cloud VM (Azure). Eventually the client wants to do away with the on-premises DC, but maybe not for 6 months to a year+.

My question is how to have remote users authenticate to the Azure VM Domain Controller?  

I know if we move all the users to Azure AD then we can have each desktop, laptop, mobile device, etc. in Windows 10 just create an account and connect to Azure AD (creating a new profile for that user). By the way, they are already on Office 365, Teams and SharePoint.

But if the client feels they want the DC in the cloud (Azure VM domain controller), does there need to be a VPN between the client and the cloud DC so that users can authenticate and use group policies and network resources/file shares?

Could we take this approach initially, then later on just move it all over to Azure AD (like AD Connect)?

Obviously we can just rip the band-aid off now and go right into Azure AD, but then no more DC (there will still be some onsite users, but 80% will all be remote working from home). But if we move right to Azure AD and do an AD Connect to sync the on-prem AD DS with Azure AD, will users' permissions all migrate over, or does all of that need to be recreated again?

I know Microsoft Endpoint Manager is the way to manage/track all the endpoints (desktops, laptops, mobile devices, etc.) through Azure AD (Intune). That would have to come with the subscription cost for that.

One last part: MFA. Would multi-factor authentication be available with an Azure VM domain controller?

Just need some help mapping this out and finding which solution may be better.  

Thank you very much in advance for your advice and input.
Edward van Biljon (MVP)
You could install AAD Connect and then run hybrid; you have a few options, in the sense that you can have a two-way sync with passwords etc.

If they want to move away from on-premises, instead of paying for a VM that runs 24/7 in Azure and for the site-to-site VPN costs, why not go straight to Azure AD? Yes, there is a cost as well, but if you want to move away from managing everything, go Azure AD.

If you go Azure AD you can enable 2FA. I have a neat profile migration wizard that will move everything as it is in the current profile to the new one they log in to on Azure AD. I have done this for users moving to Azure AD and users moving back to on-premises.
mkavinsky
Thank you for your reply, but I'm still looking for an answer on how to have remote users (working from home) connect and authenticate to an Azure VM domain controller.

And would MFA be available on the Azure VM domain controller too?

Thank you.

Edward van Biljon (MVP)

How are users going to know where to go? You would need to set up a VPN for them to connect then?

If all users move to Azure AD it would not matter about authenticating to a domain controller in Azure.

mkavinsky

Thank you, and yes, I already understand that. That's what I am trying to compare again: yes, with Azure AD the users would authenticate directly and not need a DC. But I am asking about remote users (internal users would authenticate via the on-prem and cloud DC) and how they would authenticate to an Azure VM domain controller. Would they each need a VPN connection to the Azure VM DC, and what Azure solution would do that? The Azure site-to-site would be the VPN between Azure and the onsite AD domain controller.
Edward van Biljon (MVP)

If you run hybrid into Azure AD you do not need a VM in Azure. Remember that VM will cost money every day for storage usage etc. You are also going to pay for the VPN and for licensing that machine in Azure.

Remote users are no different in accessing Azure AD. Your remote users would now use a VPN to get to your data center. Your VPN will be between your DC and Azure. It also has costs associated with it.

I honestly think you should go hybrid and then move everyone to Azure AD and decom the on-premises server.

mkavinsky

Yes, the one option I first mentioned was going straight into Azure AD, with no need for a VM DC. Yes, I know that you will pay for a VM every day and the VPN. You'll also pay for Azure AD (depending on what level: P1, P2, etc.).

I'm not asking about remote users connecting to Azure AD. That would be solved through the Azure authentication, so I get that.

I am specifically trying to look at 2 options here. The second option is to go with an on-prem AD and sync that to an Azure cloud VM DC, syncing AD between the 2. What I am asking is how do the remote clients (laptops, desktops) connect and authenticate to the Azure VM DC? Is it a VPN connection (just like it would be for an on-prem DC for remote users), and if so, what VPN tool is used for that in Azure?

Yes, overall they would like to go right to Azure AD and remove the on-prem DC, but I am just looking at both sides here with the 2 different directory services options.

I'm just figuring I would have the remote clients use the Point-to-Site VPN connection to the DC in the Azure cloud.
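The "option 2" design in the post above (an on-prem AD replicating to a DC running as an Azure VM, with remote Windows 10 clients reaching that DC over a Point-to-Site VPN) is only as good as the tunnel and the ports the client can actually reach through it. The following is an added example, not something posted in this thread or Microsoft's own tooling: a client-side PowerShell check a remote user or a helpdesk tech can run on the laptop after the P2S VPN is up to confirm the machine can find and talk to the Azure VM DC. The domain name, the DC's private IP and the VPN profile name are assumptions and would be replaced with the client's real values.

```powershell
# Added example (not from the original thread): verify that a remote Windows 10
# client can reach an Azure VM domain controller over a Point-to-Site VPN.
# Run in an elevated PowerShell on the remote client once the VPN shows connected.
# All three values below are assumptions for illustration only.
$Domain        = 'corp.example.com'   # assumed AD DS domain name
$AzureDcIp     = '10.0.0.4'           # assumed private IP of the DC VM in the VNet
$VpnConnection = 'Azure-P2S'          # assumed name of the P2S VPN profile on the client

# 1. Tunnel state. The Azure P2S client (IKEv2/SSTP) registers as a normal Windows
#    VPN connection, so Get-VpnConnection sees it (user or all-user profile).
$vpn = Get-VpnConnection -Name $VpnConnection -AllUserConnection -ErrorAction SilentlyContinue
if (-not $vpn) { $vpn = Get-VpnConnection -Name $VpnConnection -ErrorAction SilentlyContinue }
if (-not $vpn -or $vpn.ConnectionStatus -ne 'Connected') {
    Write-Warning "VPN '$VpnConnection' is not connected; the client can only use cached credentials."
} else {
    Write-Host "VPN '$VpnConnection' is connected (protocol: $($vpn.TunnelType))."
}

# 2. Routing. Traffic to the DC must leave via the VPN interface, not the home router.
#    Find-NetRoute returns the route and interface Windows would pick for that address.
$route = Find-NetRoute -RemoteIPAddress $AzureDcIp -ErrorAction SilentlyContinue
$route | Select-Object InterfaceAlias, DestinationPrefix, NextHop | Format-Table -AutoSize

# 3. Ports a domain member needs on a DC. If any of these fail, logon, Group Policy
#    or SYSVOL/file-share access will break even though the tunnel is "up".
$dcPorts = [ordered]@{
    53   = 'DNS (SRV record lookup for the DC locator)'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL, NETLOGON, Group Policy, file shares)'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}
foreach ($port in $dcPorts.Keys) {
    $r = Test-NetConnection -ComputerName $AzureDcIp -Port $port -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OPEN  ' } else { 'BLOCKED' }
    Write-Host ("{0} {1,5}/tcp  {2}" -f $state, $port, $dcPorts[$port])
}

# 4. DC locator. The VPN profile must hand the client a DNS server that hosts the
#    AD zone; otherwise the SRV lookup fails and the client never finds the Azure DC.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port, Priority | Format-Table -AutoSize
nltest /dsgetdc:$Domain /force

# 5. Secure channel to that specific DC. Confirms the machine account password and
#    Kerberos/Netlogon actually work end to end through the tunnel.
$channelOk = Test-ComputerSecureChannel -Server $AzureDcIp -ErrorAction SilentlyContinue
Write-Host "Secure channel to $AzureDcIp OK: $channelOk"

# 6. Join state. For the hybrid path discussed in the thread, DomainJoined and
#    AzureAdJoined should both read YES once AAD Connect has hybrid-joined the device.
$status = dsregcmd /status
$status | Select-String -Pattern 'AzureAdJoined|DomainJoined|DeviceId|TenantName'
```

If step 1 passes but step 3 shows ports blocked, the usual cause is a network security group on the DC's subnet that does not allow the P2S client address pool, or Windows Firewall on the DC VM treating the VPN client range as a public network. If step 4 returns nothing, the P2S profile is not pushing the DC as a DNS server and the client will fall back to its home DNS, which cannot resolve the AD zone.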