How to use a new AD domain without on-premise AD server

    Question

  • I have a small client that we're trying to move to the cloud for all services. Currently they do not have any AD domain or server setup internally. My intention is to create an Azure-based AD domain and manage all user accounts in the cloud. Then users would log into their Windows 7 and 8 workstations using the Azure accounts. This sounds like a piece of cake when there is an existing local AD domain setup, but I'm not finding how to do this when there is no local active directory domain. Can someone please confirm what I'm trying to do is possible and provide me with a rough idea of how to set this up? Thx!
    Monday, March 25, 2013 10:27 PM

Answers

  • If you want an AD for on-premise activities, you will need a local domain controller. So far as I can tell, you can not have a local machine trust the cloud AD, at least yet. The two tools you normally use to co-ordinate on-premise and Cloud identities, Dirsync and ADFS (Active Directory Federation Services), are essentially one way - from on premise to the cloud. Dirsync copies the local domain identities to the cloud, then the cloud servers use ADFS to authenticate cloud users against the on-premise AD. So far as I am aware, these tools do not work in reverse. These tools are under development, and at some point, should do what you want. Having said that, if your clients are Windows 8, then you can use Windows Live IDs (or whatever MS is calling them these days), but I do not know if that syncs with a private cloud AD.

    Sorry if that's not the answer you want to hear.


    Thomas Lee <DoctorDNS@Gmail.Com>

    • Marked as answer by Ken Milhous Wednesday, March 27, 2013 8:16 PM
    Wednesday, March 27, 2013 2:17 PM

All replies

  • I was afraid of that. This client wanted to eliminate the need of a local server (let alone the proper config of additional servers for Fed Services), so based on what you said I think they may just stick with the current workgroup environment for now. If anyone else comes across a solution in the meantime, please let me know! Thx!
    Wednesday, March 27, 2013 8:16 PM
  • AAD is aimed at present at providing authentication to applications running in cloud (e.g. Office 365). You can populate AAD either totally in the cloud, or via dirsync from on-prem AD. Finally, with Federation, you can get the cloud authentication process to defer to On-Prem AD to perform the authentication.

    With Windows 8, you can log in using your Live or MSFT ID, but this, strictly speaking, is not the same as an Azure AD account. That might work, although it's a totally end-user operated system (i.e. an admin can't just reset a Live ID's password, only the user can do that). Of course, you could build something on top of Live to manage the IDs, but that might not be very cost effective.

    At some point, there must be a case for Azure hosting your AD, and doing away with on-prem AD altogether. Of course, with such a solution, you would need to think very carefully about failure recovery - what happens when your Internet connection goes down?

    Their current workgroup environment might be easiest for the time being.


    Thomas Lee <DoctorDNS@Gmail.Com>

    Friday, April 19, 2013 1:37 PM
  • Thanks for this discussion, very helpful.
    Sunday, October 13, 2013 1:28 AM