Extending AD to Azure with Azure IaaS

Azure AD supports MFA, security reports, audits, alerts, and conditional access policies. Here's how it works with Azure IaaS

Save to My DOJO

Extending AD to Azure with Azure IaaS

In 1999, Microsoft previewed the first version of Active Directory in Windows Server 2000. Later, in April 2003, they improved it in Windows Server 2003. Since then, Active Directory has been a critical part of any size network.

The evolution of Active Directory didn’t stop with the development of cloud services. It became even more critical and agile. If you are running your workloads in the Azure cloud, there are three common ways to use Active Directory. Although all three solutions are based on Active Directory, they are used for different customer demands.

You can choose between Azure Active Directory, Azure Active Directory Domain Services, and Active Directory Domain Services. What’s the difference, and when do you prefer one over another: you will learn in this article.

What is Active Directory? For the folks not familiar with the topic, Active Directory is a directory-based service developed by Microsoft for Windows domain machines. The AD database contains critical information about your environment, users, computers, and who can do what. It offers centralized management of users, computers, and rights. It’s a must-have technology in any size network.

In the traditional way, you install Active Directory Domain Services (AD DS) role on Windows Server, making that server a domain controller (DC). You can learn more about all the different AD DS components in the Microsoft article Active Directory Domain Services Overview.

Azure Active Directory (AAD or Azure AD)

Azure Active Directory (AAD) is a cloud-based identity and access management service that provides your employees with a single sign-on (SSO). It is used to log in to Azure, Office365, Intune, and other third-party directory-aware applications. Azure AD supports multifactor authentication, security reports, audits, alerts, and conditional access policies.

For example, you may not need to deploy a dedicated AD DS for cloud-only users that run cloud services. Instead, your can use Azure AD. If you are running legacy directory-aware applications on-premise, you can migrate them to Azure and integrate with Azure Active Directory.

Before using it, you need to create an Azure AD tenant. You can deploy it in minutes using the Azure portal. Choose the resource group, tenant type, organization, initial domain name, country, and data center location. If you want to dig deep into details, check the Microsoft article about it.

Azure AD tenant created in minutes

Azure AD tenant created in minutes

Azure AD doesn’t include all the features as an on-premise AD DS (and vice versa). You will get access to some or all of the features listed in the article.

How much does it cost? Azure AD comes into four plans, including Free, Office 365 apps, Premium P1, and Premium P2. The free version is included with a subscription to a commercial online service (Azure, Dynamics 365, Intune, Power Platform). You can compare the different Azure Active Directory (Azure AD) pricing plans.

Sync your on-premises AD DS to Azure AD

As Microsoft fully manages Azure AD, that means you can use it as cloud AD-only services, or you can use it in combination with your on-premise Active Directory. Azure AD can be synced with an on-premises AD DS using Azure AD Connect to provide Single Sign On (SSO) to users who natively work in the cloud.

You need to install Azure ADConnect on an on-premise Active Directory joined server (member server is preferred but it can run on a DC). The installation tool will guide you in selecting a solution (password hash sync or federation with AD), establishing identity synchronization, and other Microsoft software components required for deployment. You need to specify Azure AD and AD DS credentials.

Azure AD Connect

Azure AD Connect

You can install Azure AD using express or customized settings. If you have a single forest, you use express settings and use the same password using password sync. The customized settings are used when you have multiple forests and need pass-through authentication, ADFS for federation, or use a 3rd party identity provider.

Using Azure AD Connect express settings to sync with an on-premises AD DS

Using Azure AD Connect express settings to sync with an on-premises AD DS

Once you are connected, the wizard will do a few automated tasks, including installing a synchronization engine, configuring the Azure AD connector, enabling password hash synchronization, enabling auto-upgrade, and configuring synchronization services on AD DS.

However, Azure AD does not have capabilities like group policies, application containers, or extensible schema, which is sometimes required by some workloads. For that, you need Active Directory Domain Services or Azure Active Directory Domain Services (AADDS): both covered in the next part.

An alternative to AAD Connect is AAD Connect Cloud Sync (yes – someone at Microsoft really has a sense of humour when they try to confuse us with all these names). This is a simpler solution than AAD Connect which is managed from Azure and only requires simple agents installed on-premises. The two can also be used together in a situation where you have a merger, for instance, your main organization is synced using AAD Connect but users and groups in the other forest need to be brought into your Azure AD through AAD Connect Cloud Sync.

Azure Active Directory Domain Services (AADDS)

Azure Active Directory Domain Services (AADDS) provides managed domain services such as domain join, NTLM, Kerberos, LDAP, group policy, and it is fully compatible with Windows Server AD DS. It is a PaaS cloud service available in Azure; you deploy it without deploying domain controllers. AADDS can synchronize with Azure AD, so if you have user accounts that are cloud-only, they’ll appear in your AADDS domain Alternatively, if you need on-premises AD accounts to appear in your AADDS instance, you’ll synchronize them to Azure AD through AAD Connect (described above) and from there they’ll be synchronized into AADDS.

The managed domain is something you create in the Azure portal in a few minutes using Azure AD Domain Services (AADDS). It is associated with your Azure tenant. That will create DNS name, subscription, resource group, virtual network, subnet, and forest type. The complete guide on how to do it is covered in this article.

AADDS successfully created in the resource group

AADDS successfully created in the resource group

Once you deploy it, Microsoft creates two domain controllers for you and patches them accordingly. This deployment is known as a replica set. If you want to dig deep into details, check the Microsoft article about it.

How much does it cost? It’s is subscription-based. There are no upfront costs and termination fees. You only pay for what you use. The price depends on the performance plan you choose; Standard, Enterprise, and Premium. You can check all the details here. The other option is to create a self-managed domain, simply by deploying a dedicated virtual machine in Azure and installing AD DS. That sounds fine, but how can you make the connection between on-premise and cloud possible? You will need to set up a site-to-site VPN or use ExpressRoute to facilitate the replication of self-managed regular AD domain controllers.

ExpressRoute provides direct connectivity between on-premises environments and Azure via private tunnels. It happens through a third-party connectivity provider, and it supports bandwidth up to 10 Gbps (or 100 Gbps with ExpressRoute Direct).

Azure VPN gateway works like the traditional VPN; the connection between on-premise and cloud happens via the Internet using IPSec protocol.

Azure VPN Gateway

Azure VPN Gateway

In the table below, you can see the difference between Azure Active Directory Domain Services (AADDS) and self-managed Active Directory Domain Services (ADDS).





Managed service

Secure deployments

You secure the deployment

DNS server

  (managed service)

Domain or Enterprise administrator privileges

Domain join

Domain authentication using NTLM and Kerberos

Kerberos constrained delegation


Resource-based & account-based

Custom OU structure

Group Policy

Schema extensions

AD domain/forest trusts


LDAP read

LDAP write

  (within the managed domain)

Geo-distributed deployments


Azure AD DS and self-managed AD DS

Run Active Directory within the Azure VM

If you are running an on-premise Active Directory, you are already familiar with this procedure. Running Active Directory within the Azure VM means creating a dedicated Azure VM instance that includes Windows Server 2012 R2/2016/2019/2022 and then installing the Active Directory role on it. Basically, the Active Directory in the cloud runs the same way as it runs in the on-premise machine.

Before installing it, you need to prepare your Azure environment. That includes a resource group where you want to install VM, virtual network, subnet, network security group, and enabled RDP to connect to your VM. The components created upon creating Azure VM are shown in the screenshot below.

Azure resource group with all the components created upon creating "dc-on-premise" VM

Azure resource group with all the components created upon creating “dc-on-premise” VM

As in the premise environment, to provide high availability of your Active Directory, you also need to deploy at least two virtual machines (Active Directory + DNS). Azure provides you with the high availability of your VM, but not services that you are running within the VM. So, that is up to you.

Once you install the Active Directory Domain Services (ADDS), you need to set up the forest and configure domain controllers. You can do it using Azure portal (GUI) or Azure CLI. The complete Microsoft guide on installing is available here.

Virtual machine backed up from onsite location to Azure cloud

Virtual machine backed up from onsite location to Azure cloud

To properly protect your Hyper-V virtual machines, use Altaro VM Backup to securely backup and replicate your virtual machines. We work hard perpetually to give our customers confidence in their Hyper-V backup strategy.

To keep up to date with the latest Hyper-V best practices, become a member of the Hyper-V DOJO now (it’s free).

Want to do more with Azure IaaS?

Whether you’re making new VMs directly in the cloud, have VMs in your own datacenter and are looking to migrate to Azure, or you’re looking to manage VMs with cloud-based tools regardless of where they live, The SysAdmin Guide to Azure Infrastructure as a Service (Iaas) will teach you to set up and maintain a high-performing Azure IaaS environment.

Written, and now updated, by Paul Schnackenburg, veteran IT consultant and trainer, grab your free 100+ page guide now!


As always, I hope you enjoyed reading the article at hand, as well as learning something from it. Feel free to leave a comment or ask any questions you might have. Also, feel free to connect with me and check out the latest content on my personal blog.

Altaro Hyper-V Backup
Share this post

Not a DOJO Member yet?

Join thousands of other IT pros and receive a weekly roundup email with the latest content & updates!

Frequently Asked Questions

It depends on how big your environment is and what version of Windows Server you want to run.
It depends on how big your VM is. Microsoft created a pricing calculator to check its monthly or annual costs. Since you’re going to leave this VM on permanently it's recommended to reserve the instance; you pay less.
Yes, you can. You need to prepare the virtual disk (VHD or VHDX). Azure supports both gen1 and gen2 virtual machines.
Yes, you can do it using Azure VPN gateway or ExpressRoute.

Leave a comment or ask a question

Your email address will not be published. Required fields are marked *

Your email address will not be published. Required fields are marked *

Notify me of follow-up replies via email

Yes, I would like to receive new blog posts by email

What is the color of grass?

Please note: If you’re not already a member on the Dojo Forums you will create a new account and receive an activation email.