Enrolling Windows Server 2016 Instances In Azure AD Domain Services - Part One

Posted on Mon 28 November 2016 in Azure • 3 min read

Brief introduction

First off, let's start with some background on how I ended up digging around the treacherous world of a "non-domain-controller-controlled world".

My current consulting gig is with a large corporation that has a sizable number of sub-companies. This means that there are a lot of people divided up between companies of varying sizes and needs. Due to new regulations they were suddenly faced with a need to split out some legal entities from the parent company. That meant that they needed to do a local carve-out of the previously mentioned entities under a new umbrella.

Enter the world of cloud computing!

The old IT administration was clunky and slow moving, as a lot of corporations are experiencing. Some tasks were dealt with in-house and some were scattered across different vendors and consultancies spanning three countries.

A decision was taken to move to a more agile platform that didn't need day-to-day maintenance and fiddling. Probably after a lot of deliberation, to which I was not privy, they ended up doing a complete move to Azure with no reliance on local infrastructure except for a wifi router in the different branches and subsidiaries.

They reached out to my employer, Crayon, and together with Microsoft we're currently implementing their infrastructure as a cloud-only solution that will have some 600-odd users in the end.

We originally wanted to use Azure RemoteApp to deploy their applications, but in August 2016 that option went away. As an intermediary solution, before XenApp Express arrives, we had to set up Remote Desktop Services farms for their computing and usage needs. We didn't want to use a plain old Citrix solution or VMware since that would mean just moving old struggles to Azure.

Before I entered the stage in the project, a very competent colleague of mine had started moving all the users to Azure AD and Office365. His work would turn out to be a great starting point for the Azure AD Domain Services solution that we're currently implementing.

We originally looked at the possibility of running a centralized Active Directory stack in the subscription of the primary company. This would mean that we would have ended up with a source of authority located on the domain controllers instead of in the Azure AD solution, where administration would be much easier. Or we would end up with a solution where we would need to administer users in two places, which wasn't really an option when you look at the extra work it would cause.

After throwing the above solutions in the bin, we got our brave-trousers on and made a commitment to using only Azure AD Domain Services. These were uncharted waters and, in a lot of the ongoing cases with the same customer, still are.

And now, the wish list

What we need to achieve:

  • Easy management of users, both existing and new
  • Portability of identity control so that we can integrate Azure AD SSO for in-house and third party applications
  • Managing rights and accessibility for IT managers across regions and plenty of legal entities
  • Save operating costs by removing what would have been almost 30 domain controllers (when redundancy has been factored in)
  • Future proofing so that XenApp Express can be implemented quickly when it arrives
  • Utilizing as many PaaS and managed services as possible

To be continued ...