Primary DC in Azure

  • Question

  • We have a small client with very few users and only 1 domain controller. They currently use Office 365 for all services (email, SharePoint, OneDrive, etc.) They would like to get completely rid of their DC, and have zero footprint.

    With Windows 8.1, you can use Windows Live Accounts to sign in to Windows, does anyone know if this functionality will ever extend to Office 365/Azure accounts? If so, this would be the solution.

    If not, has anyone ever built a DC in Azure, migrated the FSMO roles, then used it as the ONLY DC in the infrastructure? I'm reading that a site-to-site VPN to the Azure Network would be required for client authentication, but I want to confirm this solution before moving forward. Thank you.

    • Edited by B2BTech_Jim Thursday, April 2, 2015 7:56 PM
    Thursday, April 2, 2015 7:55 PM


All replies

  • Regarding your first question, last year we announced that Windows 10 would be able to leverage Azure Active Directory in this way: http://blogs.windows.com/business/2014/11/07/windows-10-manageability-choices/

    [...] With Windows 10 we’ll also add the ability to leverage Azure Active Directory, devices can be connected to Azure AD, and users can login to Windows with Azure AD accounts or add their Azure ID to gain access to business apps and resources.

    At the same time, we’ll ensure that Windows works better when using Active Directory and Azure Active Directory together. When connecting the two, users can automatically be signed-in to cloud-based services like Office 365, Microsoft Intune, and the Windows Store, even when logging in to their machine using Active Directory accounts. [...]

    Regarding building the DC in Azure, I can't say I've done this myself, so others may have better guidance. My first concern would be that the site-to-site VPN (which you do require) would need to be quite hardy if it's the *only* DC. Have you had a chance to look at these resources?

    Thursday, April 2, 2015 9:00 PM
  • Philippe:

    Thank you very much for the reply. Yes, I have read that Win 10 will indeed have the feature to join client machines directly to Azure AD, which is a FANTASTIC feature, especially for small businesses who want to go full cloud/hosted with no on-premise footprint (which is where computing seems to be going).

    But for now, as they require a solution within a time frame, I am still exploring this single DC in Azure. The Win 10 solution is not yet released, and besides that, upgrading an entire company's client machines probably is not an option.

    I am currently building an Azure VM, going to connect it to a test domain here on premise, and see if clients can connect when the on-premise DC is shut down. I really do not know if this is feasible, and would love any input from MS confirming or denying it as a solution. Will let you know how it goes. Thank you.


    Friday, April 3, 2015 2:51 PM
  • Greetings, Jim!

    Did you get a chance to try having a DC on-prem and also hosted on an Azure VM, with both sites connected?

    As Philippe rightly suggested, you can have a hybrid setup of DCs hosted at both sites for higher availability. You can have clients authenticated via either of the DCs (nearest is faster). Having a DC hosted on an Azure VM only, with proper connectivity to it at all times, might totally rely on the broadband connection from your ISP. The DC on the Azure VM needs to be in a vNet, and that vNet needs to be securely connected via S2S VPN to the on-prem network.

    JFYI - The DC hosted on Azure VM can also be used to authenticate other VMs within that vNet.

    Thank you,



    • Edited by Arvind S. Iyer Thursday, April 16, 2015 8:17 AM Added a point.
    Tuesday, April 14, 2015 7:45 AM
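An added readiness check for the test Jim describes (this is not from the thread or from Microsoft): a PowerShell script run on a domain-joined client after the on-premises DC is shut down, confirming that the client locates the Azure-hosted DC, can reach the AD ports over the S2S VPN, still has a healthy secure channel, and that all five FSMO roles sit on that DC. It assumes the RSAT ActiveDirectory module and Windows 8.1 or later (for Test-NetConnection); the port list and the report format are my own choices.

```powershell
# Added example: verify a client can work against the Azure-hosted DC alone.
# Assumes RSAT ActiveDirectory module and Windows 8.1+ (Test-NetConnection).
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# 1. Force the DC locator to rediscover instead of reusing a cached entry
#    that may still point at the (now offline) on-premises DC.
$dc     = Get-ADDomainController -Discover -DomainName $domain -ForceDiscover -Service ADWS
$dcName = [string]$dc.HostName
Write-Host "Client located DC: $dcName ($($dc.IPv4Address)) in site $($dc.Site)"

# 2. Ports the client needs across the VPN. A single blocked port (445 for
#    SYSVOL/GPO is the usual one) shows up as slow or failing logons.
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'
            389 = 'LDAP'; 445 = 'SMB/SYSVOL'; 636 = 'LDAPS' }
$blocked = foreach ($p in $ports.Keys) {
    $r = Test-NetConnection -ComputerName $dcName -Port $p -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { "$p ($($ports[$p]))" }
}

# 3. Secure channel: proves the machine account can still authenticate to this DC.
$channelOk = Test-ComputerSecureChannel -Server $dcName

# 4. With a single DC, every FSMO role must be held by the Azure DC; anything
#    else means a role was left on the decommissioned on-premises DC.
$d = Get-ADDomain; $f = Get-ADForest
$roles = @{
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
}
$stray = $roles.GetEnumerator() | Where-Object { $_.Value -ine $dcName }

# 5. Report. Any failure here will also fail for real users after cut-over.
$problems = @()
if ($blocked)       { $problems += "Unreachable ports over VPN: $($blocked -join ', ')" }
if (-not $channelOk){ $problems += "Secure channel to $dcName is broken" }
if ($stray)         { $problems += "FSMO roles not on $dcName`: " +
                      (($stray | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', ') }

if ($problems.Count -eq 0) {
    Write-Host "OK: client can authenticate against $dcName as the only DC." -ForegroundColor Green
} else {
    $problems | ForEach-Object { Write-Host "FAIL: $_" -ForegroundColor Red }
}
```

Run it once with the on-premises DC up (everything should pass) and again with it shut down; the second run is the one that tells you whether the VPN and DNS settings are really sufficient.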