Introduction
Welcome to Extending Active Directory to the Cloud. My name is Russell Smith, and I'm going to be your host for this course on deploying Active Directory domain controllers into the Azure cloud. So before we start, let's have a quick overview of what we're going to cover in this module. So I'm going to give you some examples and reasons to extend your on-premise AD to the cloud, and I will also explain the differences between two different deployment options. So there's Azure Active Directory and there's also the option to run Windows Server Active Directory in a virtual machine. So I'll explain the differences between those two options. I'll also explain a little bit more about Azure Active Directory itself in case this is new to you, and the applications that it can be used for, and also some of the different authentication options that can be used when you are extending your on-premise Active Directory into the cloud, or indeed if you're just running Azure Active Directory with no connection back to your on-premise AD. So why would you want to extend your AD into the cloud? So let's have a look at a couple of reasons that you might want to do that. So the first reason is that maybe you are going to migrate an existing on-site application and essentially turn it into a cloud application, or maybe you're going to implement a brand new application straight away into the cloud. So instead of having a completely separate system for authenticating users to that application, why not use your existing infrastructure to simplify this process? You don't need to have a completely new system for authentication just because the application is based in the cloud. So you may want to integrate applications that you have running currently on site with applications that are going to be or are already running in the cloud. So again, you don't need to have two different authentication systems; they can be integrated together.
Of course many applications already use Active Directory for authentication, so if you're going to implement something in the cloud, maybe not your own application, maybe somebody else's application, it could well be that it relies on Active Directory, or even if you're going to install your own application in the cloud, why not use Active Directory as a very standard solution? Also you might think about using the cloud and putting Active Directory there to improve performance and make sure that your users can authenticate quickly and reliably against your cloud applications. Finally there's one more aspect to this, and you might want to think about using the cloud to just back up your on-premise Active Directory. It can actually be quite a cost-effective solution for doing this; maybe if you don't have your own additional data center, then why not use the cloud as a backup option for Active Directory?
Options for Deploying Active Directory in the Cloud
So what are the different options for deploying Active Directory into the cloud? Well there are two main options, and the first of those is Microsoft Azure Active Directory Service. I'll explain a little bit more about this in the following slides, the technical background and some of its applications, but essentially this is a cut-down version of your full on-premise Active Directory, and of course it's designed specifically for cloud applications. If you need the full functionality of on-premise Active Directory or you need more control over what's going on, then the second option is to deploy Windows Server in a virtual machine in the Azure cloud, and to then install Active Directory on that server, and you can extend your on-premise Active Directory to that domain controller running in the cloud just as you might extend your Active Directory to a different physical geographical site for instance. There is no difference in fact between doing this and extending Active Directory into the cloud, essentially as far as Active Directory is concerned. Of course there are considerations in terms of deploying VMs in the cloud, and we'll talk about that later in this course. So let's talk a little bit more about Azure Active Directory just so you have an understanding of how it differs from your Windows Server Active Directory. So of course it's designed for cloud-first applications. This is something that Microsoft has coined along with born in the cloud. So these applications, they're designed for the cloud, they're optimized for the cloud, and this is what Azure Active Directory is really designed for. It's also interesting of course that many of you will be familiar with Office 365 and the authentication system that Office 365 uses is Azure Active Directory. So all of those applications that make up the Office 365 suite, so SharePoint Online, Exchange Online, Yammer, they're all using Azure Active Directory in the background for authentication. 
And of course other cloud-based software and platform-as-a-service solutions can also utilize Azure Active Directory; there's no reason why they can't also plug into that. So from a technical point of view, Azure Active Directory is a REST-based cloud directory, so you have those APIs that allow your applications to interact with Azure AD, and of course also PowerShell can be used to interact with the directory as well. Of course the great thing about it is that it can be used as a central repository for all of your user identities, for all of your cloud applications. So it doesn't have to be used just to service one application; it can be used to service an entire suite of applications that you might be running in the cloud. And as I've already mentioned, this is a well-proven technology. So Office 365 is based on Azure Active Directory, as is the Azure Management Portal itself, so when you log in to that, actually it's Azure AD that's authenticating you, and of course other Microsoft services.
Windows Server Active Directory on Azure Virtual Machines
So of course that differs a little bit from running the full version of Active Directory in the cloud itself, but this might be a requirement, for instance, if you need to run legacy applications that rely on some features that are not available in Azure Active Directory. It's clear that Azure Active Directory is a full cloud-based application because it doesn't contain things like Group Policy, for instance; that's something that you're only going to get from your full Active Directory running on Windows Server. But you might want to run Active Directory in its full form in the cloud on a VM if you need all of that full functionality and more control, if you want to do backup for instance, so there are reasons to extend your on-premise AD into the cloud as well. So can these two things work together, so Azure Active Directory and Windows Server Active Directory on-premise? So the answer to that is, yes they can, and I just want to give you a little bit of background as to how that works. Microsoft has three different types of cloud identity if you want to use these two systems together, or if you want to use Azure Active Directory by itself. If you're using Azure Active Directory standalone, then you're using something called a cloud identity. So you're adding users into Azure AD and they are not connected in any way back to your Windows Server AD. You need to provide users with an additional logon, a separate cloud identity to authenticate to your cloud applications. Synchronized identities differ from cloud identities in that they link on-premise Active Directory domains to Azure Active Directory using a piece of software called the Azure Active Directory Sync Services tool. This replaces a previous tool called Directory Synchronization, which is still supported to the end of 2015, but is essentially now being replaced by AAD Sync.
And what this tool does is it synchronizes your on-premise accounts from full Windows Server AD into AAD, and it also synchronizes your password hashes into the cloud, so you need to remember that from a security point of view. Federated identities again differ from synchronized identities in that you need an additional component on Windows Server called Active Directory Federation Services. This can be quite complicated to set up, but is actually the only way you can provide true single sign-on capability to your users. The other advantage of using Federation Services is that all the authentication is always done on-premise, so your password hashes are never synchronized into the cloud. So if security is a top priority, then you might want to consider this solution, and as I said, it is the most convenient for users as it is real, true single sign-on. These are the three different types of cloud identity that you can work with. So let's just have a quick recap of what we covered in this module. So I gave you some practical uses why you might want to extend your Windows Active Directory on-premise solution into the cloud. We covered the two deployment options, so you either have Azure Active Directory or you can run full Windows Server Active Directory in the Azure cloud. So I explained also what Azure Active Directory is for and some of the technical background behind it. And I also explained about some of those cloud identities that you can use, just to get an understanding of how that authentication works.
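The three identity types described above, as an added model that is not part of the course: a constructed simulation of where the password check happens and which store ends up holding hash material under the cloud, synchronized and federated models. The user name, password and PBKDF2 hashing are stand-ins chosen for the example, not the real directory formats or the AAD Sync wire protocol.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def derive(password: str, salt: bytes) -> bytes:
    """Stand-in for a directory password hash (constructed, not the real NT hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Directory:
    """A credential store that verifies passwords against what it holds."""
    name: str
    hashes: dict = field(default_factory=dict)   # user -> (salt, hash)

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.hashes[user] = (salt, derive(password, salt))

    def verify(self, user: str, password: str) -> bool:
        if user not in self.hashes:
            return False
        salt, stored = self.hashes[user]
        return hmac.compare_digest(stored, derive(password, salt))


@dataclass
class AzureADTenant:
    """Azure AD under one identity model: 'cloud', 'synchronized' or 'federated'."""
    model: str
    store: Directory
    adfs: Optional[Directory] = None   # on-premise AD behind AD FS (federated only)

    def authenticate(self, user: str, password: str) -> bool:
        if self.model == "federated":
            # Azure AD hands the logon to AD FS; the check happens on-premise,
            # so the cloud store never needs a copy of the hash.
            return self.adfs.verify(user, password)
        return self.store.verify(user, password)


def aad_sync(on_prem: Directory, tenant: AzureADTenant) -> None:
    """Synchronized identity: copy account records, hashes included, into the cloud."""
    tenant.store.hashes.update(on_prem.hashes)


def build(model: str, user: str = "alice", password: str = "Wint3r-2015!"):
    """Constructed scenario returning (tenant, on_prem) for the requested model."""
    on_prem = Directory("on-premise AD")
    on_prem.add_user(user, password)
    tenant = AzureADTenant(model, Directory("Azure AD"))
    if model == "cloud":              # separate cloud identity with its own credential
        tenant.store.add_user(user, password)
    elif model == "synchronized":
        aad_sync(on_prem, tenant)
    elif model == "federated":
        tenant.adfs = on_prem
    return tenant, on_prem


def hash_in_cloud(tenant: AzureADTenant, user: str) -> bool:
    """What a compromise of the cloud store alone would expose for this user."""
    return user in tenant.store.hashes
```

All three models authenticate the same user successfully, but `hash_in_cloud` is true only for the cloud and synchronized models, which is the point the module makes about federation and password hashes.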
Concepts and Prerequisites
IP Addressing and Name Resolution
In this second module I'm going to walk you through some of the concepts and prerequisites required for running an Active Directory domain controller in the Azure cloud. So we're going to have a look at not only running Active Directory on an Azure virtual machine, but also some of the networking considerations that you need to bear in mind, because it's not quite the same as running it on a physical Windows server. We'll also have a look at the fault tolerance considerations when you're planning your AD for the Azure cloud, and understanding a little bit about the ba