Entra Domain Services considerations

Eddie Vincent 85 Reputation points
2024-12-22T10:40:36.0666667+00:00

Hi All!

I am considering using Entra Domain Services (PaaS) as an option for extending (not replacing) our AD infrastructure into the cloud (as opposed to sticking a VM in Azure with AD running on it).

It looks like a good option, since I like the idea of keeping on-premises and cloud AD domains separate; also, Microsoft will take ownership of updates and failover with this service, it would seem.

I have had a good look through all the documentation; however, a couple of questions still remain.

  • I read that it is recommended to use a DNS domain name that you "own". I would take this as a publicly owned DNS name. Is this really needed, since I also read that the service would not be publicly accessible? Why would this need a publicly owned DNS name? Would local suffice?
  • SKUs, as per the below: why is Enterprise cheaper than Premium? Unless I've read this wrong, the main difference between Enterprise and Premium was daily backups vs. 3-day backups (note that Standard is not an option, as we would like support for forest trust).

[image: SKU comparison table]

Any help with this would be appreciated; also, any best-practice setup or things to do/avoid would be very useful. This service would mainly be used for moving legacy on-premises applications to the cloud, so support for a legacy AD-type environment is what I want to achieve here.


Accepted answer
  1. Marcin Policht 29,885 Reputation points MVP
    2024-12-22T12:13:18.7633333+00:00

    Regarding the publicly registered DNS name, you are correct - this is not required. However, you might want to consider implementing it for a number of reasons:

    • Uniqueness: It ensures no conflict with existing domain names within or outside your organization, especially if you later need to integrate with other services or external partners.
    • Future-proofing: Even though Entra Domain Services is not publicly accessible, a publicly registered DNS name avoids potential conflicts with global DNS namespaces.

    Regarding Enterprise vs. Premium SKU

    • As you pointed out, the Premium SKU includes the additional capability (daily backup frequency) that caters to specific, high-demand scenarios where recovery points need to be more frequent.

    More at https://learn.microsoft.com/en-us/entra/identity/domain-services/administration-concepts#azure-ad-ds-skus


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


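As an added example (my own Python, not code from this thread or from Microsoft), here is a pre-flight check that turns the naming considerations in the answer above into something you can run against a candidate managed-domain name before you create it: it flags special-use suffixes such as .local, routable names the organisation does not own, the 15-character prefix limit that Entra Domain Services documents for the NetBIOS name, and collisions or parent/child overlaps with namespaces already in use. The suffix list, the prefix limit and the treatment of the built-in *.onmicrosoft.com namespace are assumptions stated in the comments; the inventory of existing and owned domains is constructed sample data.

```python
"""
Pre-flight checks for a proposed Entra Domain Services managed-domain DNS name.

Added example: not code from the Q&A thread or from Microsoft. The suffix list,
the 15-character prefix limit and the sample inventories are assumptions stated
in the comments below.
"""
import re

# Special-use or withheld TLDs (assumption: .local is mDNS per RFC 6762; localhost/test/
# example/invalid are RFC 6761; corp/home/mail are withheld by ICANN for name-collision risk).
NON_ROUTABLE_TLDS = {"local", "localhost", "test", "example", "invalid", "corp", "home", "mail"}

# The tenant's built-in namespace; Microsoft-owned and globally unique, so no ownership check.
BUILT_IN_SUFFIX = "onmicrosoft.com"

# A DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# NetBIOS name is derived from the first label; Entra DS documents a 15-character limit.
MAX_PREFIX_LEN = 15

# Constructed sample inventory for the demo (not real data): on-prem forests, a trusted
# partner domain, and the public domains the organisation actually owns.
SAMPLE_EXISTING_NAMESPACES = ["corp.contoso.com", "contoso.local", "partner.fabrikam.com"]
SAMPLE_OWNED_DOMAINS = ["contoso.com"]


def _normalize(name):
    return name.strip().lower().rstrip(".")


def _within(name, zone):
    """True when name equals zone or is a descendant of it."""
    return name == zone or name.endswith("." + zone)


def check_managed_domain_name(fqdn, existing_namespaces, owned_public_domains):
    """Return a list of findings for the proposed name; an empty list means no objections."""
    name = _normalize(fqdn)
    labels = name.split(".")
    findings = []

    if len(labels) < 2:
        findings.append("single-label domain names are not supported; use at least two labels")
        return findings

    for label in labels:
        if not LABEL_RE.match(label):
            findings.append(f"label {label!r} is not a valid DNS label")
    if len(name) > 253:
        findings.append("FQDN is longer than 253 characters")

    prefix = labels[0]
    if len(prefix) > MAX_PREFIX_LEN:
        findings.append(f"prefix {prefix!r} is {len(prefix)} chars; NetBIOS/prefix limit is {MAX_PREFIX_LEN}")

    owned = [_normalize(d) for d in owned_public_domains]
    tld = labels[-1]
    if tld in NON_ROUTABLE_TLDS:
        findings.append(f".{tld} is a special-use/non-routable suffix; on-premises resolvers or mDNS may claim it")
    elif _within(name, BUILT_IN_SUFFIX):
        pass  # built-in tenant namespace, already globally unique
    elif not any(_within(name, d) for d in owned):
        findings.append("routable name that the organisation does not own; public DNS may resolve it to someone else")

    # Uniqueness against namespaces already in use (on-prem forests, trusted partner domains).
    for existing in existing_namespaces:
        e = _normalize(existing)
        if name == e:
            findings.append(f"exact collision with existing namespace {existing}")
        elif name.endswith("." + e):
            findings.append(f"{fqdn} would be a child zone of existing namespace {existing}; delegation from that zone is required")
        elif e.endswith("." + name):
            findings.append(f"existing namespace {existing} would become a child of {fqdn}")
    return findings


if __name__ == "__main__":
    for candidate in ["aadds.contoso.com", "contoso.local", "aaddscontosoeast.contoso.com",
                      "aadds.fabrikam.com", "contoso.onmicrosoft.com", "contoso"]:
        result = check_managed_domain_name(candidate, SAMPLE_EXISTING_NAMESPACES, SAMPLE_OWNED_DOMAINS)
        print(f"{candidate}: {'OK' if not result else '; '.join(result)}")
```

Feed it the real list of namespaces from your on-premises forests and partner trusts instead of the constructed sample; a name that passes with no findings is routable, owned by you, short enough for NetBIOS, and does not sit inside or on top of an existing zone, which is the property the answer's "uniqueness" and "future-proofing" points are getting at.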