Question: Can Azure Active Directory run directory access queries on LDAP/Secure LDAP?

  1. Quick answer - kind of

  2. Long answer - read below

WE ALL AGREE THAT WE HAVE TWO VERSIONS OF AD HERE

  1. Azure AD

  2. Windows Server AD

IN THE STRICT SENSE, AZURE AD DOES NOT RUN LDAP/SECURE LDAP

  1. Instead, the programmatic directory service interface for Azure AD is the REST-based Graph API.

  2. Instead of developing a separate identity store and authentication process for each discrete cloud application, Windows Azure AD provides a single identity service that can be leveraged by all of your cloud applications.

    • This is a key point regarding Azure AD: it is a single identity service that can be leveraged by all, or by groups, of your cloud applications.
  3. Azure AD can also be integrated with an on-premises Windows Server Active Directory infrastructure via Directory Synchronization and Active Directory Federation Services (ADFS) to provide single sign-on for enterprise users to both on-premises applications and applications developed for the cloud.

  4. My colleague Keith explains here:

SPECIAL CONSIDERATIONS WHEN RUNNING WINDOWS SERVER ACTIVE DIRECTORY IN VIRTUALIZED DOMAIN CONTROLLERS

  1. The assumption is that your VMs in Azure are running on Hyper-V.

DNS

  1. The built-in Azure DNS doesn't have all the features needed by Active Directory, such as Dynamic DNS.

IP ADDRESSING

  1. Azure VMs use dynamic IP addresses that are constant only for the lifetime of the VM.

  2. To overcome this issue, you will need to provision a Windows Azure Virtual Network before attempting to provision the first domain controller VM.

DISK

  1. For disk access speed, Azure uses read-write host caching. But with a domain controller this leaves a slight chance of data loss.

  2. To overcome this, attach a second empty disk to the VM, format it, and use it for the NTDS DIT and SYSVOL folder locations.
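The disk step above, carried through to the DC promotion, as an added example that is not part of the original post or Keith's write-up. It assumes the Az PowerShell module on a management workstation and the ADDSDeployment module inside the VM; the resource group, VM name, drive letter, disk size and domain name are placeholders.

```powershell
# Added example, not from the original post. Placeholders: $rg, $vmName, domain name.

# --- Part 1: run from a management workstation with the Az module ---
$rg     = 'rg-identity'   # assumption: resource group holding the DC VM
$vmName = 'dc01'          # assumption: name of the domain controller VM

$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
# Caching None: the data disk that will hold NTDS/SYSVOL must not acknowledge
# writes from the host's cache, which is the source of the data-loss risk.
$vm = Add-AzVMDataDisk -VM $vm -Name "$vmName-ntds" -Lun 0 `
        -CreateOption Empty -DiskSizeInGB 32 -Caching None
Update-AzVM -ResourceGroupName $rg -VM $vm

# --- Part 2: run inside the VM (elevated) once the disk is attached ---
# Initialise the raw disk, format it NTFS and mount it as F:.
$disk = Get-Disk | Where-Object PartitionStyle -eq 'RAW' | Select-Object -First 1
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter F |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'NTDS' -Confirm:$false

# Promote the first DC of a new forest with the database, logs and SYSVOL on F:,
# keeping them off the cached OS disk. -InstallDns puts the AD-integrated DNS
# (with dynamic updates) on the DC, since the platform DNS lacks that feature.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$dsrm = Read-Host -AsSecureString 'DSRM password'
Install-ADDSForest -DomainName 'corp.example.com' `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -InstallDns -SafeModeAdministratorPassword $dsrm -Force
```

After promotion, confirm the placement with `Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'` and check that `DSA Database file` and the SYSVOL share path both point at F:.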

Summary

  1. For step by step instructions, see this post: