URL: https://www.sqltattoo.com/blog/2020/11/azure-ad-domain-services-replica-sets/
AZURE AD DOMAIN SERVICES REPLICA SETS

 * 2020-11-07
 * By Vassilis Ioannidis


You’ve been assigned the task of designing the architecture of a new cloud service
deployment that should be elastic, scalable and resilient, with global coverage,
while keeping cost under control. Two things make it even more challenging:
first, it will be used by applications that do not speak cloud-ready auth
protocols, and second, it must give users access to external public SaaS
offerings without recreating the users in any external directory, by leveraging
Azure AD features.

Let’s have a closer look.




BUSINESS CASE

We need the following to satisfy the business needs for identity:

 1. It should talk Kerberos and NTLM
 2. Access to external SaaS applications
 3. Be a global and resilient solution
 4. Lower overall maintenance cost




WINDOWS AD DS VS AZURE AD

Azure AD is not simply the traditional Windows AD DS hosted in the cloud. They are
completely different. They talk different protocols (SAML and OAuth2 vs
Kerberos and NTLM, etc.) and they operate significantly differently. Azure AD is
a cloud-based identity solution that helps you manage users and applications.
Active Directory, or Windows Active Directory if you will, manages objects, like
devices and users, on your on-premises network.

Azure AD came to bridge the gap between users in any identity provider (IdP)
like Active Directory and SaaS applications without the need to replicate the
users and maintain different user databases.

Windows AD and Azure AD

So that is a good thing: Azure AD can take the existing user base and give it
direct access to 3rd-party SaaS offerings. But we are still missing at least one
thing: the backward-compatible auth protocols.




WHERE NEXT? AZURE AD DS

Azure AD DS is an Azure PaaS offering and the closest thing to Windows Server
Active Directory on Azure without you managing the domain controller (DC)
infrastructure. In a few words, instead of deploying 2 Azure VMs to hold your
DCs and then maintaining them (= secure, patch, monitor, backup, and
troubleshoot), you deploy one Azure AD DS resource in your Azure tenant that
behaves almost identically to your “old-school” Windows Server Active Directory.

When you deploy an Azure AD DS instance, behind the scenes Azure deploys two
domain controllers to provide fault tolerance and high availability. If the
Azure region you deploy to supports availability zones, the DCs are distributed
across zones. If not, the domain controllers are deployed in an availability
set.

On-premises AD could be your AD living inside Azure VMs

Azure AD DS integrates with your existing Azure AD tenant. This integration lets
users sign in to services and applications connected to the managed domain using
their existing credentials. You can also use existing groups and user accounts
to secure access to resources.

Fast facts about Azure AD DS:

 * there can only be one per Azure AD tenant
 * once you deploy it you cannot change its location, virtual network (vnet), or
   just about anything else related to the underlying infrastructure services
 * guest users on your Azure AD tenant are not synced
 * you don’t have direct (desktop) access to the domain controllers
 * Domain Administrator and Enterprise Administrator privileges aren’t available
   for you to use within the domain
 * Distributed File System (DFS) is not supported
 * once deployed, you cannot stop or otherwise pause the service

Note: To manage an Azure AD DS instance you need to deploy an Azure VM in the
same vnet and install the Remote Server Administration Tools (RSAT) Windows
Server feature. Then you can manage the “managed” AD domain using the Active
Directory Administrative Center tool.



From the comparison table above we see that everything seems to check out fine
apart from one point: geo-distributed deployment.

OK, we are getting somewhere, but we still need to tackle the global presence
point: if our domain controllers live in the West Europe Azure region and we have
deployments in other Azure regions, e.g. Brazil South, UAE Central, South India,
etc., there can be considerable network latency when authenticating and
authorizing users and applications.




ENTER THE REPLICA SET CONCEPT OF AZURE AD DS

In the previous section, we described that creating an Azure AD DS managed
domain creates two domain controllers behind the scenes. This pair is called a
replica set.

Azure AD DS replica sets let you expand a managed domain to more than one
replica set per Azure AD tenant. This is currently in preview, but the word is
that it will go GA in Q1 of 2021.

You create each replica set in a virtual network located in the region closest
to your country deployment, and then you need to set up vnet peering between all
the virtual networks that host an Azure AD DS replica set. This configuration
creates a mesh network topology and enables directory replication. There is also
the option of deploying different replica sets in the same virtual network but
in different subnets.
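The peering step is easy to get wrong once you have more than two regions, since
vnet peering is not transitive and every pair of replica-set vnets needs its own
link in both directions. As an added example (not code from the original post),
the Az PowerShell script below builds that full mesh for an arbitrary list of
vnets and then verifies that every link reports Connected. The resource group
and vnet names are assumptions; replace them with the vnets that host your
replica sets.

```powershell
# Added example, not part of the original post. Requires the Az.Network module
# and an authenticated session (Connect-AzAccount). Names below are placeholders.
$replicaSetVnets = @(
    @{ ResourceGroup = 'rg-aadds-weu'; Name = 'vnet-aadds-westeurope' }   # initial replica set
    @{ ResourceGroup = 'rg-aadds-brs'; Name = 'vnet-aadds-brazilsouth' }  # additional replica set
    @{ ResourceGroup = 'rg-aadds-uae'; Name = 'vnet-aadds-uaecentral' }   # additional replica set
)

# Resolve each vnet once: the peering cmdlet takes the live object for the local
# side and the resource ID for the remote side.
$vnets = @(foreach ($v in $replicaSetVnets) {
    Get-AzVirtualNetwork -ResourceGroupName $v.ResourceGroup -Name $v.Name
})

# Full mesh: peer every vnet with every other vnet, in both directions. Vnets in
# different regions use global vnet peering, which the same cmdlet handles.
foreach ($local in $vnets) {
    foreach ($remote in $vnets) {
        if ($local.Id -eq $remote.Id) { continue }

        $peeringName = "peer-$($local.Name)-to-$($remote.Name)"
        $existing = Get-AzVirtualNetworkPeering -ResourceGroupName $local.ResourceGroupName `
            -VirtualNetworkName $local.Name -Name $peeringName -ErrorAction SilentlyContinue
        if ($existing) {
            "$peeringName already exists ($($existing.PeeringState))"
            continue
        }

        Add-AzVirtualNetworkPeering -Name $peeringName -VirtualNetwork $local `
            -RemoteVirtualNetworkId $remote.Id | Out-Null
        "created $peeringName"
    }
}

# Verification: with N vnets a full mesh has N*(N-1) directional links, and each
# one should be Connected once its counterpart in the other direction exists.
$links = @(foreach ($v in $vnets) {
    Get-AzVirtualNetworkPeering -ResourceGroupName $v.ResourceGroupName `
        -VirtualNetworkName $v.Name
})
$expected  = $vnets.Count * ($vnets.Count - 1)
$connected = @($links | Where-Object PeeringState -eq 'Connected').Count
"$connected of $expected peering links are Connected"
$links | Where-Object PeeringState -ne 'Connected' |
    Format-Table Name, PeeringState, ProvisioningState -AutoSize
```

The script is idempotent, so you can re-run it after adding a fourth replica set
and it will only create the missing links. A link that stays in Initiated means
the peering in the opposite direction has not been created yet; the final table
lists exactly those.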

This diagram shows a managed domain with two replica sets. The first replica set
is created with the domain namespace. A second replica set is created after
that.

Replica sets ensure availability of authentication services in regions where a
replica set is configured.

To support multiple Azure AD Domain Services replica sets, the managed domain
service SKU must be either Enterprise or Premium.

While in preview, it is limited to a maximum of four replica sets – the initial
replica set for the managed domain, plus three additional replica sets.

In the next blog post, I will walk you through the complete process of creating
a managed domain and a management VM, and of creating multiple replica sets to
ensure local resiliency for authentication to your regional solutions.

And with that, we covered all the business case points.

Hope you enjoyed it and feel free to comment below.

Cheers!
POST BY VASSILIS IOANNIDIS

Vassilis Ioannidis holds the role of Microsoft Technical Trainer, part of the
Worldwide Learning organization at Microsoft. He's an Azure Cloud Solutions
Architect, a Microsoft SQL Server SME, a technical trainer, and a speaker at
community events revolving around Microsoft Azure and Microsoft SQL Server.
Vassilis has a degree in Computer Programming and numerous Microsoft
certifications. He is result-driven and a lifelong learner.


© 2020 sqltattoo blog - Vassilis Ioannidis