Using Azure AD Domain Services with Azure Government VMs

Azure Active Directory Domain Services lets you join Azure virtual machines to a domain without the need to deploy domain controllers. Users sign in to these virtual machines using their corporate Active Directory credentials and access resources seamlessly. To more securely administer domain-joined virtual machines, use Group Policy—an easy, familiar way to apply and enforce security baselines on all of your Azure virtual machines.

Before I go too far I want to be clear on this one point: Azure AD Domain Services is NOT available in Azure US Government today. With that being said, it is possible to join Azure Virtual Machines in Azure Government to Azure Active Directory Domain Services hosted in Azure Commercial. This means that customers who are already using Azure Active Directory as part of an Office 365 deployment can extend it to provide domain services to VMs in both Azure Commercial and Azure Government.

I am not going to go into all of the details to set up Azure Active Directory Domain Services (AAD DS) in Azure commercial. There is great documentation available that already provides all of the information to get started.

Once you have AAD DS set up and associated with a virtual network (VNet) in Azure commercial, you can extend it into Azure Government with a simple VNet-to-VNet connection. Below are a few points to be aware of when setting this up:

  • AAD DS is only available in Azure commercial. Today AAD DS is in a preview status which does not include an SLA.
  • VNets that are connected must have IP address spaces that do not overlap.
  • You must add the AAD DS DNS IP addresses to all of the VNets, in both commercial and government, that will provide AAD DS features to virtual machines in the VNet.
  • I have not tested this with an ARM VNet in Azure commercial and an ASM (classic) VNet in Azure Government. Based on this article it appears that establishing a VNet-to-VNet connection across ARM and ASM should be possible.
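Before creating the VNet-to-VNet connection, it is worth checking the two constraints above mechanically: no overlapping address spaces between the VNets being connected, and the AAD DS DNS addresses present on every VNet that should get domain services. The following script is an added example, not code from the original post or from Microsoft; the VNet names, address spaces and DNS IPs are constructed placeholders (in a real deployment the DNS IPs are the ones shown on the AAD DS blade, and the VNet definitions would come from the portal, PowerShell or the CLI). It flags one deliberately overlapping VNet and two VNets with incomplete DNS settings.

```python
import ipaddress
from itertools import combinations

# Constructed placeholders: the DNS IPs assigned to the AAD DS instance in the
# commercial VNet. Replace with the addresses shown for your own AAD DS instance.
AADDS_DNS_IPS = ["10.1.0.4", "10.1.0.5"]

# Constructed sample VNets. "gov-vnet-bad" overlaps the commercial VNet and
# carries no DNS servers; "gov-vnet" is missing one of the two DNS IPs.
VNETS = {
    "commercial-vnet": {"address_spaces": ["10.1.0.0/16"],
                        "dns_servers": ["10.1.0.4", "10.1.0.5"]},
    "gov-vnet":        {"address_spaces": ["10.2.0.0/16"],
                        "dns_servers": ["10.1.0.4"]},
    "gov-vnet-bad":    {"address_spaces": ["10.1.128.0/17"],
                        "dns_servers": []},
}


def overlapping_pairs(vnets):
    """Return (vnet_a, vnet_b, prefix_a, prefix_b) for every pair of VNets
    whose address spaces overlap. Connected VNets must produce no entries."""
    found = []
    for a, b in combinations(sorted(vnets), 2):
        for prefix_a in vnets[a]["address_spaces"]:
            for prefix_b in vnets[b]["address_spaces"]:
                net_a = ipaddress.ip_network(prefix_a, strict=True)
                net_b = ipaddress.ip_network(prefix_b, strict=True)
                if net_a.overlaps(net_b):
                    found.append((a, b, prefix_a, prefix_b))
    return found


def missing_dns(vnets, required_dns):
    """Map VNet name -> list of required AAD DS DNS IPs that VNet does not
    carry. A VNet without these entries cannot resolve the managed domain."""
    result = {}
    for name, vnet in vnets.items():
        missing = [ip for ip in required_dns if ip not in vnet["dns_servers"]]
        if missing:
            result[name] = missing
    return result


def check(vnets, required_dns):
    """Combine both checks into a list of human-readable problems (empty if
    the VNets are ready to be connected)."""
    problems = []
    for a, b, prefix_a, prefix_b in overlapping_pairs(vnets):
        problems.append(f"address space overlap: {a} {prefix_a} <-> {b} {prefix_b}")
    for name, missing in missing_dns(vnets, required_dns).items():
        problems.append(f"{name} is missing AAD DS DNS servers: {', '.join(missing)}")
    return problems


if __name__ == "__main__":
    for problem in check(VNETS, AADDS_DNS_IPS):
        print(problem)
```

Run it before building the gateways: an overlap between address spaces cannot be corrected after the connection exists without re-addressing a VNet, and a VNet that lacks the AAD DS DNS entries will let VMs be deployed that can never find the managed domain to join it.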

To summarize, AAD DS enables organizations to quickly deploy domain-joined virtual machines into Azure without having to deploy additional domain controllers in the cloud. Currently AAD DS is in preview and does not have an SLA. When architecting your solutions there may be situations where having full domain controllers in Azure will make more sense than using AAD DS. Always ensure you are using an architecture that fits the solution instead of trying to fit a solution into a specific architecture.