{"id":2186,"date":"2021-08-21T11:26:25","date_gmt":"2021-08-21T16:26:25","guid":{"rendered":"https:\/\/www.ciraltos.com\/?p=2186"},"modified":"2023-03-23T06:13:30","modified_gmt":"2023-03-23T11:13:30","slug":"dont-use-azure-ad-domain-services-to-replace-windows-domain-controllers","status":"publish","type":"post","link":"https:\/\/www.ciraltos.com\/staging2\/dont-use-azure-ad-domain-services-to-replace-windows-domain-controllers\/","title":{"rendered":"Don\u2019t Use Azure AD Domain Services to Replace Windows Domain Controllers"},"content":{"rendered":"\n<figure class=\"wp-block-image alignleft size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"137\" height=\"122\" src=\"https:\/\/www.ciraltos.com\/wp-content\/uploads\/2021\/08\/AzureADDS.png\" alt=\"Azure AD Domain Services\" class=\"wp-image-2187\"\/><\/figure>\n\n\n\n<p>I&#8217;ve been sitting on this topic for a while.&nbsp; I typically like to pass along information that helps people better understand Azure and other Microsoft products absent of my opinion.&nbsp; However, this post is slightly opinionated, an opinion that was formulated after seeing problems users ran into while trying to use Azure AD as a replacement for Windows AD.&nbsp; <\/p>\n\n\n\n<!--more-->\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<div class=\"ast-oembed-container\" style=\"height: 100%;\"><iframe loading=\"lazy\" title=\"Don\u2019t Use Azure AD Domain Services to Replace Windows Domain Controllers\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/L6KtTqCtxc8?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/div>\n<\/div><\/figure>\n\n\n\n<p>Azure Active Directory Domain Services (Azure AD DS) is not a replacement for Windows Active 
Directory.&nbsp; I understand the confusion; one of my most popular videos is on the difference between Azure AD DS, Windows AD and Azure AD (<a href=\"https:\/\/www.ciraltos.com\/active-directory-domain-service-azure-active-directory-and-azure-active-directory-domain-service-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">here<\/a>).&nbsp; At a high level, both Azure AD DS and Windows AD offer network-based authentication with Kerberos and NTLM support.&nbsp; Azure AD DS is compatible with Windows AD.<\/p>\n\n\n\n<p>Based on online forums and social media posts, the compatibility\nbetween Azure AD DS and Windows AD has caused problems.&nbsp; The problem usually starts with something like:\n\u201cWe want to get rid of on-premises domain controllers\u201d or \u201cI was given the\ndirective that we will no longer support Windows AD.\u201d&nbsp; Azure AD DS is a Platform as a Service (PaaS)\noffering, and it\u2019s understandable how, given these directives, moving from\nWindows AD to Azure AD DS may make sense.<\/p>\n\n\n\n<p>However, Azure AD DS is not intended as a replacement for Windows\nAD.&nbsp; Before we go over what it\u2019s intended\nfor, let\u2019s consider the limitations of Azure AD DS that make it a wrong choice as\na replacement for Windows AD.&nbsp; <\/p>\n\n\n\n<h1>Azure AD DS Limitations<\/h1>\n\n\n\n<h2>No Hybrid Azure AD Join<\/h2>\n\n\n\n<p>A client computer can be joined to AD DS (Windows or Azure)\nor to Azure AD.&nbsp; For client computers joined\nto Windows AD, Azure AD Connect Sync can hybrid join them to Azure AD.&nbsp; Azure AD Connect Sync does not support Azure\nAD DS and, therefore, client computers cannot be Hybrid Azure AD Joined if they are\nmembers of an Azure AD DS domain.&nbsp; These client\ncomputers cannot be part of services that require Azure AD Join or Hybrid Azure\nAD join, such as Universal Print or Conditional Access Policies.<\/p>\n\n\n\n<h2>No Enterprise or Domain 
Admin<\/h2>\n\n\n\n<p>There are no Enterprise or Domain admin accounts in Azure AD\nDS.&nbsp; Instead, there is a group called AAD\nDC Administrators used to manage Azure AD DS.&nbsp;\nAccounts in this group have rights such as local administrator on member\nservers and administrative rights required to manage Azure AD DS.&nbsp; The Domain and Enterprise Administrator permissions\nare reserved for the Azure AD DS service.<\/p>\n\n\n\n<h2>No Active Directory Certificate Services Support<\/h2>\n\n\n\n<p>The first requirement for installing Active Directory\nCertificate Services is to log in as a member of the Enterprise Admin\nGroup.&nbsp; As stated, these accounts do not\nexist in Azure AD DS, and therefore, AD Certificate Service is not supported in\nAzure AD DS.&nbsp; That rules out certificate-based\nfeatures such as smart card authentication.<\/p>\n\n\n\n<h2>Schema cannot be Extended<\/h2>\n\n\n\n<p>Azure AD DS does not support extending the schema.&nbsp; Lack of schema extension rules out any applications,\nboth Microsoft and 3<sup>rd<\/sup> party, that require a schema extension.<\/p>\n\n\n\n<h2>Limited Group Policy Support<\/h2>\n\n\n\n<p>Azure AD DS is a PaaS offering, meaning customers don\u2019t have\nto log in and manage the Domain Controllers.&nbsp;\nWith that said, there is no access to server resources such as the sysvol\nfolder.&nbsp; Azure AD DS does support a\ndefault set of group policies.&nbsp; However, it\nis not possible to add ADMX files to the sysvol folder. <\/p>\n\n\n\n<p>Also, there is a default policy for account lockouts applied to all Azure AD DS users.&nbsp; You can create a new policy with more restrictive settings, but you can\u2019t change the default policy.<br>Update 8\/31\/2021<br>Someone pointed out the link below. Unfortunately, I can&#8217;t find who it was to give them credit.  
It <em>is<\/em> possible to change the default password policy in Azure AD DS from the Azure Portal: <a rel=\"noreferrer noopener\" aria-label=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory-domain-services\/password-policy (opens in a new tab)\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory-domain-services\/password-policy\" target=\"_blank\">https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory-domain-services\/password-policy<\/a><\/p>\n\n\n\n<h2>Limited Redundancy<\/h2>\n\n\n\n<p>A best practice with Windows AD was to put a DC as close to users as possible.&nbsp; It is common to do this by deploying Domain Controllers in branch locations to process logins locally and provide login services if WAN connectivity fails.&nbsp; An Azure AD DS instance is limited to two domain controllers in a single region.&nbsp; If that region goes down or the network connectivity is disrupted, login processing would become unavailable.<\/p>\n\n\n\n<p>Update 9\/7\/2021<br>It is possible to add up to 5 replicas with the enterprise SKU of Azure AD DS. Thanks to G. Jongeneel for pointing this out! 
<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory-domain-services\/concepts-replica-sets?WT.mc_id=AZ-MVP-5004159\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory-domain-services\/concepts-replica-sets?WT.mc_id=AZ-MVP-5004159 (opens in a new tab)\">https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory-domain-services\/concepts-replica-sets?WT.mc_id=AZ-MVP-5004159<\/a><\/p>\n\n\n\n<h2>Azure AD DS has a Different DNS Name<\/h2>\n\n\n\n<p>Azure AD DS requires a publicly routable domain when\ndeployed.&nbsp; The domain name is a different\ndomain from the on-premises domain and the Azure AD domain.&nbsp; Users replicated from the source Azure AD\ndomain can log in with their Azure AD UPN, but any users provisioned from Azure\nAD DS will use the Azure AD DS domain suffix.&nbsp;\nThis situation is manageable but confusing for users and support.<\/p>\n\n\n\n<h2>No Forest Trusts<\/h2>\n\n\n\n<p>There are two types of Azure AD DS forests.&nbsp; A User forest synchronizes all objects from\nAzure AD.&nbsp; Included are user accounts sourced\nfrom Windows AD, provided Azure AD Connect Sync is in place between Windows AD\nand Azure AD.&nbsp; This forest type does not\nsupport forest trusts.&nbsp; Forest trusts are\ncommon for larger organizations, or during merger and acquisition activities that\nrequire sharing resources across disjoined forests.<\/p>\n\n\n\n<p>Technically, the second Azure AD DS forest type, a resource forest, does support trust relationships.&nbsp; It does not, however, synchronize objects from Azure AD.&nbsp; Instead, it\u2019s used for resources that rely on a trust relationship with a Windows AD domain for access.<\/p>\n\n\n\n<p>Update 6\/18\/2022<br>The Microsoft documentation now indicates a one-way forest trust is available with a user or resource forest.  
<\/p>\n\n\n\n<h2>Not Publicly Available<\/h2>\n\n\n\n<p>One frequent question I see is a version of \u201cnow that I have\nAzure AD DS, how do I join my laptop to it?\u201d &nbsp;Joining a client to Azure AD DS requires a\nprivate network connection, VPN, or ExpressRoute, for the same reason joining a\nWindows AD domain requires one. There are significant security risks to\nexposing Active Directory Domain Services to the internet.&nbsp; <\/p>\n\n\n\n<h2>No MSIX App Attach Support<\/h2>\n\n\n\n<p>Update 8\/26\/2021<br> Azure Virtual Desktop supports Azure AD DS.&nbsp; However, MSIX App Attach is not supported in environments that use Azure AD DS for the directory service (<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-desktop\/app-attach-faq?WT.mc_id=AZ-MVP-5004159#can-i-use-azure-active-directory-domain-services--azure-ad-ds--with-msix-app-attach-\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Link. (opens in a new tab)\">Link.<\/a>)&nbsp; This is because the computer objects in Azure AD DS are not synchronized to Azure AD and, therefore, the required RBAC roles cannot be applied to the computer object.<\/p>\n\n\n\n<h1>What is Azure AD DS for?<\/h1>\n\n\n\n<p>You may question the point of Azure AD DS if it comes with\nall these limitations, but it does have a valid use case.&nbsp; Below is a paragraph from the Microsoft Azure\nAD DS Overview Documentation.<\/p>\n\n\n\n<p>\u201cAn Azure AD DS managed domain lets you run legacy applications in the cloud that can\u2019t use modern authentication methods, or where you don\u2019t want directory lookups to always go back to an on-premises AD DS environment. 
You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud.\u201d<br><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory-domain-services\/overview\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory-domain-services\/overview (opens in a new tab)\">https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory-domain-services\/overview<\/a><\/p>\n\n\n\n<p>Notice one word that\u2019s missing from this paragraph: clients.&nbsp; Azure AD DS provides a way to move applications\nthat require network authentication methods, Kerberos and NTLM, into Azure\nwithout extending an on-premises Windows AD directory to Azure.&nbsp; It is not intended for client and device management\nor as a direct replacement for Windows AD.<\/p>\n\n\n\n<h1>Moving to Modern Authentication<\/h1>\n\n\n\n<p>As stated in the beginning, most attempts to move to Azure\nAD DS start with \u201cWe want to get rid of on-premises domain controllers\u201d or \u201cI\nwas given the directive that we will no longer support Windows AD.\u201d&nbsp; If you are one of those facing this directive,\nI suggest reframing the goal to \u201cwe need to move away from Kerberos and NTLM\nWindows AD Authentication.\u201d&nbsp; This becomes\na much more tangible and achievable goal.<\/p>\n\n\n\n<p>Replacing Active Directory Domain Services with Azure AD\nJoin and leveraging modern applications such as Teams, SharePoint and OneDrive will\nalleviate the need for Windows AD authentication.&nbsp; Use Microsoft Endpoint Management and Intune to\nmanage devices instead of Group Policies.&nbsp;\nThis path removes the underlying dependency on Active Directory Domain Services\nand, thereby, the need for domain controllers.<\/p>\n\n\n\n<h1>Options<\/h1>\n\n\n\n<p>An attempt to move away from Active Directory Domain Services\nmay be short-lived 
due to applications or services that require AD DS.&nbsp; In that case, the organization has two\noptions: move to Azure AD DS and accept the limitations, or continue with Windows\nDomain Controllers.<\/p>\n\n\n\n<h2>Accept AD DS Limitations<\/h2>\n\n\n\n<p>Sometimes directives are mandated despite the repercussions.&nbsp; If that\u2019s the case, you will have to accept\nthe limitations. That may be fine as a stop-gap for a legacy application but\nnot as a solution for managing enterprise clients.&nbsp; If Azure AD DS is used for managing clients,\nconsider how the organization will migrate to Windows AD when the limitations make\nthe service no longer viable.<\/p>\n\n\n\n<h2>Stay with Windows AD<\/h2>\n\n\n\n<p>If the organization requires AD DS and Azure AD DS limitations\nwon\u2019t fit the environment, the only other option is to stay with Windows\nAD.&nbsp; Windows AD can exist as IaaS VMs in\nAzure, and unlike Azure AD DS, redundant Windows Domain Controllers can be\ndeployed to multiple regions to provide high availability.&nbsp; Add ExpressRoute or VPN to support a hybrid environment\nof on-premises and cloud-based Windows AD Domain Controllers.<\/p>\n\n\n\n<p>Prices vary by region and size, but two IaaS VMs used for Domain\nControllers can be provisioned at close to the same monthly price as Azure AD\nDS.<\/p>\n\n\n\n<h2>Summary<\/h2>\n\n\n\n<p>At first sight, it may be tempting to think of Azure AD DS\nas a replacement for Windows AD.&nbsp; However,\nthat\u2019s not the intent of the product.&nbsp;\nAzure AD DS has limitations that make it less than ideal as a direct replacement\nfor Windows AD.&nbsp; Recognize how these limitations\nimpact the deployment now and into the future.&nbsp;\n&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve been sitting on this topic for a while.&nbsp; I typically like to pass along information that helps people better understand Azure and other Microsoft products absent of my opinion.&nbsp; 
However, this post is slightly opinionated, an opinion that was formulated after seeing problems users ran into while trying to use Azure AD as a &hellip;<\/p>\n<p class=\"read-more\"> <a class=\"\" href=\"https:\/\/www.ciraltos.com\/staging2\/dont-use-azure-ad-domain-services-to-replace-windows-domain-controllers\/\"> <span class=\"screen-reader-text\">Don\u2019t Use Azure AD Domain Services to Replace Windows Domain Controllers<\/span> Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":2187,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":""},"categories":[2,1021],"tags":[533,1079,142,535,1085,1078,307,1086,1082,1081,1084,1083,1087,1080,595],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Don\u2019t Use Azure AD Domain Services to Replace Windows Domain Controllers - ciraltos<\/title>\n<meta name=\"description\" content=\"Azure AD DS is not intended as a replacement for Windows AD. 
Before we go over what it\u2019s intended for, let\u2019s consider the limitations of Azure AD DS that make it a wrong choice as a replacement to Windows AD.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.ciraltos.com\/staging2\/dont-use-azure-ad-domain-services-to-replace-windows-domain-controllers\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Don\u2019t Use Azure AD Domain Services to Replace Windows Domain Controllers - ciraltos\" \/>\n<meta property=\"og:description\" content=\"Azure AD DS is not intended as a replacement for Windows AD. Before we go over what it\u2019s intended for, let\u2019s consider the limitations of Azure AD DS that make it a wrong choice as a replacement to Windows AD.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.ciraltos.com\/staging2\/dont-use-azure-ad-domain-services-to-replace-windows-domain-controllers\/\" \/>\n<meta property=\"og:site_name\" content=\"ciraltos\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-21T16:26:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-03-23T11:13:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2021\/08\/AzureADDS.png\" \/>\n\t<meta property=\"og:image:width\" content=\"137\" \/>\n\t<meta property=\"og:image:height\" content=\"122\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Travis Roberts\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@ciraltos\" \/>\n<meta name=\"twitter:site\" content=\"@ciraltos\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Travis Roberts\" \/>\n\t<meta 
name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.ciraltos.com\/staging2\/dont-use-azure-ad-domain-services-to-replace-windows-domain-controllers\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.ciraltos.com\/staging2\/dont-use-azure-ad-domain-services-to-replace-windows-domain-controllers\/\"},\"author\":{\"name\":\"Travis Roberts\",\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a\"},\"headline\":\"Don\u2019t Use Azure AD Domain Services to Replace Windows Domain Controllers\",\"datePublished\":\"2021-08-21T16:26:25+00:00\",\"dateModified\":\"2023-03-23T11:13:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.ciraltos.com\/staging2\/dont-use-azure-ad-domain-services-to-replace-windows-domain-controllers\/\"},\"wordCount\":1757,\"commentCount\":14,\"publisher\":{\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a\"},\"keywords\":[\"Active Directory Domain Services\",\"AD Design\",\"Azure AD\",\"Azure AD DS\",\"Azure AD Join\",\"Certificate Services\",\"DNS\",\"Domain Admin\",\"Enterprise Admin\",\"forest\",\"GPO\",\"Hybrid Join\",\"limitations\",\"Schema\",\"Windows AD\"],\"articleSection\":[\"Azure\",\"Azure AD\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.ciraltos.com\/staging2\/dont-use-azure-ad-domain-services-to-replace-windows-domain-controllers\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.ciraltos.com\/staging2\/dont-use-azure-ad-domain-services-to-replace-windows-domain-controllers\/\",\"url\":\"https:\/\/www.ciraltos.com\/staging2\/dont-use-azure-ad-domain-services-to-replace-windows-domain-controllers\/\",\"name\":\"Don\u2019t 
Use Azure AD Domain Services to Replace Windows Domain Controllers - ciraltos\",\"isPartOf\":{\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#website\"},\"datePublished\":\"2021-08-21T16:26:25+00:00\",\"dateModified\":\"2023-03-23T11:13:30+00:00\",\"description\":\"Azure AD DS is not intended as a replacement for Windows AD. Before we go over what it\u2019s intended for, let\u2019s consider the limitations of Azure AD DS that make it a wrong choice as a replacement to Windows AD.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.ciraltos.com\/staging2\/dont-use-azure-ad-domain-services-to-replace-windows-domain-controllers\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.ciraltos.com\/staging2\/dont-use-azure-ad-domain-services-to-replace-windows-domain-controllers\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.ciraltos.com\/staging2\/dont-use-azure-ad-domain-services-to-replace-windows-domain-controllers\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"http:\/\/www.ciraltos.com\/staging2\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Don\u2019t Use Azure AD Domain Services to Replace Windows Domain Controllers\"}]},{\"@type\":\"WebSite\",\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#website\",\"url\":\"http:\/\/www.ciraltos.com\/staging2\/\",\"name\":\"ciraltos\",\"description\":\"cloud, technology and trends\",\"publisher\":{\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/www.ciraltos.com\/staging2\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/25391996d6cddfecd4d257162b7e373a\",\"name\":\"Travis 
Roberts\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2023\/03\/Logo-1.png\",\"contentUrl\":\"https:\/\/www.ciraltos.com\/staging2\/wp-content\/uploads\/2023\/03\/Logo-1.png\",\"width\":5657,\"height\":3563,\"caption\":\"Travis Roberts\"},\"logo\":{\"@id\":\"http:\/\/www.ciraltos.com\/staging2\/#\/schema\/person\/image\/\"},\"sameAs\":[\"http:\/\/www.ciraltos.com\",\"https:\/\/twitter.com\/ciraltos\"],\"url\":\"https:\/\/www.ciraltos.com\/staging2\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/posts\/2186"}],"collection":[{"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/comments?post=2186"}],"version-history":[{"count":9,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/posts\/2186\/revisions"}],"predecessor-version":[{"id":3818,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/posts\/2186\/revisions\/3818"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/media\/2187"}],"wp:attachment":[{"href":"https:\/\/www.ciraltos.com\/staging2
\/wp-json\/wp\/v2\/media?parent=2186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/categories?post=2186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ciraltos.com\/staging2\/wp-json\/wp\/v2\/tags?post=2186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}