I'm currently seeking some advice and guidance on whether deploying an additional Windows Server 2019 VM in Azure to run an Active Directory Domain Controller / Global Catalog in a separate AD site called 'Azure' really has any benefits or not.

At the moment my AD domain is just a single-forest AD, spread across multiple geographical locations throughout Asia Pacific.

Azure AD Connect runs Password Hash Sync to Azure AD, since we are still using Hybrid Exchange 2016-Office 365.

What are the benefits and the caveats of deploying one more AD DS server as IaaS in Azure to serve the AD site called 'Azure', which covers the IP subnet of the VNet I peered from Azure to on-premises?

Solution 1:

If you want to run domain-joined VMs in your Azure virtual network, the best practice is for them to have a "local" Domain Controller (or two) available, running as another Azure VM; otherwise, they will need to reach out to one of your on-premises Domain Controllers every time they need to query DNS or AD (i.e. continuously).

Of course, if you don't want to run domain-joined VMs in your Azure virtual network, having a Domain Controller there would be quite useless.
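As an added example (not part of the original question or answer), this is the PowerShell an admin would run from a domain-joined management host with the ActiveDirectory and Az modules to create the 'Azure' site, map the peered VNet subnet to it, link it to the on-premises site, and then confirm from an Azure VM that the DC locator returns the Azure DC. The site name 'OnPrem', the subnet 10.20.0.0/16, the DC IP 10.20.0.4, the domain name and the VNet/resource group names are placeholder assumptions.

```powershell
# Added example: map the peered VNet to an AD site named 'Azure' so domain-joined
# Azure VMs prefer a DC in that site. Placeholder assumptions: on-premises site is
# 'OnPrem', VNet address space is 10.20.0.0/16, the Azure DC gets static IP
# 10.20.0.4, and the VNet is 'vnet-hub' in resource group 'rg-hub'.
Import-Module ActiveDirectory

$azureSite  = 'Azure'
$onPremSite = 'OnPrem'
$vnetSubnet = '10.20.0.0/16'

# 1. Site, subnet and site link. The subnet-to-site mapping is what makes the
#    DC locator hand clients in that address range the Azure DC first.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$azureSite'")) {
    New-ADReplicationSite -Name $azureSite -Description 'Peered Azure VNet'
}
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$vnetSubnet'")) {
    New-ADReplicationSubnet -Name $vnetSubnet -Site $azureSite -Location 'Azure'
}
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$onPremSite-$azureSite'")) {
    New-ADReplicationSiteLink -Name "$onPremSite-$azureSite" `
        -SitesIncluded $onPremSite, $azureSite `
        -Cost 100 -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP
}

# 2. Promote the Azure VM into that site (run on the VM itself; the cmdlet
#    prompts for the DSRM password and reboots on completion).
# Install-ADDSDomainController -DomainName 'corp.example.com' -SiteName $azureSite `
#     -InstallDns -Credential (Get-Credential)

# 3. Point the VNet's DNS at the new DC so VMs resolve AD SRV records locally
#    instead of crossing the peering/VPN to an on-premises DC for every lookup.
$vnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName 'rg-hub'
$vnet.DhcpOptions.DnsServers = @('10.20.0.4')
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# 4. Checks from any domain-joined Azure VM: which site it landed in and which
#    DC the locator returned. Both should report the 'Azure' site.
nltest /dsgetsite
Get-ADDomainController -Discover -SiteName $azureSite -ForceDiscover |
    Select-Object HostName, Site, IPv4Address
# Confirm inter-site replication is healthy so the Azure DC is not serving stale data.
repadmin /replsummary
```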