Is a cloud-based domain controller behind a VPN feasible?

azure vpn domain-controller

I'm considering setting up a windows domain controller in MS Azure within an Azure virtual network. Goal is to be able to centrally manage GPs and users.

Is this even feasible, since the client computers would need to essentially be on the VPN before being able to authenticate?

I guess I could set up a site-to-site VPN connection to our office, but we have some nomadic users that are almost always mobile.


Solution 1:

It is definitely feasible and supported to run a domain controller in Azure. It depends on what you're looking to achieve as to whether that's the best option. If you're primarily looking to manage client PC policy and provide authentication, then you generally want a DC close to the machines it services. If most of the users are in an office and you have infrastructure there, it is still a good idea to keep your DC in the office near them. The main reason to put another DC in Azure would be to service applications that you are also putting in Azure VMs that require AD authentication or directory access.

If you are looking to get away from on premise infrastructure and still need traditional group policy and identity management, you could go with DCs in Azure and provide access via a VPN as you said. There is the site-to-site option to extend your network into Azure, or you can take a look at the new point-to-site VPN capability that allows direct VPN access into Azure using an agent installed on each client. This could work well for a small user base.

https://azure.microsoft.com/documentation/articles/vpn-gateway-point-to-site-create/

Remember too that Windows caches credentials, so as long as you get a user authenticated once through the VPN, they won't need to have it running to log in subsequently. Of course, they'll need to log in periodically to apply the latest policy, which might be enforced or encouraged through a logon script, etc.

Hope that helps.

Solution 2:

The classical solution to this is to set up a VPN that a computer can use without a user login; the mechanism used is similar to the one from ancient days when someone might dial an internet connection to connect to their domain. Setting this up can be somewhat of a chore because you have to define the VPN connection in such a way that it can actually be initiated through the network connections API without having to load a client program (basically, you have to deploy PPP).

A newer and likely easier way of doing this is to use DirectAccess, which Microsoft have released for this exact use case; a detailed guide is available here. It is basically a VPN solution.

Related

Accessing LXC container's filesystem from host
More Searchfilters in AuthLDAPURL
MySQL slave server not removing old relay binlogs
Why are http headers not set when I use proxypass on apache2.2
How to mirror MacBook Pro screen to Apple TV?
Can I delete the app that created my Passbook passes?
Search LaTeX documentation with Alfred
Swipe between pages doesn't work and unable two fingers scrolling up/down
OS X Yosemite installation error: File system verify or repair failed
Format External Disk in FAT, NOT FAT32
Need help with update to latest Git using Terminal
Is it possible to disable Junk Mail filtering in mail.app?