Is a cloud-based domain controller behind a VPN feasible?
I'm considering setting up a windows domain controller in MS Azure within an Azure virtual network. Goal is to be able to centrally manage GPs and users.
Is this even feasible, since the client computers would need to essentially be on the VPN before being able to authenticate?
I guess I could set up a site-to-site VPN connection to our office, but we have some nomadic users that are almost always mobile.
Solution 1:
It is definitely feasible and supported to run a domain controller in Azure. It depends on what you're looking to achieve as to whether that's the best option. If you're primarily looking to manage client PC policy and provide authentication, then you generally want a DC close to the machines it services. If most of the users are in an office and you have infrastructure there, it is still a good idea to keep your DC in the office near them. The main reason to put another DC in Azure would be to service applications that you are also putting in Azure VMs that require AD authentication or directory access.
If you are looking to get away from on premise infrastructure and still need traditional group policy and identity management, you could go with DCs in Azure and provide access via a VPN as you said. There is the site-to-site option to extend your network into Azure, or you can take a look at the new point-to-site VPN capability that allows direct VPN access into Azure using an agent installed on each client. This could work well for a small user base.
https://azure.microsoft.com/documentation/articles/vpn-gateway-point-to-site-create/
Remember too that Windows caches credentials, so as long as you get a user authenticated once through the VPN, they won't need to have it running to log in subsequently. Of course, they'll need to log in periodically to apply the latest policy, which might be enforced or encouraged through a logon script, etc.
Hope that helps.
Solution 2:
The classical solution to this is to set up a VPN that a computer can use without a user login; the mechanism used is similar to the one from ancient days when someone might dial an internet connection to connect to their domain. Setting this up can be somewhat of a chore because you have to define the VPN connection in such a way that it can actually be initiated through the network connections API without having to load a client program (basically, you have to deploy PPP).
A newer and likely easier way of doing this is to use DirectAccess, which Microsoft have released for this exact use case; a detailed guide is available here. It is basically a VPN solution.