Azure AD Domain Services with WVD limitations
I get these questions all the time when implementing a new WVD POC.
Why do we need a VPN, Can’t we use Azure AD?
– No, not supported!
Can’t we use Azure AD Domain Services?
– No, Not recommended!
So, why do I not recommend Azure AD Domain Services? The short answer is: It has lots of features missing. So lets dig into it a bit deeper and give you the long answer.
Azure AD Domain services
- is not the same as setting up a domain controller in Azure. This service is managed by Microsoft and run as a service. no access to the VM it runs on.
- is not the same domain as your local AD. It will create a completely new domain, separate from both your existing AAD and AD.
- has a reverse sync compared to your existing AD connect. It will sync user and computer objects from Azure AD to Azure AD domain services (Not AD to AAD domain services)
- has very limited writeback. Computer objects are not synced back to Azure AD. Thereby, the wvd computer account will never occur in Azure AD and can never be Hybrid Azure AD Joined.
- WVD cannot be automatically enrolled to Intune. It require Hybrid Azure AD Join.
- has GPO functionality. But you need to setup an admin VM in Azure with RSAT installed.
- has DNS but not possible to manage. If you need WVD to lookup internal DNS records, it´s not possible.
- Azure AD is master of provisioning object to Azure AD Domain services. only computer accounts should be added to AAD Domain Services.
- Local AD is master of Azure AD, so now we get provisioning in two steps.
- it require Password Hash Sync to be enabled from Local AD to Azure AD. The password hash will then also sync to Azure AD Domain Services
- You cannot add additional Domain controllers to the Azure AD Domain Services domain.
- Password time set to default 90 days and password reset needs to be done in local AD or Azure AD.
- if you are cloud only and implement Azure AD domain services, users need to change their password before being able to login. (Might be fixed)
- No support for NPS, you cannot add radius services.
- No support for SPN and kerberos delegations
- No support for AD PKI
And the list goes on. So Azure AD Domain Services is more of an quick fix to setup a very limited WVD POC. But nothing to use if you need a realistic POC.
But hey, if you already are cloud only you have no option.