You can now join your Azure instances to your local AD


I was particularly interested in the features of Azure Connect (up until now called “Project Sydney”): a way of getting your corporate network joined up to the instances you have running in the cloud.

One particular feature I think will interest enterprises (beyond the fact that you can connect the networks in the first place) is domain join.

[Diagram: Azure Connect domain join, showing the Connect agent on an on-premises domain controller communicating with the instances running in Windows Azure]

The diagram above shows how this is achieved. You’d typically install the Connect agent on a domain controller, and that DC is then responsible for communicating with the instances in the cloud. It’s recommended that you create an AD site for this.

It’s then down to how you wire up the ServiceConfiguration.cscfg file, which will support new settings for:

  • The domain credentials used to perform the domain join itself
  • The OU in which to place the computer object that represents your instance. In this case the target OU in the .cscfg file is “sales”, and if you look in the local AD, in the sales OU, you can see the computer object CN=Web1,OU=sales,DC=plankytronixx,DC=com.

Because all of this lives in the .cscfg file, it works with Web and Worker roles. For VM roles you need to install a plugin.

Of course, now that you have a “connection” between your local network and the instances you have running in the cloud, it’s as if your corporate network extends out into the bits of Windows Azure that are hosting your instances. To the rest of the corporate network, they now look like normal Windows servers on your network.

The Windows Azure instances have a default local Administrators group. In the .cscfg file you can specify which AD users or groups are members of that group, meaning selected individuals and groups can administer the machine (within the limits of the service model).
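As an added example (not from the original post), here is what the relevant part of a ServiceConfiguration.cscfg could look like for the scenario described above: the join credentials and target OU from the list earlier, the AD site the DC sits in, and the local Administrators membership from the previous paragraph. The setting names follow the Windows Azure Connect plugin (Microsoft.WindowsAzure.Plugins.Connect.*) as shipped with the SDK of the time and are reproduced from memory, so check them against the SDK you have; the service name, role name, DC name, join account, group name, site name and activation token are assumed placeholder values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the original post's file. Setting names follow the
     Windows Azure Connect plugin as recalled; verify against your SDK.
     All values below are assumed placeholders except the domain and OU,
     which are taken from the post. -->
<ServiceConfiguration serviceName="PlankyCloudService"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration">
  <Role name="Web1">
    <Instances count="1" />
    <ConfigurationSettings>
      <!-- Token from the Azure portal that enrols this role in your Connect group -->
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.ActivationToken"
               value="00000000-0000-0000-0000-000000000000" />
      <!-- Turn on domain join for this role -->
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.EnableDomainJoin" value="true" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainFQDN" value="plankytronixx.com" />
      <!-- The on-premises DC that runs the Connect agent (see the diagram) -->
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainControllerFQDN"
               value="dc1.plankytronixx.com" />
      <!-- Join account: this should NOT be a Domain Admin. Delegate it only
           "Create/Delete Computer objects" on OU=sales. Its password lives in
           this file, so treat the .cscfg as a credential and restrict who can
           read it or upload it to the portal. -->
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainAccountName"
               value="plankytronixx\azure-join" />
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainPassword" value="REPLACE-ME" />
      <!-- The computer object for the instance is created here, giving
           CN=Web1,OU=sales,DC=plankytronixx,DC=com as in the post -->
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainOU"
               value="OU=sales,DC=plankytronixx,DC=com" />
      <!-- AD users/groups added to the instance's local Administrators group.
           Use a dedicated group so membership is managed in AD, not in the file. -->
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.Administrators"
               value="plankytronixx\Azure-Admins" />
      <!-- The AD site the Connect-agent DC belongs to, so cloud instances
           authenticate against that DC rather than hunting for others -->
      <Setting name="Microsoft.WindowsAzure.Plugins.Connect.DomainSiteName" value="AzureConnect" />
    </ConfigurationSettings>
  </Role>
</ServiceConfiguration>
```

These settings only take effect if the role also declares the Connect module in its ServiceDefinition.csdef (an `<Import moduleName="Connect" />` entry under `<Imports>`), which is what installs the agent into Web and Worker roles without any extra plugin. Two checks worth doing after the first deployment: confirm in AD that the computer object landed in OU=sales and not in the default Computers container, and confirm that the join account cannot do anything beyond creating computer objects there, since whoever can read the .cscfg holds that password.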

One feature added with the PDC announcements is support for RDP, meaning somebody from your local AD could use a Remote Desktop session to perform the admin functions on the machine.

Planky



Comments (5)

  1. Kris says:

    Is there a VM configuration that MS can provide to test this scenario out? That will be of great value.

  2. ...Planky says:

    …do you mean a VM configuration of the DC in the on-premise environment?

  3. Graham says:

    You don't find this rather insecure? Connecting your domain to Azure? You are extending your AD outside your org to a "basic work in progress" system that makes no clear assurances about its security. Very risky!

  4. Graham says:

    You don't find this rather insecure? Connecting your domain to Azure? You are extending your AD outside your org to a "basic work in progress" system that makes no clear assurances about its security. Very risky!

  5. ...Planky says:

    Hi Graham,

    Our opinions differ. The security of the Azure data centers is good (ISO 27001, SAS 70) and has a host of measures taken to safeguard the system at multiple levels, including the physical security of the facility and so on. I don't see Azure as a basic work in progress system.

    However if you do, then this wouldn't be a good technology for you to adopt. Anything that gives security concerns is going to result in you wasting cycles waiting for something to go wrong or wondering if it already has gone wrong.

    Planky
