Q. What is Azure AD Domain Services?
A. Until now, using Active Directory Domain Services features in Azure has required either placing domain controllers in Azure or having a site-to-site VPN/ExpressRoute connection from Azure to on-premises so that on-premises domain controllers can be contacted. Some organizations are moving to a cloud-only environment and don't want to manage domain controllers, but still have services that require Active Directory membership/connectivity. Other organizations have AD but do not wish to extend it to the cloud.
Azure Active Directory (AD) provides a cloud-based identity solution which can be populated with users and groups from on-premises Active Directory through Azure AD Connect, with the option of also synchronizing a hash of the hash of the user password, which enables authentication in Azure AD. Alternatively, ADFS can be used so that authentication occurs against regular Active Directory. Azure AD Domain Services extends the functionality of your Azure AD instance to provide Active Directory Domain Services-like functionality, enabling you to:
- Join machines in Azure to the domain
- Apply basic Group Policy
- Use Kerberos/NTLM authentication
- Use read-only LDAP access (in the future this could change based on user feedback)
- Manage the domain with ADAC and PowerShell
- Deploy simply (flip a switch!)
Because this is an extension of Azure AD it is inherently highly available and there is no patching required; it is a managed service. Note that this is not intended as a replacement for Active Directory Domain Services but rather to enhance it for key cloud scenarios. It is not intended for joining workstations/laptops; in those scenarios use the new Windows 10 feature that allows machines to use Azure AD join.
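As an added example (not part of the original answer), the following PowerShell run on a Windows VM in Azure that has been joined to the managed domain checks three of the capabilities listed above: domain membership, a Kerberos ticket for the managed domain, and LDAP read access. The domain name "contoso.com" is a placeholder for your own managed domain.

```powershell
# Added example: verify an Azure VM's connection to an Azure AD Domain Services managed domain.
# Run in an elevated PowerShell session as a user who logged on with managed-domain credentials.
$ManagedDomain = "contoso.com"   # placeholder: replace with the managed domain's DNS name

# 1. Domain membership: the VM should report the managed domain, not WORKGROUP.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $ManagedDomain) {
    Write-Warning "VM is not joined to $ManagedDomain (reported domain: $($cs.Domain))"
} else {
    Write-Output "Domain join OK: $($cs.Domain)"
}

# 2. Kerberos: after a domain logon the session should hold a TGT (krbtgt) for the managed realm.
$realm   = $ManagedDomain.ToUpper()
$tickets = klist.exe 2>&1 | Out-String
if ($tickets -match "krbtgt/$([regex]::Escape($realm))") {
    Write-Output "Kerberos TGT present for $realm"
} else {
    Write-Warning "No Kerberos TGT found for $realm; authentication may be falling back to NTLM"
}

# 3. LDAP read: query the managed domain for computer objects with the current credentials.
Add-Type -AssemblyName System.DirectoryServices
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ManagedDomain")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = "(objectClass=computer)"
$searcher.PageSize = 500
$searcher.PropertiesToLoad.Add("dNSHostName") | Out-Null
$results = $searcher.FindAll()
Write-Output ("LDAP read OK: {0} computer object(s) visible" -f $results.Count)
# Property names in SearchResult.Properties are lower-cased by the API.
$results | ForEach-Object { $_.Properties["dnshostname"] } | Select-Object -First 5
```

A failing step 3 with a working step 1 usually points at DNS: the VM's virtual network must use the managed domain's DNS server addresses so that the LDAP:// path resolves.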
More information can be found at https://azure.microsoft.com/en-us/documentation/articles/active-directory-ds-overview/ and https://azure.microsoft.com/en-us/services/active-directory-ds/.