In this blog post, we’ll delve into the reasons why using Entra Domain Services (Entra DS) as a replacement for Windows AD might not be the best choice. We’ll break down each point discussed in a recent YouTube video, highlighting the limitations and considerations associated with Entra DS.
Overview of Microsoft’s Directory Services
Microsoft offers three directory services: Windows AD, Entra ID, and Entra DS. Let’s briefly examine each:
- Windows AD: Organizations have used this on-premises directory service for over two decades. It supports various authentication protocols and services, such as Kerberos, NTLM, LDAP, DNS, and Group Policies.
- Entra ID: A cloud-based directory service by Microsoft, catering to Microsoft online services such as Office 365 and Azure, supporting web-based authentication protocols like OpenID Connect, OAuth 2.0, and SAML.
- Entra DS: Positioned as a Windows AD-compatible service hosted in Azure, offering similar functionality to Windows AD, including support for Kerberos and NTLM authentication, LDAP, DNS, and Group Policies.
Reasons for Considering Entra DS
Before delving into its limitations, let’s first understand why someone might consider using Entra DS:
- Management Overhead: Organizations may seek to offload the management of domain controllers to a cloud-based service, reducing the need for patching, upgrading, and backups.
- Cloud Migration: Entra DS offers a pathway to move Windows AD functionality to the cloud for organizations transitioning to a cloud-only model.
- Small Organizations: Smaller entities may require Active Directory Domain Services without the infrastructure overhead of traditional domain controllers.
Limitations of Entra DS
Despite its appeal, Entra DS comes with several limitations that might hinder its suitability as a Windows AD replacement:
- Lack of Admin Accounts: Unlike Windows AD, Entra DS doesn’t provide domain or enterprise admin accounts, restricting capabilities like installing services that require administrative accounts, such as Certificate Services and AD FS.
- No Smart Card Authentication: Because Certificate Services cannot be installed, there is no enterprise CA to issue logon certificates, and Entra DS does not support smart card authentication.
- Incompatibility with Entra Hybrid Join: Devices joined to Entra DS cannot be Entra Hybrid joined and will not be represented in Entra ID. These devices cannot leverage services that require the device to be hybrid or Entra ID joined. For example, functionalities like Universal Print or using devices as part of Conditional access policies are not supported.
- No Intune Enrollment Support: Devices joined to Entra DS cannot be Entra hybrid joined, so the device will not be represented in Entra ID and cannot be enrolled into Intune.
- No MSIX App Attach Support: For those of you using Azure Virtual Desktop (AVD), MSIX App Attach and the newer “App Attach” will not work with Entra DS. Both require the Session Host to be joined or hybrid joined to Entra ID.
- No Schema Extension: Entra DS doesn’t support extending the directory schema, which impacts applications reliant on schema extensions. Adding Exchange attributes to user accounts or using third-party applications that require schema extensions is not supported with Entra DS.
- Private Network Only: Active Directory Domain Services, either Entra DS or Windows AD, should never be exposed to the Internet. Entra DS is deployed on a private virtual network in Azure. With VPN connections or ExpressRoute, the private network can extend to on-premises networks or even other clouds. Clients can only join the domain if there is private connectivity to the Entra DS domain.
- No On-Premises Domain Controllers: Adding remote DCs is not supported with Entra DS. Additional Entra DS replica sets can be added in Azure, but all replica sets in an Entra DS domain must exist in the same subscription.
- Networking Dependencies: Computers joined to Entra DS, including those on-premises, depend on Entra DS for DNS and become unavailable during WAN disruptions. If the VPN or ExpressRoute connection to Entra DS is down, the client's DNS resolution fails, and with it the client's ability to reach the Internet. There are options to overcome this limitation, such as conditional DNS forwarders on-premises, but they create a complex DNS network design.
- Namespace Differences: Entra DS operates in a separate forest and domain, distinct from Windows AD and Entra ID, complicating user management and resource sharing. Identities and password hashes can be synchronized between the directories, but they are independent directories.
- Trust Limitations: Entra DS only supports a one-way outbound trust, limiting collaboration with other domains. This may not seem like a significant limitation if the organization has no plans for using domain or forest trusts. However, they are common during mergers and acquisitions to share resources. In the event of M&A activity, a two-way trust with a partner is not an option. Correction: Entra DS with the Enterprise SKU now supports a two-way trust.
- Availability Concerns: While replica sets offer high availability, migration across subscriptions or tenants is not an option. Entra DS replica sets must be in the same subscription.
- No Migration Options: An organization may see the limitations above as an acceptable risk. However, needs change over time, and should they reach one of the limitations, there is no back-out plan to migrate from Entra DS to Windows AD. Even leveraging a two-way trust as part of a migration strategy is not an option. The only solution is to export the users, groups, and other settings and rebuild a domain in Windows AD.
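Two of the limitations above are things an administrator can verify on a client before and after joining it: whether the device is actually Entra hybrid joined (the hybrid-join and Intune points), and whether the private path to the managed domain's DNS and logon ports is up (the private-network and networking-dependency points). The following PowerShell is an added example written for this post, not code from the original article or from Microsoft; the managed domain name, DC addresses and the on-premises DNS server are placeholders you substitute with your own values. It parses `dsregcmd /status` for the join state, probes the ports that domain join and logon rely on over the VPN or ExpressRoute link, and shows the conditional-forwarder configuration on an on-premises Windows DNS server that keeps Internet name resolution working when that link is down.

```powershell
# Added example, not from the original post. Placeholders (assumptions):
$ManagedDomain     = 'aadds.contoso.com'        # managed domain name
$ManagedDnsServers = @('10.0.0.4', '10.0.0.5')   # Entra DS DC IPs in the managed subnet

function Get-DeviceJoinState {
    # dsregcmd /status (built into Windows 10/11) prints "Field : Value" lines.
    # A device is Entra hybrid joined only when DomainJoined and AzureAdJoined
    # are both YES. A device joined to an Entra DS domain reports DomainJoined
    # YES but AzureAdJoined NO, which is why it is absent from Entra ID and Intune.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state['HybridJoined'] = ($state['DomainJoined'] -eq 'YES' -and $state['AzureAdJoined'] -eq 'YES')
    return $state
}

function Test-ManagedDomainReachability {
    param([string]$Domain, [string[]]$DnsServers)
    # Ports that domain join and interactive logon depend on. Every one of them
    # must be reachable over the private path; none should ever be exposed to
    # the Internet.
    $ports = [ordered]@{ DNS = 53; Kerberos = 88; LDAP = 389; SMB = 445; LDAPS = 636 }
    $results = foreach ($server in $DnsServers) {
        # Can this client resolve the DC locator SRV record through the managed DCs?
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                               -Server $server -ErrorAction SilentlyContinue
        foreach ($p in $ports.GetEnumerator()) {
            $tcp = Test-NetConnection -ComputerName $server -Port $p.Value -WarningAction SilentlyContinue
            [pscustomobject]@{
                Server      = $server
                Service     = $p.Key
                Port        = $p.Value
                TcpOpen     = $tcp.TcpTestSucceeded
                SrvResolved = [bool]$srv
            }
        }
    }
    return $results
}

function Add-ManagedDomainForwarder {
    param([string]$Domain, [string[]]$DnsServers)
    # Run on an on-premises Windows DNS server (DnsServer module). Clients keep
    # using local DNS for everything else and only the managed-domain zone is
    # forwarded across the VPN/ExpressRoute link, so a WAN outage breaks logon
    # to the managed domain but not Internet name resolution.
    if (-not (Get-DnsServerZone -Name $Domain -ErrorAction SilentlyContinue)) {
        Add-DnsServerConditionalForwarderZone -Name $Domain -MasterServers $DnsServers
    }
}

# Usage on a client that has private connectivity to the managed domain:
Get-DeviceJoinState | Format-Table -AutoSize
Test-ManagedDomainReachability -Domain $ManagedDomain -DnsServers $ManagedDnsServers |
    Format-Table -AutoSize
```

A device that reports `HybridJoined = False` after joining the managed domain is behaving as the post describes, not misconfigured; the only way to get it into Entra ID and Intune is to join it to Entra ID directly rather than to Entra DS. Any `TcpOpen = False` row on the reachability table is exactly the outage condition the networking-dependency point warns about.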
What is Entra DS For?
Entra DS was not intended as a replacement for Windows AD. It is intended to support legacy applications moved to Azure that require Windows AD for security. Below is an excerpt from the documentation.
“A Domain Services managed domain lets you run legacy applications in the cloud that can’t use modern authentication methods, or where you don’t want directory lookups to always go back to an on-premises AD DS environment. You can lift and shift those legacy applications from your on-premises environment into a managed domain, without needing to manage the AD DS environment in the cloud.”
Source: What is Microsoft Entra Domain Services (Microsoft documentation)
Conclusion
Despite its compatibility with Windows AD, Entra DS is not a good option for most organizations seeking to transition from Windows AD to a cloud-based solution. Its inherent limitations, ranging from administrative constraints to networking dependencies, underscore the importance of evaluating alternatives thoroughly. As technology evolves, staying informed and adaptable remains paramount in navigating the complexities of directory service management.
Given the limitations, the better option is to use IaaS servers in Azure to host Windows AD. Multiple servers can be deployed across regions, subscriptions, and even tenants to provide high availability. For example, two B-series VMs cost about the same as, or less than, an instance of Entra DS. Self-hosted Windows AD removes the limitations above but does require ongoing server management.