Use a Windows Server 2019 domain controller or go to Azure?
Adding a Windows Server 2019 domain controller is not complicated, but deciding whether to move this integral infrastructure component to a new version of Windows Server or put it in the cloud is another matter.
There are many ways to perform identity and access management in the enterprise, but the prevailing choice for most organizations over the last 20 years has been Active Directory in Windows Server. Active Directory, introduced with Windows 2000 Server, is the umbrella name for the directory service platform that stores sensitive information, organizes the users, devices, applications and data across your organization and determines the access level of each. Active Directory also underpins single sign-on: it takes your domain credentials and handles authorization -- deciding which resources you have a right to use -- for things such as a particular printer on the network or a certain cloud service.
Domain controllers handle user authentication in Active Directory and store key data, such as security certificates, that the Active Directory Domain Services role needs to function. The domain controller is the gateway for administrators to manage Active Directory, which makes it an attractive target for anyone trying to get inside your network.
Microsoft's push to the cloud
One major initiative from Microsoft is its cloud-based directory service, Azure Active Directory (AD). The name might imply this offering is simply Active Directory with an Azure stamp, but that's not entirely accurate.
Azure AD forms one part of Microsoft's identity management puzzle in the cloud. It controls authentication for cloud-based resources such as Office 365 and other SaaS apps. Organizations with a Windows Server 2019 domain controller -- or one based on earlier Windows Server versions -- have the option to sync on-premises data with Azure AD to streamline the authentication process.
To fully emulate on-premises Active Directory in the cloud, customers must have a separate service called Azure Active Directory Domain Services (Azure AD DS). This enables them to set up a managed domain in the cloud. Azure AD DS offers many of the same features as on-premises Active Directory, including domain joins, organizational unit structure and Group Policy.
If Azure AD DS does not have feature parity with on-premises Active Directory, why would an administrator want to switch to a domain controller as a service? For one, Azure has more active platform development with quicker rollout of fixes and new features. Unlike a Windows Server 2019 domain controller, Azure AD DS does not require hands-on management from IT. Microsoft controls the security update deployment process and resource administration. Azure AD DS integrates with Microsoft's cloud security products, such as the Azure Security Center, for presumably better protection from hack attempts.
However, relying on Microsoft for critical identity and authentication needs can introduce different problems once you relinquish your control. Outages still occur no matter where you locate your infrastructure. On-premises Active Directory systems can avoid or mitigate outages by failing over to a geo-distributed deployment in the event of a disaster, but Azure AD DS doesn't have this capability. Organizations seeking to emulate this failover ability must put the domain controllers in an Azure IaaS VM. Many organizations are still bound by data governance and other regulatory concerns and cannot risk exposure of sensitive data, even with Azure's extensive compliance certifications.
Then, consider the potential cost difference: When you set up a Windows Server 2019 domain controller, the licensing fee covers your usage. Microsoft bills the use of Azure AD DS by the hour and, unlike an Azure VM, you can't push the pause button on a domain Azure AD DS manages. Once you create the domain in Azure, the charges don't stop until you delete the managed domain.
Windows Server 2019 benefits, caveats
Although Windows Server 2019 turns 2 years old in October, many IT admins still have reservations about moving their Active Directory setup to the new server OS. There is a prevailing attitude that older OSes have been battle-tested and, therefore, should be more reliable. In addition, with older systems, another customer has likely experienced a particular issue you might run up against, so a quick Google search could find a remedy.
While you won't encounter any Active Directory forest or domain functional level changes from Windows Server 2016 to Windows Server 2019, a migration to the new operating system comes with overall security improvements and added resiliency in the Hyper-V platform. For example, Microsoft introduced a feature for virtualized environments that lets administrators move failover clusters from one domain to another during consolidation efforts. Before Windows Server 2019 this option didn't exist, and administrators had to remove the cluster and rebuild it from scratch in the new domain.
Organizations that use on-premises Exchange should avoid migrating to Windows Server 2019 Active Directory unless they have Exchange 2016 or newer. While this configuration might work with earlier versions of Exchange, it isn't supported by Microsoft.
This video tutorial by contributor Brien Posey explains how to set up the Windows Server 2019 domain controller. The transcript of these instructions follows.
Transcript - Use a Windows Server 2019 domain controller or go to Azure?
In this video, I will show you how to set up a domain controller in Windows Server 2019.
I'm logged into the Windows Server 2019 desktop. I'm going to go ahead and open Server Manager.
The process of setting up a domain controller is really similar to what you had in the previous Windows Server version.
Go up to Manage and select Add roles and features. This launches the wizard.
Click Next to bypass the Before you begin screen. I'm taken to the Installation type menu. I'm prompted to choose Role-based or feature-based installation or Remote Desktop Services installation. Choose the role-based or feature-based installation option and click Next.
I'm prompted to select my server from the pool. There's only one server in here. This is the server that will become my domain controller. One thing I want to point out is to look at the operating system. This is Windows Server 2019 Datacenter edition; in a few minutes, you'll see why I'm pointing this out. Click Next.
At the Server Roles menu, there are two roles that I want to install: Active Directory Domain Services and the DNS roles. Select the checkbox for Active Directory Domain Services. When I select that checkbox, I'm prompted to add some additional features. I'll go ahead and select the Add Features button.
I'm also going to select the DNS Server checkbox and, once again, click on Add Features. Click Next.
Click Next on the Features menu. Click Next again on the AD DS menu. Click Next on the DNS menu.
I'm taken to the confirmation screen. It's a good idea to take a moment and just review everything to make sure that it appears correct. Click Install. After a few minutes, the installation completes.
I should point out that the server was provisioned ahead of time with a static IP address. If you don't do that, then you're going to get a warning message during the installation wizard. Click Close.
The next thing that we need to do is to configure this to act as a domain controller. Click on the notifications icon. You can see there is a post-deployment configuration task that's required. In this case, we need to promote the server to a domain controller. Do that by clicking on the link, which opens the Active Directory Domain Services Configuration Wizard.
I'm going to create a new forest, so I'll click the Add a new forest button. I'm going to call this forest poseylab.com and click Next.
On the domain controller options screen, you'll notice that the forest functional level is set to Windows Server 2016. There is no Windows Server 2019 option -- at least, not yet. That's the reason that I pointed out earlier that we are indeed running on Windows Server 2019. Leave this set to Windows Server 2016. Leave the default selections on the domain controller capabilities. I need to enter and confirm a password, so I'll do that and click Next.
Click Next again on the DNS options screen.
The NetBIOS domain name is populated automatically. Click Next.
Go with the default paths for AD DS database, logs and SYSVOL. Click Next.
Everything on the Review options screen appears to be correct, so click Next.
Windows will do a prerequisites check. We have a couple of warnings, but all the prerequisite checks completed successfully, so we can go ahead and promote the server to a domain controller. Click Install to begin the installation process.
After a few minutes, the Active Directory Domain Services and the DNS roles are configured. Both are listed in Server Manager.
Let's go ahead and switch over to a Windows 10 machine and make sure that we can connect that machine to the domain. Click on the Start button and go to Settings, then go to Accounts. I'll click on Access work or school, then Connect. I'll choose the option Join this device to a local Active Directory domain. I'm prompted for the domain name, which is poseylab.com. Click Next.
I'm prompted for the administrative name and password. I'm prompted to choose my account type and account name. Click Next and Restart now.
Once the machine restarts, I'm prompted to log into the domain. That's how you set up an Active Directory domain controller in Windows Server 2019.
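The Server Manager walkthrough above, expressed as PowerShell so it can be reviewed and repeated consistently (an added example, not from the article or Brien Posey's video). It reuses the transcript's forest name poseylab.com and the wizard's default paths and Windows Server 2016 functional level; the NetBIOS name POSEYLAB and the interactive DSRM password prompt are assumptions.

```powershell
# Added example: the transcript's wizard steps as PowerShell.
# Run in an elevated PowerShell session on the Windows Server 2019 machine.

# 1. The wizard warns when the server still uses DHCP, so check for a static
#    address before doing anything else.
$dhcpIfaces = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.Dhcp -eq 'Enabled' -and $_.ConnectionState -eq 'Connected' }
if ($dhcpIfaces) {
    Write-Warning ("Interfaces still on DHCP: " +
        ($dhcpIfaces.InterfaceAlias -join ', ') + ". Assign a static IP first.")
}

# 2. Install the same two roles selected in Add Roles and Features: AD DS and DNS.
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools

# 3. The "enter and confirm a password" step sets the Directory Services Restore
#    Mode (DSRM) password. It is an offline admin credential for this DC, so record
#    it in your password vault rather than in this script.
$dsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString

# Wizard defaults. WinThreshold is the Windows Server 2016 functional level, the
# highest available because there is no Windows Server 2019 level.
$forestParams = @{
    DomainName                    = 'poseylab.com'
    DomainNetbiosName             = 'POSEYLAB'   # assumed; the wizard auto-fills this
    ForestMode                    = 'WinThreshold'
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
}

# 4. Prerequisites check, the equivalent of the wizard's check screen.
#    Warnings are reported; only errors stop the promotion.
$check = Test-ADDSForestInstallation @forestParams
$check.Message
if ($check.Status -eq 'Error') { throw 'Prerequisite check failed; not promoting.' }

# 5. Promote the server and create the new forest. The server reboots when done.
Install-ADDSForest @forestParams -Force

# After the reboot, confirm the forest level the transcript calls out (expect
# Windows2016Forest) before joining clients:
#   Get-ADForest | Select-Object Name, ForestMode
# On the Windows 10 machine, the Settings > Accounts join step is equivalent to:
#   Add-Computer -DomainName 'poseylab.com' -Credential (Get-Credential) -Restart
```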