Active Directory – Hybrid Deployment Architecture

The core principle of any infrastructure design is "keep it simple". Managing an identity solution is never easy, and organizations around the world have business and compliance requirements that push Active Directory architecture toward "complex". In this article we will look at Active Directory hybrid deployment architecture, isolation, security and governance.

You may have applications that are accessed by internal and external users, applications managed by different vendors, and applications that process financial transactions. Each of these applications needs to be protected from attacks, including attacks on the identity layer, and the design should contain the blast radius of any single compromise.

While the network and the application provide security at their own layers, Active Directory (or whatever identity management system you run) also plays an important role in securing the infrastructure. Before we go through the possible Active Directory layouts, recall that the primary purpose of Active Directory is authentication: it proves who a principal is and supplies its group memberships. Authorization, the decision about what that principal may do, is enforced by the applications and resources themselves, using those groups and their own access control lists.

Possible Active Directory layouts for applications

  1. Single Forest Single Domain
  2. Single Forest Multi Domain
  3. Multi Forest Multi Domain

Azure Active Directory is deliberately left out of this list; it is covered later in this article.

Now, why would you pick one over the other? The answer lies in your business requirements and the level of isolation they demand.

Pros and Cons of different AD Deployment options

Single Forest Single Domain
  Pros:
    1. Simple management
    2. Centralized group management for all computers
    3. Easy backup and restore
  Cons:
    1. Loose isolation; there is no administrative boundary inside a single domain
    2. Prone to human error when granting access to resources

Single Forest Multi Domain
  Pros:
    1. Provides a cleaner, segregated administrative boundary per domain
    2. The default two-way transitive trust between domains allows resource access across domains
  Cons:
    1. Requires a larger domain controller footprint, since each domain needs its own DCs
    2. Complex backup and recovery
    3. A domain is only an administrative boundary, not a security boundary: the forest is the security boundary, and a Domain Admin in any domain can reach Enterprise Admin rights, so this layout does not isolate a compromised domain

Multi Forest Multi Domain
  Pros:
    1. Provides clean isolation between forests, with no trust between them unless you create one
    2. No replication dependency on other forests
  Cons:
    1. Complex user life cycle management
    2. Complex SSO integrations
    3. Complex Group Policy management

** For business reasons, these domains or forests can be deployed on-premises or in the cloud (Azure/AWS).

There is another major administrative challenge with a multi-forest architecture: monitoring and auditing. It can be addressed by introducing a separate "Admin" or "Infra" forest that holds the privileged accounts and management tooling, with a one-way trust from every application forest. The direction matters: each application forest trusts the admin forest, so admin-forest accounts can be delegated rights in the application forests, while nothing in an application forest can authenticate into the admin forest. Enable selective authentication and SID filtering on these trusts so that a compromised application forest cannot be used as a stepping stone. See below.


In the diagram above, one Infra forest manages both the Production and the Non-Production forests.
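To verify that the trusts actually match this design, the following PowerShell script audits every external or forest trust from an application forest's point of view. It is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module, rights to read trust objects in the application forest, and a hypothetical admin forest DNS name of admin.example.

```powershell
# Added example (not from the original article): audit trusts in an application
# forest against the "admin forest" design. Assumes RSAT ActiveDirectory module
# and a hypothetical admin forest named admin.example.
Import-Module ActiveDirectory

$AdminForest = 'admin.example'   # hypothetical name of the Infra/Admin forest

Get-ADTrust -Filter * |
    Where-Object { -not $_.IntraForest } |     # skip parent/child trusts inside this forest
    ForEach-Object {
        $t = $_
        $issues = @()

        # Only the admin forest should be a trust partner of an application forest.
        if ($t.Target -ne $AdminForest) {
            $issues += "unexpected trust partner $($t.Target)"
        }

        # "Outbound" means this forest trusts the remote one, so admin-forest
        # principals can be granted access here. Inbound or BiDirectional would
        # let application-forest accounts authenticate into the admin forest.
        if ($t.Direction -ne 'Outbound') {
            $issues += "direction is $($t.Direction), expected Outbound"
        }

        # Selective authentication limits which remote principals may authenticate
        # to which local computers, instead of treating them as Authenticated Users.
        if (-not $t.SelectiveAuthentication) {
            $issues += 'selective authentication is off'
        }

        # SID filtering blocks SID-history injection across the trust.
        if (-not $t.SIDFilteringForestAware) {
            $issues += 'SID filtering (quarantine) is off'
        }

        [pscustomobject]@{
            Trust     = $t.Name
            Type      = $t.TrustType
            Direction = $t.Direction
            Transitive = $t.ForestTransitive
            Issues    = if ($issues) { $issues -join '; ' } else { 'OK' }
        }
    } | Format-Table -AutoSize
```

Run it in each application forest, not in the admin forest, because selective authentication is a property of the trusting side and that is where it has to be set. A clean result shows one row per application forest with Issues = OK; anything else is a trust that widens the blast radius beyond what the design intended.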

The Single Forest Single Domain and Single Forest Multi Domain deployment diagrams are simple and are therefore not shown here.

Extend Identity to Cloud

Now that the core foundation of identity has been laid out, extend it to Azure Active Directory using Azure AD Connect (not covered in this post). Any of the domain controllers or forests in the layouts above can run on-premises or in the cloud.

The diagram below shows the various options for Azure and AWS IAM logins, replication, site links, MFA and SSO integrations.


Security and Governance on Identity System

Having covered hybrid deployment architecture and isolation, we now look at the different areas where security controls can be applied to protect applications and prevent attacks, and at the tools that can be leveraged for each.

Feature                          Description
Encryption                       Active Directory Certificate Services; TLS certificates for AD FS
Firewall                         Allow only the AD-specific ports on Windows Firewall, and only from trusted sources
Branch Office                    Read-Only Domain Controllers
Access Control                   Delegated access on Active Directory objects to administrators, rather than membership in built-in privileged groups
Auditing                         AD audit tools from ManageEngine
Policies on Computers and Users  Group Policies
Identity Life Cycle Management   Microsoft Identity Manager 2016 (licensed as part of Azure AD Premium)
Logins (Cloud and Apps)          Linked to the enterprise AD using AD FS and MFA
Attack Prevention                Account lockout policies, TLS for AD FS, allow traffic only from trusted sources, the "Log On To" workstation restriction on user accounts
Authorization                    AD group based; Azure RBAC; AWS IAM
Monitoring                       SCOM; ManageEngine tools
Domain Security                  Keep Schema Admins and Enterprise Admins empty except while a task needs them; keep Domain Admins membership minimal and time-bound
Service Accounts                 Use (group) Managed Service Accounts so the KDC rotates the password automatically; for conventional service accounts that cannot be converted, change passwords periodically
Quick Recovery                   Keep a lagged (delayed-replication) domain controller so deleted or corrupted objects can be recovered with an authoritative restore before the change replicates to it
File Shares                      Remove the permission for Everyone and grant access to specific AD groups
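The "Service Accounts" row is the one most teams get wrong, because a conventional service account has a static password that someone knows and that rarely rotates. The following PowerShell shows how to replace one with a group Managed Service Account whose password is generated and rotated by the KDC. It is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module, Domain Admin rights, and hypothetical names (application host APP01, host group svc-web-hosts, gMSA gmsa-web, DNS suffix corp.example).

```powershell
# Added example (not from the original article): create and audit a group
# Managed Service Account. All names below are hypothetical.
Import-Module ActiveDirectory

# 1. One-time per forest: a KDS root key must exist before any gMSA can be created.
#    -EffectiveImmediately is for lab use only; in production omit it and wait the
#    default 10 hours so every DC has replicated the key before it is used.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately | Out-Null
}

# 2. Only computers in this group may retrieve the gMSA password. Keep it tight:
#    every member is effectively able to run as the service account.
$hostGroup = Get-ADGroup -Filter "Name -eq 'svc-web-hosts'" -ErrorAction SilentlyContinue
if (-not $hostGroup) {
    $hostGroup = New-ADGroup -Name 'svc-web-hosts' -GroupScope Global `
                             -GroupCategory Security -PassThru
}
Add-ADGroupMember -Identity $hostGroup -Members (Get-ADComputer -Identity 'APP01')

# 3. Create the gMSA. The rotation interval can only be set at creation time,
#    and restricting Kerberos to AES removes RC4 from the account entirely.
New-ADServiceAccount -Name 'gmsa-web' `
    -DNSHostName 'gmsa-web.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword $hostGroup `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256

# 4. On APP01, after a reboot (or "klist -li 0x3e7 purge") so the host's own
#    Kerberos ticket reflects the new group membership, run:
#       Install-ADServiceAccount -Identity 'gmsa-web'
#       Test-ADServiceAccount  -Identity 'gmsa-web'     # True when the host can fetch the password
#    then configure the service to log on as CORP\gmsa-web$ with a blank password.

# 5. Audit: every gMSA, who is allowed to read its password, and how often it rotates.
Get-ADServiceAccount -Filter * `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, ManagedPasswordIntervalInDays |
    Where-Object { $_.ObjectClass -eq 'msDS-GroupManagedServiceAccount' } |
    Select-Object Name, ManagedPasswordIntervalInDays,
        @{ n = 'AllowedPrincipals'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join ', ' } } |
    Format-Table -AutoSize
```

The audit at the end is worth running on a schedule: a gMSA whose AllowedPrincipals list has grown to include a broad group such as Domain Computers has quietly lost the isolation that justified creating it.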

I hope this post helps you decide how to lay out your Active Directory infrastructure and guides the security and logical flow of your design decisions. Any questions, please feel free to write to me. Thank you.
