Azure – Is a cloud-based domain controller behind a VPN feasible

Tags: azure, domain-controller, vpn

I'm considering setting up a Windows domain controller in MS Azure within an Azure virtual network. The goal is to be able to centrally manage GPs and users.

Is this even feasible, since the client computers would need to essentially be on the VPN before being able to authenticate?

I guess I could set up a site-to-site VPN connection to our office, but we have some nomadic users that are almost always mobile.

Best Answer

It is definitely feasible and supported to run a domain controller in Azure. It depends on what you're looking to achieve as to whether that's the best option. If you're primarily looking to manage client PC policy and provide authentication, then you generally want a DC close to the machines it services. If most of the users are in an office and you have infrastructure there, it is still a good idea to keep your DC in the office near them. The main reason to put another DC in Azure would be to service applications that you are also putting in Azure VMs that require AD authentication or directory access.

If you are looking to get away from on-premises infrastructure and still need traditional group policy and identity management, you could go with DCs in Azure and provide access via a VPN as you said. There is the site-to-site option to extend your network into Azure, or you can take a look at the new point-to-site VPN capability that allows direct VPN access into Azure using an agent installed on each client. This could work well for a small user base.

https://azure.microsoft.com/documentation/articles/vpn-gateway-point-to-site-create/

Remember too that Windows caches credentials, so as long as you get a user authenticated once through the VPN, they won't need to have it running to log in subsequently. Of course, they'll need to log in periodically to apply the latest policy, which might be enforced or encouraged through a logon script, etc.

Hope that helps.
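The answer above relies on two things a roaming client must get right: it can log on from cached credentials while the VPN is down, and it must periodically reach a DC so policy is refreshed. The following PowerShell is an added example, not code from the answer author or from Microsoft, of a logon-time check that reports the cached-logon setting, verifies that a DC is reachable over the VPN on the ports Group Policy needs, and only then forces a policy refresh. The domain name, port list and log path are assumptions for illustration.

```powershell
# Added example (not from the original answer): check DC reachability over the VPN
# before refreshing Group Policy on a roaming client.
# Assumptions: run as a user logon script on a domain-joined client; the log path
# and the port list below are illustrative choices, not values from the page.

$LogPath = Join-Path $env:TEMP 'vpn-dc-check.log'   # assumption: log location

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

# 1. Report how many domain logons Windows caches locally (default is 10).
#    This is what lets the user log on while the VPN is not yet connected.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # value absent means the Windows default applies
Write-Log "CachedLogonsCount = $cached"

# 2. Ask the DC locator for a domain controller. This fails when the VPN is down
#    or when the client's DNS does not point at the Azure VNet DC.
try {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $dc     = $domain.FindDomainController().Name
    Write-Log "Located domain controller: $dc"
} catch {
    Write-Log "No domain controller located ($($_.Exception.Message)); skipping policy refresh."
    return
}

# 3. Confirm the VPN actually passes the traffic Group Policy depends on:
#    Kerberos (88), LDAP (389) and SMB (445) for SYSVOL.  A site-to-site or
#    point-to-site tunnel that blocks any of these will leave policy stale.
$RequiredPorts = @{ Kerberos = 88; LDAP = 389; SMB = 445 }   # assumption: minimal set
$allOpen = $true
foreach ($name in $RequiredPorts.Keys) {
    $port = $RequiredPorts[$name]
    $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Log ("{0,-8} tcp/{1,-3} reachable: {2}" -f $name, $port, $ok)
    if (-not $ok) { $allOpen = $false }
}

# 4. Only force a refresh when the DC is fully reachable; otherwise the user keeps
#    working on cached credentials and the last applied policy.
if ($allOpen) {
    Write-Log "Forcing Group Policy refresh against $dc"
    gpupdate /force | ForEach-Object { Write-Log $_ }
} else {
    Write-Log "DC partially reachable; leaving policy as last applied."
}
```

Running this as a logon script on the point-to-site clients gives the help desk a log showing whether stale policy is a VPN problem (no DC located, or a port blocked by the gateway) or a client problem, without changing how logon itself behaves when the tunnel is down.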
