alz checklist updates #569
checklists/alz_checklist.en.json
Outdated
@@ -530,7 +531,7 @@ | |||
{ | |||
"category": "Resource Organization", | |||
"subcategory": "Subscriptions", | |||
"text": "If AD on Windows Server, establish a dedicated identity subscription in the Indentity management group, to host Windows Server Active Directory domain controllers", | |||
"text": "If Entra Domain Services on Windows server, establish a dedicated identity subscription in the Identity management group, to host the domain controllers", |
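Review bot: the `+` line replaces "AD on Windows Server" with "Entra Domain Services on Windows server" but keeps "host the domain controllers", which mixes two different things: the original item was about placing self-hosted Windows Server Active Directory domain controllers in a dedicated identity subscription, while Entra Domain Services is, as the thread notes, the renamed Azure AD Domain Services rather than a new name for Windows Server AD. Suggest provider-agnostic wording so the placement guidance survives either choice, e.g. "If servers will be used for identity services, such as domain controllers, establish a dedicated identity subscription in the Identity management group to host them." Minor: the `+` line also changes "Windows Server" to "Windows server"; the product name is capitalised.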
Question on this and a few other sections - I am not aware that Windows Server Active Directory is being changed to Entra Domain Services. The product documentation still refers to it as AD. I thought Entra Domain Services was a replacement name for the Azure AD Domain Services.
Some of these recommendations are agnostic to which approach, and some are dependent, so I think we would want to be clear here.
For this section, could we change this to:
If servers will be used for Identity services, like domain controllers, establish a dedicated identity subscription in the Identity management group to host the services.
Good spotting here, I'll update based on the recent comment
@@ -916,17 +917,6 @@ | |||
"training": "https://learn.microsoft.com/learn/modules/design-implement-azure-expressroute/", | |||
"link": "https://learn.microsoft.com/azure/expressroute/designing-for-disaster-recovery-with-expressroute-privatepeering#challenges-of-using-multiple-expressroute-circuits" | |||
}, | |||
{ |
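Review bot: the header `@@ -916,17 +917,6 @@` shows 11 lines being removed, but the deleted check is not visible in this hunk and the PR description ("consolidation of couple checks") does not say which item absorbs it. If this is the domain-controller fault-tolerance check being folded into B03.11 as discussed below, state that in the PR description, and confirm that B03.11's wording covers self-hosted Active Directory Domain Services as well as Entra Domain Services; otherwise the HA recommendation for domain controllers is silently dropped for one of the two.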
I'm not sure why we would remove this. Is there a reason we would not want the domain controllers to be in the more fault-tolerant configuration?
I think this is being consolidated into B03.11
I was reading B03.11 as being just for Entra Domain Services - I think this might be tied to my other comment thread then.
I am thinking the sheet should be agnostic to the provider used, and we can treat Active Directory Domain Services and Entra Domain Services with the same recommendations - the same HA for DCs applies to both. Although I may be missing some roadmap items here.
Correct, consolidating under the identity design area
checklists/alz_checklist.en.json
Outdated
@@ -321,7 +322,7 @@ | |||
{ | |||
"category": "Identity and Access Management", | |||
"subcategory": "Identity", | |||
"text": "If AD on Windows server in use, are the resources in Azure using the correct domain controller?", | |||
"text": "If Microsoft Entra Domain Services on Windows server is in use, are the resources in Azure using the correct domain controller?", |
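Review bot: same naming concern as in the `@@ -530,7 +531,7 @@` hunk: the `+` line swaps "AD on Windows server" for "Microsoft Entra Domain Services on Windows server" yet still asks whether resources use "the correct domain controller", which is a self-hosted AD DS question, so the renamed text no longer matches what the check verifies. A provider-agnostic phrasing such as "If domain controllers are in use, ensure that resources in Azure are configured to use the correct domain controller" avoids the conflation. Style point: this item is written as a question while the item at line 531 is written as an instruction; the "text" fields should use one form consistently.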
Could we change this to:
If domain controllers are being used, ensure that resources are set to use the correct domain controller.
Small updates around product naming and consolidation of a couple of checks