Q: Can I run my Active Directory FSMO roles on my Windows Azure IaaS DCs?

A: Ultimately Windows Azure IaaS is providing you with a virtual machine (VM), and the Windows Azure services can be connected to your on-premises infrastructure by using the site-to-site VPN.

Domain controllers (DCs) are often created in Windows Azure IaaS to support services running in Windows Azure that are domain joined or leverage Active Directory (AD). Nothing stops you from making any of these DCs a Flexible Single-Master Operations (FSMO) (aka operations master) role holder; however, remember that the point of an FSMO server is that it holds a role of which there is only one in the domain or in the forest, depending on the role.

Some of the FSMO roles are rarely used, such as the schema master and domain naming master roles, while others are highly used, such as the PDC emulator.

If the entire domain is in Windows Azure, then it makes sense for the FSMO roles to be in Windows Azure. If the domain is split between on-premises and Windows Azure, then you should assess the pros and cons of moving certain FSMO roles to Windows Azure.

Where are most of the domain members located? This would drive the decision of where to place FSMO roles. Windows Azure is just another site, and the decision to place FSMO roles should be treated the same as you'd treat any other multi-site environment.
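To support that assessment, the following added example (not part of the original answer) lists each FSMO role, its current holder, and the AD site that holder sits in, so you can see which roles already live in the Windows Azure site. It assumes the ActiveDirectory PowerShell module is installed and that `Azure-Site` is a hypothetical name for the AD site mapped to your Windows Azure virtual network.

```powershell
# Added example: inventory FSMO role holders by AD site.
# Requires the ActiveDirectory module (RSAT) and a reachable domain controller.
Import-Module ActiveDirectory

# Assumption: hypothetical name of the AD site that represents Windows Azure.
$AzureSite = 'Azure-Site'

$domain = Get-ADDomain
$forest = Get-ADForest

# Two roles exist once per forest, three exist once per domain.
$roles = @(
    @{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
    @{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
    @{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $domain.PDCEmulator }
    @{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $domain.RIDMaster }
    @{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $domain.InfrastructureMaster }
)

$report = foreach ($r in $roles) {
    # Query the holder directly; forest-wide roles may sit in another domain.
    try {
        $dc   = Get-ADDomainController -Identity $r.Holder -Server $r.Holder -ErrorAction Stop
        $site = $dc.Site
    }
    catch {
        # An unreachable role holder is itself a finding worth recording.
        $site = 'UNREACHABLE'
    }

    [pscustomobject]@{
        Role        = $r.Role
        Scope       = $r.Scope
        Holder      = $r.Holder
        Site        = $site
        InAzureSite = ($site -eq $AzureSite)
    }
}

$report | Format-Table -AutoSize

# Roles per site, to compare against where most domain members are located.
$report | Group-Object Site | Select-Object Name, Count
```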