Home
Join

Should we move from our on-prem AD DS to Azure AD (and/or an Azure VM)?

Posted by arielbenjamin
Needs answer
Active Directory & GPO Microsoft Azure General SaaS & Cloud Computing

We currently have an on-prem domain controller on a VM (VMWare) of Windows Server 2012r2. We have a second VM of 2012r2 that replicates from the first and acts as a failover. We use it for AD DS, Radius (for VPN connection authentication), DNS, DHCP, and GPO. We then have Azure AD Connect running on another server syncing to the Free Azure AD we use for O365. We have a handful of other systems (Cisco phone system, support ticketing, billing system, etc.) that have LDAP connections to our on-prem AD.

We are in the process of moving more and more of our systems to the cloud and this seems like the right time to move more fully to Azure (though feedback on that thought is welcomed as well). With more and more users tele-commuting we thought it would be wise to reduce potential for downtime (our circuit is a single point of failure whereas Azure AD is far less likely to be unreachable), increased security (like taking advantage of MFA and SSO), and built-in self-service functionality.

I'm looking for advice on a few things. First, is it better to keep a domain controller on-prem or just move entirely to Azure? Second, should I be creating a VM in Azure and moving AD there or is it sufficient to just use premium Azure AD? Third, can anyone point me to a decent step-by-step or article on the process of the move or any other resources I should read on this?  Anything else I should be thinking about in all of this? Thanks!

Spice (9) Reply (4)
arielbenjamin

Popular Topics in Active Directory & GPO

Does your org delete AD user accounts? DHCP Backup folder Issues Locked out of server gpo to limit emptying recycle bin only to admin users Enforce account lockout policy causing users accounts to be locked? View all topics

4 Replies

  • You should always have at least 2 Domain Controllers (DCs) per network.

    Then as to if you need to have DCs on-prem or in the cloud depends on your needs.
    - If you have on=prem servers and on-prem clien machines that need constant Domain authentication and cannot have networking (Internet) issues that disconnect to cloud DCs, then it maybe good to have on-prem DCs as well as cloud DCs for your SAAS services.

    But do read up on the diff between DCs on Azure (or other cloud providers) vs AAD and their limitations.

    Spice (2) flagReport
    Was this post helpful? thumb_up thumb_down

  • to get on-prem experience have DC;s on Azure.

    set up site to site tunnel.

    Spice (2) flagReport
    Was this post helpful? thumb_up thumb_down

  • Thanks for the responses.

    adrian_ych​ I have several machines that rely on the DC for authentication, but I've never given any thought to how often those machines check in with the DC. Is there an easy way to know if something requires constant authentication? Can you give me an example of a server (or service) that might require such?

    JitenSh​ Is there any limitation to this model? For example, will I be able to run DNS and DHCP on a DC that's on azure?

    Was this post helpful? thumb_up thumb_down

  • arielbenjamin wrote:

    Is there any limitation to this model? For example, will I be able to run DNS and DHCP on a DC that's on azure?

    There are no breaking limitations to this model. However, according to my experience, point-to-site VPN works much better than site-to-site and allows your endpoints to work from anywhere, which is excellent. DHCP should still be provided on-premises to be able to establish the VPN connection. Your existing router should do just fine. DNS can be in Azure but ensure you understand that if the internet connection goes down, people won't be able to browse and keep working since DNS will be missing.

    You can proceed with a non-disruptive scenario, which is building a site-to-site VPN with Azure and moving one of the domain controllers to Azure using P2V https://www.hyper-v.io/migrating-cloud-easy-experience-choosing-p2v-converters/ or Azure Migrate https://azure.microsoft.com/en-us/services/azure-migrate/. Keep that "hybrid" option for some period, try temporarily disabling the local instance to see if and how that works, and so on.

    Was this post helpful? thumb_up thumb_down

or sign up to reply to this topic.

Didn't find what you were looking for? Search the forums for similar questions or check out the Active Directory & GPO forum.

Read these next...

  • No Network Access

    No Network Access

    Networking

    Hello,Suddenly, my Windows 2012R server has NO network access through either of its two nic cards; it is a DELL PE T430. It is configured to get IP info from DHCP, and that works ok; both NICs can get an IP just fine, but after I get the IP address,  I am...

  • Understanding VPNs

    Understanding VPNs

    Security

    Hello I'm trying to learn the concept of VPN's and there's some aspect of VPN's I'm not sure about. When I configure a remote access VPN on a Fortigate, I configure the following client range 192.168.3.10-192.168.3.40When the client connects and I do a ro...

  • Snap! Outlook crashes, getting phished, supermoon, CyberOne, DALL·E 2 + SpiceRex

    Snap! Outlook crashes, getting phished, supermoon, CyberOne, DALL·E 2 + SpiceRex

    Spiceworks Originals

    Your daily dose of tech news, in brief. We made it to Friday! Before we consider our weekend plans, let's look back in time. While not the storage we're accustomed to, back on August 12, 1877 (although there appears to be some debate on the actual ...

  • Spark! Pro series – 12th August 2022

    Spark! Pro series – 12th August 2022

    Spiceworks Originals

    I want my… I want my…. Spark!    Just a reminder, if you are reading the Spark!, Spice it up. We like it spicy here! Today in History: The IBM PC Introduced August 12, 1981 IBM introduces its ...

  • Repeated Attacks on my Firewall - What to Do ??

    Repeated Attacks on my Firewall - What to Do ??

    Security

    I've got a UTM Firewall and I'm constantly getting notifications that someone is trying to gain access through an SSL-VPN. The attacking IP address is almost always different, so blocking the IP every time is not a sustainable solution. They haven't got t...