On-premises AD migration to Azure AD

Gregor Jus
New Contributor

After extensive reading I became just a bit more confused and can't answer the question...

Live environment has Windows Server AD on-premises with Azure AD Connect and all mailboxes in Office 365. What we are trying to achieve is to completely get rid of the Exchange server and DCs on premises. Would the following scenario be possible/eligible and supported by Microsoft or not?

Office 365 is already using the Azure AD free version; would it be possible to utilize Azure AD DS without spinning up extra VMs in Azure (domain controllers) and then cancel Azure AD Connect and remove the DCs and Exchange servers?

Would all users have synced mailboxes and all attributes in the cloud or not? Would this work or are there any limitations?

Also, would Win 10 machines then be able to join Azure AD (or Azure AD DS) via Azure AD Join and be managed via Group Policy or not?

Hope to get some clarification,

Thanks,

G

7 Replies

Have you seen this discussion, https://blogs.msdn.microsoft.com/vilath/2015/05/25/office-365-and-dirsync-why-should-you-have-at-least-one-exchange-server-on-premises/ ?

@Tony Redmond or @Vasil Michev may be able to provide some additional thoughts

I hesitate to comment because I know that I don't have enough information to know how much damage I could do by giving incorrect advice. For that reason, I think you should have someone who knows AAD, AADConnect, Exchange, etc. come in and work through the issues to create a documented plan to remove on-premises servers. Care and attention is needed to make sure that objects are homed in the right place (cloud long-term).

Azure AD is not a replacement for "traditional" AD, and neither is Azure AD DS. It's way too limiting IMO, but I'm definitely not an expert on the subject, so don't take my word for it :)

Still, the FAQ pretty much sums up my impressions with it - pretty much all the questions have "not available" as the answer :) https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-faqs


Thank you for your answers :)

The problem here is that the whole Azure portfolio is developing so quickly that it's hard to stay on top of it, and even reading an article or forum post that is only 1 year old can mean it's obsolete and out of date.

I am aware that you can't just replace the AD, which makes sense; what I am trying to find is the following:

- Azure AD DS allows Azure VMs to join its domain; however, would it be possible to create a VPN tunnel between the Azure network and the on-site network and join client machines through the VPN?

- If we use Azure AD Connect, can I then disconnect it and will all objects stay in the cloud (Azure) without any issues? Such as the source of authority still being on-premises, as is the case with Exchange and hybrid.

Thanks, :)
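Whether objects "stay in the cloud" once Azure AD Connect is disconnected depends on which objects the tenant currently flags as directory-synced, because those remain mastered on-premises (read-only in the portal) until directory sync is turned off at tenant level. The PowerShell below is an added example, not code from this thread or from Microsoft, that inventories exactly that state with the Microsoft Graph PowerShell SDK (`Get-MgOrganization`, `Get-MgUser`) before any cutover. The scope list, `$ReportPath`, `$StaleDays` and the commented cutover cmdlet form are assumptions.

```powershell
# Added example (not from the thread): inventory which tenant objects are still
# mastered on-premises before Azure AD Connect is removed. Read-only.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
# The scope list, $ReportPath and $StaleDays are assumptions for this example.
param(
    [string]$ReportPath = ".\synced-users.csv",
    [int]$StaleDays = 7
)

Connect-MgGraph -Scopes "Organization.Read.All", "User.Read.All" | Out-Null

# Tenant-level switch: while OnPremisesSyncEnabled is true, every synced object
# is read-only in the cloud and its source of authority is the on-prem AD.
$org = Get-MgOrganization -Property Id, DisplayName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime |
       Select-Object -First 1
"Tenant '{0}': OnPremisesSyncEnabled={1}, last sync={2}" -f `
    $org.DisplayName, $org.OnPremisesSyncEnabled, $org.OnPremisesLastSyncDateTime

# Every user with its on-premises linkage attributes.
$props = @("Id", "UserPrincipalName", "AccountEnabled", "OnPremisesSyncEnabled",
           "OnPremisesImmutableId", "OnPremisesLastSyncDateTime", "OnPremisesDistinguishedName")
$users = @(Get-MgUser -All -Property $props)

$synced    = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
$cloudOnly = @($users | Where-Object { $_.OnPremisesSyncEnabled -ne $true })

# A cloud-only user that still carries an ImmutableId is usually residue of an
# earlier sync that was switched off without cleanup; if sync is ever re-enabled
# it will hard-match (or collide with) an on-prem object, so it belongs in the plan.
$orphaned = @($cloudOnly | Where-Object { $_.OnPremisesImmutableId })

# Synced users whose last export is more than $StaleDays older than the tenant's
# last sync are objects AD Connect has stopped updating (out of scope, or the
# source object is gone and the deletion never exported).
$stale = @()
if ($org.OnPremisesSyncEnabled -and $org.OnPremisesLastSyncDateTime) {
    $cutoff = $org.OnPremisesLastSyncDateTime.AddDays(-$StaleDays)
    $stale  = @($synced | Where-Object {
        $_.OnPremisesLastSyncDateTime -and $_.OnPremisesLastSyncDateTime -lt $cutoff })
}

"Users: total={0} synced={1} cloud-only={2} cloud-only-with-ImmutableId={3} stale-synced={4}" -f `
    $users.Count, $synced.Count, $cloudOnly.Count, $orphaned.Count, $stale.Count

$synced | Select-Object UserPrincipalName, AccountEnabled, OnPremisesDistinguishedName, OnPremisesLastSyncDateTime |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Cutover (deliberately not executed here): once AD Connect has been uninstalled
# and the inventory above is clean, directory sync is turned off at tenant level;
# after that the synced users become cloud-mastered and editable in the portal.
# Assumed cmdlet form for the Graph SDK; needs Organization.ReadWrite.All:
#   Update-MgOrganization -OrganizationId $org.Id -OnPremisesSyncEnabled:$false
```

The script only reads; the tenant-level switch that actually moves the source of authority is left as a comment because it is a one-way, all-objects change that should follow a final confirmed export, not precede it.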

@Gregor Jus We are also looking to do this. I have seen small businesses, around 30 or so employees, successfully migrate their domain controllers to VMs in Azure, set up a site-to-site VPN and keep the DCs off premises. My concern about removing AD Connect is that in the past, when I have disconnected AD Connect, I get synchronization errors. It seems that the GC is still noted as the on-premises DC, and thus the Azure AD service still looks for the DC that holds the master FSMO role. I think if maybe you can promote the DC on the Azure AD Services to the schema master and demote the on-premises DC then maybe it wouldn't gripe anymore; however, this is entirely conjecture. I haven't found any documentation stating that this is possible, so I would test, test and retest, but this is what we are trying to accomplish now. I have a bit of time before everything is to be decommissioned on site, so we can keep an on-site DC for around 6 months or so.

Moving the servers to VMs over VPN is pretty straightforward but only replicates what you currently have, with additional latency in the form of VPN overhead to the Azure VMs. Then you've also got two (or more) additional server instances to pay for.

I too have been waiting for Azure AD DS to be able to replicate *most* of what we get from on-prem AD so we have a couple fewer servers to worry about and can transition to managing the AD object lifecycle completely in Azure. It's almost there, but as many have pointed out it is not a like-for-like swap. If you're not GPO heavy and primarily use AD for authentication you might be able to swing it.

Map out your requirements, identify the gaps and that will help guide a go/no-go decision.
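The "map out your requirements, identify the gaps" advice, and the earlier conjecture about FSMO roles and the GC, both come down to an on-premises inventory of what a managed cloud domain cannot absorb. The PowerShell below is an added example, not code from this thread or from Microsoft, that produces such an inventory with the RSAT ActiveDirectory and GroupPolicy modules: FSMO role holders and global catalogs (which have to be retired, not promoted into Azure AD DS), linked GPOs (which Azure AD-joined devices do not process), and the computers and SPN-bearing service accounts that still depend on a domain controller. `$StaleDays`, `$ReportPath` and the output layout are assumptions.

```powershell
# Added example (not from the thread): on-premises gap inventory to support the
# go/no-go decision before domain controllers are decommissioned. Read-only.
# Requires the ActiveDirectory and GroupPolicy RSAT modules and a domain account
# with read access. $StaleDays and $ReportPath are assumptions for this example.
param(
    [int]$StaleDays = 90,
    [string]$ReportPath = ".\ad-gap-inventory.txt"
)
Import-Module ActiveDirectory
Import-Module GroupPolicy

$forest = Get-ADForest
$domain = Get-ADDomain
$lines  = New-Object System.Collections.Generic.List[string]

# 1. FSMO roles and global catalogs. A managed domain (Azure AD DS) cannot take
#    these over, so each holder listed here is a server the plan has to retire,
#    not one that can be "promoted" in the cloud.
$lines.Add("Forest roles : Schema=$($forest.SchemaMaster) DomainNaming=$($forest.DomainNamingMaster)")
$lines.Add("Domain roles : PDC=$($domain.PDCEmulator) RID=$($domain.RIDMaster) Infra=$($domain.InfrastructureMaster)")
foreach ($dc in Get-ADDomainController -Filter *) {
    $lines.Add("DC           : $($dc.HostName) site=$($dc.Site) GC=$($dc.IsGlobalCatalog) OS=$($dc.OperatingSystem)")
}

# 2. GPO weight. Azure AD-joined devices do not process domain Group Policy, so
#    every linked GPO is a set of settings that needs an MDM equivalent or is lost.
$gpos   = @(Get-GPO -All)
$linked = @(foreach ($g in $gpos) {
    $report = [xml](Get-GPOReport -Guid $g.Id -ReportType Xml)
    if ($report.GPO.LinksTo) { $g.DisplayName }
})
$lines.Add("GPOs         : total=$($gpos.Count) linked=$($linked.Count)")
$linked | ForEach-Object { $lines.Add("  linked GPO : $_") }

# 3. Objects that need a new home. Active computers need Azure AD join (or a
#    domain they can still reach over VPN); servers and SPN-bearing service
#    accounts depend on Kerberos against a domain controller.
$cutoff    = (Get-Date).AddDays(-$StaleDays)
$computers = @(Get-ADComputer -Filter * -Properties LastLogonDate, OperatingSystem)
$active    = @($computers | Where-Object { $_.LastLogonDate -ge $cutoff })
$servers   = @($active | Where-Object { $_.OperatingSystem -like "*Server*" })
$lines.Add("Computers    : total=$($computers.Count) active(<$StaleDays d)=$($active.Count) servers=$($servers.Count)")

$svcAccounts = @(Get-ADUser -LDAPFilter "(servicePrincipalName=*)" -Properties ServicePrincipalName)
$lines.Add("SPN accounts : $($svcAccounts.Count)")
$svcAccounts | ForEach-Object {
    $lines.Add("  SPN account: $($_.SamAccountName) -> $($_.ServicePrincipalName -join ', ')")
}

# Print and keep a copy for the migration plan.
$lines | Tee-Object -FilePath $ReportPath
```

Each line of the report is a gap to close before the last DC goes: a role holder to retire, a GPO to re-express in MDM, a server or service account that needs either a VPN-reachable domain or a managed domain to authenticate against.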

Do we have real steps for migrating on-prem AD to the cloud, cutover, no hybrid?
