Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Leaving On-prem Active Directory

Copper Contributor
I’ve drunk the cool-aid and keen to fully embrace Azure, though I’m wondering is it possible to completely abandon the traditional On-prem or IaaS Active Directory instanced and purely use Azure AD & Azure Active Directory Services(Azure PaaS).

Is there a useful blog on how to go down this path ?

I have two forests and 8 domains with 7 of them in one of the forests.
I’m wondering if it makes more sense to flatten those domains down to a single domain and Sync the new clean domain into Azure, or could I (should I) just sync all 8 domains into a single Azure directory?

I’d be happy to see any blogs as what I’m stuck on is that I could easily enough break this out into multiple steps such as Consolidate and then migrate but looking for ideas for a better approach to take.

Ideal endpoint - Purely using Azure AD and Azure Directory services and no longer reliant of an IaaS Active Directory Instance.
5 Replies
Hi Yuukan,

I have done similar migration with two forests. You have three options here:

1. Using AD migration tool to migrate all domains into one, and then migrate to AAD domain services with clean Domain and sync to cloud. I can send you blogs on how to do it.

2. Move all forests and domains AAD Domain services, then sync all domains to the cloud. You pay a lot more with this method.

3. Use only AAD without traditional AD but you have to migrate group policies to Intune. You can use Securitly Baseline, Administrative Template and OMI profiles.

I would definitely go with take number 1 because cleaner and cheaper because you’re using only one domain. I don’t have blog with summarize all the steps but happy to answer any questions.
So Option 1 is the approach I'm planning to do at the moment and would be happy to see this one. I'd be happy to look at some of those blogs you suggested.

I was a bit thrown by some colleagues saying that the intermediate domain domain would be a waste of time and effort if we are anyway going to sync up into AAD DS.
In my head it is an extra step, but you are setting yourself a fall back safety net should the initial migration run into any troubles.

Have you ever had to do this with a client that already has a somewhat partial footprint in Azure & O365 ?

@Yuukan what services are currently using Active Directory? Azure AD has a new provisioning service that allows you to take several domains in to one AAD tenant. Are you using Dot1x network security either wired or wireless? 

 

What services are using your AD environment? VPN? File Shares? Does everything you use work with AAD?

best response confirmed by Yuukan (Copper Contributor)
Solution

@Yuukan 

 

I used the articles below to migrate the domains, hope it helps as well.

 
The client was already using O365 and Azure in Hybrid Environment, multiple domains were syncing with ADConnect to one MSFT Tenant. 
 
Let me know if you have any questions.. Good Luck!

 

@Moe_Kinani 
That sounds like a similar setup to the environment I'm  working on at the moment.

1 best response

Accepted Solutions
best response confirmed by Yuukan (Copper Contributor)
Solution

@Yuukan 

 

I used the articles below to migrate the domains, hope it helps as well.

 
The client was already using O365 and Azure in Hybrid Environment, multiple domains were syncing with ADConnect to one MSFT Tenant. 
 
Let me know if you have any questions.. Good Luck!

 

View solution in original post