Mar 12 2020 - last edited on Jul 27 2020
One of my customers is presently using Azure AD and they are syncing with their On Prem AD using Azure AD Connect. The authentication being used is PHS. Now, they would like to get rid of their On Prem AD completely and would like to know what the implications of doing so are and how users would be affected during the cutover. Since there is no straightforward migration option from On Prem AD to Azure AD completely, what options do I have here? Will it help to set up an IaaS VM in Azure and promote it as a domain controller and sync it with the On Prem Domain Controller? Or can we make use of the Azure AD DS service? Any help on this would be appreciated.
@Moe_Kinani So after spinning up an IaaS VM and promoting it to a DC and ensuring it is replicated properly from the On Prem DC, can I just go ahead and decommission the On Prem DC? Will the DC that is now in Azure be able to take care of all the authentication of the synchronised users from On Prem? What about the On Prem machines, can they use the new Azure AD DC to authenticate as well, will that work?
Mar 13 2020 08:33 AM
Why are you looking into setting up an Azure IaaS DC?
I know the migration will be much smoother from an on-prem DC, but I would really recommend going with AAD. Creating users in AAD and joining computers to AAD.
Mar 13 2020 08:51 AM
@Thijs Lecomte But my customer already has synced users in Azure AD from On Prem and they have, I guess, PTA enabled and are using AD Connect. So all the authentication is taking place On Prem. So now if I shut down the On Prem DC suddenly, how will the Azure synced users' authentication take place? The users are not born in the cloud but synced to Azure AD.
Mar 16 2020 08:54 AM
@palchak To work out what your options are you will need to know what your current dependencies on the on-premises AD are, e.g. what devices are joined, what applications rely on AD for authentication, any changes to the schema. If there are components dependent on/integrated into AD then you will need to look at an IaaS instance in Azure as opposed to just using Azure AD. When considering an IaaS instance there are a couple of things to watch out for: latency, and also, depending on the size of your directory, initial replication could take a while.
Mar 16 2020 12:10 PM
@009GH What about using Azure AD DS, the managed domain service in Azure? To use that, do you still need to keep the Azure AD Connect sync intact? Because using Azure AD DS you can create customised OUs and even Group Policies, so can AD DS be considered a replacement for On Prem AD DS?
Using the cloud Azure AD DS is a better option as it is a managed service and you don't have to spin up DCs in Azure and patch them and monitor them etc. Any comments please.
Mar 17 2020 01:06 AM
@palchak Yes, AD DS could be a good option. I would say keep in mind the limitations with AD DS such as no enterprise admin rights and no ability to extend the schema. Some applications require extensions to the schema, so check those dependencies. Also still keep in mind the location of the service and latency; some applications are more sensitive to latency issues than others.
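The two replies above (009GH on Mar 16 and Mar 17) boil down to one task before anything is decommissioned: inventory what still depends on the on-prem domain. The PowerShell below is an added example, not code from the thread or from Microsoft; it assumes the RSAT `ActiveDirectory` and `GroupPolicy` modules on a domain-joined workstation and an account that can read the domain and the schema partition. `$ReportDir` and `$StaleDays` are assumed values, and the schema-extension check is a heuristic (objects created on a day other than the forest's bulk schema creation day), not an authoritative list.

```powershell
# Added example (not from this thread): inventory the on-prem AD dependencies that decide
# whether Azure AD alone, Azure AD DS, or an IaaS domain controller is viable.
# Assumes RSAT ActiveDirectory + GroupPolicy modules and read access to the domain and schema.
param(
    [string]$ReportDir = "C:\Temp\ad-dependency-report",   # assumed output path
    [int]$StaleDays    = 90                                 # assumed "still in use" window
)

Import-Module ActiveDirectory
Import-Module GroupPolicy
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$cutoff = (Get-Date).AddDays(-$StaleDays)

# 1. Domain-joined computers that authenticated recently. Each one must be Azure AD joined,
#    Azure AD DS joined, or pointed at an IaaS DC before the on-prem DC is removed.
#    Servers are flagged separately because they usually host the applications in step 2.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate, OperatingSystem |
    Where-Object { $_.LastLogonDate -gt $cutoff } |
    Select-Object Name, OperatingSystem, LastLogonDate,
        @{ Name = 'IsServer'; Expression = { $_.OperatingSystem -like '*Server*' } }
$computers | Export-Csv (Join-Path $ReportDir 'active-computers.csv') -NoTypeInformation

# 2. Applications bound to AD authentication: accounts carrying SPNs (Kerberos services) and
#    group managed service accounts. Azure AD by itself cannot serve these; AAD DS or an IaaS DC can.
$spnAccounts = Get-ADUser -Filter 'servicePrincipalName -like "*"' -Properties servicePrincipalName |
    Select-Object SamAccountName, @{ Name = 'SPNs'; Expression = { $_.servicePrincipalName -join ';' } }
$gmsas = Get-ADServiceAccount -Filter * | Select-Object Name, ObjectClass
$spnAccounts | Export-Csv (Join-Path $ReportDir 'spn-accounts.csv')  -NoTypeInformation
$gmsas       | Export-Csv (Join-Path $ReportDir 'gmsa-accounts.csv') -NoTypeInformation

# 3. Schema extensions. Azure AD DS cannot take them, so any real extension points at an IaaS DC.
#    Heuristic: the base schema is written in one batch when the forest is created, so schema
#    objects dated on a later day were added afterwards (Exchange, SCCM, LAPS, in-house apps, but
#    also Microsoft adprep runs during DC upgrades). Review the list rather than trusting the count.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$schemaObjects = Get-ADObject -SearchBase $schemaNC -Filter * -Properties whenCreated
$baseDay = ($schemaObjects |
    Group-Object { $_.whenCreated.ToString('yyyy-MM-dd') } |
    Sort-Object Count -Descending |
    Select-Object -First 1).Name
$extensions = $schemaObjects |
    Where-Object { $_.whenCreated.ToString('yyyy-MM-dd') -ne $baseDay } |
    Select-Object Name, ObjectClass, whenCreated
$extensions | Export-Csv (Join-Path $ReportDir 'schema-extensions.csv') -NoTypeInformation

# 4. Group Policy. Every GPO is a setting that must be re-expressed in Intune (Azure AD join)
#    or rebuilt inside Azure AD DS, where it can only target the OUs you create there.
$gpos = Get-GPO -All | Select-Object DisplayName, ModificationTime, GpoStatus
$gpos | Export-Csv (Join-Path $ReportDir 'gpos.csv') -NoTypeInformation

# Summary for the reader; the CSV files carry the detail.
[pscustomobject]@{
    ActiveComputers  = @($computers).Count
    ActiveServers    = @($computers | Where-Object { $_.IsServer }).Count
    SpnAccounts      = @($spnAccounts).Count
    GmsaAccounts     = @($gmsas).Count
    SchemaExtensions = @($extensions).Count
    GroupPolicies    = @($gpos).Count
    ReportDir        = $ReportDir
}
```

Read the result against the thread's three options: zero SPN/gMSA accounts, zero genuine schema extensions and a GPO set you can re-express in Intune means Azure AD join alone is realistic; SPNs or GPOs you must keep but no schema extensions points at Azure AD DS; schema extensions or enterprise-admin-dependent software leaves the IaaS domain controller as the only route, with the latency and initial-replication caveats 009GH raised.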
May 27 2020 07:46 AM
@palchak do you know of any MS documentation/guide that describes the high-level steps to achieve this?
May 27 2020 09:12 AM
@Kayak2 Not really, I was struggling to find something. Actually AD DS is not a full-fledged replacement for On Prem AD and both have separate use cases. But my customer was planning to get rid of On Prem AD and use Azure AD as their primary identity source. Have you checked this blog http://www.blogabout.cloud/2019/08/871/? This throws some light on how to do the migration, but again, this is just one part and doesn't give you the whole picture, but I think this can be helpful to some extent.
Jun 21 2020 02:58 PM
If you do not have a lot of group policy dependency then upgrade to Azure AD Premium P2 for joining devices to AAD or Intune management.
If you would like to use AADS as a managed domain controller then you may have to build another registered domain like .org or .net, build a trust with the .local domain and add a domain suffix for the Azure AD domain that syncs to the cloud identity. In other words you are still managing two namespaces until you completely move identity to the cloud with Intune instead of GPO.
AADS does not support schema extension or sync; it will be created with two OUs initially and you will have to build the rest manually and apply policy, probably from CSV import or XML import/export, or add manually, and install an Azure AD Connect server in the cloud to sync.
I am planning the same, considering I do not have a lot of group policy for stand-alone Mac users. I only have to figure out joining VMs directly to Azure AD and not go through building a cross-forest trust just to survive on old GPO.
First I am looking to convert all server VMs to as much of a PaaS solution as possible and work on identity management to AAD after I build a complete cloud presence; that way I am not reliant on on-prem hardware when switches or the firewall go down. Users can still connect with wifi.
Nov 21 2020 01:07 PM
The question still remains: what is the best way to migrate from On-Prem to AAD? I inherited an account with some users in AAD and some in On-Prem AD. They all have O365 email accounts, so they have an AAD account but are managed On-Prem. I'm trying to get them all managed in AAD but haven't figured out how. For now it looks like: back up the email and OneDrive data, delete the account in both places, then recreate the account in AAD and restore email and data.
Is there a better way?
May 17 2021 12:46 PM
Hi @palchak, did you manage to make it work using only Azure AD DS?
We are about to upgrade our on-premises Windows Server Essentials 2012 R2 to Standard 2019 (we reached the max user limit) and are looking for options, since all of our users are working remotely and using Office 365.
GPOs are not a concern and it would be nice to get rid of our On Prem AD.