04-19-2017 06:10 AM
After extensive reading I became just a bit more confused and can't answer the question...
The live environment has Windows Server AD on-premises with Azure AD Connect and all mailboxes in Office 365. What we are trying to achieve is to completely get rid of the Exchange server and DCs on premises. Would the following scenario be possible/eligible and supported by Microsoft or not?
Office 365 is already using the Azure AD free version; would it be possible to utilize Azure AD DS without spinning up extra VMs in Azure (domain controllers), and then cancel Azure AD Connect and remove the DCs and Exchange servers?
Would all users have synced mailboxes and all attributes in the cloud or not? Would this work or are there any limitations?
Also, would Win 10 machines then be able to join Azure AD (or Azure AD DS) via Azure AD Join and be managed via Group Policy or not?
Hope to get some clarification,
04-19-2017 09:27 AM
Have you seen this discussion, https://blogs.msdn.microsoft.com/vilath/2015/05/25/office-365-and-dirsync-why-should-you-have-at-lea... ?
04-19-2017 09:40 AM
I hesitate to comment because I know that I don't have enough information to know how much damage I could do by giving incorrect advice. For that reason, I think you should have someone who knows AAD, AADConnect, Exchange, etc. come in and work through the issues to create a documented plan to remove on-premises servers. Care and attention is needed to make sure that objects are homed in the right place (cloud long-term).
04-19-2017 10:56 AM
Azure AD is not a replacement for "traditional" AD, and neither is Azure AD DS. It's way too limiting IMO, but I'm definitely not an expert on the subject, so don't take my word for it :)
Still, the FAQ pretty much sums up my impressions of it - pretty much all the questions have "not available" as the answer :) https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-faqs
04-20-2017 06:23 AM
Thank you for your answers :)
The problem here is that the whole Azure portfolio is developing so quickly that it's hard to stay on top of it, and even an article, forum post, etc. that is only 1 year old can mean it's obsolete and out of date.
I am aware that you can't just replace the AD, which makes sense; what I am trying to find out is the following:
- Azure AD DS allows Azure VMs to join its domain, however would it be possible to create a VPN tunnel between the Azure network and the on-site network and join client machines through the VPN?
- If we use Azure AD Connect, can I then disconnect it and will all objects stay in the cloud (Azure) without any issues? Such as the source of authority still being on-premises, like is the case with Exchange and hybrid.
08-25-2017 11:13 AM
@Gregor Jus We are also looking to do this. I have seen small businesses, around 30 or so employees, successfully migrate their domain controllers to VMs in Azure, set up a site-to-site VPN and keep the DCs off premises. My concern about removing AD Connect is that in the past, when I have disconnected AD Connect, I get synchronization errors. It seems that the GC is still noted as the on-premises DC, and thus the Azure AD service is still looking for the DC that holds the master FSMO role. I think if maybe you can promote the DC in Azure AD Services to the schema master and demote the on-premises DC then maybe it wouldn't gripe anymore, however this is entirely conjecture. I haven't found any documentation stating that this is possible, so I would test, test and retest, but this is what we are trying to accomplish now. I have a bit of time before everything is to be decommissioned on site, so we can keep an on-site DC for around 6 months or so.
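Before disconnecting AD Connect, a practitioner would want an inventory of which Office 365 objects are still mastered on-premises (synced, with an ImmutableId) versus cloud-only, and a record of whether directory synchronization is still enabled. The script below is an added example, not code from anyone in this thread; it assumes the MSOnline PowerShell module and a Global Administrator sign-in, and the tenant-specific values are placeholders.

```powershell
# Added example: inventory synced vs cloud-only users before turning off directory sync.
# Assumes the MSOnline module is installed (Install-Module MSOnline) and the caller
# holds a Global Administrator role. Run read-only first; the disable step is commented out.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in to the Office 365 tenant

# 1. Tenant-level sync state: is DirSync still on, and when did it last run?
$company = Get-MsolCompanyInformation
[PSCustomObject]@{
    DirSyncEnabled = $company.DirectorySynchronizationEnabled
    LastDirSync    = $company.LastDirSyncTime
} | Format-List

# 2. Per-user source of authority. A populated ImmutableId means the object is
#    anchored to an on-premises AD object; a null ImmutableId means cloud-only.
$users  = Get-MsolUser -All
$synced = $users | Where-Object { $_.ImmutableId }
$cloud  = $users | Where-Object { -not $_.ImmutableId }

Write-Host ("Synced users:     {0}" -f $synced.Count)
Write-Host ("Cloud-only users: {0}" -f $cloud.Count)

# Export the synced set so you know exactly which objects will flip to cloud-mastered
# once sync is disabled (constructed output path; change it for your environment).
$synced |
    Select-Object UserPrincipalName, DisplayName, ImmutableId, LastDirSyncTime |
    Export-Csv -Path "C:\temp\synced-users-before-cutover.csv" -NoTypeInformation

# 3. Only after the inventory is reviewed and the on-premises plan is signed off:
#    disabling sync converts synced objects to cloud-managed. This is the step that
#    removes the on-premises source of authority, so it is left commented out here.
# Set-MsolDirSyncEnabled -EnableDirSync $false
```

Re-run step 1 after disabling to confirm DirSyncEnabled reports False; the change is not instantaneous, so allow time before judging the result.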
09-14-2017 12:58 PM
Moving the servers to VMs over VPN is pretty straightforward, but it only replicates what you currently have with additional latency in the form of VPN overhead to Azure VMs. Then you've also got two (or more) additional server instances to pay for.
I too have been waiting for Azure ADDS to be able to replicate *most* of what we get from on-prem AD so we have a couple fewer servers to worry about and can transition to managing the AD object lifecycle completely in Azure. It's almost there, but as many have pointed out it is not a like-for-like swap. If you're not GPO heavy and primarily use AD for authentication, you might be able to swing it.
Map out your requirements, identify the gaps, and that will help guide a go/no-go decision.