Integration of Azure Active Directory Domain Controller with Oracle Cloud Infra

Gaurav D 1 Reputation point
2020-04-30T13:37:36.873+00:00

I have the below use-case:
Currently, in my OCI infra, one of the region datacenters is using RW AD domain controllers, which further connect to customer tenancies through VPNs, and each customer tenancy has its own RO ADDC. Now that datacenter is declared as legacy and all resources in that region/DC are to migrate somewhere else, so I'm looking for Azure support in the following way:

  1. Can the existing RW DC migrate/synchronize with Azure AD DS?
  2. If it can migrate, then how can Azure AD DS integrate with the OCI customer tenancies?

Thanks in advance!

Microsoft Entra ID

2 answers

Sort by: Most helpful
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-04-30T13:52:02.863+00:00

    @Gaurav D , There is no way to sync/migrate your on-prem Azure AD environment to Azure AD Domain Services. Azure AD Domain Services is a PaaS instance where two DCs get created in the backend and are maintained by Azure. Only a few limited functionalities are provided by this service, to help you go on supporting your legacy apps that use LDAP or Kerberos.

    You can read more on Azure AD Domain Services here.

    Now, coming to that: when you set up the Azure AD DS service, it only syncs with the current Azure AD tenant and pulls details from there. The following options are available:

    1. You can sync your on-prem domain with Azure AD initially and then let the objects from AAD sync to the Azure AD Domain Services instance.
    2. The best way would be to create a new VM in Azure, install the Azure AD Domain Services role on it and make it a normal DC as you currently have in your on-prem datacenter.

    In case you go by the first option I provided, you would still need to deploy a VM and connect it to the VNET that the Azure AD DS service is a part of, and on that VM you can install the RSAT tools and manage the Azure AD DS, in other words manage your domain. Also, how to integrate it with OCI we are not sure, as that is a third-party product. But I can say the steps would be similar to how you set it up with your on-prem DC; just the networking is what you would have to take care of.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.


  2. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-04-30T14:28:08.267+00:00

    @Gaurav D , In case you would like to go with option two, the best way that I can suggest is: the DC that you deploy in Azure as an Azure VM, make that DC the secondary DC and connect it to your on-prem DC. Now you would have to take care of the networking between your on-prem DC and the DC on Azure, and for that you can refer to the following documentation:
    https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain

    For more info:
    https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/

    Once your DC in Azure has all the data replicated from your on-prem DC, then you can go ahead and slowly make that Azure DC the primary, make sure all your FSMO roles are also on that Azure DC, and then you can decommission the on-prem DC gracefully.

    In that way all your users and other objects present in the on-prem DC would get replicated to the DC in Azure, and once you make the DC in Azure the primary DC with all the FSMO roles on it, you would be in a position where you no longer depend on your on-prem DC, and that's when you can decommission it gracefully.

    Note: Microsoft always recommends taking a proper backup of your on-prem DC before you perform any of these steps, so that in case of a disaster your data remains safe.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
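The procedure described in the answer above (add an Azure VM as an additional DC of the existing domain, wait for replication, transfer the FSMO roles, then demote the legacy DC), as an added worked example that is not part of the original answers or of any Microsoft documentation. Everything named here is an assumption for illustration: the domain `contoso.local`, the legacy DC `ONPREM-DC01` (10.10.0.4), the new Azure VM `AZ-DC01`, the Azure VNet subnet 10.20.0.0/24 and the AD site `Azure-WestEurope`. Each phase is run on the host named in its comment, with a Domain Admin account that is also an Enterprise Admin and Schema Admin (needed to move the forest-wide roles).

```powershell
# Added example, not the answerer's code. Assumed names: contoso.local, ONPREM-DC01
# (legacy RW DC, 10.10.0.4), AZ-DC01 (new Azure VM), subnet 10.20.0.0/24, site Azure-WestEurope.

# ---- Phase 0 (on ONPREM-DC01): system-state backup before any change ----
Install-WindowsFeature Windows-Server-Backup
wbadmin start systemstatebackup -backupTarget:E: -quiet      # E: is an assumed local backup volume

# ---- Phase 1 (on ONPREM-DC01): AD site and subnet so the new DC replicates over the VPN/ExpressRoute link ----
New-ADReplicationSite -Name "Azure-WestEurope"
New-ADReplicationSubnet -Name "10.20.0.0/24" -Site "Azure-WestEurope"
New-ADReplicationSiteLink -Name "OnPrem-Azure" `
    -SitesIncluded "Default-First-Site-Name","Azure-WestEurope" `
    -Cost 100 -ReplicationFrequencyInMinutes 15

# ---- Phase 2 (on AZ-DC01): promote the VM as an additional DC in the existing domain ----
# The VM must resolve contoso.local through an existing DC before promotion.
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "10.10.0.4"
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$cred = Get-Credential -Message "Domain Admin for contoso.local"
$dsrm = Read-Host -AsSecureString "DSRM (Directory Services Restore Mode) password"
# Prerequisite check first; it reports the same warnings the real promotion would.
Test-ADDSDomainControllerInstallation -DomainName "contoso.local" -Credential $cred `
    -SiteName "Azure-WestEurope" -InstallDns -SafeModeAdministratorPassword $dsrm
Install-ADDSDomainController -DomainName "contoso.local" -Credential $cred `
    -SiteName "Azure-WestEurope" -InstallDns `
    -ReplicationSourceDC "ONPREM-DC01.contoso.local" `
    -SafeModeAdministratorPassword $dsrm -Force
# The server reboots here.

# ---- Phase 3 (on either DC): confirm replication has converged before moving anything ----
repadmin /replsummary
Get-ADReplicationFailure -Target "AZ-DC01" |
    Format-Table Server, FirstFailureTime, FailureCount, LastError
Get-ADReplicationPartnerMetadata -Target "AZ-DC01" |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult
# Spot-check that the object set really exists on the new DC, not only on the source.
$onprem = (Get-ADUser -Filter * -Server "ONPREM-DC01").Count
$azure  = (Get-ADUser -Filter * -Server "AZ-DC01").Count
if ($onprem -ne $azure) { throw "User count differs: on-prem=$onprem azure=$azure; do not continue." }

# ---- Phase 4 (on AZ-DC01): transfer all five FSMO roles ----
# Transfer (old DC online), never seize; seizing while the old holder is alive splits the roles.
Move-ADDirectoryServerOperationMasterRole -Identity "AZ-DC01" `
    -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster `
    -Confirm:$false
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
# Repoint DNS forwarders/conditional forwarders in the OCI tenancies (the RODC side) to AZ-DC01 now.

# ---- Phase 5 (on ONPREM-DC01): graceful demotion, only after Phase 4 shows all roles on AZ-DC01 ----
# -DemoteOperationMasterRole would force demotion even if a role were still held here; it is
# deliberately omitted so a forgotten role aborts the demotion instead of being dropped.
Uninstall-ADDSDomainController -Credential $cred -Force `
    -LocalAdministratorPassword (Read-Host -AsSecureString "Local admin password after demotion")
# After the reboot, remove the role binaries as well:
Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools
```

Two points a practitioner would want to check in this design: the Azure VM holds `ntds.dit`, so put it on a dedicated subnet with a network security group that allows the AD/DNS/Kerberos/LDAP/RPC ports only from the on-prem and OCI address ranges, give it no public IP, and encrypt its disks; and keep the DSRM password in a vault, since it is the local recovery credential for the whole directory on that host. The RODCs in the OCI tenancies keep replicating as before once they can reach the new writable DC over the VPN, which is the "networking is what you would have to take care of" part of the answer.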