Migrating on-premise Domain Controller to Azure

Michal Sumega 41 Reputation points
2020-08-13T08:26:54.277+00:00

Hello,

I would like to migrate a standard on-premise Domain Controller to Azure and get rid of the on-premise one. Trying to clarify few things in advance.

On-premise DC:

  • AD DS
  • DNS & DHCP
  • GPO - the client want to keep using GPO for now
  • running Azure AD Connect and syncing to AZ AD already
  • S2S VPN to Azure

After doing some research, this is what I've found:

  • the best way is to run a new VM in Azure, promote to DC and sync with the on-prem DC? or is there any other way that is more recommended?
  • couldn’t find any guidance about how to modify DNS. Will just point end users to the new DC in Azure. Is this the right way?
  • read few topics about that a DHCP role is not supported in Azure. Does it mean that DHCP can't be configured on the VM DC in Azure at all? It is not a big issue as I can configure DHCP on an on-prem FW.
  • what about Azure AD Connect and AZ AD relationship with AD running on the VM DC? Should I install it again on the new VM DC in Azure and setup synchronisation with AZ AD? This seems to be the most tricky part that I'm quite confused still.

thanks in advance for all your advise....

Mike

Azure Migrate
Azure Migrate
A central hub of Azure cloud migration services and tools to discover, assess, and migrate workloads to the cloud.
709 questions
Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,106 questions
0 comments No comments
{count} votes

Accepted answer
  1. Sam Cogan 10,077 Reputation points MVP
    2020-08-13T08:50:22.397+00:00
    1. Yes, if you are looking to keep the existing domain then you would want to create a VM in Azure, join it to the domain and then promote it. You need to ensure there is a secure network connection between Azure and your DC (VPN, Express Route).
    2. You need to ensure DNS is up and running on your Azure DC, and then repoint client DNS server IP to this machine (or machines, as you should really have more than one DC).
    3. Yes DHCP is not supported, so cannot be running on that DC
    4. If you are getting rid of the old DC, and it ran AD connection then yes you would need to setup AD connect on another machine, using your new DC as the source

4 additional answers

Sort by: Most helpful
  1. Thameur-BOURBITA 31,916 Reputation points
    2020-08-13T20:48:52.44+00:00

    Hi,

    the best way is to run a new VM in Azure, promote to DC and sync with the on-prem DC? or is there any other way that is more recommended?

    If you want keep your local domain , yes you have to install new VM Azure to migrate your old domain controller to this VM.

    couldn’t find any guidance about how to modify DNS. Will just point end users to the new DC in Azure. Is this the right way?
    The DNS settings on members machines (servers and workstation ) must pointed on a domain controller (VM azure in your case) to be able to resolve the domain name. You can add a additional forwarder on DNS server setting on VM Azure (your future Domain controller) to forward the client request for external DNS name to another external DNS server.

    read few topics about that a DHCP role is not supported in Azure. Does it mean that DHCP can't be configured on the VM DC in Azure at all? It is not a big issue as I can configure DHCP on an on-prem FW.

    The DHCP is not supported in VM azure , to get more details about the list of supported service in VM azure you can refer to the following link :

    https://support.microsoft.com/en-us/help/2721672/microsoft-server-software-support-for-microsoft-azure-virtual-machines

    what about Azure AD Connect and AZ AD relationship with AD running on the VM DC? Should I install it again on the new VM DC in Azure and setup synchronisation with AZ AD? This seems to be the most tricky part that I'm quite confused still.

    It's not recommended to install Azure AD connect on same machine with domain controller, it's recommended to create new VM for Azure AD connect.

    ******Don't forget to mark this reply as answer if it help you to resolve your issue******************

    1 person found this answer helpful.
    0 comments No comments

  2. James Hamil 21,151 Reputation points Microsoft Employee
    2020-08-31T19:05:31.583+00:00

    Hi, are there any updates with this case? If not, please select the appropriate response as "Answered." Otherwise please let us know how we can assist you.

    0 comments No comments

  3. Didier3001 961 Reputation points Microsoft Employee
    2020-09-06T12:49:00.897+00:00

    Hi @Michal Sumega

    Very important point, make 200% that you decommission your existing DC on-prem correctly. Check the FSMO roles and so on. Do not just shut down and delete the existing DC on-prem as you will face issues later on.

    Here is a few resources that I would recommend you to read:
    https://dirteam.com/paul/2012/07/25/how-to-decommission-a-domain-controller/#:~:text=How%20to%20Decommission%20a%20Domain%20Controller%201%20You,is%20a%20DNS%20provider.%20...%20More%20items...%20
    https://social.technet.microsoft.com/wiki/contents/articles/50925.active-directory-checklist-for-decommissioning-a-domain-controller.aspx

    Regards,
    Didier3001


  4. B_Mac710 1 Reputation point
    2020-09-25T02:34:43.59+00:00

    Hi @Sam Cogan or anybody else,

    I am looking to complete a similar setup however my client currently wants to keep using WPA2 Enterprise which runs through their on prem server which they want to do away with as well.

    Has anybody done this yet over a S2S or by other service offerings provided by MS/M365?

    Also, I am fairly new to Azure and was wondering if anybody has any great blogs or documents for setting up a resource group, vnet in order to ensure i get the network built properly?

    Many thanks,

    0 comments No comments