question

GauravD-9045 asked:

Integration of Azure Active Directory Domain Controller with Oracle Cloud Infra

I have the below use case:
Currently in my OCI infra, one region's datacenter is using RW AD domain controllers, which further connect to customer tenancies through VPNs, and each customer tenancy has its own RO ADDC. Now that datacenter is declared legacy and all resources in that region/DC are to migrate somewhere else, so I'm looking for Azure support in the following way:

  1. Can the existing RW DC migrate/synchronize with Azure ADDS?

  2. If it can migrate, then how can Azure AD DS integrate with OCI customer tenancies?

Thanks in advance!

azure-active-directory

soumi-MSFT answered:

@GauravD-9045, there is no way to sync/migrate your on-prem Azure AD environment to Azure AD Domain Services. Azure AD Domain Services is a PaaS instance where two DCs get created in the backend and are maintained by Azure. Only a few limited functionalities are provided by this service to help you keep supporting your legacy apps that use LDAP or Kerberos.

You can read more on Azure AD Domain Services here.

Now, when you set up the Azure AD DS service, it only syncs with the current Azure AD tenant and pulls details from there. The following options are available:

  1. You can sync your on-prem domain with Azure AD initially and then let the objects from AAD sync to the Azure AD Domain Services instance.

  2. The best way would be to create a new VM in Azure, install the Azure AD Domain Services role on it, and make it a normal DC as you currently have in your on-prem datacenter.

In case you go with the first option I provided, you would still need to deploy a VM and connect it to the VNET that the Azure AD DS service is part of; on that VM you can install the RSAT tools and manage the Azure AD DS, in other words manage your domain. Also, we are not sure how to integrate it with OCI, as that is a third-party product. But I can say the steps would be similar to how you set it up with your on-prem DC; it is just the networking that you would have to take care of.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.





Thanks @soumi-MSFT for your prompt response. I would like to go with option 2, though the challenge is only how to sync/migrate my existing DC data. I believe with Azure AD Connect we can sync both AD DC data; let me know if that is not the case.

https://www.assistanz.com/steps-to-migrate-users-from-on-premises-active-directory-to-azure/

soumi-MSFT answered:

@GauravD-9045, in case you would like to go with option two, the best way that I can suggest is this: take the DC that you deploy in Azure as an Azure VM, make that DC the secondary DC, and connect it to your on-prem DC. Now you would have to take care of the networking between your on-prem DC and the DC in Azure, and for that you can refer to the following documentation:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain

For more info:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/

Once your DC in Azure has all the data replicated from your on-prem DC, then you can go ahead and slowly make that Azure DC the primary, make sure all your FSMO roles are also on that Azure DC, and then you can decommission the on-prem DC gracefully.


In that way all your users and other objects present in the on-prem DC would get replicated to the DC in Azure, and once you make the DC in Azure the primary DC with all the FSMO roles on it, you would be in a position where you no longer depend on your on-prem DC, and that's when you can decommission it gracefully.

Note: Microsoft always recommends taking a proper backup of your on-prem DC before you perform any of these steps so that in case of a disaster your data remains safe.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.




Thanks @soumi-MSFT. I wanted to confirm: after deploying our in-house Azure DC instance, would our customers still need read-only domain controllers? Right now, as per our architecture, we have two datacenter read-write domain controllers which further connect to the read-only DCs hosted in customer tenancies.


@GauravD-9045, the first DC that you would be deploying in Azure using the Azure VM should be a read-write DC. It should be an exact replica of the on-prem DC. Once you have that Azure DC in the same state as the on-prem primary DC (PDC), then you can make the DC in Azure the PDC after making sure all the replication is done properly between your on-prem PDC and the new Azure DC.

Once you have a working PDC in Azure running on an Azure VM, then you can deploy RODCs as per the client's requirements to the specific sites as needed.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.



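The sequence the answers above describe (additional writable DC in an Azure VM, replication check, FSMO transfer, RODCs in the customer sites, graceful demotion of the old DC) as a PowerShell walkthrough. This is an added example, not code from the thread or from Microsoft documentation. All names are assumptions: domain `corp.example.com`, on-prem DC `ONPREM-DC01`, Azure VM `AZ-DC01`, Azure VNET `10.10.0.0/16`, customer site subnet `10.50.0.0/24`, RODC `CUST1-RODC01`, the site names, the group names, and the `E:` backup target. Each phase runs on the server named in its comment, in order, with the next phase only after the previous one is verified.

```powershell
# Added example (not from the answer above): the migration sequence from this thread
# as PowerShell. All host, domain, site, subnet and group names are assumptions.
# Run each phase separately on the server named in its comment.

# --- Phase 0 (on ONPREM-DC01): system-state backup before touching the domain ---
wbadmin start systemstatebackup -backupTarget:E: -quiet

# --- Phase 1 (on ONPREM-DC01): describe the Azure VNET as an AD site so the
#     replication topology and client DC locator use the right DC ---
New-ADReplicationSite -Name "Azure-EastUS"
New-ADReplicationSubnet -Name "10.10.0.0/16" -Site "Azure-EastUS"
New-ADReplicationSiteLink -Name "OnPrem-Azure" `
    -SitesIncluded "Default-First-Site-Name","Azure-EastUS" `   # assumed on-prem site name
    -Cost 100 -ReplicationFrequencyInMinutes 15

# --- Phase 2 (on AZ-DC01, a domain-joined Azure VM): promote it as an additional
#     WRITABLE DC that replicates from the on-prem DC ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController `
    -DomainName "corp.example.com" `
    -Credential (Get-Credential "CORP\domain-admin") `
    -SiteName "Azure-EastUS" `
    -ReplicationSourceDC "ONPREM-DC01.corp.example.com" `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
    -Force

# --- Phase 3 (on either DC): confirm replication has converged before any role
#     moves; a DC with failures or stale partners is not "the same state" ---
function Test-ReplicationHealthy {
    param([string]$Server)
    $failures = Get-ADReplicationFailure -Target $Server -Scope Server
    $partners = Get-ADReplicationPartnerMetadata -Target $Server -Scope Server
    # Any partner not successfully replicated within the last hour counts as stale.
    $stale = $partners | Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-1) }
    return (($failures | Measure-Object).Count -eq 0) -and (($stale | Measure-Object).Count -eq 0)
}
if (-not (Test-ReplicationHealthy -Server "AZ-DC01")) {
    throw "Replication is not healthy; fix it before transferring FSMO roles."
}
repadmin /showrepl AZ-DC01   # human-readable cross-check of the same data

# --- Phase 4 (on AZ-DC01): TRANSFER (not seize) all five FSMO roles, then verify ---
Move-ADDirectoryServerOperationMasterRole -Identity "AZ-DC01" `
    -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster `
    -Confirm:$false
Get-ADForest | Select-Object SchemaMaster,DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator,RIDMaster,InfrastructureMaster

# --- Phase 5a (on AZ-DC01): give each customer tenancy its own site ---
New-ADReplicationSite -Name "Customer1-OCI"
New-ADReplicationSubnet -Name "10.50.0.0/24" -Site "Customer1-OCI"

# --- Phase 5b (on CUST1-RODC01, reached over the customer VPN): promote an RODC.
#     The password replication policy is the control that bounds what a lost or
#     compromised RODC can expose: only that customer's users are cached,
#     privileged groups never are. ---
Install-ADDSDomainController `
    -DomainName "corp.example.com" `
    -Credential (Get-Credential "CORP\domain-admin") `
    -ReadOnlyReplica `
    -SiteName "Customer1-OCI" `
    -ReplicationSourceDC "AZ-DC01.corp.example.com" `
    -InstallDns `
    -AllowPasswordReplicationAccountName @("CORP\Customer1-Users") `
    -DenyPasswordReplicationAccountName @("CORP\Domain Admins","CORP\Enterprise Admins") `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
    -Force

# --- Phase 6 (on ONPREM-DC01): only after Phase 3 passes again with AZ-DC01 as the
#     source and no client or VPN endpoint still points at this host, demote it ---
Uninstall-ADDSDomainController `
    -Credential (Get-Credential "CORP\domain-admin") `
    -LocalAdministratorPassword (Read-Host -AsSecureString "Local admin password") `
    -Force
```

Two design points follow the thread's own advice: the Azure DC is promoted as a plain writable replica first and only becomes the role holder after `Test-ReplicationHealthy` passes, and the roles are transferred rather than seized so the on-prem DC is still consistent when it is demoted. The deny list on the RODC is what keeps a customer-hosted DC from ever caching administrative credentials, which is the reason to keep the customer tenancies on RODCs rather than giving them writable replicas.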

@GauravD-9045, I wanted to follow up and understand if the above response helped in answering your query. If it did, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.
