tripski-0727 asked:

Can we replace old on prem DC with Azure Domain Services?

Hi All, I am hoping for a little clarification. The scenario is we are a small MSP, and have a few small clients with aging on-prem Domain Controllers. Is it possible to use Azure instead of the on-prem servers for authentication, group policy and so forth? Essentially moving them 100% cloud and not having the outlay of new server hardware?

We are migrating them to O365 for email, and will use OneDrive and/or SharePoint for their on-prem file hosting. The things I am reading say this is not possible, but the threads were from 5 years ago or so and I am struggling to find anything more recent. They are a simple setup: laptops and desktops and random phones/tablets for email.

If this is possible, could someone share some resources as to what steps we should take? If it's not immediately obvious, we are new to Azure, so trying to figure this out as we go. I have been trying to research; I think it's doable with a VPN link to Azure, but I am getting a bit overwhelmed and going in circles here.

Thanks all

azure-ad-domain-services

DominikDudczak-1665 answered:

Good Day @tripski-0727,

First of all, to answer the main question: it would be possible to completely move your customers to M365 and Azure AD. I work in an IT company and over the last 2 years we completely moved everything to the cloud (apart from a few resources).

Now don't get me wrong: it is possible, but that doesn't mean it is easy or done just like that. Azure AD is not yet ready to completely replace Active Directory (https://jumpcloud.com/blog/can-i-replace-ad-with-azure-ad). To establish a complete move from Active Directory to Azure AD you would have to look at a lot of things; here are some of them:

- Do they have applications that authenticate via Domain Controllers (LDAP etc.)?
- How would you handle those applications? Do you need to adjust the code?
- Which features of the DC are they using, and do they really need them?
- How do they authenticate to their CRM and other important tools? Can those be switched to use Azure AD as authentication?
- Which services, and therefore licenses, will they need for Azure (Intune, Azure AD Premium P2, ...)?
- Are they willing to pay the price for those licenses (you were talking about small clients)?
- What services of Active Directory are they using currently, and how can we replace them with Azure/Azure AD/M365?
- And a lot more...

I am not able to give you a clear yes or no answer here since it depends on the customer, the environment, their field and money.

I can only give you some keywords and links you could look into and maybe find an answer:

- Azure AD Connect (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect)
- Differences between Azure AD DS and AD DS on-prem (https://ramprasadtech.com/difference-between-azure-ad-azure-ad-ds-and-ad-ds/)
- Microsoft Intune


If you only want to migrate your domain controllers into the cloud, to use them traditionally, you could simply deploy domain controllers in Azure Virtual Machines and replicate via VPN. The VPN would need an Azure Network Gateway to be set up. Regarding the costs, I am not sure if it would be much cheaper for the client; you would have to calculate that. You can find the price lists by simply typing in your Azure resource and adding "pricing" at the end (example: Azure Network Gateway pricing).

Hope I could help.

Best regards
Dominik
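The first two bullets in the answer above (which applications still authenticate through the DC over LDAP) can be answered with data rather than guesswork. The following PowerShell is an added example, not part of Dominik's answer; it assumes an elevated session on the domain controller itself and uses Directory Service event 2889, which only records simple binds over cleartext and SASL binds that did not request signing, so the same inventory also shows which clients would break if LDAP signing were enforced.

```powershell
# Added example (not from the thread): inventory LDAP clients of an on-prem DC.
# Assumption: run in an elevated PowerShell session on the domain controller.

$diagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$diagName = '16 LDAP Interface Events'

function Enable-LdapBindLogging {
    # Level 2 makes the DC write event 2889 for every simple bind over
    # cleartext and every SASL bind that did not ask for signing.
    Set-ItemProperty -Path $diagKey -Name $diagName -Value 2 -Type DWord
}

function Disable-LdapBindLogging {
    # Level 0 is the default; set it back once the sample window is over.
    Set-ItemProperty -Path $diagKey -Name $diagName -Value 0 -Type DWord
}

function Get-LdapBindInventory {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Event 2889 carries the client address (IP:port) as property 0 and the
    # identity that bound as property 1. Strip the ephemeral source port so
    # repeated binds from one host and account collapse into one row.
    $events | ForEach-Object {
        [pscustomobject]@{
            Client   = ($_.Properties[0].Value -replace ':\d+$', '')
            Identity = $_.Properties[1].Value
            LastSeen = $_.TimeCreated
        }
    } | Group-Object Client, Identity | ForEach-Object {
        [pscustomobject]@{
            Client   = $_.Group[0].Client
            Identity = $_.Group[0].Identity
            Binds    = $_.Count
            LastSeen = ($_.Group | Sort-Object LastSeen -Descending)[0].LastSeen
        }
    } | Sort-Object Binds -Descending
}

# Typical use: enable logging, wait a full business cycle (a week catches
# weekly jobs), then run the report on the same DC and turn logging off.
Enable-LdapBindLogging
# ... one week later:
Get-LdapBindInventory | Format-Table -AutoSize
Disable-LdapBindLogging
```

Each row (client host, bound identity, bind count) maps to an application or device that still depends on the on-prem directory and needs a plan (Azure AD, Azure AD DS, or a DC kept in a VM) before the old servers can be retired.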


tripski-0727 commented:

That is actually very helpful, thanks for taking the time to reply. That's what I have been seeing, a lot of contrasting posts saying yes it can, no it can't; your explanation helped clear that up. The only thing they use their DC for is authenticating their machines for AD, group policy and a file server. Files will be going to either a NAS or the cloud. The main thing they are interested in keeping is group policy for their workstations, which I understand Azure should be able to handle. Seems using a VM/VPN may be the way to go, or put an inexpensive workstation on site to handle AD authentication and the GP updates, depending on costs.

Lots to think about though, and again thanks for taking the time, super helpful and appreciated.

StevenLee-1574 answered:

Hi Dominik,

Good day. May I know what type of license you purchased for AZ Domain Services?

Thanks.

Steven Lee
