Migrating On Prem DC to Azure

Fahad Memon 61 Reputation points
2024-06-26T02:06:53.2333333+00:00

We are planning to decommission our on-prem physical Domain Controller and have a DC in the cloud. AD Sync is already set up and all the data has been syncing to Azure AD. We are planning to move away from this old physical server, which has 2012 installed on it. What is the best approach to perform the migration?

A high level plan is:

  • Site 2 Site VPN to on-prem
  • Create VM in Azure
  • Install AD and make it a Domain Controller.
  • Join it to the domain (on-prem)
  • Replicate DC and make sure replication completed successfully.
  • Update DNS entries in Azure Network (vNet)
  • Update DNS entries on physical on-prem DC
  • Shutdown on-prem DC for a couple of hours and perform testing
  • If no issue found, move the FSMO roles from on-prem to new Azure VM
  • Elevate new DC(Azure VM) to primary domain
  • Shutdown old DC for a couple of hours/days and perform testing
  • If no issue found, permanently shutdown physical servers (DCs)

I hope I do not need to rejoin my machines to this new domain.


Accepted answer
  1. Andreas Baumgarten 111.5K Reputation points MVP
    2024-06-26T04:23:18.5+00:00

    Hi @Tabani ,

    Your high-level plan looks good overall.

    There should be one minor difference in the plan:

    • Site 2 Site VPN to on-prem
    • Create VM in Azure
    • Join it to the domain (on-prem)
    • Install AD and make it a Domain Controller (use the option "additional DC to an existing domain").
    • Replicate DC and make sure replication completed successfully.
    • Update DNS entries in Azure Network (vNet)
    • Update DNS entries on physical on-prem DC
    • Shutdown on-prem DC for a couple of hours and perform testing
    • If no issue found, move the FSMO roles from on-prem to new Azure VM
    • Elevate new DC(Azure VM) to primary domain
    • Shutdown old DC for a couple of hours/days and perform testing
    • If no issue found, permanently shutdown physical servers (DCs)

    If the tests passed successfully there is no need to join the machines again because you still use the same AD domain.

    In addition:

    Be aware that if there is an outage on the Site 2 Site VPN connection between on-premises and Azure for any reason, you have no DC on-premises.

    It may be an option, after all steps in the list are done, to install a new DC on-premises (additional DC to an existing domain) to get at least one DC on-premises.


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten


1 additional answer

  1. ALI Mrehach 15 Reputation points
    2024-06-26T07:47:39.4866667+00:00

    If you are migrating a DC, then you should make sure the FSMO roles are transferred to the new server before you move forward and decom the old one.

    Suggested steps:

    • Set up a new VM in Azure.
    • Update Windows and make sure it's fully patched.
    • Upgrade the server to a DC.
    • Make sure DNS records have been replicated and the new DC can fully see the AD users and computers.
    • Move the FSMO roles from the old to the new server. This is a very important point, as missing this will leave you without roles.
    • Make sure the FSMO roles have been moved.
    • Downgrade the old DC, as it will need to be removed from the Domain Controllers OU.
    • Wait for some days, then decom this old server.

    You will still need to work with AD Sync, as you have a DC and the environment will still work the same if the user is not in the cloud. The idea here is that you are still in the on-prem environment.

    All the best!

    Ali.

    1 person found this answer helpful.
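The sequence both answers describe (join the domain first, promote as an additional DC, confirm replication, transfer all five FSMO roles, then demote the old server rather than just powering it off), as an added PowerShell walkthrough that is not from either poster. The domain `corp.example.com`, hosts `AZDC01` / `ONPREMDC`, site `Azure-Site` and the vNet DNS IP are placeholders; run each phase on the host named in its comment with Domain Admin rights.

```powershell
# Added example, not from the thread. All names/IPs below are placeholders.

# --- Phase 1 (on the new Azure VM): join the EXISTING domain, then add AD DS ---
Add-Computer -DomainName 'corp.example.com' -Credential (Get-Credential) -Restart
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString 'DSRM (Safe Mode) password'
# Dry run first, then promote as an ADDITIONAL DC (not a new forest/domain).
Test-ADDSDomainControllerInstallation -DomainName 'corp.example.com' -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Credential (Get-Credential)
Install-ADDSDomainController -DomainName 'corp.example.com' -InstallDns -SiteName 'Azure-Site' `
    -SafeModeAdministratorPassword $dsrm -Credential (Get-Credential) -Force

# --- Phase 2 (any DC): replication must be clean BEFORE any role is moved ---
Get-ADReplicationPartnerMetadata -Target 'AZDC01' -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
$failures = Get-ADReplicationFailure -Target 'corp.example.com' -Scope Domain
if ($failures) { throw 'Replication failures present; do not move FSMO roles yet.' }
Get-SmbShare -Name SYSVOL, NETLOGON   # both shares must exist on the new DC

# --- Phase 3 (any DC): transfer all five FSMO roles to the Azure DC and verify ---
Move-ADDirectoryServerOperationMasterRole -Identity 'AZDC01' -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
$d = Get-ADDomain; $f = Get-ADForest
@($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster, $f.SchemaMaster, $f.DomainNamingMaster) |
    ForEach-Object { if ($_ -notlike 'AZDC01.*') { throw "Role still held by $_" } }

# --- Phase 4: repoint DNS clients to the Azure DC, then DEMOTE the old DC ---
# Placeholder vNet IP of AZDC01; set the same address on the vNet DNS settings.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.1.0.4'
# On ONPREMDC, only after the test shutdown window passed cleanly. A graceful
# demotion removes its NTDS/DNS metadata; a plain power-off leaves stale objects.
Uninstall-ADDSDomainController -Force `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'Local admin password')
```

Keep at least one writable DC reachable without the VPN (the accepted answer's point) before running Phase 4, since after demotion every authentication depends on the Site 2 Site link.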
