Can Azure Active Directory or Entra ID be used to move an existing AD domain to the cloud?

Ken Morley 21 Reputation points
2024-06-12T20:18:24.58+00:00

I am interested in moving an existing Active Directory forest into the cloud - gradually over time and without disjoining Windows desktops and notebooks...

The scenario involves a single existing on-premises Windows Server 2012 that is a DC that currently supports the forest. The network also has a number of Windows 10 and Windows 11 computers that are domain-joined. The users have Microsoft 365 subscriptions they are currently using for all file storage. As a result, the Windows 2012 server is not currently being used for anything other than AD.

I would like to implement Azure AD - now known as Microsoft Entra ID - to move the existing Active Directory forest into the cloud. I would initially use Entra Connect to move the existing AD to the cloud and keep the two in sync. Eventually, I would demote the on-premises Windows Server 2012 and remove it from the network altogether.

Here are my questions:

  1. Is it feasible to use Entra ID in the scenario described above to eventually replace on-premises AD altogether?
  2. Can Windows Server 2012 R2 be used in the process, or must I implement a Windows Server 2016 temporarily? Prerequisites in the documentation are vague and/or conflicting.
  3. Once the on-premises server is demoted and decommissioned, what provides AD connectivity between the local network, its computers, off-site notebooks and Microsoft's cloud?

To expand on the third question, I understand that Entra ID hybrid deployments involve the Entra Connect agent installed on a Windows Server. But if I eventually eliminate that server, how do the computers (Windows desktops on the on-premises network and Windows notebooks being used by travelling personnel) connect to AD running in Microsoft's cloud? Do I have to install an agent on each device? Is there some mechanism built into the Windows 10/11 OS?

I've read a lot of documentation thoroughly and watched several of the Microsoft videos on this subject. I've even successfully deployed Entra ID and Entra Connect on a lab network. I thought that all of that would help me figure it out, but I guess I'm overly dense...

I very much appreciate any enlightenment you can provide.

Thanks!

KMorley


Accepted answer
  William Nieto 545 Reputation points
    2024-06-12T20:53:45.02+00:00

    Moving an existing Active Directory (AD) forest to the cloud using Microsoft Entra ID (formerly Azure AD) is a common and feasible scenario. Let’s address your questions:

    Integrate on-premises AD with Azure

    1. Feasibility of Replacing On-Premises AD with Entra ID

    Yes, it is feasible to eventually replace your on-premises AD with Entra ID. Many organizations are transitioning to cloud-based identity and access management. Entra ID offers features like self-service password reset (SSPR), conditional access, and dynamic groups, making it a powerful choice for modernizing your directory services.

    2. Using Windows Server 2012 R2 in the Process

    While Windows Server 2012 R2 can be used, it is recommended to use a more recent version like Windows Server 2016 or later. This ensures better compatibility and support throughout the migration process. Microsoft’s documentation provides guidance on prerequisites and setup.

    3. AD Connectivity After Demoting the On-Premises Server

    Once you demote and decommission the on-premises server, Entra ID will handle AD connectivity:

    • Windows 10/11 Devices: These can seamlessly connect to Entra ID in the cloud without requiring an additional agent on each device. The built-in mechanisms in the Windows OS handle authentication and communication with Entra ID.

    4. Role of Entra Connect Agent

    Initially, you’ll use Entra Connect to synchronize your existing AD with Entra ID. After the migration:

    • Eliminating Entra Connect Agent: Post-migration, you can eliminate the Entra Connect agent and rely on native Windows functionality. Devices will authenticate directly with Entra ID using protocols like OAuth and OpenID Connect.

    By following these steps, you can ensure a smooth transition from on-premises AD to Entra ID, leveraging modern cloud-based identity management capabilities.

    For more detailed guidance, check the Azure AD Connect documentation and the Hybrid Azure AD Join documentation. YouTube: Microsoft Entra ID Beginner's Tutorial (Azure Active Directory)

    and Microsoft Entra ID: Application and identity migration to Azure AD B2C


1 additional answer

  Marcin Policht 50,895 Reputation points MVP Volunteer Moderator
    2024-06-12T20:41:35.9066667+00:00

    You cannot join Windows servers (other than Windows Server 2022 running in Azure) to Entra ID - so that would be your primary blocker (unless you are ready to decommission or upgrade all of them).

    You can use Entra Domain Services as a replacement for your on-premises AD.


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

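Both answers turn on the same two facts about the environment: which domain-joined objects are Windows 10/11 clients that can move to an Entra join natively, and which are Windows Server objects (including the DC itself) that Entra ID cannot take over. The following is an added readiness-check script, not code from the question or from either answer; it assumes the RSAT ActiveDirectory module on the machine where it runs, the ADSync module only on the Entra Connect server, and the built-in `dsregcmd` tool on a Windows 10/11 client. It inventories the forest, confirms the sync scheduler state before the on-premises DC is demoted, and reports the local device's join state.

```powershell
# Added example (not from the thread): pre-decommission readiness checks for the
# scenario discussed above. Assumptions: RSAT ActiveDirectory module is installed
# here; the ADSync module exists only on the Entra Connect server; dsregcmd.exe is
# the built-in Windows 10/11 device-registration tool. Run from an elevated prompt.

Import-Module ActiveDirectory

# 1. Group enabled computer objects by OS family. Clients can be Entra joined with
#    no extra agent; any Windows Server objects are the blocker the second answer
#    describes and need their own plan before the domain goes away.
function Get-DomainJoinInventory {
    $computers = Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate |
        Where-Object { $_.Enabled }

    [pscustomobject]@{
        Clients = @($computers | Where-Object { $_.OperatingSystem -like 'Windows 1*' })
        Servers = @($computers | Where-Object { $_.OperatingSystem -like 'Windows Server*' })
        Other   = @($computers | Where-Object {
                      $_.OperatingSystem -notlike 'Windows 1*' -and
                      $_.OperatingSystem -notlike 'Windows Server*' })
    }
}

# 2. List the domain controllers so you can confirm the single 2012 DC is really
#    the only one left and see whether it still holds the global catalog.
function Get-DcSummary {
    Get-ADDomainController -Filter * |
        Select-Object HostName, OperatingSystem, IsGlobalCatalog, Site
}

# 3. On the Entra Connect server: read the sync scheduler state. Do not demote the
#    DC until the scheduler is enabled, not in staging mode, and a recent cycle ran.
function Test-EntraConnectSync {
    if (-not (Get-Module -ListAvailable -Name ADSync)) {
        Write-Warning 'ADSync module not found; run this step on the Entra Connect server.'
        return $null
    }
    Import-Module ADSync
    $sched = Get-ADSyncScheduler
    [pscustomobject]@{
        SyncEnabled = $sched.SyncCycleEnabled
        StagingMode = $sched.StagingModeEnabled
        NextSyncUtc = $sched.NextSyncCycleStartTimeInUTC
    }
}

# 4. On a client: dsregcmd reports whether the device is domain joined, hybrid
#    joined (both YES) or Entra joined only (the built-in mechanism the accepted
#    answer refers to, with no per-device agent).
function Get-LocalJoinState {
    $status = dsregcmd /status
    [pscustomobject]@{
        DomainJoined  = [bool]($status | Select-String 'DomainJoined\s*:\s*YES')
        AzureAdJoined = [bool]($status | Select-String 'AzureAdJoined\s*:\s*YES')
    }
}

$inv = Get-DomainJoinInventory
"Enabled client objects : $($inv.Clients.Count)"
"Enabled server objects : $($inv.Servers.Count) (blocker if any remain besides the DC)"
"Unclassified objects   : $($inv.Other.Count)"
$inv.Servers | Select-Object Name, OperatingSystem, LastLogonDate | Format-Table -AutoSize
Get-DcSummary | Format-Table -AutoSize
Test-EntraConnectSync
Get-LocalJoinState
```

Run the inventory and DC summary on any domain-joined machine with RSAT, the sync check on the Entra Connect server, and the join-state check on a client before and after you move it; a client that reports `DomainJoined` NO and `AzureAdJoined` YES is no longer dependent on the on-premises DC.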
