Can i replace on premises domain controller with Azure Active Directory Domain Service

Question

Can i replace on premises domain controller with Azure Active Directory Domain Service

Hrishikesh Joshi 21

One of my customer planning to migrate on premises domain controller to Azure AD DS & they don't want to keep domain controller in premises.

Already they are using O365 account & AD Sync in installed on existing domain controller. Is there any impact on existing setup if we do the migration to AAD DS.
Required best possible support as soon as possible to compete the project in given timeline.

0 comments

3 answers

Your answer

Answer 1

Devaraj G 2,101 Volunteer Moderator

Hi Hrishi,

Its possible. But there are few considerations.

Straight forward approach is to follow the traditional way. Extend your existing on-premises Active Directory infrastructure to Azure, by deploying a VM in Azure that runs AD DS as a Domain Controller with VPN connectivity and decommissioned the on-prem. you can get the Azure AD connected installed in new DC with staging mode.

Azure ADDS only talks with Azure AD. There is no direct relationship with on-prem AD from Azure ADDS (until you create some forest trusts). Azure AD DS replicates identity information from Azure AD, so it works with Azure AD tenants that are cloud-only, or synchronized with an on-premises AD DS environment.
So deploy Azure ADDS and sync with Azure AD and then decommission the on-prem AD and make synced users cloud only , then readd the domain joined machines to azure adds domain. - this step needs through planning and execution .
Note : Azure ADDS is not same as your traditional AD. there are limitations and the way it operates is different since its a Microsoft managed domain.
https://learn.microsoft.com/en-us/azure/active-directory-domain-services/faqs

Hrishikesh Joshi 21 Reputation points

2021-12-24T14:58:06.013+00:00

Hello Dev,

Thank you for answer.

Basically what customer required they wanted to join current windows 10 laptops to Azure AD & user can able to change password while connected to public network.

This laptops must be connected to domain.
Also if we are configuring group policy the policy must deploy on system while connected to public network without VPN
Devaraj G 2,101 Reputation points Volunteer Moderator

2021-12-25T02:56:10.993+00:00

Thanks for the update Hrishi.
So its Azure AD and not Azure ADDS. Both are different services provided by Azure.

Azure AD joined is recommended if your infra ecosystem is cloud first and not much dependencies with on-prem DC (GPO, NTLM, Kerbros etc).

Azure AD Join provides limited functionality compared to AD Join (as there is no Group Policy) and in order to gain fine grained control over the PCs you would then use a Mobile Device Management solution, such as Microsoft Intune. Intune can act as replacement for your GPO.

At the same time, if you have file server, print server, those things cannot by directly supported by Azure AD. you need plan compatibility check with your internal infra with azure ad services before making any decisions.
Devaraj G 2,101 Reputation points Volunteer Moderator

2022-01-02T05:05:53.52+00:00

Hi Hrishi, just checking if there is any update on this thread.

Answer 2

Hrishikesh Joshi 21

Hello Dev,

If you have any documentation share with me it will help me in this case

Devaraj G 2,101 Reputation points Volunteer Moderator

2022-01-06T23:32:05.453+00:00

Hi Hirshi,

There is no straight forward docs. However you can refer MS docs to understand and plan your model.

There is planning and deployment guide for each product service from MS:

https://learn.microsoft.com/en-us/mem/intune/fundamentals/deployment-guide-intune-setup
Devaraj G 2,101 Reputation points Volunteer Moderator

2022-01-14T03:46:30.163+00:00

Hello Hrishi, Do you have any more queries. please let u know.
Vaibhav 1 Reputation point

2022-01-21T09:26:38.26+00:00

Hi rishi, do you have any project plan related document regarding this ..so please share

Answer 3

Hrishikesh Joshi 21

Hello Dev,

Thanks,

This project is still going on. Customer not integrated any legacy application with on prem ad & also not applied any complex GPO in environment hence i am planning to go with Azure AD & Microsoft Intune combination to replace it with the same.

What is your opinion on it??

Devaraj G 2,101 Reputation points Volunteer Moderator

2022-01-02T06:41:11.293+00:00

Hi Hrishi, then I don't see any challenge with Azure AD joined + Intune.
I Have done few deployments for customer wiht Azure AD+ Intune replacing DC to promote cloud only approaches. It works well. Just ensure your application/ printers and etc support.
Foof1ght3r 1 Reputation point

2023-01-10T05:13:37.383+00:00

There are ups and downs to this approach. An, in my opinion, huge benefit would be the Autopilot not relying on any form of connection to the corporate network.

A Downside would be everything NPS and Machine related, like Computer Certificate based Wifi authentication.

Share via

Can i replace on premises domain controller with Azure Active Directory Domain Service

3 answers

Your answer