This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 35%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHB%3C/text%3E%3C/svg%3E)
Hi all
I have a question.
My client has On-premise domain controller and read only domain controller. Now he want to migrate his primary domain controller to Azure But read only domain controller should be stay on on-premise datacenter.
What is best practice?
First Step:
Should I deploy Azure AD DS? Can I do, create a VM with Windows Server and install Active directory domain services tools only? then I will manage Azure Active Directory domain services on that VM. Is it correct?
OR
Should I create Azure VM and promote domain controller ?
Second Step:
I will install Azure AD connect and sync all object from on-premise AD to Azure AD?
OR
Should I deploy site 2 site VPN and promote Additional Active directory in Azure VM and then transfer FSMO roles?
and tell me how primary domain controller on azure and Read only Domain Controller on-premise will synchronize to each other?
Regards
Hi,
Please answer me of this question:
My client has On-premise domain controller and read only domain controller. Now he want to migrate his primary domain controller to Azure But read only domain controller should be stay on on-premise datacenter.
What is best practice?
Should I deploy Azure AD DS? Can I do, create a VM with Windows Server and install Active directory domain services tools only? then I will manage Azure Active Directory domain services on that VM. Is it correct?
OR
Should I create Azure VM and promote domain controller ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
You could establish the on-premises to azure network, then stand up the new azure VM, join existing domain, then promo it.
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.
Sounds like you're asking about this option
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/#ad-ds-in-azure-joined-to-an-on-premises-forest
https://learn.microsoft.com/en-us/microsoft-365/enterprise/connect-an-on-premises-network-to-a-microsoft-azure-virtual-network?view=o365-worldwide
--please don't forget to upvote and Accept as answer if the reply is helpful--
You will have to create a site to site VPN
You will have to deploy site to site VPN and then you can create a VM in Azure and install Active Directory in VM. Post this you can transfer the roles to active directory in Azure.
With this you will not have any downtime in your environment.
If you use Azure AD DS, you will not have any control over DC's. Also, there is no option of adding your present DC to Azure AD DS.
Azure AD DS is a feature where there are 2 domain controllers gets deployed and both the domain controllers are managed/maintained by Microsoft.
Do let me know if you have any further questions
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 42%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGD%3C/text%3E%3C/svg%3E)
An RODC is designed primarily to be deployed in remote or branch office environments, which typically have relatively few users, poor physical security, relatively poor network bandwidth to a hub site, and personnel with limited knowledge of information technology (IT). Deploying RODCs results in improved security and more efficient access to network resources. So you are treating the on-prem datacenter as less secure ?
Personally prefer to have a writable DC on my datacentre.