Domain controller migration to Azure

HASSAN BIN NASIR DAR 306 Reputation points

Hi all

I have a question.

My client has an on-premises domain controller and a read-only domain controller. Now he wants to migrate his primary domain controller to Azure, but the read-only domain controller should stay in the on-premises datacenter.

What is the best practice?

First Step:

Should I deploy Azure AD DS? Can I create a VM with Windows Server and install only the Active Directory Domain Services tools? Then I would manage Azure Active Directory Domain Services from that VM. Is that correct?

Or should I create an Azure VM and promote it to a domain controller?

Second Step:

I will install Azure AD Connect and sync all objects from the on-premises AD to Azure AD?

Should I deploy a site-to-site VPN, promote an additional Active Directory domain controller in an Azure VM, and then transfer the FSMO roles?

Also, how will the primary domain controller in Azure and the read-only domain controller on-premises synchronize with each other?


3 answers

  1. Sandeep G-MSFT 16,691 Reputation points Microsoft Employee


    You will have to create a site-to-site VPN.
    You will have to deploy the site-to-site VPN, and then you can create a VM in Azure and install Active Directory in the VM. After this you can transfer the roles to the Active Directory in Azure.

    With this you will not have any downtime in your environment.

    If you use Azure AD DS, you will not have any control over the DCs. Also, there is no option to add your present DC to Azure AD DS.

    Azure AD DS is a feature where two domain controllers get deployed and both domain controllers are managed/maintained by Microsoft.

    Do let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

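As an added worked example (not from the thread or any of its posters), here is the promote-then-transfer sequence the answer above describes, written in PowerShell. The domain name `corp.example.com`, the site name `Azure-Site`, the subnet `10.10.0.0/16` and the host names `AZ-DC01`, `ONPREM-DC01` and `ONPREM-RODC01` are placeholders to replace with the real environment's values; it assumes the site-to-site VPN is already up and the Azure VM's DNS points at an on-premises DC.

```powershell
# Added example, not code from the original thread. Run on the new Azure VM
# as a Domain Admin once the site-to-site VPN is up.
# Placeholders: corp.example.com, Azure-Site, 10.10.0.0/16, AZ-DC01,
#               ONPREM-DC01, ONPREM-RODC01 (assumed names).

# 0. Preflight: the Azure VM must reach an existing writable DC over the VPN
#    (LDAP and SMB are the minimum for promotion and SYSVOL replication).
Test-NetConnection -ComputerName ONPREM-DC01 -Port 389 | Select-Object ComputerName, TcpTestSucceeded
Test-NetConnection -ComputerName ONPREM-DC01 -Port 445 | Select-Object ComputerName, TcpTestSucceeded

# 1. Install the AD DS role together with the RSAT/PowerShell management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Give Azure its own AD site, subnet and site link, so replication and
#    client DC location follow the WAN link instead of treating Azure as LAN.
New-ADReplicationSite -Name "Azure-Site"
New-ADReplicationSubnet -Name "10.10.0.0/16" -Site "Azure-Site"
New-ADReplicationSiteLink -Name "OnPrem-Azure" `
    -SitesIncluded "Default-First-Site-Name", "Azure-Site" `
    -Cost 100 -ReplicationFrequencyInMinutes 15

# 3. Promote the VM as an additional writable DC of the existing domain.
#    NTDS and SYSVOL go on a separate data disk (F:) whose host caching is
#    set to None in Azure, so the database is not exposed to write-cache loss.
Install-ADDSDomainController `
    -DomainName "corp.example.com" `
    -SiteName "Azure-Site" `
    -InstallDns `
    -DatabasePath "F:\NTDS" -LogPath "F:\NTDS" -SysvolPath "F:\SYSVOL" `
    -Credential (Get-Credential "CORP\Administrator") `
    -Force
# The server reboots here.

# 4. After the reboot: confirm inbound replication is clean BEFORE moving roles.
repadmin /replsummary
repadmin /showrepl AZ-DC01

# 5. Transfer (not seize) all five FSMO roles to the Azure DC. A transfer
#    needs the current holder online, which is exactly why step 4 comes first.
Move-ADDirectoryServerOperationMasterRole -Identity "AZ-DC01" `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 6. Verify the new role holders.
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# 7. The on-premises RODC replicates one way (inbound only) from a writable DC.
#    Once the last on-premises writable DC is retired, that partner is the
#    Azure DC over the VPN, so check the RODC's replication status explicitly.
Get-ADDomainController -Filter { IsReadOnly -eq $true } | Select-Object Name, Site, IPv4Address
repadmin /showrepl ONPREM-RODC01
```

Step 7 answers the question of how the two servers "synchronize": they do not replicate symmetrically. The RODC only pulls changes from a writable DC, so the VPN to the Azure DC must stay up for the RODC to receive updates, and the health of that one link is what to monitor.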

  2. Godwin Daniel 1 Reputation point

    An RODC is designed primarily to be deployed in remote or branch office environments, which typically have relatively few users, poor physical security, relatively poor network bandwidth to a hub site, and personnel with limited knowledge of information technology (IT). Deploying RODCs results in improved security and more efficient access to network resources. So are you treating the on-prem datacenter as less secure?
    Personally, I prefer to have a writable DC in my datacentre.
