Remove domain controller with AD connect enabled in Azure

Rex Li 0 Reputation points
2023-02-08T09:26:59.82+00:00

In my current environment, there is a VM running as a domain controller in Azure, and it has AD Connect enabled to sync with Azure AD. This kind of setup doesn't make sense to me since this DC is not on-prem, so I want to move to a pure cloud solution and use AAD and AADS instead.

What is the best practice to remove this DC and use AAD only?

Appreciate your help!


6 answers

  1. Khurram Rahim 1,841 Reputation points
    2023-02-08T19:22:06.6333333+00:00

    Here are the steps to move from an on-premises Domain Controller (DC) and Azure AD Connect to a pure cloud solution using Azure Active Directory (AAD) and Azure AD Domain Services (AADS):

    1. Disable Azure AD Connect: To prevent any changes made to the on-premises AD from syncing to AAD, disable Azure AD Connect.
    2. Verify that all on-premises services are running correctly with AAD: Before removing the DC, make sure all on-premises services that rely on it are working properly with AAD.
    3. Remove the Domain Controller: You can either deprovision the DC or decommission it, depending on your specific requirements.
    4. Verify all users, devices, and resources have been moved to AAD: Ensure that all identities, devices, and resources that were previously synced from on-premises AD to AAD have been moved to AAD.
    5. Enable Azure AD Domain Services: If you have any legacy applications that require an on-premises domain, you can enable AADS, which provides managed domain services in the cloud.
    6. Verify the applications are working correctly with AADS: Test your applications to make sure they are working as expected with AADS.
    7. Optionally, implement multifactor authentication (MFA) for added security: To enhance the security of your environment, consider enabling MFA for all users.

    Note: These steps may vary depending on your specific environment, and it is recommended to perform a thorough backup of your data and configuration before making any changes.

    1 person found this answer helpful.

  2. David Broggy 5,681 Reputation points MVP
    2023-02-08T18:03:41.8466667+00:00

    Hi Rex,

    Before getting rid of your AD VM, have you looked at the cost of AADS (it might be more than your AD VM)?
    https://azure.microsoft.com/en-ca/pricing/details/active-directory-ds/

    If you're saying you don't need AD anymore (either as a VM or as AADS) then you have to consider the architectural differences between AD and AAD. John Savill gives a great architecture review of it here:

    https://www.youtube.com/watch?v=uts0oy8NlUs&t=14s&ab_channel=JohnSavill%27sTechnicalTraining

    If you don't have any 'legacy issues' like on-prem file servers that users need to access, and everything they use is already in the cloud (OneDrive, SharePoint, O365, etc.), then yes, you may at least be able to start moving large groups of your users to AAD, Intune, etc.

    I would suggest you look into Azure Autopilot for migration of users/workstations to AAD:

    https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad/device-migration-from-on-prem-ad-to-azure-ad/m-p/1165192

    https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot


  3. Konstantinos Passadis 17,286 Reputation points
    2023-02-08T18:18:18.5733333+00:00

    Hello @Rex Li !

    The AD Connect Sync Agent is the mechanism that syncs objects (users, devices, etc.) that exist in your Active Directory to Azure AD. It does not matter where it is located. It is a different approach to move to Azure AD (named CLOUD ONLY) or to just disable syncing.

    So you have to carefully design the process.

    Do you want to move to a Cloud only environment? It is NOT the same thing as Azure AD Services!!!

    Do you want Azure Domain Services? It is another Active Directory hosted on Azure; you only need a server to manage the AD, as it is exactly like the Active Directory on premises.

    Please check this link: https://techcommunity.microsoft.com/t5/itops-talk-blog/what-are-the-differences-between-azure-active-directory-and/ba-p/917392

    It will help you make the correct decision!

    In case this was helpful, please mark the answer as Accepted!

    Best regards!


  4. Thameur-BOURBITA 32,501 Reputation points
    2023-02-08T18:40:13.3566667+00:00

    Hi @Rex Li

    What is the best practice to remove this DC and use AAD only?

    Before demoting the last domain controller, check whether any Group Policy Object is still being used to apply settings on member machines.

    If you want to remove the on-premises domain and keep user identities in AAD, you should follow these steps:

    • Disable directory synchronisation as mentioned in the following link: Turn off directory synchronization for Microsoft 365
    • Wait at least 72 hours to be able to manage user Azure AD accounts from the Azure portal
    • Demote the last domain controller and the AD Connect server

    Please don't forget to mark the helpful answer as accepted

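As an added example (not code from any answer in this thread), the following PowerShell script covers the pre-demotion checks from Khurram Rahim's and Thameur-BOURBITA's answers: which GPOs are still linked, whether the tenant and its users are still flagged as directory-synced, and the sync switch-off itself. It assumes the RSAT GroupPolicy module and the Microsoft Graph PowerShell SDK are installed, and it approximates the 72-hour wait from the tenant's last sync timestamp (an assumption; the portal does not expose the exact time sync was turned off).

```powershell
#Requires -Modules GroupPolicy, Microsoft.Graph.Authentication
# Added example, not from the thread. Run from the AD Connect / DC side as a
# domain admin who also holds Global Administrator in the tenant.
param([switch]$DisableSync)

# 1. GPOs still linked (and enabled) anywhere in the domain. Member machines keep
#    applying these until they are unjoined, so list them before demoting.
$linked = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    foreach ($link in $report.GPO.LinksTo) {
        if ($link.Enabled -eq 'true') {
            [pscustomobject]@{ GPO = $gpo.DisplayName; LinkedTo = $link.SOMPath }
        }
    }
}
if ($linked) {
    Write-Warning "GPOs still linked to OUs/domain/sites:"
    $linked | Format-Table -AutoSize
}

# 2. Tenant sync state as Azure AD sees it (organization object in Graph).
Connect-MgGraph -Scopes 'Organization.ReadWrite.All', 'User.Read.All'
$org = Get-MgOrganization
$syncedUsers = Get-MgUser -All -Property UserPrincipalName, OnPremisesSyncEnabled |
    Where-Object OnPremisesSyncEnabled
"Tenant sync enabled : $($org.OnPremisesSyncEnabled)"
"Last sync           : $($org.OnPremisesLastSyncDateTime)"
"Users still synced  : $($syncedUsers.Count)"

# 3. Turn directory sync off only when asked to; this is the step the linked
#    "Turn off directory synchronization" article describes.
if ($DisableSync -and $org.OnPremisesSyncEnabled) {
    Invoke-MgGraphRequest -Method PATCH `
        -Uri "https://graph.microsoft.com/v1.0/organization/$($org.Id)" `
        -Body @{ onPremisesSyncEnabled = $false }
    "Directory sync turned off. Wait at least 72 hours before demoting the DC."
}
elseif ($org.OnPremisesSyncEnabled) {
    "Sync is still on. Uninstall Azure AD Connect, then re-run with -DisableSync."
}
elseif ($org.OnPremisesLastSyncDateTime -gt (Get-Date).AddHours(-72)) {
    # Last-sync time is a lower bound on when sync was switched off (assumption).
    "Sync was active less than 72 hours ago; wait before demoting."
}
else {
    # Last DC in the domain: Uninstall-ADDSDomainController -LastDomainControllerInDomain
    "72 hours elapsed and no synced users remain; safe to demote the DC."
}
```

Re-run without `-DisableSync` after the wait to confirm that `Users still synced` has dropped to zero before demoting.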

  5. Konstantinos Passadis 17,286 Reputation points
    2023-02-09T18:14:54.01+00:00

    Hello @Rex Li !

    Thank you for the information!

    So it is quite clear.

    The steps are also clear and described by @Khurram Rahim.

    You just don't need steps 5 to 7.

    You have to stop AD Connect and uninstall it, then decommission the DC and finally verify that users log in correctly.

    I also suggest implementing Endpoint Configuration (Intune) so you will be able to manage user PCs and devices in general!

    Hope that helped!

    Best regards !