Moving on-prem AD DS to AAD DS - migration required?

JRV 546 Reputation points
2020-07-21T20:32:33.213+00:00

Existing AD DS domain, considering moving to AAD DS with the goal of eliminating our own DCs.

What I think I've understood from https://azure.microsoft.com/en-us/services/active-directory-ds/ is that I can't just add AAD DS DCs to my existing AD DS domain & forest, transfer FSMOs and demote the existing DCs...I have to do a domain/forest migration to a new AAD DS domain/forest.

Is that correct?


4 answers

  1. Leon Laude 85,666 Reputation points
    2020-07-21T20:48:06.473+00:00

    Hi,

    If you want to migrate your domain controllers to the cloud to use them for traditional tasks, you could deploy domain controllers in Azure Virtual Machines and replicate via VPN.

    If you would like to extend the reach of your identities to the cloud you can start by synchronizing your Active Directory to Azure AD.

    This post below gives you a pretty rough idea:
    https://jumpcloud.com/blog/can-i-replace-ad-with-azure-ad

    Best regards,
    Leon


  2. Ken Golitin 21 Reputation points
    2020-07-22T00:01:14.707+00:00

    Hi,

    You proceed like this.

    1. Synchronise your on-premises AD with Azure AD with password hash synchronisation.
    2. Create an Azure AD Domain Services managed domain.
    3. Synchronise your Azure AD with the Azure AD Domain Services managed domain.
    4. Users will have to change their password once before they are able to use Azure AD Domain Services, because of the way synchronisation works.

    Check this link:
    https://learn.microsoft.com/en-us/learn/modules/implement-hybrid-identity-windows-server/10-implement-configure-azure-active-directory-domain-services

    "Previously domain-joined VMs or users won't be able to immediately authenticate - Azure AD needs to generate and store the password hashes in the new Azure AD DS managed domain."

    https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance-advanced

    Check the Pricing details:
    https://azure.microsoft.com/en-us/pricing/details/active-directory-ds/

    Please mark this as the answer if it solves your issue.
    Thank you.
    Ken

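    The password change in step 4 is the part that usually needs tracking during the cut-over. As an added example (not from this thread or from Microsoft's documentation), the following PowerShell script uses the Microsoft Graph PowerShell SDK to list synced users whose password has not changed since the managed domain was created, so they still cannot authenticate against it; the creation date is a parameter you supply and is assumed here, not read from Azure.

```powershell
# Added example, not from the thread. Reports on-premises-synced users whose
# password has not changed since the Azure AD DS managed domain was created.
# Azure AD only generates the hashes the managed domain needs when a password
# changes, so these users cannot yet sign in to the managed domain.
# Requires the Microsoft.Graph module and consent for the User.Read.All scope.
# $ManagedDomainCreated is an assumption: pass the date you deployed the domain.
param(
    [Parameter(Mandatory)] [datetime] $ManagedDomainCreated
)

Connect-MgGraph -Scopes "User.Read.All" | Out-Null

# Pull only the properties needed; lastPasswordChangeDateTime is not returned by default.
$users = Get-MgUser -All -Property "userPrincipalName,onPremisesSyncEnabled,lastPasswordChangeDateTime"

$synced  = @($users | Where-Object { $_.OnPremisesSyncEnabled })
$pending = @(
    foreach ($u in $synced) {
        # A null change date means the hash was never rewritten in the cloud either.
        if ($null -eq $u.LastPasswordChangeDateTime -or
            $u.LastPasswordChangeDateTime -lt $ManagedDomainCreated) {
            [pscustomobject]@{
                UserPrincipalName  = $u.UserPrincipalName
                LastPasswordChange = $u.LastPasswordChangeDateTime
            }
        }
    }
)

$pending | Sort-Object UserPrincipalName | Format-Table -AutoSize
"{0} of {1} synced users still need a password change before they can use the managed domain." -f $pending.Count, $synced.Count

Disconnect-MgGraph | Out-Null
```

Run it periodically during the migration window to see how many accounts are still blocked; a user-initiated change on premises is enough, since password hash sync then pushes the new hash to Azure AD and on to the managed domain.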

  3. JRV 546 Reputation points
    2020-07-22T13:41:08.237+00:00

    The process you're referring me to is very much a migration, so you've confirmed the net is that I'd be doing a cross-forest domain migration.

    I understand AAD Sync, which we're doing now, gives me a head start. But I'll have to rebuild Group Policy. I'll have to rebuild ACLs (unless I get SID History with this...although relying on SID History indefinitely is problematic, too) and join all the computers to the new domain. And the password change Ken mentions. Fortunately, no Exchange is involved.

    So the analysis in my original post was correct: "I can't just add AAD DS DCs to my existing AD DS domain & forest, transfer FSMOs and demote the existing DCs...I have to do a domain/forest migration to a new AAD DS domain/forest."

    I've done enough cross-forest domain migrations to know it's expensive and disruptive. The AAD sync head start is even less of a head start than I'd get with ADMT!

    [Edit] I also note with interest that in the screenshot of GPMC in the AAD DS documentation, the Group Policy Modeling node is conspicuous by its absence. That's an essential tool I'd miss. Though, by itself, it is not a dealbreaker.

    But I also realized there's no SID History without ADMT and a Trust, so, yes, I'd have to rebuild ACLs, too.

    I will give them a rough estimate of the $1000s it will cost them to "save money" with AAD DS, and the months of character-building pain and suffering they'll endure to get there. On the plus side, cross-forest domain migrations--WHICH IS EXACTLY WHAT THIS IS--are complex and interesting IT projects I enjoy! But I doubt they'll let me have that much fun when they learn the down side.


  4. JRV 546 Reputation points
    2020-07-21T21:28:14.607+00:00

    Thanks, Leon, but the client is requesting a move to Azure AD Domain Services, and specifically not moving DCs to Azure VMs, which we've already proposed. I need to advise them on the cost ramifications...which will be substantial if a cross-forest domain migration is involved.