migrating from on-prem AD to Azure AD - Exchange and other road blocks

Question

Hi all

I've been asked why we can't do away from on-prem AD to just use Azure AD and want to ensure i understand all the Reasons before i go back to my senior managment.

the situation is this we currently have 12 Ad domain controllers in 7 locations.
we have 3000 devices currently co-managed ~(sccm/intune currently) but moving to Intune only in the near future.
150+ servers still on-prem but that number is shrinking.
we are in an exchange hybrid step-up but all mailboxes are in O365 with on-prem exchane no used purely for management.
DNS is provided by AD
we are using ADFS and AADconnect to synchronise the environments currently.

my understanding is that azure AD needs to have a directory service linked to exist (this maybe an old understanding,) but that you can now use an azure AD DS webservice to fill this need.
I'm not sure if the On-prem servers can join that and that research says azure AD direct join isn't supported by servers currently (but that it's coming in the future for new OS versions).
Making the on-prem machines the first road block.

the second I foresee is the hybrid exchange environment. We were advised when we put it in that as long as we have mailboxes from the on-prem environment in O365 we would need to maintain at least one on-prem exchange server and a domain controller to provide full functionality/control of those old mailboxes. (we often had to manage older mailboxes from on-prem as the options are greyed out in O365)
we have approximately 1000 shared mailboxes that existed before the migration so that's a lot of recreation if necessary.

is my understanding correct? is there another road blocks i'm missing?
i'm trying to read up but this is a fast changing area so it's hard to understand.

My current suggestion to the business if to upgrade from our 2012r2 environments to the most up to date versions. as this will help with any future migrations and review from there.

Answer 1

Hello @Michael Groombridge , in your scenario, Azure Active Directory Domain Services cannot be used as a backfill since schema changes need to be done by Exchange. In order to keep on-premises Exchange you will need at least 1 domain controller and 1 exchange server. That being said nothing stops you from hosting them on the cloud as Azure VM's or from doing a cutover migration which is suitable for less than 2,000 mailboxes. Although end of life for support is expected to arrive on Oct 13, 2026, upgrading Windows Server 2012R2 is always a good idea.

Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it and complete the quality survey so that others in the community with similar questions can more easily find a rated solution.

Answer 2

Hello @Michael Groombridge

Thank you for bringing this out here.

I would not deny that this is time consuming task which requires enough planning. Besides that, just thinking of which decision making is the accurate choice for this case scenario.

I want to provide some humble observations on this... Since it is related to Hybrid environment or Cloud based only needs so, let me paste this great info below:

This picture below is just for Cloud only environment.

Having said that, you can start using Azure AD connect or AD Join and also, LDAP/Kerberos as well. The following articles below can give you more insights on how to get this going properly.

https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad

https://learn.microsoft.com/en-us/exchange/plan-and-deploy/virtualization?view=exchserver-2016 >> Migration Exchange server doc

Hoping this was in some way useful for you.

Looking forward to your feedback,

Best Regards,

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.