• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 99

Azure/AWS Windows domain controller for external on-prem workstations?

I have a company that has about 50 users; they all log in locally with a local account to Windows 10 workstations.

There is no infrastructure except the workstations in this company.

They are interested in a domain controller, and would have it in AWS or Azure with nothing else on site, as they would be using a FULL VM with a DC in Azure or AWS.

Is this a good idea? Are there latency issues? And if the link to AWS or Azure goes down, will they be able to log in?
Asked: NAMEWITHELD12

7 Solutions
 
dmcguriman commented:
A.) You will need a VPN between the prem and AWS.
B.) How is DNS configured on prem now? Because DNS is everything with AD.
C.) If the VPN goes down the creds would be cached on the machine, just like if you leave with your laptop your creds still work.
D.) Why do you want this DC in the cloud? Just get 2 crappy PCs for 2 DCs.
E.) Latency will depend on what region you choose and it shouldn't be an issue.
 
Mahesh (Architect) commented:
If you have a site-to-site VPN, DNS configuration would not be an issue because it is as good as a DC in the same network (remote location - AWS), and in that case clients should be configured with the DC server IPs as their preferred DNS.
If the VPN tunnel is down, clients can still log on to the workstation with cached credentials as long as they have successfully logged on to the domain at least once while the DCs were online.
I have assumed that you don't need any application which needs DC/GC connectivity; there you might face latency issues.
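The answers above hinge on three things being true on each workstation before the cloud DC goes live: DNS points at the DCs (not the ISP/router), cached logons are enabled so people can still sign in when the tunnel is down, and the DC ports are actually reachable over the VPN with acceptable round-trip time. The following PowerShell pre-flight check is an added example, not code from the thread or from any of the posters; the domain name and DC addresses are placeholders you would replace with your own.

```powershell
# Added example (not from the thread): pre-flight check for a workstation that will
# authenticate to a DC reachable only over a site-to-site VPN. Run in an elevated
# PowerShell session on the workstation.
# Assumed values - replace with your own:
$DomainFqdn = 'corp.example.com'               # placeholder domain name
$DcIPs      = @('10.100.0.10', '10.100.0.11')  # placeholder DC addresses in the cloud VNet/VPC

$result = [ordered]@{}

# 1. DNS: every adapter that has DNS servers should list only the DCs. A client that
#    still uses the router/ISP resolver cannot find the domain (SRV records) at all.
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
       Where-Object { $_.ServerAddresses.Count -gt 0 }
$wrongDns = $dns | Where-Object {
    ($_.ServerAddresses | Where-Object { $_ -notin $DcIPs }).Count -gt 0
}
$result.DnsPointsOnlyAtDCs = ($wrongDns.Count -eq 0)
$result.AdaptersWithOtherDns = ($wrongDns | ForEach-Object { $_.InterfaceAlias }) -join ', '

# 2. Cached logons: policy "Interactive logon: Number of previous logons to cache".
#    Windows default is 10; a hardening baseline that sets it to 0 means nobody can
#    log on while the VPN is down, which is exactly the failure mode asked about.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # value absent -> Windows default applies
$result.CachedLogonsCount   = [int]$cached
$result.OfflineLogonPossible = ([int]$cached -gt 0)

# 3. Reachability and latency over the tunnel: Kerberos (TCP 88) and LDAP (TCP 389)
#    per DC, plus ICMP round-trip time as a rough latency figure for logon traffic.
foreach ($ip in $DcIPs) {
    $ping = Test-NetConnection -ComputerName $ip -WarningAction SilentlyContinue
    $krb  = Test-NetConnection -ComputerName $ip -Port 88  -WarningAction SilentlyContinue
    $ldap = Test-NetConnection -ComputerName $ip -Port 389 -WarningAction SilentlyContinue
    $result["DC $ip"] = [pscustomobject]@{
        RttMs    = if ($ping.PingSucceeded) { $ping.PingReplyDetails.RoundtripTime } else { $null }
        Kerberos = $krb.TcpTestSucceeded
        Ldap     = $ldap.TcpTestSucceeded
    }
}

# 4. Secure channel: only meaningful once the machine has been joined to $DomainFqdn.
try {
    $result.SecureChannelOk = Test-ComputerSecureChannel -ErrorAction Stop
} catch {
    $result.SecureChannelOk = "not domain-joined or DC unreachable: $($_.Exception.Message)"
}

[pscustomobject]$result | Format-List
```

If `DnsPointsOnlyAtDCs` is false, fix the DHCP scope (or the static adapter settings) before joining machines; if `OfflineLogonPossible` is false, the VPN has become a single point of failure for every logon, which is the situation the thread warns about.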
 
Adelaido Jimenez (DevOps) commented:
We've set up two domain controllers in AWS with a VPN connection to our corporate location and it's been working just fine. Like Mahesh and dmcguriman said, the credentials get cached, so logging in shouldn't be an issue if they've signed in to the workstation at least once while connected to the domain.
 
Jesse Bruffett (M&F-ing Sorcerer) commented:
If you have O365 (and if you don't, you probably should), use Azure AD. It's packed into O365, and unless you need a lot of security settings, it's great for basic user/machine authentication. It will be simpler and most likely much cheaper than spinning up true DCs in the cloud, plus no VPNs or anything else to worry about.
 
Prabhin MP (Engineer-TechOPS) commented:
Hi,
I have got the perfect answer for you, because for the past month I have also been researching this to acquire the same infra.
If you are deploying the DC as a service in Azure/AWS then you will face a few glitches:
0. VPN connection required for joining the AD server.
1. AWS/Azure doesn't provide access to the server as it is a managed service.
2. Bigger GPOs will not work.
3. Changing the schema is not possible.
4. No storage specifications.

On the other hand, if you are going for a VM-based DC then these are the problems:
1. VPN connection required for joining the domain.
2. In your office all the DNS requests will be forwarded to the DC VM via VPN, which will reduce the browsing speed; in other words it will increase the latency.
3. If you want to push policy to users who are out of the office then you need a VPN connection to the office firewall -> VPN AWS, where routing may be difficult.

If the link goes down you can use the previous password, as the password will be cached.

Hope you got a clear idea.
 
NAMEWITHELD12 (Author) commented:
Do I need a VPN connection if I use Azure Active Directory?
 
NAMEWITHELD12 (Author) commented:
Thanks for all the help on this.

My recommendation for this might be to have a local "server" that is really a desktop-class PC with tons of RAM and stuff.

I don't want to slow down logins, and they can use this for other future things like maybe a print server etc.
 
Prabhin MP (Engineer-TechOPS) commented:
Hi,
If you are going with anything other than an on-premises installation, you always need a VPN connection to join the domain.

Hope all this information is helpful for your initial setup of infra.
 
Mahesh (Architect) commented:
You don't need tons of RAM.
For 50 machines you can survive with 2 cores and 4 GB even; max 4 cores with 8 GB.
An on-premise DC is always welcome and the best option.
Otherwise, setting up a site-to-site VPN is a one-time task; there is nothing to panic about.
Once set up, clients don't even come to know that they are connected through VPN; there are companies who have operated remote locations over site-to-site VPN for years.
 
NAMEWITHELD12 (Author) commented:
Did a pair of LOCAL domain controllers.