Azure/AWS Windows domain controller for external on-prem workstations?

I have a company that has about 50 users; they all log in locally with a local account to Windows 10 workstations.

There is not any infrastructure except the workstations in this company.

They are interested in a domain controller and want to have it in AWS or Azure with nothing else on the site, as they would be using a FULL VM with a DC in Azure or AWS.

Is this a good idea? Are there latency issues? Or if the link goes down to AWS or Azure, will they be able to log in?
A.) You will need a VPN between the prem and AWS.
B.) How is DNS configured on prem now? Because DNS is everything with AD.
C.) If the VPN goes down the creds would be cached on the machine, just like if you leave with your laptop your creds still work.
D.) Why do you want this DC in the cloud? Just get 2 crappy PCs for 2 DCs.
E.) Latency will depend on what region you chose, and it shouldn't be an issue.
If you have a site-to-site VPN, DNS configuration would not be an issue because it is as good as a DC in the same network (remote location - AWS), and in that case clients should be configured with the DC server IPs as their preferred DNS.
If the VPN tunnel is down, clients can still log on to the workstation with cached credentials as long as they have successfully logged on to the domain at least once while the DCs were online.
I have assumed that you don't need any application which needs DC/GC connectivity; there you might face latency issues.
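The two answers above boil down to three things a workstation needs before the cloud DC design is safe to rely on: its resolvers must point at the DCs (not at a public resolver), cached logons must be enabled so people can still sign in when the tunnel is down, and the DC's Kerberos and LDAP ports must actually answer across the VPN. The following PowerShell check is an added example, not code from the thread or from any of the commenters; it assumes the DCs sit at 10.10.0.10 and 10.10.0.11 (constructed placeholder addresses) and that it runs elevated on a domain-joined Windows 10 client.

```powershell
# Added example: pre-flight check for a workstation that authenticates to DCs across a VPN.
# Assumes constructed DC addresses; replace with the real DC IPs.
$DcAddresses = @('10.10.0.10', '10.10.0.11')

# 1. DNS: every active IPv4 adapter should list only the DCs as resolvers.
#    A public resolver first in the list breaks the SRV lookups
#    (_ldap._tcp.dc._msdcs.<domain>) that domain logon depends on.
$dnsProblems = @()
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $foreign = $_.ServerAddresses | Where-Object { $_ -notin $DcAddresses }
        if ($foreign) {
            $dnsProblems += "$($_.InterfaceAlias): non-DC resolver(s) $($foreign -join ', ')"
        }
    }

# 2. Offline logon: CachedLogonsCount (default 10) must be greater than 0, otherwise
#    nobody can sign in while the tunnel is down. The GPO setting
#    "Interactive logon: Number of previous logons to cache" writes this REG_SZ value.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if (-not $cached) { $cached = '10' }   # value absent means the Windows default applies

# 3. Reachability: do Kerberos (88) and LDAP (389) on each DC answer through the VPN?
$ports = @{ Kerberos = 88; LDAP = 389 }
$reach = foreach ($dc in $DcAddresses) {
    foreach ($p in $ports.GetEnumerator()) {
        $t = Test-NetConnection -ComputerName $dc -Port $p.Value -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Service = $p.Key; Port = $p.Value; Open = $t.TcpTestSucceeded }
    }
}

# Report
if ($dnsProblems) { $dnsProblems | ForEach-Object { Write-Warning $_ } }
else { 'DNS: only DC resolvers configured' }
$offline = if ([int]$cached -gt 0) { '(offline logon possible)' } else { '(offline logon DISABLED)' }
"CachedLogonsCount: $cached $offline"
$reach | Format-Table -AutoSize

# Which DC the locator currently picks; a failure here means the SRV records
# are not resolvable from this client, regardless of whether the ports are open.
nltest /dsgetdc:$env:USERDNSDOMAIN /force
```

Run it once with the tunnel up and once with it deliberately down: the port checks should fail in the second run while `CachedLogonsCount` still reports a non-zero value, which is exactly the state the commenters describe when they say a previously signed-in user can still log on.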
Adelaido Jimenez (DevOps) commented:
We've set up two domain controllers in AWS with a VPN connection to our corporate location and it's been working just fine. Like Mahesh and dmcguriman said, the credentials get cached, so logging in shouldn't be an issue if they've signed in to the workstation at least once while connected to the domain.
Jesse Bruffett (M&F-ing Sorcerer) commented:
If you have O365, and if you don't you probably should, use Azure AD. It's packed into O365, and unless you need a lot of security settings, it's great for basic user/machine authentication. It will be simpler and most likely much cheaper than spinning up true DCs in the cloud, plus no VPNs or anything else to worry about.
Prabhin MP (Engineer-TechOPS) commented:
I have got the perfect answer for you, because for the past month I'm also researching this to acquire the same infra.
If you are deploying the DC as a service in Azure/AWS then you will face a few glitches:
0. VPN connection required for joining the AD server.
1. AWS/Azure doesn't provide access to the server, as it is a managed service.
2. Bigger GPOs will not work.
3. Changing the schema is not possible.
4. No storage specifications.

On the other hand, if you are going for a VM-based DC then these are the problems:
1. VPN connection required for joining the domain.
2. In your office all the DNS requests will be forwarded to the DC VM via VPN, which will reduce the browsing speed; in other words it will increase the latency.
3. If you want to push policy to users who are out of the office then you need a VPN connection to the office firewall -> VPN AWS, where routing may be difficult.

If the link goes down you can use the previous password, which will be cached.

Hope you got a clear idea.
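Point 2 of the VM-based list is measurable rather than a matter of opinion: with the DC as the only resolver, every external lookup travels the tunnel to the DC, which then forwards upstream. The snippet below is an added example, not Prabhin's or the thread's own code; it assumes a constructed DC address of 10.10.0.10 and an ISP resolver of 192.0.2.53 (a documentation-range placeholder), and compares the time a cold lookup takes through each path from an office workstation. The second half, meant to be run on the DC itself (DnsServer module from the DNS Server role), shows the mitigation: explicit forwarders so the DC answers recursive queries itself and caches the results, instead of walking root hints over a cloud egress path.

```powershell
# Added example: quantify DNS latency added by resolving through a VPN-hosted DC,
# then configure the DC-side forwarders that keep repeat lookups fast.
$Dc          = '10.10.0.10'   # constructed placeholder for the cloud DC
$IspResolver = '192.0.2.53'   # constructed placeholder for the local ISP resolver
$Names       = 'www.microsoft.com', 'login.microsoftonline.com', 'update.microsoft.com'

function Measure-Lookup {
    param([string]$Server, [string]$Name)
    # Resolve-DnsName does not ask the local cache when -Server is given,
    # so each call exercises the path to that resolver.
    $ms = (Measure-Command {
        Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction SilentlyContinue | Out-Null
    }).TotalMilliseconds
    [pscustomobject]@{ Name = $Name; Server = $Server; Milliseconds = [math]::Round($ms, 1) }
}

# --- Client side: first lookup (cold) and second lookup (served from the DC's cache) ---
$results = foreach ($n in $Names) {
    Measure-Lookup -Server $IspResolver -Name $n
    Measure-Lookup -Server $Dc          -Name $n   # cold: tunnel + DC recursion
    Measure-Lookup -Server $Dc          -Name $n   # warm: tunnel + DC cache hit
}
$results | Format-Table -AutoSize

# --- DC side (run on the DC, DNS Server role installed) ---
# Forward to fixed upstream resolvers instead of root hints; the DC caches answers
# for their TTL, so the office only pays the tunnel round-trip, not full recursion.
if (Get-Command Set-DnsServerForwarder -ErrorAction SilentlyContinue) {
    Set-DnsServerForwarder -IPAddress 1.1.1.1, 8.8.8.8 -UseRootHint $false -Timeout 3
    Get-DnsServerForwarder
}
```

The "warm" row is the realistic steady-state cost for a 50-seat office, because the DC's cache serves the second and later requests for the same name. If the cold figure through the DC is several times the ISP figure, that is the tunnel round-trip plus recursion from the cloud region, and the forwarder configuration is the cheapest place to claw it back.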
NAMEWITHELD12 (Author) commented:
Do I need a VPN connection if I use Azure Active Directory?
NAMEWITHELD12 (Author) commented:
Thanks for all the help on this.

My recommendation for this might be to have a local "server" that is really a desktop-class PC with tons of RAM and stuff.

I don't want to slow down logins, and they can use this for other future things like maybe a print server etc.
Prabhin MP (Engineer-TechOPS) commented:
If you are going away from an on-premises installation you always need a VPN connection to join the domain.

Hope all this information is helpful for your initial setup of infra.
You don't need tons of RAM.
For 50 machines you can survive with 2 cores and 4 GB even; max 4 cores with 8 GB.
An on-premise DC is always welcome and the best option.
Otherwise, setting up a site-to-site VPN is a one-time task; there is nothing to panic about.
Once set up, clients don't even come to know that they are connected through VPN; there are companies who operate remote locations over site-to-site VPN for years.

NAMEWITHELD12 (Author) commented:
Did a pair of LOCAL domain controllers.