2nd DC in the cloud for local and remote users

Thanks in Advance!

I have a customer that has a very small environment with 1 Windows server with AD on it (about 10-15 users, and most of them remote).
They don't have the funds for a second DC. Currently I have file-level backups and am using Windows Server Backup for image backups.
I was thinking about this scenario but wanted to run it by the experts to get their thoughts on it. I would like to create an Active Directory server in the cloud that can:
1. Sync with the on-prem AD (so we have a copy of Active Directory in the cloud), or
2. Sync once a day, firing up the cloud server to allow syncing and then turning it off, to save on cost, in case cost is an issue.
3. Have a scenario where the remote users can authenticate and not use cached profiles (besides using VPN).

Question on the above scenario: I'm sure I'm not the first one thinking about this scenario. I wanted to get your thoughts on how you guys are handling it for small businesses.

Cliff Galiher commented:
Probably not a good fit for what you want.

1) Having a VM in the cloud with a site-to-site VPN is not a bad solution for some DR scenarios where having two on-prem servers is prohibitive. But it does NOT REPLACE BACKUPS. There are failures that can take down AD where restoring a backup works, but where replicating DCs replicate the damage. Don't think that spinning up a cloud VM replaces your need for system-state backups. It doesn't.

2) Don't introduce a DC if you plan on having it in a disconnected (powered off) state most of the time. AD was not designed for this and you'll have performance (and other) problems. As mentioned in #1, you'd want a valid site-to-site VPN running.

3) Users would still need a VPN. AD is not a design meant for public internet authentication. While it is secure, it is chatty and is meant for LAN speeds. Newer "cloud friendly" protocols have since evolved (SAML, etc.), which is why Azure AD uses these instead of Kerberos, and why Windows 10 was extended to support native Azure AD sign-in. For traditional AD authentication, you'd still want that over a secure tunnel, full stop.
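
The two operational points in the answer above (a second DC does not replace system-state backups, and a DC that sits powered off can fall out of replication) can be turned into a routine check. The script below is an added example, not code from the original thread or from Cliff Galiher. It assumes it is run elevated on the on-prem DC with the ActiveDirectory RSAT module and the Windows Server Backup feature installed; the backup volume (E:) and the 7-day warning threshold are assumptions. It reads the forest tombstone lifetime, compares every replication partner's last successful inbound replication against it (a DC disconnected longer than the tombstone lifetime must not simply be reconnected), and then takes a system-state backup regardless of the replication result, since a damaging change replicates to every DC and only a backup gets you back.

```powershell
# Added example (not from the original post). Run elevated on a DC.
# Assumptions: ActiveDirectory RSAT module and Windows Server Backup installed;
# E: is a dedicated backup volume; 7 days is the warning threshold.
param(
    [string]$BackupTarget = 'E:',   # assumed backup volume (not the system drive)
    [int]$WarnAfterDays   = 7       # assumed: warn if a partner has not replicated in a week
)

Import-Module ActiveDirectory -ErrorAction Stop

# Forest tombstone lifetime: a DC disconnected longer than this cannot safely replicate again.
$rootDse  = Get-ADRootDSE
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                         -Properties tombstoneLifetime
# The attribute is absent on forests created before Windows Server 2003 SP1; the default there is 60 days.
$tombstoneDays = if ($dsObject.tombstoneLifetime) { $dsObject.tombstoneLifetime } else { 60 }
Write-Host "Tombstone lifetime: $tombstoneDays days"

$problems = 0
foreach ($dc in Get-ADDomainController -Filter *) {
    $partners = Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue
    if (-not $partners) {
        Write-Warning "$($dc.HostName): no inbound replication partners (single DC, or DC unreachable)"
        continue
    }
    foreach ($p in $partners) {
        $age = (Get-Date) - $p.LastReplicationSuccess
        # Partner is the DN of the source DC's NTDS Settings object; the second RDN is the server name.
        $partnerName = ($p.Partner -split ',')[1] -replace '^CN='
        $msg = "{0} <- {1}: last success {2:yyyy-MM-dd HH:mm} ({3} days ago), consecutive failures: {4}" -f `
               $dc.HostName, $partnerName, $p.LastReplicationSuccess, [int]$age.TotalDays, $p.ConsecutiveReplicationFailures
        if ($age.TotalDays -ge $tombstoneDays) {
            Write-Error "$msg -- beyond tombstone lifetime; do not reconnect this DC, demote and re-promote it"
            $problems++
        } elseif ($age.TotalDays -ge $WarnAfterDays -or $p.ConsecutiveReplicationFailures -gt 0) {
            Write-Warning $msg
            $problems++
        } else {
            Write-Host $msg
        }
    }
}

# Replication health is not a backup: a bad change replicates everywhere, so always take
# a system-state backup (AD database, SYSVOL, registry) that can be restored authoritatively.
$result = & wbadmin start systemstatebackup "-backupTarget:$BackupTarget" -quiet 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "System-state backup failed (exit $LASTEXITCODE):`n$result"
    exit 1
}
Write-Host "System-state backup to $BackupTarget completed"
exit $problems
```

Schedule it daily with Task Scheduler and alert on a non-zero exit code. If you do add a cloud DC over a site-to-site VPN, the check will show that partner's last successful replication; if that DC is ever left off for anything approaching the tombstone lifetime, the right move is to demote it and re-promote a fresh one rather than reconnect it.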
