2nd DC in the cloud for local and remote users

seven45 used Ask the Experts™
Thanks in Advance!

I have a customer that has a very small environment with 1 Windows server with AD on it (about 10-15 users, most of them remote).
They don't have the funds for a second DC. Currently, I have file-level backups and am using Windows Server Backup for image backups.
I was thinking about this scenario but wanted to run it by the experts to get their thoughts on it. I would like to create an Active Directory server in the cloud that can:
1. sync with the on-prem AD (so we have a copy of Active Directory in the cloud), or
2. sync once a day by firing up the cloud server to allow syncing and then turning it off, to save on cost, in case cost is an issue;
3. have a scenario where the remote users can authenticate and not use cached profiles (besides using VPN).

Question on the above scenario: I'm sure I'm not the first one thinking about this; I wanted to get your thoughts on how you guys are handling it for small businesses.

Probably not a good fit for what you want.

1) Having a VM in the cloud with a site-to-site VPN is not a bad solution for some DR scenarios where having two on-prem servers is prohibitive. But it does NOT REPLACE BACKUPS. There are failures that can take down AD where restoring a backup works, but where replicating DCs replicate the damage. Don't think that spinning up a cloud VM replaces your need for system-state backups. It doesn't.

2) Don't introduce a DC if you plan on having it in a disconnected (powered off) state most of the time. AD was not designed for this and you'll have performance (and other) problems. As mentioned in #1, you'd want a valid site-to-site VPN running.

3) Users would still need a VPN. AD is not a design meant for public internet authentication. While it is secure, it is chatty and is meant for LAN speeds. Newer "cloud friendly" protocols have since evolved (SAML, etc.), which is why Azure AD uses these instead of Kerberos, and why Windows 10 was extended to support native Azure AD sign-in. For traditional AD authentication, you'd still want that over a secure tunnel, full stop.
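The concrete risk behind point #2 is a DC that stays silent long enough to cross the forest's tombstone lifetime, after which it can reintroduce deleted (lingering) objects when it reconnects. The following PowerShell report, an added example and not code from the thread or from either participant, reads the tombstone lifetime from the configuration partition and flags every replication partner whose last successful inbound replication is stale or past that limit; it assumes the ActiveDirectory RSAT module is installed and that the account can query every DC, and the `WarnFraction` threshold is an arbitrary choice.

```powershell
# Added example (not from the original post): report inbound replication lag per DC
# and flag partners that have been silent longer than the forest tombstone lifetime.
# Assumes the ActiveDirectory module (RSAT) and rights to query every DC.
Import-Module ActiveDirectory

function Get-ReplicationLagReport {
    param(
        # Warn once a partner has been silent for this fraction of the tombstone lifetime
        # (0.5 is an arbitrary default chosen for this example)
        [double]$WarnFraction = 0.5
    )
    $rootDse  = Get-ADRootDSE
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)" `
                             -Properties tombstoneLifetime
    # tombstoneLifetime is unset on forests created before Windows Server 2003 SP1; AD then uses 60 days
    $tsl = if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction Stop
        } catch {
            # A DC that cannot be reached (e.g. a powered-off cloud VM) is itself a finding
            [pscustomobject]@{ DC = $dc.HostName; Partner = 'n/a'; Partition = 'n/a'
                               DaysSinceSuccess = $null; Status = "UNREACHABLE: $($_.Exception.Message)" }
            continue
        }
        foreach ($m in $meta) {
            $days   = ((Get-Date) - $m.LastReplicationSuccess).TotalDays
            $status = if ($days -ge $tsl)                          { 'PAST TOMBSTONE LIFETIME' }
                      elseif ($days -ge $tsl * $WarnFraction)      { 'STALE' }
                      elseif ($m.ConsecutiveReplicationFailures -gt 0) { 'FAILING' }
                      else                                         { 'OK' }
            [pscustomobject]@{
                DC               = $dc.HostName
                # Partner is the NTDS Settings DN; the second RDN is the partner server name
                Partner          = (($m.Partner -split ',')[1]) -replace '^CN=', ''
                Partition        = $m.Partition
                DaysSinceSuccess = [math]::Round($days, 1)
                Status           = $status
            }
        }
    }
}

Get-ReplicationLagReport | Sort-Object DaysSinceSuccess -Descending | Format-Table -AutoSize
```

Any row at STALE or worse is the signal to bring the remote DC back online and let it replicate before the limit is crossed; a DC already past the tombstone lifetime should not simply be reconnected without first cleaning up lingering objects.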
