Salonge asked:

Migrating on-premise Domain controller to the Cloud

My CIO came to me and suggested we investigate moving our domain controller to the cloud.  His rationale is that we use it for authentication from all of our devices.  We have several sites that have their own internet connection, but we have a VPN connection from each of the sites for authentication.  He thinks that when people log in it slows down our internet, so with that said he wants us to look into it.

I have done some research and everyone says AWS or Microsoft Azure AD Services, but I have no clue where to start.  I also understand that this migration does not take into effect the GPOs which we rely on.  Our domain server houses not only our AD, but our DHCP and DNS.  Can someone point me in the right direction so I can at least start to make some sense out of this project.
Lee W, MVP

First, domain authentication is a VERY LOW impact function.  If you're using Dialup as your internet or old ISDN, then yes, I'd worry it might be impacting you.  If you have ANYTHING modern, then it's impacting your internet speeds about as much as keeping a fully stocked toolbox in your car is affecting your gas mileage.  Meaning yes - it's affecting it - but in a nearly undetectable way.

Second, if you only have ONE DC, this is bad.  Especially if you have a multi-site environment.  You should have a second DC in another site.  Pick one.  Or the cloud could work too.  But keep in mind, cloud costs over time can be MORE EXPENSIVE than on-premises costs. Do the math.  Especially if you plan on implementing other redundancies, such as file server functionality through DFS.  
Salonge (ASKER)

I agree, but he really thinks the cloud is better.  I do too, not for the internet speed, but for maintenance.

So, your question is fairly complicated and has a lot of dependencies. If you rely heavily on Group Policy, Azure AD may not be the way to go. What you could do is set up an Azure VM environment and migrate the DC(s) to that, then set up a site-to-site VPN link to your on-prem systems. This would, however, work exactly as it does today and ultimately increase your costs, since you already have hardware for a DC and are using it (hardware's paid for). Unless that system is about to die, moving to a cloud-based VM doesn't make financial, strategic, or operational sense.

Understand that Azure AD does not support Group Policies. You can manage devices with Intune, but Intune has its own technique for deploying settings and policies. Probably a more effective solution would be Azure AD with hybrid join, which will allow you to monitor and manage devices in the cloud or on-prem as needed. This is probably a good intermediate step, but the cloud service availability may not meet your needs. You can do a lot with an Azure AD Connected environment, but most of the good features (Custom conditional access policies, Risk based automation and response, privileged identity management, etc.) require Azure AD Premium licensing (P1 or P2), which runs 6-9 dollars per user per month on its own, or it can be purchased with the Enterprise Mobility + Security suite.
Salonge (ASKER)

Thank you.  So there is no other way this could be done?  What are your thoughts on AWS?
Is speed the primary deciding factor in this scenario?
Salonge (ASKER)

Yes, speed but mostly maintenance.
I would actually suggest running a POC and testing the speed both with the current setup and also using a remote service like AzureAD.
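The two checks raised in this thread (whether the domain has only one DC and which sites have no local DC, and a baseline measurement of how long the authentication path actually takes before any POC) can be done from any domain-joined workstation. The script below is an added example and is not from any participant; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read the directory.

```powershell
# Added example: DC redundancy inventory plus a logon-path timing baseline.
# Assumes the RSAT ActiveDirectory module and a domain-joined machine.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter *)

"Domain: $($domain.DNSRoot)   Domain controllers: $($dcs.Count)"
# A single DC is a single point of failure for every site's logons.
if ($dcs.Count -lt 2) {
    Write-Warning "Only one domain controller exists: no redundancy."
}
$dcs | Sort-Object Site |
    Format-Table HostName, Site, IPv4Address, IsGlobalCatalog -AutoSize

# Sites with no DC of their own send every logon across the VPN.
foreach ($site in Get-ADReplicationSite -Filter *) {
    if (-not ($dcs | Where-Object { $_.Site -eq $site.Name })) {
        Write-Warning "Site '$($site.Name)' has no local domain controller."
    }
}

# Timing baseline for the POC: DC locator (the first step of a logon),
# then an LDAP bind plus a small query against each DC individually, so an
# on-prem DC and a cloud-hosted DC can be compared from the same client.
$locator = Measure-Command {
    nltest /dsgetdc:$($domain.DNSRoot) /force | Out-Null
}
"DC locator: {0:N0} ms" -f $locator.TotalMilliseconds

foreach ($dc in $dcs) {
    $t = Measure-Command {
        Get-ADUser -Identity $env:USERNAME -Server $dc.HostName | Out-Null
    }
    "{0,-40} bind+query: {1,6:N0} ms" -f $dc.HostName, $t.TotalMilliseconds
}
```

Run it several times from each site, at a busy and a quiet hour, and keep the numbers; a cloud DC reached over a site-to-site VPN can then be compared against the same figures rather than against a feeling that logons are slow.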
ASKER CERTIFIED SOLUTION
Salonge