Cloud based Domain

Peerzy

Peerzy

Peerzy

Soldato
Joined
9 Nov 2008
Posts
7,122
Hello all,

Just wanted to see if anybody else has come across a situation I'm being asked to look into.

A very small company (currently 10-15 staff using a wide range of standalone devices) have asked me to setup a Domain for them (which I have no problem doing) but they've absolutely insisted it must be 100% 'in the Cloud'. They have a bit of IT experience within the company so this is driving it, if I can't 'Cloud' the solution they'll go elsewhere.

They want a hosted DC (with all the benefits of an on prem solution - so network shares etc...). This would likely be an Azure based VM running Server 2016.

To complicate things slightly these resources (mainly network shares, but eventually AD accounts and other bits and pieces) need to be shared with 7 other sites (different physical locations and LANs). Each site has it's own different on prem DC and domain with varying setups. The company has agreements with these sites to allow me whatever access I require so with my 'on prem' hat on I had considered setting up trusts between each site and the Azure based DC (over newly created VPN links).

I've already gone through the list of reasons why I don't feel they should put everything into the Cloud but they are dead set on it so with this in mind have any of you done similar? Do you have any advice or can see anything that jumps out as being difficult / impossible?

I've been using the below Microsoft link to base my plan on;

https://blogs.technet.microsoft.com...1-days-of-servers-in-the-cloud-part-20-of-31/

Edit: the company are based at one of the 7 sites so currently the server from that site (which I setup) is providing DNS and DHCP (and can continue to do so).

Any potential tie ins to Office365 would also be welcomed as they'll be eventually moving all sites over to this for email.
 
nightmare99 said:
Can you not just move the lot of it over to Office 365 and AzureAD? That may remove a lot of the over complication if it meets their needs.
Click to expand...

From my (limited) understanding of AzureAD it's not going to give me what is required. I need to be able to use group policy to manage the users and PCs. They want traditional Windows Server features as there won't be anyone from IT Support on site to help the users (who are very basic, office admin type people).

It's also going to have to link in with the existing 7 domains to allow users on those systems access to resources.

Finally for legal reasons the solution must be hosted within the UK (due to GDPR and the data they will be working on) and AzureAD cannot currently be run out of UK South or UK West. Although I guess Azure AD could be hosted in another DC providing all the data is hosted within the UK.
 
I'd be interested in any opinions on this too, as more and more people are bringing up the same subject thinking they can go all-cloud just as you say. AzureAD is nowhere near the equivalent of full AD, it's suitable only in certain cases imho, and in those cases it works well to be fair. The suggestion of the Azure-based VM running AD in the OP's link is provided as an extension of the on-prem AD, not a replacement - if the only DC was in Azure, how would login speeds and general DNS queries be. If there's any sort of file sharing from an Azure-based VM, how could that work over an everyday FTTC connection with the latencies that carries.
 
There's something called a "hybrid Azure AD" join which may achieve what you need, in so far as it appears to continue to support group policy etc; https://docs.microsoft.com/en-us/az...anagement-hybrid-azuread-joined-devices-setup

I haven't tried it myself, however, so I have no idea how well it works.

There's also "Azure Active Directory Domain Services" which is a hosted AD DS; https://azure.microsoft.com/en-gb/services/active-directory-ds/ but again, I haven't actually used it myself, so I don't know how it compares to a hybrid Azure AD join.

Personally, it sounds like a massive ballache and I would look to fob it off onto someone else to do :D
 
It should be doable, but you'd need a decent pipe between their site and azure, which if they are a small company could be a problem. I'd probably suggest a backup line for resilience too.
 
Last edited:
I wouldn't bother. Get the users EM+S licenses and have them use Windows 10 Pro machines joined to Azure AD. Manage the endpoints via Intune.
 
Caged said:
I wouldn't bother. Get the users EM+S licenses and have them use Windows 10 Pro machines joined to Azure AD. Manage the endpoints via Intune.
Click to expand...
^ This 100% !! - If they can get the Enterprise Upgrade to get the full features of EMS +Intune..

Rob
 
This definitely sounds like EM+S E3 + O365 E3 territory. AAD Join the Win 10 devices and then manage them with InTune to enforce conditional access policies/security requirements while delivering apps via Windows Store for Business.

Provide "Shares" via O365 Group/MS Team/SharePoint Online synchronised using the OneDrive for Business client.

We're looking at moving this way for 75k users/devices and currently have a PoC with 100 users running and working quite well with this model :)
 
York said:
Provide "Shares" via O365 Group/MS Team/SharePoint Online synchronised using the OneDrive for Business client.
Click to expand...
Just out of curiousity, what do you do for shares that contain hundreds of gigabytes of data? It was the main reason we abandoned our plans for migrating our file servers up into O365/SharePoint Online, as Microsoft have actively discouraged mapping O365/SP libraries as drives, and we can't have all of our clients syncronisng all of this data back and forth with the cloud.
 
You must log in or register to reply here.
Back
Top Bottom