Off-Site AD and Group Policy

Morning all,

I am getting asked more and more about off-site AD and Group Policy.

Customers' on-prem domain controllers are ageing and, with the advent of the cloud, a lot of people are wanting to lease cloud services rather than procure and rely on local services.

Azure AD doesn't seem to do the job with Group Policy, so what other options are there?

Site-to-site VPN between the site and the cloud, with a cloud-based DC? Seems a little janky really.

Are there any solutions or recommendations to pull off what I'm wanting to do?
 
I'm probably behind the curve but I'd run a mile at off-site AD. Azure AD Domain Services (not the same as Azure AD) is what you want to be looking at, but they can pry my local hosts and VMs from my cold, dead hands.
 
> I'm probably behind the curve but I'd run a mile at off-site AD. Azure AD Domain Services (not the same as Azure AD) is what you want to be looking at, but they can pry my local hosts and VMs from my cold, dead hands.

This is it, and I agree completely. If they just needed to be on a domain with no other control then AADS would be a solution; a physical DC on site (even just a MicroServer) plus one in the cloud would be what I would consider too, but they want cloud completely.

Sadly, this is not what people want any more, which is a shame.
 
Just spin up VMs in your cloud and promote them to be a DC, as long as the networking is right you'll be fine.

This. People want cloud, but ask them what it means to them and you will get a different answer from everyone you ask. Migrating from on-prem to cloud requires a whole different mindset to how you achieve things. Of course you can just copy/paste your environment or live in perpetual hybrid, but it's neither cost effective nor what the "cloud" is about, even though it does satisfy most people's understanding of "cloud".

Azure AD and Intune will get there eventually, negating the need for AD/GPO as we know it, but it's not there yet for anything other than very specific use cases in my experience.
 
I have physical DCs onsite and offsite DCs / servers in Amazon.
This is the general solution we try and push for in the office.

We have had customers try AADDS (AD in the cloud with no DC, not to be confused with Azure AD) but it's just too limited and once you reach a certain amount of clients it becomes stupidly expensive and annoying to administer.

So far in the deployments we have done, site-to-site is the best with Azure, as we have never really seen a situation where it's unstable, even with various brands of firewall (SonicWALL, WatchGuard, Barracuda etc.).

For some sites who are moving from workgroups we are trialling AAD and Intune; whilst this is not as mature or feature rich as GPOs and standard AD, it does provide central management (password policy, corporate backgrounds, application install push-out, device management etc.).
 
You will at some point come up against something that needs an Active Directory - wanting to do WPA Enterprise, directory lookups for printers etc. and a real AD is a lot nicer than Azure AD Domain Services. Just make sure you have the same resiliency in place that you'd want if you weren't doing this in the public cloud - e.g. deploy into multiple regions or at least use Availability Sets, have multiple Internet connections and/or private links using ExpressRoute if you're big enough for that.
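For the "spin up a VM in the cloud and promote it" route discussed in this thread, here is an added example (not posted by anyone above) of the pre-flight checks and promotion steps a practitioner would script on the cloud VM, covering the "networking is right" and site/resiliency points raised. The on-prem DC address, domain name, site name and VNet subnet are placeholders.

```powershell
# Added example, not from this thread: promote a cloud VM to an additional DC for an
# existing on-prem domain over a site-to-site VPN. All names/addresses are assumptions.
$OnPremDc    = '10.0.0.10'        # assumed on-prem DC reachable through the S2S tunnel
$DomainName  = 'corp.example'     # assumed existing AD DS domain
$CloudSite   = 'Azure-WestEurope' # assumed name for the new AD site
$CloudSubnet = '10.100.0.0/24'    # assumed address space of the cloud VNet
$HqSite      = 'Default-First-Site-Name'

# 1. Check the tunnel actually passes what AD DS replication and client auth need.
#    A blocked port here surfaces later as a failed promotion or clients picking the wrong DC.
#    Keep the cloud DC's NIC firewalled so these ports are reachable only from on-prem ranges.
$Ports = @{ 53='DNS'; 88='Kerberos'; 135='RPC endpoint mapper'; 389='LDAP'
            445='SMB/SYSVOL'; 464='Kerberos password change'; 636='LDAPS'; 3268='Global Catalog' }
$Blocked = foreach ($p in $Ports.Keys) {
    $r = Test-NetConnection -ComputerName $OnPremDc -Port $p -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { "$p ($($Ports[$p]))" }
}
if ($Blocked) { throw "Blocked over VPN to ${OnPremDc}: $($Blocked -join ', ')" }

# 2. Point DNS at the on-prem DC so the domain can be located during promotion.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $OnPremDc

# 3. Create a site, subnet and site link for the cloud VNet so clients in the cloud use the
#    cloud DC and inter-site replication runs on a schedule instead of per-change notification.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
$Cred = Get-Credential -Message "Domain Admin for $DomainName"
New-ADReplicationSite    -Name $CloudSite -Server $OnPremDc -Credential $Cred
New-ADReplicationSubnet  -Name $CloudSubnet -Site $CloudSite -Server $OnPremDc -Credential $Cred
New-ADReplicationSiteLink -Name "$CloudSite-$HqSite" -SitesIncluded $CloudSite,$HqSite `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -Server $OnPremDc -Credential $Cred

# 4. Promote as an additional DC (DNS + Global Catalog) placed in the cloud site.
Install-ADDSDomainController -DomainName $DomainName -Credential $Cred -SiteName $CloudSite `
    -InstallDns -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) -Force

# 5. After the reboot, confirm replication is healthy before pointing any clients at it.
repadmin /replsummary
```

Repeat step 4 in a second region or availability set if you want the resiliency the last reply asks for; a single cloud DC behind a single tunnel is the "janky" setup the original post was worried about.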
 