Replace Azure Active Directory Domain Services for on-premise server

  • Question

  • Hi everyone. I have some questions about using Azure ADDS to replace an on-premise server.

    My company has 6 sites, connected by VPN to the Domain Controller in the main office. My manager wants to use Azure ADDS services to replace the DC to make sure of high availability. Is it possible? And what are the pros and cons?

    I have already read and researched about it, but I still have some concerns:

    What cost do I need to pay for a month:

    - Azure Active Directory Domain Services ~$109.50/month/set

    - VPN Gateway type Basic for 6 sites is ~$26.28/month, or $26.28/month for only 1 site.

    - Is that all the costs I have to pay for a month of use? Anything else?

    Migration: Can I migrate current users so they can continue to log in and work without losing their user profiles?

    How can I manage computers in my domain? And can I still use Unifi Radius with Azure ADDS?

    Sorry for my English.

    Thursday, May 14, 2020 1:18 AM

All replies

  • @Thien Lan, thank you for reaching out, and I apologize for the delay in our response here. In case you are planning to move your on-prem environment to the Azure cloud, the best recommended way would be:

    1. Create a VM on Azure and configure this VM as a Domain Controller.
    2. Create either a VPN (Site-To-Site) connection or an ExpressRoute connection between Azure and your on-prem datacenter, so that the VM on Azure configured as a DC can speak to your on-prem DCs and replicate.
    3. Once this setup is done and the DC on Azure is up to date with the on-prem environment, you can remove the on-prem DCs, create more DCs on Azure VMs and distribute them according to your sites.
    4. Once the DCs are set up, you can get the on-prem servers or workstations joined to these DCs by making them reachable over the Site-To-Site VPN or the ExpressRoute, through which they would be able to speak to the DCs on Azure.

    Regarding the steps mentioned above, you can refer to the following article for more info: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain

    This is the recommended way; as for Azure ADDS, we do not recommend joining on-prem workstations to it. Only VMs hosted on Azure are recommended for domain join to Azure AD DS. Also, for Azure AD DS you would first need to sync all your users and other objects like groups, devices etc. to Azure AD, and from Azure AD, Azure ADDS would sync those objects.

    Regarding the pricing of Azure AD DS, you can find the details here and calculate it accordingly.

    For Azure AD DS: https://azure.microsoft.com/en-in/pricing/details/active-directory-ds/

    For VNET Gateways, there needs to be only one VNET Gateway deployed for all 6 sites, as traffic from all 6 sites would converge on one VNET Gateway, and then internally that Gateway would connect to a specific VNET that connects to the DC hosted on the Azure VM or to the Azure AD DS.

    Hence the VPN Gateway cost would be approx. $26.28/month.

    More details can be found here: https://azure.microsoft.com/en-in/pricing/details/vpn-gateway/

    Note: If you are using a single forest in Azure AD DS with a Standard SKU, then your per-month pricing would be somewhere around $109.50/month/set for the 2 DCs provided, which are spread across two availability zones.



    Thursday, June 4, 2020 7:24 AM
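
    Steps 1 to 3 of the reply above, as an added PowerShell example that is not part of the original thread: promote a domain-joined Azure VM to an additional domain controller in the existing domain, then verify that inbound replication from the on-prem DCs has completed before any on-prem DC is retired. The domain name, the AD site name and the data-disk letter are assumptions.

```powershell
# Added example, not from the original thread. Run as a Domain Admin on the
# Azure VM after it has been domain-joined over the Site-to-Site VPN.
# Assumptions: domain corp.example.com, an AD site named "Azure" already
# created for the Azure VNet subnet, and a separate data disk mounted as F:
# (host caching set to None) holding the NTDS database and SYSVOL.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Promote to an additional writable DC and DNS server in the existing domain.
# The DSRM password is prompted for rather than hard-coded in the script.
Install-ADDSDomainController `
    -DomainName "corp.example.com" `
    -Credential (Get-Credential "CORP\Administrator") `
    -SiteName "Azure" `
    -InstallDns `
    -DatabasePath "F:\NTDS" `
    -LogPath "F:\NTDS" `
    -SysvolPath "F:\SYSVOL" `
    -SafeModeAdministratorPassword (Read-Host "DSRM password" -AsSecureString) `
    -Force
# The VM reboots at the end of promotion; run the checks below afterwards.

# Initial replication from on-prem must succeed before any on-prem DC is demoted.
repadmin /replsummary
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Partition * |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult
# LastReplicationResult 0 means the last inbound sync from that partner succeeded.

# Confirm the new DC is advertised for the Azure site, so VNet clients locate it.
nltest /dsgetdc:corp.example.com /site:Azure
```

    Repeat the promotion on each additional Azure VM before demoting the on-prem DCs, and keep the F: disk's host caching disabled so the NTDS database is not served from a write-back cache.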
  • Thank you so much for your kind response.

    Now I don't understand how I can calculate the monthly cost if I use an Azure VM for the Domain Controller and file sharing with NTFS permissions. Could you help me by explaining?

    - First, I would like to create a VM on Azure as a Domain Controller and use this VM to set up File Sharing like the on-prem server. Is it possible? Which costs do I have to pay monthly:

    1) Azure VM B4MS ~ $110 with 1 year reserved

    2) Premium SSD P40 2048GB ~ $260

    3) VPN Gateway VPNGw1 ~ $140. How can I calculate "outbound Inter-VNET data transfers"? Now our file server is approximately 1.3TB, and our users use documents on the file server daily.

     If users open a file of 4MB size, is that 4MB of outbound data calculated?

    4) Do I have to pay an extra cost for the bandwidth of outbound data transfer? Or is it included in the VPN Gateway?

    - Second, is there any latency to open a file in the Azure VM? Does it depend on internet speed or on the VPN Gateway bandwidth?

    - Third, if I want to back up the data files in the Azure VM, can I use Azure Backup, and how much would I need to pay if our file server is 1.3TB?

    @ SouravMishra-MSFT

    Thank you so much for your time.

    Tuesday, June 9, 2020 10:12 AM
  • Active Directory takes advantage of the DNS protocol and the Lightweight Directory Access Protocol (LDAP), alongside Microsoft’s proprietary version of Kerberos.

    Many people ask why AD doesn’t support more protocols, such as SAML and RADIUS. We won’t speculate on their reasoning, but we do believe that a multi-protocol approach is the future of IAM.

    Why is Active Directory called active?
    Our best guess is that AD is called Active Directory because it actively updates information stored in the directory. For example, when an administrator adds or subtracts a user from the organization, Active Directory automatically replicates that change to all of the directory servers. This happens at a regular interval so that the information always remains up-to-date and synchronized.

    Today, this “active” type of behavior is expected in IT systems. But, before the era of computerized directory services, the concept of a directory that kept itself up to date was pretty innovative. Keep in mind that when the Active Directory moniker was coined, physical encyclopedias were still commonly used and the “active” Wikipedia hadn’t yet launched.

    Who uses Active Directory?
    Generally speaking, when an organization leverages Active Directory, every single employee uses Active Directory every day without even knowing it. People use Active Directory when they log in to their work machines and when they access apps, printers, and file shares.

    But the primary users of Active Directory are the admins. These people actually operate, manage, and configure AD. AD admins likely include all of the IT team and may also include members of the security, DevOps, or engineering teams.

    Why does Active Directory matter?
    Whether people realize it or not, Active Directory has been making the business world go ‘round since the turn of the century. AD is in place at almost every large organization. It’s just such a foundational tool (always humming away quietly in the background) that many people who use AD every day don’t even realize what AD is—or that it’s the key to their secure access to their laptop and files.

    Looking for a more in-depth answer? We also have a full blog covering why AD is important.

    Active Directory Terminology
    What are Active Directory objects?
    An object is the generic term for any unit of information stored within Active Directory’s database. Objects can include users, laptops, servers, and even groups of other objects (explained below).

    What are Active Directory groups?
    AD enables admins to manage sets of multiple objects and these sets are known as groups. Using GPOs (group policy objects), an admin can make a change on one group and have that change apply to all objects within that group. They’re often used to segment users or systems by department or clearance.

    The bottom line is that group-based management makes IT administration more efficient.
    Tuesday, June 9, 2020 3:23 PM