Active Directory Migration Services RRS feed

  • Question

  • Hey Everyone i am looking for information on Active Directory Migration Services. I have a client with 100 users which are breaking off into 2 different companies. They are currently using 1 domain controller. So i was thinking of migrating our client roughly 50 users to AADDS. Can i use Active Directory Migration Services to move the users AADDS and will it also switch the desktop domain and profiles like ADMT could do. 

    The client also has one server which is for an applicaiton which requires ldap can i connect the application server to the ldap in AADDS?

    thanks in advance

    Thursday, October 10, 2019 1:25 PM

All replies

  • Hello ageless40

    No You cannot migrate the users from an on-premise domain to AAD domain services. AAD domain services is not designed to be similar to on-premise active directory . AAD DS was created solely to provide Kerberos and NTLM support for LOB applications(which cant use modern auth protocols like oauth) which could use life and shift using direct movement to azure without any changes. For example by virtualizing the machine to a VM where application server was running and moving to the cloud to run this as a Azure VM with a proper Traditional auth protocol support. Users from on-premise have to be synced to Azure AD first and from there you need to activate AAD domain services instance after which the users will get synced from Azure AD to AAD DS. AAD DS is a managed domain environment which means you will not have direct access to the domain controllers and you can not add any new domain controller. No changes to the configuration partition and limited changes to domain partition are possible so creating a trust for ADMT operation is not possible . 

    No,  the switching of Desktop domain and profiles with ADMT/USMT do not apply here. What you are trying to do is technically not possible by design. 

    If your client is ready to move to a completely cloud environment where they have all SaaS solutions available in azure marketplace which they use and run windows 10 for client machines for all their users where users can work remotely from anywhere then they can join all the windows 10 directly to Azure AD . Since they are 50 users we are talking about these can be easily created in Azure AD. If you have older windows clients then you may need to upgrade it to Windows 10 for the proposed solution to work. Also I am assuming that the client does have Office365 licenses. 

    The users can logon to their windows 10 clients with AAD credentials AD using AzureAD\<> once the machines are Azure AD joined. The group policy functionality to control management of the client mahcines will be lost but similar capabilities can be added by using Intune for device management and Azure RMS for data security .

    Hope this clarifies your query and possibly provides an alternate solution. Please let us know in case you have any further queries. In case the details provided in this post are helpful , please do mark it as answer so that it is helpful to other members searching for similar answers. 

    Thank you. 

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!!

    Thursday, October 10, 2019 9:20 PM
  • Thank you very much for the info. My Client has one physical server that needs to remain on premise it doesn't need to be domain joined but it needs ldap. would i be able to just open up the ports and use AADDS ldap?


    Friday, October 11, 2019 12:00 PM