Question

DBell78 on Thu, 15 Sep 2016 16:28:08


We wish to have a cloud-only domain, as most of our employees work from home. We want the computers/laptops to authenticate to a cloud-only Domain Controller.

Currently, we do have an on-premises domain controller for the 6 office employees we have, but we desire to fully decommission it and use only the cloud Domain Controller.

Is this possible?  If so, how?

Thank you for any and all assistance & guidance.



Replies

Sakthis Kumar on Thu, 15 Sep 2016 17:25:32


Hi, it is possible to implement. Below is a rough, high-level list of the things that you need to do:

Server End 

- Create virtual machine/s for hosting the cloud domain controller role. If you plan to remove all your on-prem DCs, it is better to have 2 virtual machines configured as DCs.

- Create IPsec Site to Site VPN connection from Azure Virtual Network to on-prem network (https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-howto-site-to-site-resource-manager-portal)

- Promote the virtual machine as domain controller for existing Active Directory (https://azure.microsoft.com/en-us/documentation/articles/active-directory-install-replica-active-directory-domain-controller)

- Configure Point-to-Site VPN in Azure so your users can connect from home (https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpngateways). Please note that there are some minor changes in the way you configure this in the Azure Portal.

Now the Azure infrastructure is in place to achieve the objectives you mentioned.

Client End 

Step 1: Force "Ctrl+Alt+Del".
1. Open Local Security Policy (or the policy that gets applied to your users), and go to Security Settings --> Local Policies --> Security Options --> Interactive logon: Do not require CTRL+ALT+DEL.
2. Set this policy to Disabled, which will force the use of "Ctrl+Alt+Del".

Step 2: Create VPN connection
Note: check “Allow other people to use this connection” option.

Once completed, you will see the "Network Sign-in" option on the user logon screen.

Once you have all the users using the Point-to-Site VPN, you can decommission the existing DC.

Hope this helps
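The two client-side settings from the reply above, expressed as an added PowerShell example that is not part of the thread: it audits whether Ctrl+Alt+Del is enforced (the DisableCAD policy value) and whether a per-machine VPN entry exists, and applies both if needed. The connection name, server address, tunnel type and authentication method are placeholders; take the real values from the VPN gateway's own client configuration.

```powershell
# Added example, not from the thread. Run in an elevated session.
# Audits and applies the prerequisites for pre-logon "Network Sign-in".
$SystemPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$VpnName         = 'Azure-P2S'               # assumed connection name
$VpnServer       = 'gateway.example.invalid' # placeholder; from the gateway config

function Test-NetworkSignInPrereqs {
    # DisableCAD = 0 is the registry form of the policy
    # "Interactive logon: Do not require CTRL+ALT+DEL" set to Disabled,
    # i.e. the secure attention sequence is still required at logon.
    $cad   = Get-ItemProperty -Path $SystemPolicyKey -Name DisableCAD -ErrorAction SilentlyContinue
    $cadOk = ($null -ne $cad) -and ($cad.DisableCAD -eq 0)

    # Only a per-machine (all-user) VPN entry is offered on the logon screen;
    # entries created in a single user's profile are not.
    $vpn   = Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue
    $vpnOk = $null -ne $vpn

    [pscustomobject]@{
        CtrlAltDelRequired = $cadOk
        AllUserVpnPresent  = $vpnOk
        Ready              = ($cadOk -and $vpnOk)
    }
}

function Set-NetworkSignInPrereqs {
    if (-not (Test-Path $SystemPolicyKey)) {
        New-Item -Path $SystemPolicyKey -Force | Out-Null
    }
    # Equivalent of setting the policy to Disabled in Local Security Policy.
    Set-ItemProperty -Path $SystemPolicyKey -Name DisableCAD -Value 0 -Type DWord

    if (-not (Get-VpnConnection -Name $VpnName -AllUserConnection -ErrorAction SilentlyContinue)) {
        # -AllUserConnection is the PowerShell equivalent of ticking
        # "Allow other people to use this connection" in the wizard.
        # Tunnel type and auth method are assumptions; match your gateway.
        Add-VpnConnection -Name $VpnName -ServerAddress $VpnServer `
            -TunnelType Ikev2 -AuthenticationMethod MachineCertificate `
            -AllUserConnection
    }
}

Set-NetworkSignInPrereqs
Test-NetworkSignInPrereqs
```

Run the audit function on its own first to see the current state before applying changes; a Ready value of False with CtrlAltDelRequired False means the policy is still letting the logon screen skip the secure attention sequence.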

DBell78 on Thu, 15 Sep 2016 19:19:31


Thank you, Sakthis, for the response. This is the most direct answer I've received from anyone. I wish I would have posted on this forum a while ago.

I do have one more question, to which I'm sure I know the answer, but I need to ask just to be sure. Is there a way of performing this work without spinning up virtual servers? I have been led to believe this, and so this is what I've been attempting to figure out and perform. For example: is it possible to just use Azure AD Domain Services?

Thanks again for your time Sakthis.

Sakthis Kumar on Thu, 15 Sep 2016 19:33:17


Hi, Azure AD Domain Services is still evolving and has some limitations, like targeted Group Policy being applied to specific OUs, and a lot more.

Some info on that 

https://blogs.technet.microsoft.com/askpfeplat/2015/01/05/azure-active-directory-for-the-old-school-ad-admin

I believe your best bet at this point is to spin up VMs and make them DCs; future versions of Azure Active Directory may have all the required features. Hope this helps.