As more organizations shift their infrastructure to the cloud, many are wondering if their on-prem domain controller can be migrated to the cloud as well. Even Microsoft is getting into the game with a product called Azure® Active Directory® Domain Services. We know that Azure is Microsoft’s foray into the cloud, so that leads many to think that perhaps Azure Active Directory Domain Services is the analog to Active Directory Domain Services; or in short, a cloud domain controller. As a result, many wonder whether you can migrate on-prem domain controllers to the cloud.
The domain concept gained a great deal of momentum when Microsoft launched Active Directory in 1999. With most organizations physically located in offices their networks were largely contained. The concept of the domain made a great deal of sense since it was really a way to think about everything within the building and on the network. Over time, though, as more IT resources expanded to the cloud and users became more mobile, the construct of the domain started to break down. Microsoft has attempted to extend it with a variety of solutions including Azure AD DS. The question for IT organizations is whether patching the concept of the domain in light of the cloud, remote workers, and increased security is the right way to go or whether the concept of the Domainless Enterprise may be better.
On-Prem Domain Controller to Cloud Migration—In Microsoft’s Words
With the bulk of IT infrastructure moving to the cloud, IT admins are hoping to move one of the most critical components along with it—the domain controller. Unfortunately though, the definition of the on-prem Active Directory domain is not the same as the one Microsoft established for Azure Active Directory Domain Services. That’s where the bulk of the confusion lies. These two domains mean different things because they exist within different environments. Here, a Microsoft rep on Spiceworks lays the scenario out:
Even the recently announced Azure Active Directory Domain Services are not a usual DC as a service that you could use to replicate your existing Active Directory implementation to the cloud. It is a stand-alone service that can offer domain services to your Azure VMs and your directory-aware applications if you decide to move them to Azure infrastructure services. But with no replication to any other on-premises or cloud (in a VM) domain controller.
“If you want to migrate your domain controllers in the cloud to use them for traditional task you could deploy domain controllers in Azure Virtual Machines and replicate via VPN.
“So to conclude, if you would like to extend the reach of your identities to the cloud you can start by synchronizing your Active Directory to Azure AD.”
Simply put, Azure Active Directory is not a standalone replacement for Active Directory. In the same vein, Azure AD Domain Services isn’t a replacement for the on-prem domain controller. As a result, there is no solution for shifting your domain to the cloud in the traditional sense of it. In fact, Microsoft details their reference architecture of how to “extend” your domain to the Azure cloud:
The Domain Concept—Built for a Different Era
The concept of the domain controller made a lot of sense when Active Directory was released. With a host of Windows®-only resources to manage, it was practical to centrally connect them and manage them through AD. Because each resource lived on-prem, it was a snap to connect and manage them. Microsoft designed it that way. But, that was 20+ years ago. The IT landscape has changed dramatically since then, and the concept of the domain has largely become antiquated.
Shifting OS Demographics
Today, as we know, the IT infrastructure is completely different. According to statcounter, the desktop OS market in January of 2009 was dominated by Windows, which had 92% of the market share. At that same time, Mac® systems had 4% and Linux® brought up the rear with less than 1% of the market. Fast forward a hair over 10 years and a different picture is being painted. Microsoft still has a sizeable lead, but it has dwindled considerably. As of January 2021, Windows had dropped to 76% of the market share. macOS® systems rose quite a bit to 17%. Now Linux now accounts for almost 2%.
Those numbers may not strike you as being too vastly different, but when you consider the fact that 72% of enterprise employees choose macOS systems over Windows, the number of Macs is only expected to rise while Windows systems decrease further. Additionally, data centers and infrastructure are moving to the cloud faster than ever. The majority of those systems are Linux-based machines. With that in mind, Windows now finds itself being edged out by two different parties (not to mention the world of mobile as well). Android and iOS devices outnumber systems these days and they are only increasing. None of these are leveraging the Windows operating system.
All told, these non-Windows resources have difficulty connecting to Active Directory and require quite a bit of configuration to make them work out of the box—specifically, with the need to use identity bridges. What good is the domain if you can’t connect your systems to it without extra work and expense?
Welcome to the Cloud. Welcome to the Domainless Enterprise.
Aside from systems, other resources making a home in the cloud include Google Workspaces™, Microsoft 365™, AWS®, Salesforce®, GitHub, Slack, and many others. Another consideration is the fact that the domain used to operate on wired connections; well, we are all aware that WiFi has taken the helm as the preferred network connection solution, but even more so the global pandemic has largely shifted work to be remote and most often from people’s homes.
All of these changes are forcing IT admins to rethink their approach to directory services. So, while the domain controller from Microsoft is an interesting idea, there is a better and more complete approach to cloud identity management—one that works in concert with Zero Trust Security and knows that all IT resources are to be untrusted by default. This concept is known as the Domainless Enterprise.
The Domainless Enterprise is a new, decentralized IT infrastructure approach where each access request is handled in a seamless, zero trust manner without the need to access a central gateway. A user gains secure, role-based access to resources regardless of their or the IT resource’s location. Each part of this transaction is analyzed, secured, and verified from a single cloud-based controller.
In the Domainless Enterprise, a user’s device of any kind is their secure conduit to all of their IT resources. Essentially, leveraging the antiquated analogy of the domain, the domain flexes to whatever devices, applications, servers, and networks that encompass your workforce’s needs. A simple way to think of a domainless enterprise is one without AD.
A core solution capable of implementing the Domainless Enterprise is JumpCloud Directory Platform, and it is securely managing and connecting user identities to the IT resources end users utilize every day. That includes systems (Windows, Mac, Linux), web and on-prem applications, cloud and physical file storage, and WiFi and VPN networks regardless of provider, protocol, platform, and location. Think of this directory-as-a-service as your next generation replacement to Active Directory and the domain controller. And because it’s independent, you aren’t tied to Microsoft or any other vendor for that matter.
Ready to Learn More?
Instead of wondering, “Can you migrate the on-prem domain to the cloud” in the traditional, Microsoft-centric sense, think about what a Domainless Enterprise model might do for you instead. If you have questions, feel free to drop us a line to learn more about your options when it comes to a “cloud domain controller”. Or sign up for a JumpCloud Free account and try it for yourself.
It’s free, requires no credit card, and enables you to manage 10 users and 10 systems with the full-featured version of our cloud directory platform including all of our premium functionality. Once you’ve signed up, navigate over to our Knowledge Base for technical information to help you get the most out of your account. You’ll also have access to our 24×7 Premium in-app chat support for the first 10 days.