There has recently been some discussion about migrating your on-prem domain controller to the cloud. That’s bound to happen because Microsoft® features a product called Azure® Active Directory® Domain Services. We know that Azure is Microsoft’s foray into the cloud, so that leads many to think that perhaps Azure Active Directory Domain Services is the analog to Active Directory Domain Services. As a result, many wonder whether you can migrate on-prem domain controllers to the cloud.
On-Prem Domain Controller to Cloud Migration—In Microsoft’s Words
With the bulk of IT infrastructure moving to the cloud, IT admins are hoping to move one of the most critical components along with it: the domain controller. Unfortunately, the on-prem Active Directory "domain" and the "domain" in Azure Active Directory Domain Services are not the same thing, and that is where most of the confusion lies. The on-prem domain is a Kerberos/LDAP realm served by domain controllers you run yourself; Azure Active Directory is a cloud identity tenant; and Azure AD Domain Services is a managed domain that Microsoft operates for workloads running in Azure. Here, a Microsoft rep on Spiceworks lays the scenario out:
“Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities as AD. It actually provides many more capabilities in a different way.
“That’s why there is no actual “migration” path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU etc.
“As you can see here Azure Active Directory is an identity and access management solution for hybrid or cloud-only implementations. It can extend the reach of your on-premises identities to any SaaS application hosted in any cloud. It can provide secure remote access to on-premises applications that you want to publish to external users. It can be the center of your cross-organization collaboration by providing access for your partners to your resources. It provides identity management to your consumer-facing application by using social identity providers. Cloud app discovery, Multi-Factor Authentication, protection of your identities in the cloud, reporting of Sign-ins from possibly infected devices, leaked credentials report, user behavioral analysis are a few additional things that we couldn’t even imagine with the traditional Active Directory on-premises.
“Even the recently announced Azure Active Directory Domain Services is not a usual DC-as-a-service that you could use to replicate your existing Active Directory implementation to the cloud. It is a stand-alone service that can offer domain services to your Azure VMs and your directory-aware applications if you decide to move them to Azure infrastructure services. But with no replication to any other on-premises or cloud (in a VM) domain controller.
“If you want to migrate your domain controllers to the cloud to use them for traditional tasks, you could deploy domain controllers in Azure Virtual Machines and replicate via VPN.
“So to conclude, if you would like to extend the reach of your identities to the cloud you can start by synchronizing your Active Directory to Azure AD.”
Simply put, Azure Active Directory is not a standalone replacement for Active Directory, and Azure AD Domain Services is not a replacement for the on-prem domain controller either. The only route Microsoft offers for keeping a traditional domain is the one the rep mentions last: run your own domain controllers in Azure VMs and replicate with the on-prem ones over a VPN. That is not a migration of the domain to the cloud so much as the same on-prem model hosted in someone else's data center, with the same domain controllers, group policies, and OUs to manage.
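If you do take the "domain controllers in Azure VMs, replicated over a VPN" route, the thing to verify is that replication across the tunnel is actually healthy. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes the ActiveDirectory RSAT module is installed, that the session is domain-joined with rights to query replication metadata, and that the staleness threshold (three hours) is a placeholder you would tune to your site-link schedule.

```powershell
# Added example (not from the original post): sanity-check replication for
# domain controllers placed in Azure VMs and linked to on-prem over a VPN.
# Assumes the ActiveDirectory RSAT module and a domain-joined admin session.
Import-Module ActiveDirectory

# Treat a partner as stale if it has not replicated successfully in this long.
# The threshold is an assumption; match it to your site-link replication interval.
$StaleAfter = New-TimeSpan -Hours 3

# 1. Site links: a DC in Azure should sit in its own AD site, reached through
#    a site link whose cost and frequency reflect the VPN's bandwidth and latency.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } } |
    Format-Table -AutoSize

# 2. For every DC, list inbound replication partners and flag stale or failing ones.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                DC                  = $dc.HostName
                Site                = $dc.Site
                # Partner is the NTDS Settings DN; the second RDN is the partner DC name.
                Partner             = (($_.Partner -split ',')[1] -replace '^CN=', '')
                Partition           = $_.Partition
                LastSuccess         = $_.LastReplicationSuccess
                ConsecutiveFailures = $_.ConsecutiveReplicationFailures
                Stale               = ((Get-Date) - $_.LastReplicationSuccess) -gt $StaleAfter
            }
        }
}
$report | Sort-Object Stale -Descending | Format-Table -AutoSize

# 3. Surface explicit failures domain-wide, e.g. RPC errors when the VPN tunnel drops.
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize
```

Run it from any domain-joined admin workstation. A partner flagged `Stale` with a growing `ConsecutiveFailures` count on the Azure-hosted DC usually means the VPN, its firewall rules for RPC and the dynamic RPC port range, or DNS resolution between sites is the problem, not the directory itself.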
The Domain Concept—Built for a Different Era
The concept of the domain controller made a lot of sense when Active Directory shipped with Windows 2000. With a host of Windows®-only resources to manage, it was practical to connect them centrally and manage them through AD. Because each resource lived on-prem, connecting and managing them was straightforward. Microsoft designed it that way. But that was roughly 20 years ago. IT, and particularly the systems it manages, has changed a great deal, and the on-prem domain no longer matches how most organizations operate.
Shifting OS Demographics
Today, as we know, the IT infrastructure is completely different. According to StatCounter, the desktop OS market in January 2009 was dominated by Windows, which held 92% of the market share. At the same time, Mac® systems had 4% and Linux® brought up the rear with less than 1%. Fast forward a hair over 10 years and a different picture emerges. Microsoft still has a sizeable lead, but it has dwindled considerably. As of February 2019, Windows had dropped to 74% of the market, macOS® systems had risen to 13%, and Linux accounted for 1.5%.
Those numbers may not strike you as vastly different, but survey figures cited elsewhere put the share of enterprise employees who would choose macOS over Windows, when given the choice, at 72%, so the number of Macs is expected to keep rising while Windows systems decline further. Additionally, data centers and infrastructure are moving to the cloud faster than ever, and the majority of those cloud systems are Linux-based. Windows therefore finds itself squeezed from two directions. Neither macOS nor Linux systems join an Active Directory domain as naturally as Windows does: they typically need an identity bridge or additional configuration and tooling before AD can manage them. What good is the domain if you can’t connect your systems to it without extra work and expense?
Welcome to the Cloud
Aside from systems, other resources making a home in the cloud include G Suite™, Office 365™, AWS®, Salesforce® and many others. Another consideration is that the domain was built for machines on the wired corporate LAN, with a direct line of sight to a domain controller; today WiFi and remote connections are the norm. All of these changes are forcing IT admins to rethink their approach to directory services. So, while the domain controller from Microsoft is an interesting idea, there is a better and more complete approach to cloud identity management: one that works in concert with Zero Trust Security and treats every user, device and network as untrusted until it is verified.
The solution we’re talking about is called JumpCloud® Directory-as-a-Service®, and it is securely managing and connecting user identities to the IT resources they utilize every day. That includes systems (Windows, Mac, Linux), applications, file storage, and networks regardless of provider, protocol, platform, and location. Think of Directory-as-a-Service as your next generation replacement to Active Directory. And because it’s independent, you aren’t tied to Microsoft or any other vendor for that matter.
Ready to Learn More?
Instead of wondering, “Can you migrate on-prem domains to the cloud” in the traditional, Microsoft-centric sense, think about your identity management solution instead. If you have questions, feel free to drop us a line to learn more about your options when it comes to cloud identity management. Or sign up for a JumpCloud account and try it for yourself. It’s free, requires no credit card, and enables you to manage 10 users with the full-featured version of Directory-as-a-Service. Once you’ve signed up, navigate over to our Knowledge Base for technical information to help you get the most out of your account.