-1

Presently, we have a Windows 2012 R2 Server acting as our PDC and it is physically located in our HQ location. It serves the HQ location as well as 5 other branch locations. Our president has inquired with me if there is any way we can move that server into a cloud rather than physically hosting it.

Server roles are as follows:

  • DNS Server
  • AD for company-wide local network authentication and LDAP authentication for web application.
  • DHCP & Static IP assignments
  • File Server

My first thoughts on this were to establish a VPN tunnel between our HQ location and the cloud location. Currently, we use AWS for hosting of our linux web hosts and we have a VPN tunnel to our HQ office so the web application to make use of LDAP for authentication. I also believe that the VPN is providing file services, but not clear on that. However, not sure how this setup would work for our other branch locations.

So, are my thoughts about this a proper approach or is there a better way to achieve this?

Thanks!

Skittles
  • 421
  • 1
  • 7
  • 16
  • 1
    `Our president has inquired with me if there is any way we can move that server into a cloud rather than physically hosting it.` Rather than "if" you should ask him "why". There are arguments for and against moving the PDC to the cloud. You are asking for the best way to achieve this, instead of asking if you should. Without knowing the details it's hard to review your approach. – Daniel Jun 23 '21 at 18:19
  • Based on Fizgriz's response, I informed him that the technical risks would prove far to prohibitive for us to make such a move and that having our BDC at a datacenter would still provide the best alternative to a catastrophic failure of our onsite PDC. But thank you for your input also. – Skittles Jun 23 '21 at 18:21
  • Well, that's the point I was trying to make. Putting the PDC to a datacenter or into the cloud is not always a bad idea. It all depends on the entirety of the infrastructure. – Daniel Jun 23 '21 at 22:16
  • I want to point out that 21 year ago Windows NT 4.0 was replaced by Windows 2000 and now **there is no PDCs or BDCs in MS Active Directory technology**. Some DCs will host FSMO roles, but you may assign different roles to different servers, so no one will be a "complete primary". Where it is best to have which role depends on your network structure. There is also a reduced DC called RODC, which doesn't count as a DC in a full right, because it doesn't store some of directory data. It is used in remote branch offices to speed up directory lookup operations (it acts like a cache). – Nikita Kipriyanov Jun 24 '21 at 14:17

1 Answers1

1

The main issue with implementing this is that your company's domain controller is in a cloud environment that then heavily relies on a stable secure connection.

I think its not best practice to move a DC especially a PDC into the cloud because if the connection to the internet or datacenter fails then your network is S.O.L.

If this is direction you want to go I think best practice would be to establish redundant connections from each branch to the cloud, and have a plan and procedure in place in the event of connection outages.

I suggested having all branches have the connection because if one of the branches loses connection to HQ, or if HQ suffers an outage all branches are inoperable.

FizzyH
  • 26
  • 2