
Hi Serverfault / Stack Exchange Community,

I was looking for a few points of view on a solution that I am working on for an SMB, about 40-50 people in size, to be more mobile.

They are currently running a hub and spoke style network with an on-site DC replicating locally to another “redundant” DC (that sits next to it). I am unable to access the DC as it is currently maintained by another service provider. Therefore I am unable to determine if it is a primary domain, if it is the maintainer of the FSMO roles, and if that is the domain's forest primary or if the forest primary is offsite.

They do not use many of the features of AD to a granular level like GPO, OUs, or federation services due to their size. Most of their day to day business is conducted with their presence on client sites and they have the need to access unified resources that are up to date in real time, which Office 365 provides OOTB with Office 365, Delve and OneDrive.


I was therefore looking at a solution where I could transfer out the current domain or replace it with a better solution so that they can do the following:

- Have unified access to a cloud storage provider for realtime unified document access.

- Have exchange / outlook email accounts with a custom domain name.

- Up to 5 shared printers within the LAN.

- Local logon to Windows hardware with local roaming profile

- 2 custom programs currently running locally that make a connection over LAN to client terminals.

- **Ability to VPN to the 2 custom programs as well as some in-office hardware for occasional querying and log examination**


So far I have scoped out one potential offering for the office / collaboration side of things, which is the following, the Office 365 Enterprise E3 tier solution:

https://products.office.com/en-us/business/office-365-enterprise-e3-business-software

This does however leave me with some points that I am unsure of, and what is the best way to achieve all of the above functionality and meet the requirements.

These include the best way to do single SSO logon on local hardware while also staying in sync with the O365 offering. Is it best to do a Microsoft Azure Active Directory and export the current domain out through ADMT? If so, how would I connect the client site / branch to the Azure cloud AD? Does anyone have a preferred client router / gateway? I want the user to be able to log on locally and have all their Office 365 files there and the Exchange mail, but also be able to work offline if they were to lose the cloud or be in an unconnected region.

  • Is the cleanest way to pull the plug on the on-site AD instance to rebuild the domain in the Microsoft cloud, then point the Active Directory to the Office 365 part which has the custom domain name records attached to it? Am I able to migrate out to any offsite solution without losing emails if they are currently stored in Office 365 or an Exchange instance?

  • Has anyone tried Azure Active Directory for print serving? Is it possible? What were the results?

  • If I migrate the custom programs to a cloud hosting solution would I have to VPN site to site to make the local connection and then VPN into the local site to access them when workers were on site or could workers connect directly to the cloud cluster via VPN when out of the office? Does anyone have preferred hardware for this? I would need to make the programs appear locally on the clients site but also accessible out of the office.

  • Has anyone ever backed up their hosted OneDrive or had it replicating to a NAS or, more likely, SAN or another off-cloud solution as a business contingency and “business as usual” backup? I know it may sound crazy, as if Office 365 was to become unreachable it would probably be a bigger deal than this, but as a plan for every eventuality, does anyone know if this is possible?


This is still in the early stages, but any feedback or advice from someone who may have done something similar before would be much appreciated, as there are many different offerings out there for in-cloud products and I want something that is straightforward to use for field users as well as power users, and I wanted to make sure I was doing it the best way in this day and age, as I am predominantly an enterprise / large business on-site hosting maintainer.

Thanks so much in advance,

user4657
    You're asking a LOT of questions that show that you're not equipped to undertake the project that you're proposing to this customer. You'd be doing them a disservice by pitching any of this until you get more training with a better understanding of the platform. – MDMarra May 01 '15 at 22:16
  • Agreed, you need to do a lot more research into what Azure AD is and isn't. It is not a replacement for on premises AD and it is not going to do what you think it is. Go away, do some research, do some testing then come up with a plan. – Sam Cogan May 09 '15 at 18:12
  • This site isn't a good platform for this sort of open question, you'd get more feedback on a discussion forum style page. – BlueCompute May 12 '15 at 15:05
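The one concrete unknown in the question, which domain controller holds the FSMO roles and whether this domain is the forest root or a child of an offsite forest, can be answered read-only without any access to the DC itself. The following PowerShell is an added example, not part of the original question or answers: it assumes a domain-joined Windows workstation with the RSAT ActiveDirectory module installed and an ordinary domain user account (these attributes are readable by Authenticated Users, so no provider credentials are needed and nothing is changed).

```powershell
# Added example (not from the original post): read-only inventory of the
# forest/domain layout and FSMO role holders, run from any domain-joined
# workstation with RSAT. Assumes the ActiveDirectory module is present and
# the machine can reach a DC over LDAP; no DC logon or admin rights needed.
Import-Module ActiveDirectory

$forest = Get-ADForest      # forest-wide roles and the list of domains
$domain = Get-ADDomain      # this computer's domain and its domain-level roles

# Summarise: is this domain the forest root, and which DC holds each role?
[pscustomobject]@{
    ForestRoot           = $forest.RootDomain
    DomainsInForest      = ($forest.Domains -join ', ')
    ThisDomain           = $domain.DNSRoot
    IsForestRoot         = ($domain.DNSRoot -eq $forest.RootDomain)
    ForestFunctionalLevel= $forest.ForestMode
    DomainFunctionalLevel= $domain.DomainMode
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# List every DC, its site and the roles it holds, so the "redundant" DC
# next to the first one can be checked against the role holders above.
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize
```

If `IsForestRoot` comes back `$false`, the forest root (and the Schema and Domain Naming masters) lives in another domain, which is exactly the "forest primary is offsite" case the question raises; `DomainsInForest` then names where it is. Knowing the functional levels and role holders before any migration is also what tools such as ADMT or a cloud directory sync will require, so this inventory is the first thing to capture rather than something to guess at.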

1 Answer


Azure AD (today) is simply not a replacement for an on-site AD. Machines cannot join it, so you can't do a lot of the things you're asking for. End of story.

mfinni
  • Thanks for your response @mfinni. If I was to keep one forest and primary on-site and use Azure to expand and extend the AD out, this would allow me to have a smoother user journey surely, for example? Like I said, this is in early stages and is still being knitted together as a solution. So bouncing some ideas off MS cloud experts such as yourself. – user4657 May 01 '15 at 21:49
  • The fact that you're using this terminology leads me to believe you don't know as much about AD as you should. There's no such thing as "primary", unless you're referring to the holder of a FSMO role that's important for NTP and NT 4.0 clients and not much else. – mfinni May 01 '15 at 21:51
  • You can't "expand" an on-premise AD with Azure in the way I think you want. – mfinni May 01 '15 at 21:51
  • You can take a simple Windows VM in Azure (or AWS, or Rackspace, etc) and dcpromo it, of course. You'll want a VPN solution. This probably won't do what you think you want. – mfinni May 01 '15 at 21:52
  • Yes sorry mfinni I mean the FSMO role holder when I say primary, my bad. Thanks. Your input on this is much appreciated :-) ! – user4657 May 01 '15 at 21:55
  • That's part of my point. The PDCe role holder (really, any of the role-holders) requires very little architectural consideration. The fact that you're even mentioning it here worries me, in regards to all the things you don't know (to be blunt). If you're a service provider for a client, you're not qualified to be billing someone for the work you're doing. – mfinni May 01 '15 at 22:03