Solution For AD On-Premise AD To Azure AD

This document provides instructions for migrating an on-premise Active Directory (AD) environment to Azure Active Directory (Azure AD). It outlines several pre-migration steps, including:
• Evaluating on-premise machine configurations and domain health
• Configuring trusts between domains
• Migrating the five AD FSMO roles (Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master) to new domain controllers
• Creating a site-to-site VPN connection between the on-premises and Azure networks
• Executing a multi-step migration plan involving installing AD DS on a new Azure VM, moving FSMO roles, and upgrading domain and forest

Uploaded by Nandy Nantha

Solution for AD on-premise AD to Azure AD

Precheck list for the AD migration

• On-premise machine configuration details

→ Storage capacity
→ RAM utilisation
→ CPU speed
→ Where the customer wants to place the machine in Azure
• Domain health condition
Dcdiag is a Microsoft command-line utility for analyzing the state of domain controllers in a forest or enterprise. Rather than checking one domain controller in isolation, it can analyze all of them at once across your forest or enterprise.

• Trust relation

Netdom establishes, verifies, or resets a trust relationship between domains. It is a command-line tool that is available if you have the Active Directory Domain Services (AD DS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT).
• Migrate FSMO roles to the new domain controllers
→ Schema Master – one per forest
→ Domain Naming Master – one per forest
→ Relative ID (RID) Master – one per domain
→ Primary Domain Controller (PDC) Emulator – one per domain
→ Infrastructure Master – one per domain

Schema Master: The Schema Master role manages the read-write copy of your Active Directory
schema. The AD Schema defines all the attributes – things like employee ID, phone number,
email address, and login name – that you can apply to an object in your AD database.

Domain Naming Master: The Domain Naming Master makes sure that you don’t create a
second domain in the same forest with the same name as another. It is the master of your
domain names. Creating new domains isn’t something that happens often, so of all the roles,
this one is most likely to live on the same DC with another role.

RID Master: The Relative ID Master assigns blocks of Security Identifiers (SID) to different DCs
they can use for newly created objects. Each object in AD has an SID, and the last few digits of
the SID are the Relative portion. In order to keep multiple objects from having the same SID,
the RID Master grants each DC the privilege of assigning certain SIDs.

PDC Emulator: The DC with the Primary Domain Controller Emulator role is the authoritative DC
in the domain. The PDC Emulator responds to authentication requests, changes passwords, and
manages Group Policy Objects. And the PDC Emulator tells everyone else what time it is! It’s
good to be the PDC.

Infrastructure Master: The Infrastructure Master role translates Globally Unique Identifiers
(GUID), SIDs, and Distinguished Names (DN) between domains. If you have multiple domains in
your forest, the Infrastructure Master is the Babelfish that lives between them. If the
Infrastructure Master doesn’t do its job correctly you will see SIDs in place of resolved names in
your Access Control Lists (ACLs).
• Creating a site-to-site VPN connection from an on-premises location

A VPN gateway is a type of virtual network gateway that sends encrypted traffic between
your virtual network and your on-premises location across a public connection. You can also
use a VPN gateway to send traffic between virtual networks across the Azure backbone.
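As an added example (not part of the original document), the following PowerShell script runs the checks from the precheck list above in one pass: machine configuration details per DC, domain health with dcdiag and repadmin, trust verification with netdom, and the current FSMO holders and functional levels. It assumes the RSAT ActiveDirectory module, CIM/WinRM access to every DC, and the report path $ReportPath, which is an assumption.

```powershell
# Added precheck script, not from the original document. Assumes the RSAT ActiveDirectory module
# is present, CIM/WinRM access to every DC, and a writable report path ($ReportPath is assumed).
Import-Module ActiveDirectory
$ReportPath = "C:\Temp\ad-precheck.txt"   # assumption: where the precheck report is written
$forest = Get-ADForest
$domain = Get-ADDomain

# FSMO holders: the two forest-wide roles come from Get-ADForest, the three domain roles from Get-ADDomain.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Machine configuration details per DC (storage, RAM, CPU) from the first bullet of the checklist.
$sizing = foreach ($dc in Get-ADDomainController -Filter *) {
    $os   = Get-CimInstance Win32_OperatingSystem -ComputerName $dc.HostName
    $cpu  = Get-CimInstance Win32_Processor -ComputerName $dc.HostName | Select-Object -First 1
    $disk = Get-CimInstance Win32_LogicalDisk -ComputerName $dc.HostName -Filter "DeviceID='C:'"
    [pscustomobject]@{
        DC         = $dc.HostName
        IPv4       = $dc.IPv4Address
        RAM_GB     = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # CIM reports KB
        FreeRAM_GB = [math]::Round($os.FreePhysicalMemory / 1MB, 1)
        CPU_MHz    = $cpu.MaxClockSpeed
        C_Free_GB  = [math]::Round($disk.FreeSpace / 1GB, 1)
        C_Size_GB  = [math]::Round($disk.Size / 1GB, 1)
    }
}

# Domain health: dcdiag /e tests every DC in the enterprise and /q prints only failures;
# repadmin /replsummary shows replication partners with errors.
$dcdiag = dcdiag /e /q 2>&1
$repl   = repadmin /replsummary 2>&1

# Trust relations: list them, then verify each one with netdom as the checklist describes.
$trusts = foreach ($t in Get-ADTrust -Filter *) {
    $verify = netdom trust $domain.DNSRoot "/domain:$($t.Name)" /verify 2>&1
    [pscustomobject]@{ Trust = $t.Name; Direction = $t.Direction; Result = ($verify -join ' ') }
}

# $( ... ) flattens the pieces into one stream of lines for the report file.
$( "== FSMO holders =="; $fsmo.GetEnumerator() | ForEach-Object { "$($_.Key): $($_.Value)" }
   "== Functional levels =="; "Forest: $($forest.ForestMode)  Domain: $($domain.DomainMode)"
   "== DC sizing =="; $sizing | Format-Table -AutoSize | Out-String
   "== dcdiag failures (empty is good) =="; $dcdiag
   "== Replication summary =="; $repl
   "== Trusts =="; $trusts | Format-Table -AutoSize | Out-String
) | Out-File -FilePath $ReportPath -Encoding utf8
```

The dcdiag section of the report should be empty on a healthy forest; anything listed there, or any trust whose netdom result is not a successful verification, should be resolved before the migration plan below is started.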

• Migration plan for on-premise AD to Azure (IaaS)

We are going to create a VM in Azure and then migrate the roles from the on-premise machine, so this is similar to a rehost migration.
Step 1: Create a new resource group for the VM in Azure with a new VNet, and log in to the Windows Server machine as domain administrator.

Step 2: Check the IP address details and set the local host IP address as the primary DNS and another AD server as the secondary DNS. This is because, after AD DS is installed, the server itself will act as a DNS server.
Step 3: Open the Server Manager dashboard and click Add Roles and Features. This opens the wizard; click Next to continue and, for the installation type, select Role-based or feature-based installation.
Step 4: Check Active Directory Domain Services; the wizard will prompt for the features needed by the role. Click Add Features, then click Next to proceed. The next window gives a brief description of AD DS; click Next to proceed.
Step 5: Once the installation completes, click Promote this server to a domain controller. This opens the Active Directory Domain Services Configuration Wizard; leave Add a domain controller to an existing domain selected and click Next. In the next window, define a DSRM password and click Next.

Step 6: The next window asks from where to replicate domain information. You can select a specific server or leave the default. Once done, click Next. It then shows the paths for the AD DS database, log files and SYSVOL folder. You can change the paths or leave the defaults. In this demo, I keep the defaults and click Next to continue.

Step 7: The next window explains the preparation options. Since this is the first Windows Server AD of its kind in the domain, it will run the forest and domain preparation tasks as part of the configuration process. Click Next to proceed. It then runs the prerequisite check; if all is good, click Install to start the configuration process.
Step 8: Now log in to the Windows Server AD as enterprise administrator and open PowerShell as administrator. Then type netdom query fsmo. This lists the FSMO roles and their holders.
Step 9: The on-premise DC server holds all 5 FSMO roles. To move the FSMO roles over, type

Move-ADDirectoryServerOperationMasterRole -Identity REBELTEST-PDC01 -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

Step 10: Once it completes, type netdom query fsmo again and you can see that the new Windows Server DC now holds the FSMO roles.
Step 11: We have moved the FSMO roles, but the system is still running at the Windows 2012 R2 domain and forest functional levels. In order to upgrade them, first we need to decommission the old DC using the PowerShell command below:

Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartition

Step 12: We need to create a tunnel between on-premises and Azure. For that we need information such as the WAN IP or firewall gateway IP from the customer side, and in the Azure portal we need to create a separate VNet for the VPN gateway.
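Steps 9 to 11 above, as an added PowerShell example that is not part of the original document: it moves the five FSMO roles to the new Azure DC (the name REBELTEST-PDC01 is taken from step 9), refuses to demote anything until every role is confirmed on the new DC, then demotes the old DC and raises the functional levels. The old DC name $OldDc and the target level $TargetMode are assumptions, and the demotion uses PowerShell remoting to the old server, which is also assumed to be reachable.

```powershell
# Added example, not from the original document. $OldDc and $TargetMode are assumed values;
# the new DC name comes from step 9 of the page. Run as an enterprise administrator.
Import-Module ActiveDirectory
$NewDc      = "REBELTEST-PDC01"   # new domain controller running in Azure (name from the page)
$OldDc      = "ONPREM-DC01"       # assumption: on-premise 2012 R2 DC being decommissioned
$TargetMode = "Windows2016"       # assumption: functional level to raise to after the demotion
$Roles      = "SchemaMaster", "DomainNamingMaster", "PDCEmulator", "RIDMaster", "InfrastructureMaster"

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain (as FQDNs).
    $f = Get-ADForest; $d = Get-ADDomain
    [ordered]@{ SchemaMaster = $f.SchemaMaster; DomainNamingMaster = $f.DomainNamingMaster
                PDCEmulator = $d.PDCEmulator; RIDMaster = $d.RIDMaster; InfrastructureMaster = $d.InfrastructureMaster }
}

# Step 9: record the current holders, then move all five roles in one call.
(Get-FsmoHolders).GetEnumerator() | ForEach-Object { Write-Host "Before: $($_.Key) -> $($_.Value)" }
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $Roles -Confirm:$false

# Step 10: every role must now resolve to the new DC; abort before demotion if any did not move.
$stale = (Get-FsmoHolders).GetEnumerator() | Where-Object { ($_.Value -split '\.')[0] -ne $NewDc }
if ($stale) {
    $stale | ForEach-Object { Write-Warning "$($_.Key) is still held by $($_.Value)" }
    throw "Not all FSMO roles are on $NewDc; refusing to demote $OldDc."
}

# Step 11: demote the old DC. Uninstall-ADDSDomainController runs on the server being demoted,
# so it is invoked over PowerShell remoting; the server reboots when the demotion completes.
$localPwd = Read-Host -AsSecureString "Local Administrator password for $OldDc after demotion"
Invoke-Command -ComputerName $OldDc -ArgumentList $localPwd -ScriptBlock {
    param($pwd)
    Uninstall-ADDSDomainController -LocalAdministratorPassword $pwd -DemoteOperationMasterRole `
        -RemoveApplicationPartitions -Force
}

# Raise the levels only after the 2012 R2 DC is gone from the directory; the forest level can
# only be raised once every domain in the forest is at the target domain level.
while (Get-ADDomainController -Filter "Name -eq '$OldDc'" -ErrorAction SilentlyContinue) { Start-Sleep -Seconds 30 }
Set-ADDomainMode -Identity (Get-ADDomain).DNSRoot -DomainMode "${TargetMode}Domain" -Confirm:$false
Set-ADForestMode -Identity (Get-ADForest).Name -ForestMode "${TargetMode}Forest" -Confirm:$false
Write-Host "Forest mode: $((Get-ADForest).ForestMode); domain mode: $((Get-ADDomain).DomainMode)"
```

Raising a functional level is not reversible in the normal case, so the final Write-Host output should be checked against the planned target before the site-to-site VPN work in step 12 proceeds.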
