When talking about Directory, we are referring to the users, groups, distribution lists, and contacts information that’s part of every IT system. The Directory is where user authentication information is stored (i.e. username and password), along with group membership, email aliases, etc. The most common type of Directory used by MSPs’ customers is Microsoft’s Active Directory.
Active Directory is a fundamental and critical topic for a successful cloud migration. Before diving in, it is important to understand the terminology Microsoft uses for the various types of Active Directory, such as Azure Active Directory, Server Active Directory, and Azure Active Directory Domain Services (AAD DS), which, as you can see, tends to be confusing.
To demystify these various types of directories and understand when each should be used, we’ve written a guide on the topic:
Source Directory Environment
When planning an Active Directory migration, we must assess what is in place today and what the desired final state should be once everything is migrated to Azure. Often, the source environment has an existing Active Directory running on a server. Sometimes this Server Active Directory is synchronized with Azure Active Directory via ADConnect.
On rare occasions, born-in-the-cloud organizations have no local Active Directory and all user information lives in Azure AD. This is typically the case when the customer uses Office 365 and other Microsoft cloud products and has no local or legacy IT environment.
When it comes to Azure AD, it is important to remember that it is a cloud-native directory designed for storing user, group, and mailbox information. Any customer that wants to use virtual desktops or Server VMs in general will need to connect those to Active Directory (Server AD or AAD DS), as Azure AD by itself won’t be enough.
This should partially guide your decision on what the final state should look like. Can the customer organization operate 100% in a SaaS and PaaS environment, without any virtual desktops, RemoteApps, or Server VMs? If so, the Azure AD “Cloud Only” directory model is probably the way to go. If you can’t confidently answer this question, or if there is a possibility that the answer may change over time, you’ll have to plan for Active Directory capability on top of Azure AD. Azure AD is always necessary for Microsoft cloud services like Office 365, so it’s not a matter of choosing one OR the other; it’s a matter of choosing Azure AD only, or Azure AD + Active Directory.
Destination Directory Environment
Now that we know what the source Directory looks like, we need to decide what the desired final state in the cloud should be. Let’s assume the most likely scenario: the source environment uses Active Directory, and the destination cannot be cloud-only with Azure AD and will need Active Directory as part of the deployment.
There are two ways to deploy Active Directory with Nerdio in Azure: Greenfield and Hybrid. Let’s look at each one in detail.
Greenfield AD Deployment
Imagine that the source environment AD is not in an ideal state. Maybe you inherited it from another MSP and it’s not configured according to best practices. Maybe the customer went through an acquisition or another significant change, and the AD has several unnecessary objects. In all such situations, you may want to take the Azure migration as an opportunity to start with a fresh, clean AD that follows best practices. In this situation, you’ll start with a new, empty AD and then populate it with the directory objects you need.
There are three ways to achieve this with Nerdio for Azure:
- Create new user objects using the Nerdio Admin Portal (NAP) GUI
  - New users added in the NAP are created on DC01 (the Server AD domain controller) and automatically synced to Azure AD via the pre-configured ADConnect.
  - New users can have a password of your choosing or a randomly generated one. The user object is initially created with a random password, which you can change with the “Reset Password” button.
  - Once added in the NAP, user objects can be fully managed in one place, and all other directories (AD and Azure AD) are updated automatically.
- Use the NAP’s Bulk add/import tool to import users from a CSV file
  - Every aspect of a user can be pre-configured in a CSV file and then imported into the Nerdio Admin Portal, including Office 365 licensing, email addresses, group memberships, passwords, and even desktop information.
  - You can export users from the existing on-premises Active Directory to a CSV file with Nerdio’s AD Export tool (Onboard > AD Export) and use that as the foundation for your user import file. Groups and distribution lists can be exported and imported the same way.
  - User passwords cannot be exported from the existing AD, but they can be set in the import CSV file before importing.
- Import users from Office 365
  - If the customer does not have an on-premises AD, or if all user information is already in Office 365, this is the best option.
  - Users imported from Office 365 have their passwords reset in the process, since it is not possible to extract a password from Office 365 and import it into Nerdio.
  - Once imported, users are fully functional objects in Nerdio and are synced with their original Office 365 counterparts. Any change made to the user object in Nerdio automatically syncs to Azure AD / Office 365.
Greenfield AD deployment is best for simple environments, where taking the opportunity to clean things up outweighs the work involved in re-creating or importing directory objects.
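The CSV-based path above (export users, groups and distribution lists from the source AD, then set passwords in the file before importing) can also be done outside the portal. The following PowerShell script is an added example written for this page; it is not Nerdio’s AD Export tool or any code from the guide. It assumes the RSAT ActiveDirectory module is installed, that it runs as an account with read access to the source domain, and that the column names it writes are hypothetical and will be mapped to whatever the import tool expects. Because passwords cannot be exported, it generates an initial password per user with a cryptographic RNG, flags accounts with no recent logon so they can be left behind in the clean AD, and restricts the resulting files to the current user since they carry credentials.

```powershell
# Added example (not Nerdio's AD Export tool): build a users.csv and groups.csv from the
# source AD as the foundation for a greenfield import. Assumes the RSAT ActiveDirectory
# module and an account with read access to the source domain. Column names are
# hypothetical; map them to whatever the import tool expects.
Import-Module ActiveDirectory

$ExportDir = Join-Path $env:USERPROFILE 'ad-export'
$StaleDays = 90   # accounts with no logon in this many days are flagged for review
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

function New-InitialPassword {
    # Passwords cannot be exported, so generate an initial one per user with a
    # cryptographic RNG (not Get-Random) and rejection sampling to avoid modulo bias.
    param([int]$Length = 16)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return -join $chars
}

function Protect-ExportFile {
    # The CSVs carry initial credentials: drop inherited ACEs and grant only the current user.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

$cutoff = (Get-Date).AddDays(-$StaleDays)
# Only enabled accounts are candidates; disabled ones are exactly the clutter a fresh AD should drop.
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties DisplayName, GivenName, Surname, `
    EmailAddress, Department, LastLogonDate, MemberOf

$rows = foreach ($u in $users) {
    # Resolve group DNs to names and join with ';' so one column carries all memberships.
    $groups = @($u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }) -join ';'
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        FirstName         = $u.GivenName
        LastName          = $u.Surname
        Email             = $u.EmailAddress
        Department        = $u.Department
        Groups            = $groups
        LastLogonDate     = $u.LastLogonDate
        Stale             = ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff)
        InitialPassword   = New-InitialPassword
    }
}

$usersCsv = Join-Path $ExportDir 'users.csv'
$rows | Export-Csv -Path $usersCsv -NoTypeInformation -Encoding UTF8
Protect-ExportFile -Path $usersCsv

# Security groups and distribution lists, exported separately.
$groupsCsv = Join-Path $ExportDir 'groups.csv'
Get-ADGroup -Filter * -Properties Description, Mail |
    Select-Object Name, SamAccountName, GroupCategory, GroupScope, Mail, Description |
    Export-Csv -Path $groupsCsv -NoTypeInformation -Encoding UTF8
Protect-ExportFile -Path $groupsCsv

$stale = @($rows | Where-Object { $_.Stale }).Count
"Exported {0} users ({1} flagged stale, no logon in {2} days) to {3}; review stale rows before importing." -f @($rows).Count, $stale, $StaleDays, $ExportDir
```

Review the rows flagged Stale before importing; dropping them is the cleanup opportunity the greenfield approach is meant to capture. Treat the export directory as you would any credential store: import from it promptly, force a password change at first logon where the import tool supports it, and delete the files afterwards.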
Hybrid AD Deployment
It is difficult to migrate most large and complex IT environments in a cutover fashion, so most such projects happen in a phase-in approach, where individual IT components are migrated to Azure over time. This means that from the time the project begins, months or even years can pass until everything has been migrated to the cloud.
In the interim, a hybrid environment must exist. Because Active Directory is such a fundamental component of any IT environment, the existing environment and the new Azure cloud environment must be fully connected so that VMs and users can move easily from one to the other without disruption and password changes.
Additionally, even when an environment will be migrated in a cutover fashion, if the source AD is large, complex, and in relatively good state, it may not make sense to go through the effort of recreating everything in Azure.
This is where Nerdio Hybrid Active Directory™ comes in. Nerdio fully automates the extension of an existing AD into Azure, and allows VMs to move from the on-premises environment to Azure without the need to rejoin a new AD domain. It also allows existing user accounts to be entitled to resources in Azure without the need to re-create the user object or even reset the password.
Extending AD into Azure allows the Nerdio Admin Portal to see into the existing Active Directory, manage user objects, and assign virtual desktops – all without any changes to the existing environment. Once the AD is extended from the existing environment to Azure, it spans both locations and allows seamless movement of servers from one to the other.
Once the migration process is complete and you want to convert the Azure environment to be Pure Cloud and not Hybrid Active Directory, FSMO roles can be transitioned from the on-premises domain controllers to the new domain controller VM in Nerdio. The existing AD VMs can be de-provisioned.
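The FSMO transfer described above is the step that turns the Hybrid deployment into Pure Cloud, and it is the one step in the process that must not be rushed: the roles should move only when replication to the new domain controller is healthy, and the on-premises domain controllers should be demoted only once every role is confirmed to have moved. The following PowerShell script is an added example written for this page, not Nerdio’s automation. It assumes the RSAT ActiveDirectory module, Enterprise Admin rights, and that DC01 (the name this guide uses for the new domain controller VM) is the transfer target.

```powershell
# Added example (not Nerdio's automation): transfer all five FSMO roles to the Azure-hosted
# domain controller and verify the result before any on-premises DC is decommissioned.
# Assumes the RSAT ActiveDirectory module, Enterprise Admin rights, and that DC01 is the
# new domain controller VM (the name used in this guide; adjust as needed).
Import-Module ActiveDirectory
$TargetDC = 'DC01'

function Get-FsmoHolders {
    # Read role holders fresh from the directory; domain roles and forest roles live on different objects.
    $d = Get-ADDomain
    $f = Get-ADForest
    [ordered]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

# 1. Refuse to move roles while replication to the target is failing: a transfer needs
#    both DCs online and in sync, and a stale RID master can hand out duplicate RIDs.
$failures = @(Get-ADReplicationFailure -Target $TargetDC -ErrorAction Stop)
if ($failures.Count -gt 0) {
    $failures | Format-Table Server, Partner, FailureType, FailureCount, LastError -AutoSize
    throw "Replication failures reported on $TargetDC; fix these before moving FSMO roles."
}

# 2. Record the current holders so the change is auditable and reversible.
$before = Get-FsmoHolders
"Before:"; $before | Format-Table -AutoSize

# 3. Graceful transfer (no -Force). Seizing with -Force is only for a source DC that is
#    permanently gone, and a DC whose roles were seized must never come back online.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 4. Verify every role now resolves to the target host; stop if any does not.
$after = Get-FsmoHolders
"After:"; $after | Format-Table -AutoSize
$notMoved = $after.GetEnumerator() |
    Where-Object { ($_.Value -split '\.')[0] -ne $TargetDC } |
    ForEach-Object { $_.Key }
if ($notMoved) {
    throw "Still held elsewhere: $($notMoved -join ', '). Do not demote the on-premises DCs yet."
}
"All five FSMO roles are now held by $TargetDC; the on-premises domain controllers can be demoted."
```

Keep the “Before” listing with the change record: if anything misbehaves after the move (time sync and password changes depend on the PDC Emulator in particular), it tells you exactly where the roles came from.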
Active Directory is an important consideration in any cloud migration project, and there are options and features in Nerdio to enable almost any scenario. With over a thousand cloud deployments and migrations under our belt, we’ve seen it all. If you'd like to see how Nerdio for Azure works for yourself, you can start a free trial whenever you'd like - no credit card necessary.
Customers often have Line-of-Business (LOB) servers and applications too, so we'll need to know how to migrate these from on-premises to the cloud. We're taking a deep dive on how to do that on the next page.