
I just recently started my first job in IT and have been tasked with deploying 60 new laptops right off the bat. I have set up WSUS on our server as the first order of business, but there is a problem I am facing with our Active Directory. The person in charge before me decided to remove the local AD and attempt to replace it with an Azure AD. I have come to understand that Azure AD is not a replacement for a local AD, and this has given me quite the challenge. Using Azure AD Connect, I attempted to sync the directories. This worked; however, since our Azure AD is our "main" AD, I cannot seem to pull users and groups from it to assign GPOs for updating via WSUS. Is there something I am missing? Or can a local AD really not be used as a "secondary" AD only for WSUS/GPO assigning? Thanks in advance for the help!

1 Answer


He did what with the old DC? On my side, I would restore an old DC backup, or restart the VM if you are lucky and he didn't erase that VM, for example.

As Azure AD only keeps the user and the password hash, for example, it's not a full AD sync. It's an identity and access management service.

Per the doc;

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. Azure AD helps your employees sign in and access resources in:

External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.

Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.

You can use the various Microsoft Cloud for Enterprise Architects Series posters to better understand the core identity services in Azure, Azure AD, and Office 365.

Who uses Azure AD? Azure AD is intended for:

IT admins. As an IT admin, you can use Azure AD to control access to your apps and your app resources, based on your business requirements. For example, you can use Azure AD to require multi-factor authentication when accessing important organizational resources. Additionally, you can use Azure AD to automate user provisioning between your existing Windows Server AD and your cloud apps, including Office 365. Finally, Azure AD gives you powerful tools to automatically help protect user identities and credentials and to meet your access governance requirements. To get started, sign up for a free 30-day Azure Active Directory Premium trial.

Your old admin probably wanted to migrate the AD to the cloud. The way a migration to the cloud must be made is to lease a VM in the cloud and build your AD from there, or to use the Azure ADDS service: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-overview

yagmoth555
  • The old DC is gone as far as I am aware. And is it possible to migrate the AAD to an AD using a physical machine rather than a VM? I was under the impression that the Azure AD Connect program is capable of syncing the AAD and the AD, but I don't believe that the local AD can be set as a "backup" or "secondary" (kind of like refreshing the local AD from the AAD, rather than the current way it works). If I was misled, then will a VM work better in conjunction with Azure rather than a local machine? – NikolaiOnABear Mar 04 '19 at 17:32
  • @NikolaiOnABear VM or not, I mean more that Azure AD is not a full Active Directory like the ADDS role you configure in a Windows Server. You can see there the feature that was asked for, but is not yet there: https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/6455327-sync-azure-active-directory-down-to-on-premises-ad – yagmoth555 Mar 04 '19 at 17:35
  • Ah, thank you, I was looking at that feature request prior to asking. So with all of our user information being only in the AAD, how would you recommend setting up a local AD in conjunction with AAD in order to assign Group Policies? Or is this something that is just not possible without a complete migration to a primary local AD using the AAD as a backup? – NikolaiOnABear Mar 04 '19 at 17:44
  • @NikolaiOnABear Make sure whether you use AAD or the Azure ADDS service, as if it is only AAD you will be left with the only option to restore, or to build a new AD and build a new connector to AAD afterwards, sadly (not good news). Makes me wonder if the last technician did that on purpose – yagmoth555 Mar 04 '19 at 17:46
  • So the best solution would be to just pay for one of the cheaper VMs on Azure to push GPs to domain users? But still host the WSUS/MDT on a local machine and just point the clients to the server with the policies? – NikolaiOnABear Mar 04 '19 at 18:12
  • @NikolaiOnABear No, I mean you are stuck, as Azure AAD can't sync back. I told you some solutions that would have been the correct solution to have an AD in the cloud, but not in your case; unless someone corrects me, you are out of luck – yagmoth555 Mar 04 '19 at 18:17
  • Yes, this is an example of an unfortunate thing. If you have a backup of that AD forest, that would be helpful. But any data you seek that isn't simply users/passwords/roles is simply not there in Azure. – Spooler Mar 04 '19 at 19:14
  • I don't believe there was any data other than users/passwords/roles in our AD before I got here. The only thing we use AAD for is users logging into other devices and logging in without being on our network (everyone has a laptop and is in and out of the office a lot). If I could just manage the users with GPO, then I can do the rest with WSUS and MDT. Another suggestion that was made to me was Intune in collaboration with AAD. I am not sure if Intune can handle WSUS or MDT, but I heard there were permission-level caveats with it causing it to not follow the Local>Site>Domain>OU order that GPs do – NikolaiOnABear Mar 04 '19 at 19:22
  • @NikolaiOnABear Your AAD on Azure will never update from a local AD; you have none now. If your AD is simple, then recreate it. Turning back a wrong decision is easier at the first step, not after a lot of errors while trying to fix error #1. – yagmoth555 Mar 04 '19 at 19:30
  • Thanks for all the help everyone! I have a start in the right direction now, I really appreciate it – NikolaiOnABear Mar 04 '19 at 20:07
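The answer and comments above boil down to "rebuild the on-prem AD from what Azure AD still holds, then reconnect it". The script below is an added example of that rebuild, not code from the original answer or from Microsoft. It assumes Windows PowerShell 5.1 on the newly promoted DC with the AzureAD and ActiveDirectory modules installed, a new forest named corp.example.com whose UPN suffix is a verified domain in the tenant, and placeholder values for the OU and scratch folder. It exports what the tenant actually has (users, security groups, membership; there are no OUs, GPO links or computer objects to recover), recreates the objects on-prem with identical UPNs so that a fresh Azure AD Connect install soft-matches them to the existing cloud objects instead of creating duplicates, and gives each account a temporary password because cloud password hashes cannot be pulled down.

```powershell
# Added example, not code from the original answer. Assumptions (placeholders):
#   - Windows PowerShell 5.1 on the new DC, AzureAD + ActiveDirectory modules installed
#   - new forest corp.example.com; "corp.example.com" is a verified domain in the tenant
#     (otherwise Azure AD Connect soft match cannot link the objects)
#   - $TargetOu already exists; $ExportPath is a scratch folder deleted afterwards
Import-Module AzureAD
Import-Module ActiveDirectory
Add-Type -AssemblyName System.Web        # for Membership.GeneratePassword

$UpnSuffix  = 'corp.example.com'
$TargetOu   = 'OU=Staff,DC=corp,DC=example,DC=com'
$ExportPath = 'C:\Temp\aad-export'
New-Item -ItemType Directory -Path $ExportPath -Force | Out-Null
Connect-AzureAD | Out-Null

# 1. Export what the tenant actually holds: member users (no guests, and nothing that
#    is already sourced from an on-prem directory) plus security groups and membership.
$users = Get-AzureADUser -All $true |
    Where-Object { $_.UserType -eq 'Member' -and -not $_.DirSyncEnabled }
$groups = Get-AzureADGroup -All $true |
    Where-Object { $_.SecurityEnabled -and -not $_.DirSyncEnabled }
$membership = foreach ($g in $groups) {
    Get-AzureADGroupMember -ObjectId $g.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'User' } |
        ForEach-Object { [pscustomobject]@{ Group = $g.DisplayName; Upn = $_.UserPrincipalName } }
}
$users  | Select-Object ObjectId, UserPrincipalName, DisplayName, GivenName, Surname, Mail |
    Export-Csv "$ExportPath\users.csv" -NoTypeInformation
$groups | Select-Object ObjectId, DisplayName, Description |
    Export-Csv "$ExportPath\groups.csv" -NoTypeInformation
$membership | Export-Csv "$ExportPath\membership.csv" -NoTypeInformation

function Get-SamFromUpn([string]$Upn) {
    # sAMAccountName is limited to 20 characters; derive it from the UPN prefix
    $prefix = ($Upn -split '@')[0]
    if ($prefix.Length -gt 20) { $prefix.Substring(0, 20) } else { $prefix }
}

# 2. Recreate users on-prem with the SAME UserPrincipalName so that a new Azure AD
#    Connect install soft-matches them (UPN / primary SMTP) to the existing cloud
#    objects instead of creating duplicates. Cloud password hashes cannot be pulled
#    down: each account gets a random temporary password, and once password hash sync
#    runs the on-prem password replaces the cloud one, so users must be told first.
$tempPasswords = foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if ($upn -notlike "*@$UpnSuffix") {
        Write-Warning "Skipping $upn : UPN suffix differs from $UpnSuffix, soft match would not link it"
        continue
    }
    if (Get-ADUser -Filter "UserPrincipalName -eq '$upn'") { continue }   # already created
    $sam = Get-SamFromUpn $upn
    $pw  = [System.Web.Security.Membership]::GeneratePassword(16, 3)
    $params = @{
        Name                  = $sam
        SamAccountName        = $sam
        UserPrincipalName     = $upn
        DisplayName           = $u.DisplayName
        Path                  = $TargetOu
        AccountPassword       = (ConvertTo-SecureString $pw -AsPlainText -Force)
        Enabled               = $true
        ChangePasswordAtLogon = $true
    }
    # optional attributes are only set when Azure AD actually had a value
    if ($u.GivenName) { $params.GivenName    = $u.GivenName }
    if ($u.Surname)   { $params.Surname      = $u.Surname }
    if ($u.Mail)      { $params.EmailAddress = $u.Mail }
    New-ADUser @params
    [pscustomobject]@{ UserPrincipalName = $upn; TempPassword = $pw }
}
# Sensitive: distribute through a separate channel and delete the file afterwards
$tempPasswords | Export-Csv "$ExportPath\temp-passwords.csv" -NoTypeInformation

# 3. Recreate security groups and membership; these are what GPOs get scoped to.
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($g.DisplayName)'")) {
        New-ADGroup -Name $g.DisplayName -GroupScope Global -GroupCategory Security -Path $TargetOu
    }
    # only add members that were actually created above (matching UPN suffix)
    $members = $membership | Where-Object { $_.Group -eq $g.DisplayName } |
        ForEach-Object { Get-SamFromUpn $_.Upn } |
        Where-Object { Get-ADUser -Filter "SamAccountName -eq '$_'" }
    if ($members) { Add-ADGroupMember -Identity $g.DisplayName -Members $members }
}
```

Run it once before installing Azure AD Connect, then install Connect against the new forest with password hash sync. Check the first sync cycle in the Azure portal for duplicate users; a duplicate means soft match did not fire for that object (usually a UPN or mail mismatch), and the fallback is a hard match, setting the cloud object's ImmutableId to the base64 of the on-prem objectGUID with Set-AzureADUser. Machine accounts, OUs and GPOs are not in the tenant at all, so those are rebuilt by joining the 60 laptops to the new domain (MDT can do that) and creating the WSUS GPO fresh.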