I'm in the process of setting up an on-premises Domain Controller (DC) in an environment that only uses Azure Active Directory and doesn't even have an Azure subscription. I've typically worked the other way around, migrating from on-prem to Azure, but now it seems like I need to create a DC that matches the Azure domain. The plan is to build the DC, set up a Forest that matches the Azure domain, and create groups and organizational units (OUs) while ensuring the user principal names (UPNs) match what's in Azure. It feels like there's something crucial I might be overlooking, and I'm worried this setup could lead to conflicts or disrupt the existing environment.
2 Answers
This might be a bit confusing, but I don't see how you can have an on-prem DC along with only Azure AD without an active Azure subscription. Can you clarify what you mean by that?
I think what you’re trying to do sounds like a job for Entra ID Domain Services. It allows you to handle domain-based scenarios while still leveraging Azure AD. You might want to check out the details on the official Microsoft documentation to see if this fits your needs!
I wish that were an option, but the client doesn't want to budget for Azure Domain Services. It's been a rough project!
What I mean is that it’s strictly Entra ID and Office 365 with no additional services. No on-prem DC currently and no Entra Domain Services, just flat-out Azure AD.