I have a small on-premises AD environment comprising two Windows Server 2012 domain controllers. They run AD, DNS, DHCP, GP, etc.
I want to migrate this to the AWS Managed Microsoft AD.
All the articles I have read suggest that the two AD environments need to be in different domains and you have to use a migration tool, and then re-add all your user PCs to this new domain.
Ideally I want to do the following:
- Configure AWS Managed AD in the same domain as my on prem AD
- Make the AWS AD servers part of the on prem domain, and promote them to domain controllers
- All users start using the AWS AD servers
- Demote and decom the old on prem AD servers
Is this possible, or am I being stupid?
Short answer is no. One thing to realize is that the managed AD in AWS has specific use cases and isn't meant to be a replacement for your AD that sits on-prem: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_use_cases.html
You can't just go into managed AD and start promoting DCs and extending the schema - you won't have those privileges. Indeed, that's why it's managed by AWS and you have a delegated privileged account with which you can work that has limited permissions.
What I would recommend is setting up a managed AD in AWS and orienting yourself and you will quickly realize what you can't and can do. My clients mainly use it to create a one way trust back on the on-prem AD to provide SSO for workspaces and other services such as RDS.
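Added example (not from the thread): once the trust mentioned above exists, a quick way to confirm from an on-prem DC that it really is one-way and that SID filtering is enabled, rather than assuming so. The remote domain name is a placeholder; the `Test-ManagedAdTrust` function is assumed, not an AD cmdlet.

```powershell
# Added example, not from the original post. Run on an on-prem domain controller
# with the ActiveDirectory RSAT module; 'aws.example.com' is a placeholder for the
# AWS Managed AD domain name.
Import-Module ActiveDirectory

function Test-ManagedAdTrust {
    param([Parameter(Mandatory)][string]$RemoteDomain)

    $trust = Get-ADTrust -Filter "Target -eq '$RemoteDomain'" -ErrorAction Stop
    if (-not $trust) {
        Write-Warning "No trust object found for $RemoteDomain"
        return $null
    }

    # Direction is Inbound, Outbound or BiDirectional as seen from this domain.
    if ($trust.Direction -eq 'BiDirectional') {
        Write-Warning "Trust to $RemoteDomain is two-way; a one-way trust was expected"
    }

    # SID filtering stops SIDHistory from the other side being honoured here.
    # Forest trusts use SIDFilteringForestAware, external trusts use SIDFilteringQuarantined.
    $sidFiltering = if ($trust.ForestTransitive) { $trust.SIDFilteringForestAware } else { $trust.SIDFilteringQuarantined }
    if (-not $sidFiltering) {
        Write-Warning "SID filtering is disabled on the trust to $RemoteDomain"
    }

    [pscustomobject]@{
        Target        = $trust.Target
        Direction     = $trust.Direction
        ForestTrust   = $trust.ForestTransitive
        SidFiltering  = $sidFiltering
        SelectiveAuth = $trust.SelectiveAuthentication
    }
}

Test-ManagedAdTrust -RemoteDomain 'aws.example.com'
```

`netdom trust /verify` can additionally confirm the secure channel if the object looks right but authentication across the trust still fails.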
Yeah, we have such a configuration. DC on EC2 and connected via S2S VPN to on-prem. No problem there as long as you have a stable and resilient internet connection. Otherwise you will have problems. We have 2 leased lines, primary and backup.