Azure – Windows 2016 Server on site domain join with Azure AD

Tags: active-directory, azure, azure-active-directory, windows-server-2016

My company has their entire user/group architecture in the cloud using Azure. We recently purchased a Windows 2016 Server machine and I have been asked to set it up so that we can use our Azure accounts. I need to do simple things like file sharing and set up a VPN. Now, I have been reading that Azure AD Connect is NOT an option for me: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-existing-tenant

If I cannot sync Azure AD users/groups to my new AD on the server, then what do I do? I do not want to create new accounts and have people give me their passwords. I have heard about Azure AD Domain Services, but it seems like I need to spin up a virtual machine on Azure with Windows Server 2016, and I do not think that would help my case, since my server is on-site! How do I join this local domain (I have not set it up yet) to the Azure domain that already exists with all of our accounts and machines in its AD?

I have been poring through this and am not sure what I should do:

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-existing-tenant#create-a-new-on-premises-active-directory-from-data-in-azure-ad

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-comparison

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-join-windows-vm-portal

Best Answer

Azure AD by itself is not a classic AD; you can't join machines to it in the same way as on-prem AD. You can join Windows 10 machines to it, but not a server OS.

Your solution here is going to be Azure AD Domain Services. What this service does is extend Azure AD to provide full AD services (with some restrictions). It does not require you to spin up a new VM; it is a PaaS service, and you just need to turn it on for your domain. It does, however, require an Azure vNet to be deployed into.

Once you do this you will have a full AD domain that your Server 2016 machine can join, so long as the network that machine is on is connected to the vNet in Azure that you created for AAD DS (this can be VPN, ExpressRoute, etc.).

If that isn't feasible then you can use AAD Connect sync, but you would have to recreate all your user accounts in your full AD and then sync up to AAD.
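As an added example that is not part of the question or the answer above, this is the PowerShell an administrator would run on the on-site Windows Server 2016 box once the AAD DS managed domain exists and the office network is connected to its vNet (VPN or ExpressRoute). It points the server's DNS at the managed domain's controllers, checks reachability and SRV resolution over the link before attempting the join, and then joins the domain. The domain name `corp.contoso.com`, the controller addresses `10.0.0.4`/`10.0.0.5`, and the adapter name `Ethernet` are assumptions; substitute the values the Azure portal shows for your managed domain.

```powershell
# Added example, not from the original page. Joins an on-premises Windows Server 2016
# machine to an Azure AD Domain Services managed domain over a site-to-site link.
# All three values below are assumptions; replace them with your own.
$ManagedDomain = 'corp.contoso.com'           # assumption: DNS name of the AAD DS managed domain
$DcAddresses   = @('10.0.0.4', '10.0.0.5')    # assumption: managed DC IPs from the portal (Properties blade)
$Adapter       = 'Ethernet'                   # assumption: name of the server's NIC

# 1. DNS must resolve the managed domain's locator records through the VPN/ExpressRoute
#    link. Public DNS knows nothing about the managed domain, so point the server at the
#    managed domain controllers first.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcAddresses

# 2. Pre-join checks: the ports a domain join needs must be open end to end (on-prem
#    firewall, VPN route and the NSG on the AAD DS subnet). Test-NetConnection checks TCP only.
$ports = 53, 88, 135, 389, 445, 464
foreach ($ip in $DcAddresses) {
    foreach ($p in $ports) {
        $ok = (Test-NetConnection -ComputerName $ip -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        if (-not $ok) {
            Write-Warning "TCP ${ip}:${p} not reachable; check the VPN route and the vNet NSG before joining"
        }
    }
}

# The DC locator SRV record must come back from the managed controllers; if this fails,
# the join will fail with "domain could not be contacted" regardless of credentials.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV | Format-Table -AutoSize

# 3. Join with an account from the managed domain (typically a member of the
#    'AAD DC Administrators' group that AAD DS creates in the tenant). Add-Computer
#    prompts for nothing else and restarts the machine to complete the join.
$cred = Get-Credential -Message "Azure AD account in the managed domain, e.g. user@$ManagedDomain"
Add-Computer -DomainName $ManagedDomain -Credential $cred -Restart
```

Two caveats worth knowing before running this. Because the tenant in the question is cloud-only, the NTLM and Kerberos password hashes that AAD DS authenticates against do not exist until each user changes their password after the managed domain is enabled, so the joining account (and every user who will sign in to the file share or VPN) needs a password change first. And the managed domain controllers are not yours to administer: there is no Domain Admins membership on offer, only the AAD DC Administrators group, so plan Group Policy and share permissions around that.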
