How to migrate from Windows Server Active Directory to Azure AD and Microsoft 365 Business (including Teams) in 5 easy steps
Alex Fields
Microsoft 365 Business is a very compelling platform for the small business, particularly those that are “born in the cloud,” or, those who have shed most of their on-premises server weight already, by moving their line of business apps to cloud-based alternatives. I can’t tell you how many clients I have these days who have ditched QuickBooks Pro for QuickBooks Online, or Dynamics on-premises for a 365 flavor of the same. So if this sounds like you (or any of your own customers), then listen up:
I am here to tell you that it is completely possible to leave your on-premises server behind, and get out of the datacenter business in your small office. Forever.
For small organizations, it is going to become increasingly difficult to justify having even a small server sit in the wiring closet, when the alternative is a $20.00 USD / user / month subscription (plus managed services of course). Yes, you are still going to need your firewall, yes you are still going to have switches and WiFi access points and printers. Yes, you will still have security needs and IT support for normal trouble tickets as well as proactive maintenance of your devices. But no server. Not. Ever. Again.
The pre-requisites for this solution are:
- Line of business apps are all cloud-based or hosted elsewhere by third parties
- You are coming from Windows Server (SBS or Standard), probably with file and printer shares
- Exchange on-premises is possibly also in the picture (but it could be hosted elsewhere)
- You should already have “Pro” versions of Windows 7, 8, 8.1 or 10 (and you WILL be upgrading to 10)
- You have to be willing to make changes and adopt new software such as OneDrive for Business and Teams
So without further ado, let’s get started. Here’s how you move your infrastructure from an on-premises Windows Server and Active Directory, to Azure Active Directory and Microsoft 365 Business (including Teams), in five easy steps. Note: this post won’t have every screen and detail, just the big strokes, with some helpful links to more detail.
Step 1. Provision Microsoft 365 Business and Exchange Online
First things first: go get yourself signed up for a Microsoft 365 Business account. There are a few setup screens to walk through where you pick how you want to manage devices and so on. I also recommend provisioning your Exchange Online and Advanced Threat Protection subscription before the migration, with the security defaults that you would like to have in place from day one.
Step 2. Migrate Email to Exchange Online
Almost every organization starts its journey to the 365 cloud with a migration to Exchange Online. These days, there are a lot of options to get your email, contacts and calendars moved over from a legacy system such as an older Exchange Server (whether hosted at a third party or on-premises). If you have your own Exchange Server on-premises, consider using the native hybrid functionality to migrate your users initially. Once you are fully migrated, you can remove both Azure AD Connect and Exchange hybrid. Normally Exchange Server is kept in place for “hybrid” organizations, but since your intention is to get rid of all remaining servers, there is no reason to keep it active once the mailboxes are moved. As an alternative, and certainly if you are hosted elsewhere, consider using BitTitan’s MigrationWiz product; I have been using it for the last couple of years, and absolutely love it.
Step 3. Setup Microsoft Teams for your SMB organization
Most SMBs can start adopting Teams very quickly: just go to teams.microsoft.com to get started. It is easy-to-use software with built-in chat/instant messaging, file sharing (SharePoint), notebooks (OneNote), and more. The main reason we want to provision this app is because you can quickly create new cloud-hosted file shares based around the core teams within the organization. Each “Team” will represent a “file share” (think mapped drive) such as Accounting, Executive Team or Sales Department. You can have multiple “channels” or discussion threads underneath, and each of these will get a sub-folder for storing files within that Team. Of course, there are many ways to leverage and structure Teams, but this is one that I recommend simply because it maps well to what we see in a lot of small business environments.
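To show what the share-to-Team mapping above looks like when scripted, here is an added example (not code from the original post) that builds a Team per old file share and a channel per sub-folder, using the MicrosoftTeams PowerShell module. The share paths, team names and channel names in the `$layout` table are constructed for illustration; the script assumes the module is installed and the signed-in account is a Teams administrator.

```powershell
# Added example, not from the original post: mirror the old file-share layout in Teams.
# Assumes the MicrosoftTeams module is installed and you sign in as a Teams admin.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Constructed mapping: old share -> Team name and the channels (sub-folders) it needs.
$layout = @(
    @{ Share = '\\oldserver\Accounting'; Team = 'Accounting';     Channels = @('Payables', 'Receivables') }
    @{ Share = '\\oldserver\Exec';       Team = 'Executive Team'; Channels = @('Board Packs') }
    @{ Share = '\\oldserver\Sales';      Team = 'Sales';          Channels = @('Proposals', 'Pipeline') }
)

foreach ($entry in $layout) {
    # Private visibility keeps the old share's access model: only explicitly added
    # members can see the files, instead of anyone in the tenant being able to join.
    $team = Get-Team -DisplayName $entry.Team -ErrorAction SilentlyContinue
    if (-not $team) {
        $team = New-Team -DisplayName $entry.Team -Visibility Private `
                         -Description "Replaces file share $($entry.Share)"
        Write-Host "Created team '$($entry.Team)' (GroupId $($team.GroupId))"
    }

    foreach ($channel in $entry.Channels) {
        # Each channel becomes a folder in the Team's SharePoint document library.
        $existing = Get-TeamChannel -GroupId $team.GroupId |
                    Where-Object DisplayName -eq $channel
        if (-not $existing) {
            New-TeamChannel -GroupId $team.GroupId -DisplayName $channel | Out-Null
            Write-Host "  Added channel '$channel'"
        }
    }
}
```

The script is idempotent, so it can be re-run after adjusting the table without creating duplicates. Membership is deliberately left out: add owners and members per Team afterwards (for example with `Add-TeamUser`) based on who had access to the original share, rather than defaulting to everyone.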
Step 4. Migrate file shares to OneDrive for Business and SharePoint Online
Microsoft has a migration tool available which can help you to migrate existing file shares. But there is a good chance that your organization doesn’t necessarily want to migrate everything. Most file servers are a giant clutter mess, so this is a great opportunity for organizations to clean house and shed weight. It is possible, for example, to copy over only active files that people really need or “care about” and then dump everything that remains to a NAS or similar solution, for backup/archive purposes. This way, old files are still available if users need to go back and pull “missed items” into OneDrive or SharePoint. Once you have everything in its right place, shut off the old file shares.
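The “copy only the active files, archive the rest” approach above can be done with built-in tools. The following added example (not from the original post) sizes up a share by last-modified date, flags file names that SharePoint and OneDrive will not accept, and then uses robocopy with `/MAXAGE` to stage only the active set. The share and staging paths are assumptions; run it with `-WhatIf` first to get a listing without copying anything.

```powershell
# Added example, not from the original post: triage an old file share before migration.
# Files modified within the last $ActiveDays are staged for upload; older files are
# counted for the archive NAS. All paths below are assumptions for illustration.
param(
    [string]$Source     = '\\oldserver\Accounting',   # assumed old share
    [string]$Staging    = 'D:\Migrate\Accounting',    # assumed staging folder
    [int]   $ActiveDays = 365,
    [switch]$WhatIf                                    # dry run: list, do not copy
)

$cutoff = (Get-Date).AddDays(-$ActiveDays)
$files  = Get-ChildItem -Path $Source -Recurse -File -ErrorAction SilentlyContinue

$active = $files | Where-Object LastWriteTime -ge $cutoff
$stale  = $files | Where-Object LastWriteTime -lt $cutoff

# Summary so the business can decide what it "cares about" before anything moves.
'{0,-8} {1,8} {2,12}'    -f 'Bucket', 'Files', 'Size (MB)'
'{0,-8} {1,8} {2,12:N1}' -f 'active',  $active.Count, (($active | Measure-Object Length -Sum).Sum / 1MB)
'{0,-8} {1,8} {2,12:N1}' -f 'archive', $stale.Count,  (($stale  | Measure-Object Length -Sum).Sum / 1MB)

# Names containing \ / : * ? " < > | or Office lock files (~$...) will fail to upload;
# list them so they can be renamed or dropped before the copy.
$badNames = $active | Where-Object { $_.Name -match '[\\/:*?"<>|]' -or $_.Name -match '^~\$' }
if ($badNames) { "`nRename or remove before upload:"; $badNames.FullName }

# Copy only the active set. /E includes sub-folders, /COPY:DAT keeps data, attributes
# and timestamps (append S to also carry NTFS ACLs), /MAXAGE:n skips files older than
# n days, and /L turns the run into a listing only.
$rcArgs = @($Source, $Staging, '/E', '/COPY:DAT', "/MAXAGE:$ActiveDays", '/R:1', '/W:1', '/NP')
if ($WhatIf) { $rcArgs += '/L' }
& robocopy.exe @rcArgs
```

Staging to a local folder and then uploading with the Microsoft migration tool or the OneDrive client keeps the old share read-only during the cut-over; the archive bucket is what goes to the NAS, and the listing of rejected names is usually where the most manual clean-up time goes.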
Step 5. Upgrade to Windows 10 Pro and Join Azure AD
To take full advantage of Azure Active Directory and your Microsoft 365 Business subscription, you will want to join your computers to Azure AD, so that users can sign in to their PCs using their cloud identities and passwords. Hopefully your small organization is already using Windows 7, 8, or 8.1 Pro; if so, then you qualify for an upgrade to Windows 10 Business using your Microsoft 365 Business subscription. Once you have installed Windows 10, or if your computers already meet the requirement, it is time to join Azure Active Directory, so you can take advantage of the slick device management features built into Windows 10 and Microsoft 365 Business.
If the machines previously belonged to an on-premises Active Directory domain, then you will need to disjoin them from that domain first before joining Azure AD (my favorite method, though, is to start with new or freshly imaged Windows 10 Pro computers that were never part of a domain). Go to Settings > Accounts > Access work or school > Connect, and then choose the option “Join this device to Azure Active Directory.”
Once your users are signed into their devices using Azure Active Directory credentials, make sure to set up OneDrive for Business, so you’re taking advantage of Files On-Demand and Known Folder Move (protecting Desktop, Pictures and Documents). Install the Office apps (Autopilot can do this for you, actually) and Microsoft Teams, and then sync your Teams document libraries using the OneDrive client. Now you can see all those files in File Explorer, and in Teams!
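Because a machine that is still domain-joined, or that never picked up the OneDrive policies, looks fine to the user until something breaks, it is worth checking the end state of Step 5 on each device. The following added example (not from the original post) reads `dsregcmd /status` to confirm the device is Azure AD joined and no longer on-prem domain joined, then checks the documented OneDrive policy values for Files On-Demand and Known Folder Move under `HKLM:\SOFTWARE\Policies\Microsoft\OneDrive`. The tenant ID is a placeholder you fill in from your admin center; the check names and pass/fail layout are this example's own.

```powershell
# Added example, not from the original post: verify a Windows 10 device ended up in the
# state Step 5 expects. Run in an elevated PowerShell on the device after the user has
# signed in. $ExpectedTenantId is a placeholder; take the real value from the admin center.
$ExpectedTenantId = '<your-tenant-id-guid>'

# dsregcmd /status prints "Key : Value" lines; collect the single-word keys we need.
$ds = @{}
dsregcmd.exe /status | ForEach-Object {
    if ($_ -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $ds[$Matches[1]] = $Matches[2] }
}

$checks = [ordered]@{
    'Azure AD joined'                  = ($ds['AzureAdJoined'] -eq 'YES')
    'Not joined to on-prem AD domain'  = ($ds['DomainJoined']  -eq 'NO')
    'Joined to the expected tenant'    = ($ds['TenantId']      -eq $ExpectedTenantId)
    'Device key protected by TPM'      = ($ds['TpmProtected']  -eq 'YES')
}

# OneDrive policies live under HKLM so they apply to every user on the device.
$od = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive' -ErrorAction SilentlyContinue
$checks['OneDrive Files On-Demand enabled']       = ($od.FilesOnDemandEnabled -eq 1)
$checks['OneDrive Known Folder Move to tenant']   = ($od.KFMSilentOptIn      -eq $ExpectedTenantId)
$checks['OneDrive KFM opt-out blocked']           = ($od.KFMBlockOptOut      -eq 1)
$checks['OneDrive silent account configuration'] = ($od.SilentAccountConfig -eq 1)

$failed = 0
foreach ($c in $checks.GetEnumerator()) {
    $status = if ($c.Value) { 'PASS' } else { $failed++; 'FAIL' }
    '{0}  {1}' -f $status, $c.Key
}
"`n$failed check(s) failed"
exit $failed
```

A non-zero exit code makes the script usable as a remote-management or Intune compliance check rather than a one-off. Two of the rows are the ones that matter most from a security standpoint: `DomainJoined : NO` proves the old domain controller really can be switched off for this machine, and `KFMBlockOptOut` keeps users from quietly moving their Desktop and Documents back to an unprotected local folder.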
In case you missed it, at this point you no longer need your on-premises domain controller, so go ahead and turn that sucker off. Other network services such as DHCP and DNS should live on the firewall or router at the edge of the network, and printer drivers will just be installed locally on each machine rather than on the server.
Further notes on security and management of devices
There is an older generation of folks out there who do not yet grasp how beneficial this type of infrastructure can be, for end users and IT alike. The truth of the matter is, most small businesses never really leveraged Active Directory and tools like Group Policy correctly, or to the fullest extent anyway. At most, the technology probably provided mapped drives, printer shares, and of course the shared login capabilities that come with a centralized security boundary. Enterprise IT departments are usually tied into a lot more of the functionality and feature sets of Windows Server Active Directory: Certificate Services, Rights Management Services, Remote Desktop Services and so forth. This means that migrating a larger organization can be quite a bit more complex than the five steps above.
But for the SMB of say 25 users (give or take) who have small server footprints, this move is not that hard to do. Resistance to it is mostly mental / emotional.
Once you are moved over to this platform I encourage you to check out the modern device management features, which are a great improvement over GPO. For example, you can see when a policy has been successfully applied, or when it has failed to apply, and which endpoints were impacted.
So the way I see it, Microsoft 365 Business represents a huge opportunity for Managed Services IT Providers, because these companies can manage all of the cloud resources and identities centrally for their customers within the Microsoft 365 Admin portal, and supplement that suite with their own support and security tools. These are things they were going to do anyway, but now they can do it without having to spend their time deploying, updating, replacing and generally toying with servers. I for one will be glad to see that part of the business go away. What do you think?