I have a love-hate relationship with Windows Server Essentials. It’s a great product with a lot of goodness baked in, but there are some real limits to it as well. On the one hand, Remote Web Access, Client PC backup, the Azure Recovery plugins, and so on, add a TON of value to Windows Server in the small (and even larger/mid-sized) business space. However, when it comes to synchronizing user accounts and passwords into Azure AD / Office 365, I don’t like Essentials–Azure AD Connect is the clear winner, and my most preferred tool (and the market’s as well).
Unlike Azure AD / Office 365 integration from the Windows Server Essentials Dashboard, Azure AD Connect is a true directory synchronization engine, and can provide a seamless Single Sign-On experience (SSO) to end users. Not to mention, you can light up password write-back and self-service password resets for on-premises accounts with Azure AD Premium (P1) or Enterprise Mobility & Security E3.
With Essentials, you don’t get true SSO, you don’t have the option for password write-back, and in fact you don’t even have a true directory sync. Instead, you just have “cloud-only” accounts and on-premises ones, which just so happen to be editable from the same on-premises UI. So it’s better than nothing, but I always lead with Azure AD Connect on Windows Server Standard, falling back to Essentials if Standard just isn’t in the budget. If you are a non-profit, just do Standard; it costs you basically nothing. If you are for-profit… suck it up–don’t be penny wise and pound foolish!
Standard Edition is the solution to a very simple problem
You see, unfortunately Azure AD Connect is not supported on Windows Server Essentials. However, all of the other great Windows Server Essentials features are still available to you on Windows Server Standard, since you can install the Essentials Experience as a role. I don’t like being constrained. Standard solves both issues at once–support for Azure AD Connect, and the ability to keep all the other great Essentials features.
Furthermore, when you upgrade* your existing Essentials license to Standard, you lose basically nothing–because you can add and join a Standard Edition Windows Server to your Essentials-based domain, and no further migration is really required. You can continue to use Essentials just as it is for file & printer sharing, remote access, backup, or whatever. Therefore, the Windows Server Standard edition server can be put into place with no downtime or interruption, to become a “hybrid” server that stands between your Essentials domain and Office 365, giving you richer cloud-enabled services with:
- Exchange 2016 Server (free hybrid installation) for better management of on-prem accounts & cloud mailboxes
- Azure AD Connect for Directory & password hash synchronization, as well as seamless Single Sign-On
Optionally, you could promote this new server to a domain controller before installing the above items, if you intend to add redundancy or to migrate completely off Essentials someday. Again, that is completely optional in many cases where you already have a newer Essentials 2012 R2 or 2016 system in place.
*NOTE: When you upgrade licensing from Essentials to Standard, you must also buy the Windows Server CALs–they are not included like they were with the Essentials SKU.
The procedure, outlined
Here are the steps we can take:
- Install Windows Server Standard edition & join the domain
- Promote the server using Server Manager (optional)*
- Install Exchange Server 2016 (free hybrid edition)
- Migrate from Essentials Azure AD integration to Azure AD Connect
- Run the Hybrid Configuration Wizard
- Optionally, migrate other services
*Installing Exchange on a Domain Controller is in fact supported by Microsoft, even though it is not necessarily recommended (just think of this as your new “DIY SBS”)
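The first two steps above (join, then optionally promote) scripted in PowerShell, with a final check that Azure AD Connect is really carrying the directory and password hash sync once the Essentials Azure AD integration has been switched off. This is an added example, not something from the original post; the domain name is a placeholder, and each function is meant to be run at the step it belongs to, not all at once.

```powershell
# Added example: automation for the "procedure, outlined" steps.
# 'corp.example.local' is a placeholder for your Essentials-based domain.
$Domain = 'corp.example.local'

# Step 1: join the new Windows Server Standard machine to the Essentials domain.
function Join-EssentialsDomain {
    param([string]$DomainName, [pscredential]$Credential)
    if ((Get-CimInstance Win32_ComputerSystem).Domain -eq $DomainName) {
        return "Already a member of $DomainName"
    }
    Add-Computer -DomainName $DomainName -Credential $Credential -Restart
}

# Step 2 (optional): promote to an additional DC in the existing domain and add
# the Essentials Experience role so RWA / client backup stay available here too.
function Add-StandardDomainController {
    param([string]$DomainName, [pscredential]$Credential)
    Install-WindowsFeature -Name AD-Domain-Services, ServerEssentialsRole -IncludeManagementTools
    $dsrm = Read-Host -AsSecureString 'DSRM (Safe Mode) administrator password'
    # Dry run first: surfaces DNS / replication / permission problems before any change.
    Test-ADDSDomainControllerInstallation -DomainName $DomainName -Credential $Credential `
        -SafeModeAdministratorPassword $dsrm
    Install-ADDSDomainController -DomainName $DomainName -Credential $Credential `
        -InstallDns -SafeModeAdministratorPassword $dsrm -Force
}

# Step 4 follow-up: after Azure AD Connect is installed and the Essentials
# Dashboard's Azure AD integration is OFF, confirm the sync engine is live,
# not in staging mode, and that password hash sync is enabled.
function Test-AADConnectState {
    Import-Module ADSync
    $sched   = Get-ADSyncScheduler
    $feature = Get-ADSyncAADCompanyFeature
    [pscustomobject]@{
        SyncCycleEnabled = $sched.SyncCycleEnabled
        StagingMode      = $sched.StagingModeEnabled   # must be False on the active server
        NextSyncUtc      = $sched.NextSyncCycleStartTimeInUTC
        PasswordHashSync = $feature.PasswordHashSync   # expected True for this design
    }
}

$cred = Get-Credential -Message "Domain admin for $Domain"
Join-EssentialsDomain -DomainName $Domain -Credential $cred
# After the reboot:  Add-StandardDomainController -DomainName $Domain -Credential $cred
# After AAD Connect: Test-AADConnectState
```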
This is not difficult to accomplish, and it opens more doors for your customers. I recommend this upgrade, if it is in the budget. In a brand new deployment, I would lead with Windows Server Standard edition on physical hardware, enabling the Hyper-V role and installing two virtual machines. Alternatively, this can be deployed in Azure for around USD $300/month. For example:
- SRV-DC : AD/DNS, File/Print, Exchange 2016, Azure AD Connect
- SRV-RDS: Remote Access (accomplished via the RDS quick deployment or Essentials Experience role)
Note: You can still run the Essentials Experience role on either VM (can be installed as a DC or Member server)–just do not enable the Azure AD integration (it is not supported to use it alongside Azure AD Connect).