Our organization is currently in the middle phase of Azure migration, using AD Connect to sync all user accounts from local AD to Azure AD with all endpoints joined directly to Azure AD. We're trying to figure out what a post-on-prem AD domain config should look like for our next phase but keep coming back to the need for at least one "services" server on-prem at each of our sites.
Is this the model that others are following? If so, how are these local servers to be managed? Should they be legacy domain-joined to Azure AD DS? The goal is to ultimately decom our legacy AD DS domain, but I'm having trouble finding outlines of this scenario where a server remains at each site in an otherwise all-Azure world. We will have Azure AD DS in the mix for the foreseeable future for legacy LOB apps (across a tunnel to Azure).
Why do we need on-prem services servers?
- Azure File Sync local file caching to each site for performant access to Azure file shares (doesn't this still rely on NTLM via AD DS?)
- Universal Print connector to connect our older printers to the cloud
- Backup servers running Veeam to local SAN storage (backing up these on-prem servers and snapshots of Azure file shares?)
- NPS/RADIUS services for our Wi-Fi authentication (this one may deserve its own separate thread due to some MFA complications)
Thanks for any insight you can provide, and please let me know if I'm approaching this wrong. There's a big push in the organization to make the old domain and all its servers go away, but I'm not certain this is the only path forward.