Bringing SMB clients to "the cloud"

YeOldeStonecat ([H]F Junkie, joined Jul 19, 2004, 11,330 messages)
Returning member here for the forums. I used to hang around these boards about a decade ago, in the Networking/Security sub forum. Saw this Cloud forum here... thought I'd come back to get some conversation on the topic going.

We're an SMB IT firm providing IT services to SMBs. We've moved a lot of our clients from the typical SBS server setup to Office 365. We do quite a few O365 sales; we're in the CSP program.

I'm working on wrapping my head around various ways to bring small offices to "the cloud". Many smaller clients of ours are under 10 computers. With cloud services such as O365, OneDrive, Sharepoint, DattoDrive, etc...I'm struggling to find a reason to have these clients maintain some $5,000.00 server on prem, and many businesses don't really have a need for a domain controller.

Are some of you guys spinning up cloud based DCs...or transitioning over to Azure AD, or finding out how to "hybrid" a client?
 
I'm in the security/compliance advisory business and I have a number of clients ranging from the less than 10 person startup all the way to Fortune 500 level scale. For the newer startups, I'm seeing them go exclusively to the cloud and having nothing on-prem other than networking equipment. I have some that are solely using AzureAD and others that are running a virtual Windows server or two in the cloud to handle Windows DC duties. The larger the company gets, the more hybrid the approach becomes. The overwhelming trend is that email/exchange is being moved to Office 365 with the occasional defector to Google Apps, while retaining their on-prem DCs.

In a way, it depends on the use cases for how the networks are being used. For example, if you're looking at an engineering firm with huge CAD files being shared and flung about the network, the all-cloud model will require a huge pipe to the internet. For the less demanding office, there's not a huge reason to have the servers on-prem anymore....
 
How are you finding Azure AD...in relation to a local 2008R2 or 2012R2 domain controller? Very "watered down"? Still able to do group policies 'n such?
With a "cloud DC"...be it Azure AD, or a spun up Windows server DC...what is the connection mechanism for the workstations? Typically when you have a Windows server running as a DC, it runs DHCP for the LAN, and hands itself and only itself out as the DNS server for the clients, instead of the usual router's LAN IP or the ISP's DNS servers.
I've seen a bit of the "federated services" to integrate a local login with the O365 accounts...including the more basic O365 connector you see in the Essentials role when you add that to a 2012 server. It helps connect local AD user accounts with the cloud accounts, to tie in their password, and gives a basic admin function. But without a local DC...how are the clients logging into a DC "up in the cloud"? Customize a DHCP resource on the LAN so it hands out the cloud server's public IP for the DNS? Or is there some special "connector" you download/install on each client?
 
AzureAD is very watered down and really not sufficient for those that need Group Policies and all of the usual AD sorts of control. I think I only have a couple of clients that are using it, and it's mostly for them bopping around their Azure cloud infrastructure.

For the ones running the cloud DCs, Windows 2012R2 can be a bit of a pain to work with, but it is fairly functional when you set up a VPC back to Azure so they are on the same "network". On the LAN side, DHCP/DNS/etc. are handled by the on-prem device (e.g. a Meraki). Remote devices can bounce in using a VPN back to the main office. From what I understand, 2012R2 does not like it when everything connecting is remote to it, so this structure makes it think everything is on the same network and happy.

One disclaimer is that I do NOT do this stuff - I work with a company that does, so this is more of an observation of how they do things with their clients that I do compliance work for with them.
 
AzureAD's intent and strong suit is AuthN and AuthZ. If your clients use (mostly) cloud-based applications, then AzureAD is a great way to go. This value can be compounded by O365 since those two products go together anyway. If your client already has on-prem AD and can't migrate to AzureAD without losing any function, then it'll be a tougher sell.

Personally, I think the cloud has tremendous value for a small business. From an infrastructure security standpoint, the upfront cost alone will prevent a business from investing in things like SIEM, load balancing, rollover, etc. Also, how many small businesses do you support that are simply on antiquated server OS software and hardware? Cloud really helps with a lot of those issues and in most cases does it for an easier fee (for the business to swallow). This shorter ROI window helps the value case of cloud, but only when compared to doing the same things on-prem (which is why I mentioned that some small businesses simply won't take even some of the more rudimentary expenditures for IT security).
 
Yeah, I think about things such as losing the Print Manager group policy...where you can push/deploy all the printers on the network without visiting any workstations. Or folder redirection...to capture /desktop /documents /faves. Things to help minimize downtime if a workstation's WD Blue hard drive goes belly up. Typically a quick rebuild, join domain, install client apps from the server, log in as user...and BAM, most things are back. That spoils the IT admin. I'm trying to envision how you find an equivalent of those when bringing an office to the cloud.

Or things like, how many offices have a big Xerox or Canon MFP that has pre-programmed destinations for scans...going to specific department folders or user folders or just a common "scans" folder on the server? Bringing an office to the cloud, I can't see how MFPs like those can provide the same function. Guess the office has to shift to having the MFP send scans to email.

We use N-Able for our RMM, typically have the "probe" on the server, set to scan, and push agents and software to workstations based on AD authentication. Does that functionality get reduced? Plus the local repository on the probe, for efficiently pushing AV and Windows and 3rd party updates across the LAN. Download once, push to all across the LAN.

Office 365 has SharePoint...and I know that is still "maturing", that some offices find it still buggy and clunky to use as the central repository...the equivalent of the "S" drive on a server share. We've played with DattoDrive also, as we're big Datto backup resellers. I'd love to play with other similar services out there, to replicate a "server storage drive" for clients in the office. But I'd love to get SharePoint working a lot more, since many clients are already paying for O365.
 
There's different tiers of Azure AD. The lite 'free' version does not have Group Policy integration, but the premium tier does. You can also spin up an Azure VM with your traditional DC in it and link it to on-premise over VPN.
 
OK, so if you do the VPN approach between the cloud server and the client's office LAN...it's quite similar to having a local DC as far as having ADUC accounts, taking workstations and joining the domain, stuff like that.

So you'd have to factor in the VPN bottleneck, and be cautious about things like folder redirection, and probably even pushing out printers using the print deploy GPO. But other GPOs for controlling typical things like prepopulated desktop shortcuts, how user accounts are secured (complexity, change frequency, etc)...those don't kill bandwidth.

Web browsing response probably suffers a bit, with DNS requests going up through a VPN tunnel to the DNS and back.

I will have to get into those Azure features more, read up on the differences.
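As an added example (not code from any post in this thread) of the VPN-to-cloud-DC arrangement discussed above: the on-prem DHCP server hands the cloud DC out as the only DNS server for the LAN, and a check function verifies from a workstation that the DC locator, the ports a domain member needs, and the DNS round trip over the tunnel all behave. The domain name, addresses, and scope are placeholders; the DHCP role is assumed to live on a Windows server on the LAN (for a Meraki or other router doing DHCP you would set the same DNS option in its UI).

```powershell
# Added example, not from the thread. Assumptions (all placeholders): the AD domain is
# corp.example.com, the cloud DC sits at 10.0.1.4 on the Azure side of a site-to-site VPN,
# and the LAN scope is 192.168.10.0/24 served by a Windows DHCP server.
#Requires -Modules DhcpServer

$Domain    = 'corp.example.com'
$CloudDc   = '10.0.1.4'        # private VNet address of the DC, reached through the VPN
$ScopeId   = '192.168.10.0'
$LanRouter = '192.168.10.1'

# 1. Hand the cloud DC out as the ONLY DNS server for the LAN scope (option 6), with the
#    AD domain as the DNS suffix (option 15). Mixing in the router's or ISP's resolver lets
#    clients answer AD lookups from a server that knows nothing about the _msdcs SRV
#    records, which shows up as intermittent logon/GPO failures rather than a clean error.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $CloudDc -DnsDomain $Domain -Router $LanRouter

# 2. Verification, run on a workstation after "ipconfig /renew" (or on the DHCP server).
function Test-CloudDcPath {
    param(
        [Parameter(Mandatory)] [string]$Domain,
        [Parameter(Mandatory)] [string]$DcAddress
    )
    $result = [ordered]@{}

    # The DC locator depends on this SRV record. If it does not resolve, domain join and
    # logon fail even though the DC answers ping.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcAddress -ErrorAction SilentlyContinue
    $result.SrvRecordFound = [bool]($srv | Where-Object { $_.Type -eq 'SRV' })

    # TCP ports a domain member needs through the tunnel: DNS, Kerberos, LDAP, SMB (SYSVOL/GPO).
    foreach ($port in 53, 88, 389, 445) {
        $tnc = Test-NetConnection -ComputerName $DcAddress -Port $port -WarningAction SilentlyContinue
        $result["Tcp$port"] = $tnc.TcpTestSucceeded
    }

    # Round-trip cost of one DNS query over the VPN: this is the overhead every web lookup
    # pays when the cloud DC is the client's only resolver.
    $ms = (Measure-Command {
        Resolve-DnsName -Name $Domain -Server $DcAddress -ErrorAction SilentlyContinue | Out-Null
    }).TotalMilliseconds
    $result.DnsRoundTripMs = [math]::Round($ms, 1)

    # Ask the locator which DC it actually picks. The Flags line tells you whether the
    # client is treated as on-site for that DC (CLOSEST_SITE) or as a remote client.
    $result.LocatorOutput = (& nltest.exe /dsgetdc:$Domain /force 2>&1) -join "`n"

    [pscustomobject]$result
}

Test-CloudDcPath -Domain $Domain -DcAddress $CloudDc | Format-List
```

If the locator output does not show the client as on-site, map the LAN subnet to the DC's site on the DC itself (for example `New-ADReplicationSubnet -Name '192.168.10.0/24' -Site 'Default-First-Site-Name'` from the ActiveDirectory module); that is what makes clients behind the tunnel look "local" to the DC. A DNS round trip of tens of milliseconds per query is the price of sending all resolution through the tunnel, which is why a local DNS server forwarding only the AD zone to the cloud DC is a common refinement.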
 
Depends on what kind of internet is available.
Doing a lot of stuff in the "cloud" is painful over DSL (slow and bad phone lines) and Comcast (jitter and not that stable), which for most small businesses are the only options here.
Even Office 365 used only for email gets really painful on an up-to-10 Mb DSL line (5-8 Mb typical) with 10 users.
 
Even Office 365 used only for email gets really painful on an up-to-10 Mb DSL line (5-8 Mb typical) with 10 users.

I haven't experienced that...and I have many clients on O365 E plans, 20, 50, even 100 users...many with large mailboxes. I have a 25 user accounting office on a symmetrical 3 Mb fiber. Outlook is fairly elastic over poor bandwidth. Granted...the migration from their SBS03 was painfully long, even doing it from the neutral location of BitTitan MigrationWiz.
 