When determining whether to decommission or upgrade your Server 2003 Domain Controllers, the question you need to answer is whether you need on-premises central sign-on.
The answer to this question depends largely on how your organization's users access resources. On-premises central sign-on is necessary if you have on-premises resources that your organization's users need to access, such as an Exchange Server, file servers, or a SharePoint deployment.
If your organization has started to move these resources to the cloud, plans to, or has already moved some of them, the argument for an on-premises domain controller becomes a little less convincing. It weakens further if your organization isn't really doing anything with Group Policy.
Let me explain.
One of the lesser noted features of Windows 10 is the ability to perform Azure Active Directory Domain Join. Rather than signing on to Windows 10 with a traditional domain account, or signing in with a personal Microsoft account such as an outlook.com account, it's possible to sign in with an Azure Active Directory account, such as one of the accounts used for Office 365. Rather than authenticating to Office 365 separately, Office 365 sign-on occurs when the user logs on to their computer. Once they've done that, access to Exchange Online and OneDrive for Business occurs automatically. Microsoft is even moving to include device management capability with Office 365.
If an organization has Office 365 and is deploying Windows 10, the argument for getting rid of on-premises domain controllers starts to get pretty strong. It all comes down to whether or not there are resources on-premises that you want to control access to using a domain account. If your organization does have substantial file server infrastructure on-premises, then getting rid of the DCs doesn't make sense. If you are scratching your head trying to think of something on-premises that does require a domain account to access, then perhaps you should consider removing on-premises Active Directory from the equation.
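The two questions above, whether the device already signs on through Azure AD and whether anything on-premises still depends on domain accounts, can be answered from a console before anyone touches a DC. The script below is an added example and is not from the original post. It assumes a Windows 10 machine with the RSAT GroupPolicy and ActiveDirectory modules installed, an account permitted to query the domain, and the `dsregcmd /status` output format that ships with Windows 10; the file server names are constructed placeholders.

```powershell
# Added example, not from the original post: a pre-decommissioning readiness check.
# Assumes RSAT GroupPolicy and ActiveDirectory modules and domain query rights.

function Get-DeviceJoinState {
    # dsregcmd /status prints "Name : Value" lines; turn them into a lookup table.
    $fields = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $fields[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($fields['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($fields['DomainJoined']  -eq 'YES')
    }
}

function Get-OnPremDependencies {
    param(
        # Constructed placeholder names; replace with the file servers you actually run.
        [string[]]$FileServers = @('FS01', 'FS02')
    )
    Import-Module GroupPolicy, ActiveDirectory -ErrorAction Stop

    # Group Policy actually in use: anything beyond the two defaults every domain ships with.
    $customGpos = Get-GPO -All |
        Where-Object { $_.DisplayName -notin 'Default Domain Policy', 'Default Domain Controllers Policy' }

    # Shares other than the administrative defaults ($-suffixed) still served on-premises.
    $shares = foreach ($server in $FileServers) {
        try {
            Get-SmbShare -CimSession $server -ErrorAction Stop |
                Where-Object { $_.Name -notmatch '\$$' } |
                Select-Object @{ n = 'Server'; e = { $server } }, Name, Path
        } catch {
            Write-Warning "Could not enumerate shares on ${server}: $($_.Exception.Message)"
        }
    }

    # Member servers still registered in AD are a proxy for services that
    # authenticate users against the domain (Exchange, SharePoint, line-of-business apps).
    $serverCount = @(Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Count

    [pscustomobject]@{
        CustomGpoCount    = @($customGpos).Count
        CustomGpoNames    = @($customGpos.DisplayName)
        OnPremShareCount  = @($shares).Count
        OnPremShares      = @($shares)
        DomainServerCount = $serverCount
    }
}

# Usage: a device that reports AzureAdJoined, with no custom GPOs, no non-default
# shares and no member servers left in the directory, has little that still
# needs an on-premises domain controller.
$join = Get-DeviceJoinState
$deps = Get-OnPremDependencies
$join | Format-List
$deps | Select-Object CustomGpoCount, OnPremShareCount, DomainServerCount | Format-List
```

Treat a non-zero count in any of the three dependency columns as the point where the post's argument stops applying: each custom GPO, share or member server is something a domain account is still gating, and the DCs stay until that dependency is moved or retired.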
Getting rid of on-premises single sign-on is definitely something that will work a lot better for smaller organizations than it will for larger organizations with a more extensive infrastructure. There will always be a place for on-premises Active Directory; it's just more likely to be something that medium and large enterprises bother with, while small businesses are finally able to shut down that server that sits in the break room or under the administrative assistant's desk.