On-Premises Server Migration to Azure IaaS

Engagement Overview

Cybernerds was engaged to plan and execute the migration of a mid-market professional services firm's on-premises server infrastructure to Microsoft Azure. The organization operated aging physical servers nearing end-of-life, with no disaster recovery capability and growing maintenance costs. The engagement began with IRIS to assess the current environment and migration readiness, followed by PDS to design, migrate, and validate the Azure infrastructure.

Initial State

The organization operated a traditional on-premises server room with physical hardware running critical workloads. Key findings during IRIS included:

• ✓Three physical servers (2× Windows Server 2016, 1× Windows Server 2019) — all past or approaching end of extended support
• ✓File server with 2.4 TB of shared data — no redundancy, single disk array
• ✓On-premises Active Directory domain controller with no secondary DC
• ✓Line-of-business application (accounting/ERP) running on a single server with no failover
• ✓No backup solution — only periodic manual copies to an external USB drive
• ✓No disaster recovery plan — estimated recovery time from hardware failure: 3-5 business days
• ✓Annual server maintenance and replacement costs escalating — two hardware incidents in the past 18 months
• ✓ISP providing a single static IP with no failover connectivity

Key Challenges

• ✓Business Continuity: Single points of failure across every critical workload — any hardware failure would halt operations
• ✓Data Risk: 2.4 TB of business data with no proper backup or redundancy
• ✓Legacy Applications: LOB accounting application required specific Windows Server version and SQL Server configuration
• ✓Downtime Window: Firm could not tolerate extended downtime — migration needed to occur over a weekend
• ✓Identity: On-premises AD needed to be preserved for LOB app compatibility while extending to cloud
• ✓Cost Sensitivity: Migration budget constrained — needed to demonstrate clear ROI versus hardware replacement
• ✓Knowledge Gap: Internal IT had no Azure experience — solution needed to be manageable post-migration

Solution Design — PDS Framework

• ✓Azure Landing Zone: Subscription with resource groups organized by workload, RBAC, and tagging standards
• ✓Compute: Azure VMs sized to match current workloads — B-series for DC, D-series for LOB application server
• ✓File Services: Azure Files Premium with SMB access replacing on-premises file server — Azure File Sync for staged migration
• ✓Identity: Existing AD domain controller migrated to Azure VM with Entra ID Connect maintaining hybrid identity
• ✓Backup: Azure Backup vault protecting all VMs and file shares with 30-day retention
• ✓Disaster Recovery: Azure Site Recovery configured for cross-region replication of the LOB application server
• ✓Networking: VNet with subnets by workload, NSGs enforcing least-privilege, Azure Bastion for secure admin access
• ✓Connectivity: Site-to-site VPN from office to Azure VNet for transparent user access during transition period
• ✓Migration Strategy: Azure Migrate for server assessment and replication — staged cutover with rollback plan

Implementation — PDS Execution

The migration was executed over a single weekend with a documented rollback plan. Users connected Monday morning via VPN with no changes to their mapped drives or application access.

• ✓Deployed Azure landing zone with subscription structure, RBAC, and resource naming conventions
• ✓Configured VNet with workload subnets, NSGs, and Azure Bastion for administrative access
• ✓Established site-to-site VPN between office network and Azure VNet
• ✓Used Azure Migrate to assess on-premises servers and begin replication to Azure
• ✓Migrated domain controller to Azure VM — validated AD replication, DNS, and Group Policy
• ✓Migrated LOB application server — performed pre-cutover testing with vendor during business hours
• ✓Deployed Azure Files Premium and used Azure File Sync to replicate 2.4 TB file share
• ✓Configured Azure Backup policies for all VMs and file shares
• ✓Set up Azure Site Recovery for LOB server with cross-region failover
• ✓Executed weekend cutover — DNS updates, VPN route changes, user acceptance testing
• ✓Decommissioned on-premises servers after two-week parallel operation period

Validation — PDS Validation Phase

• ✓All VMs running in Azure with performance meeting or exceeding on-premises baselines
• ✓Azure Files accessible via existing mapped drive letters — users reported no difference in experience
• ✓AD domain controller operating normally — DNS resolution, Group Policy, and Entra ID Connect sync validated
• ✓LOB application functional — vendor confirmed compatibility and performance during UAT
• ✓Azure Backup completing nightly backups with successful test restore verified
• ✓Azure Site Recovery failover tested — LOB server recovered in secondary region within RPO/RTO targets
• ✓Azure Bastion providing secure admin access — no RDP exposed to the internet
• ✓NSG rules validated — only required traffic permitted between subnets
• ✓Cost tracking confirmed monthly Azure spend within projected budget

Outcome

• ✓All critical workloads migrated from aging on-premises hardware to Azure
• ✓Disaster recovery capability established for the first time — cross-region replication with defined RPO/RTO
• ✓Automated backup replacing manual USB copies — 30-day retention with tested restore procedures
• ✓Hardware dependency eliminated — no more server room maintenance, cooling, or replacement cycles
• ✓User experience preserved — mapped drives, application access, and authentication unchanged
• ✓Monthly Azure cost lower than annualized on-premises hardware maintenance and replacement budget
• ✓Scalable infrastructure — adding capacity no longer requires hardware procurement
• ✓Secure remote administration via Azure Bastion — no exposed RDP or management ports
• ✓Complete migration documentation and operational runbook delivered to internal IT