Options to consider:
□ Domain Controller (AD DS/AD CS/AD FS)
□ SQL Server Database
□ Web Server (IIS/Apache/Nginx)
□ Application Server (custom applications)
□ File Server / File Share host
□ Certificate Authority (Enterprise/Standalone)
□ PKI Infrastructure (OCSP/CRL/NDES)
□ Print Server
□ DHCP/DNS Server (non-DC)
□ Backup Server
□ Monitoring/Management Server
□ Legacy Application Host
□ Jump Box/Bastion Host
□ Development/Test Environment
⚠️ CRITICAL: Domain Controllers and Certificate Authorities require special migration considerations
□ Tier 0 - Critical (< 1 hour downtime acceptable)
□ Tier 1 - High Priority (< 4 hours acceptable)
□ Tier 2 - Medium Priority (< 8 hours acceptable)
□ Tier 3 - Low Priority (> 24 hours acceptable)
RTO (Recovery Time Objective): _____ hours
RPO (Recovery Point Objective): _____ hours
⚠️ Determines migration window, testing requirements, and rollback strategy
List all applications with versions:
1. _____________________________ (Version: _____)
2. _____________________________ (Version: _____)
3. _____________________________ (Version: _____)
For each application, answer:
□ Is it licensed per machine/per core/per user?
□ Does licensing allow cloud deployment?
□ Does it require specific hardware (USB dongles, etc.)?
□ Does it have Azure-compatible alternatives?
⚠️ CRITICAL: Some legacy applications may not be Azure-compatible
Database dependencies:
□ SQL Server (Instance: _____, Database: _____)
□ Oracle (TNS: _____)
□ MySQL/PostgreSQL (Host: _____)
□ Other: _____
Service dependencies:
□ Active Directory (DCs: _____)
□ File Servers (UNC paths: _____)
□ Web Services (URLs: _____)
□ Message Queues (MSMQ/RabbitMQ)
□ SCOM/SCCM
□ Backup infrastructure
Network dependencies:
□ Specific on-prem IP addresses (list: _____)
□ Specific ports (list: _____)
□ Multicast traffic
□ Broadcast requirements
⚠️ All dependencies must be accessible post-migration (VPN/ExpressRoute)
Upstream dependencies (what calls this VM):
□ Other VMs (list: _____)
□ User workstations (how many: _____)
□ External applications/APIs
□ Scheduled jobs from other systems
□ Load balancers (F5, Citrix NetScaler, etc.)
□ Reverse proxies (list: _____)
Access methods:
□ Direct IP access (hardcoded IPs exist?)
□ DNS name access (name: _____)
□ Load balancer VIP
□ Published through reverse proxy
⚠️ CRITICAL: Hardcoded IP addresses will break post-migration
□ Windows Failover Cluster (Cluster name: _____)
□ SQL Server Always On Availability Group (AG name: _____)
□ NLB (Network Load Balancing)
□ Third-party clustering (VMware HA, etc.)
□ Standalone (no HA)
If clustered:
- Cluster node names: _____
- Shared storage: □ Yes □ No (Type: _____)
- Quorum configuration: _____
- Virtual IP addresses: _____
⚠️ CRITICAL: Clusters require special migration planning - may need rebuild in Azure
List all scheduled tasks:
Task Name | Schedule | Account | Command | Dependencies
__________|__________|_________|_________|______________
| | | |
| | | |
Questions per task:
□ Does it access on-prem resources? (UNC paths, databases)
□ Does it use domain service accounts?
□ Does it send emails? (SMTP server: _____)
□ Does it write to specific paths?
⚠️ Tasks accessing on-prem resources need VPN connectivity
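An added example (not part of the questionnaire) that fills the scheduled-task table and answers the per-task questions automatically. It runs elevated on the VM; the output path and the assumption that the VM's own domain is the one of interest are mine.

```powershell
# Added example, not part of the questionnaire: inventory enabled scheduled tasks and
# flag the on-prem dependencies the "Questions per task" items ask about.
$domain  = $env:USERDOMAIN                       # assumption: the VM's own domain
$outFile = 'C:\Migration\scheduled-tasks.csv'    # assumption: output path, adjust as needed
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null

$findings = foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    $info = $task | Get-ScheduledTaskInfo
    # Join every action's executable and arguments so the whole command line can be scanned
    $cmdText   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    $principal = [string]$task.Principal.UserId

    [pscustomobject]@{
        TaskPath       = $task.TaskPath
        TaskName       = $task.TaskName
        Account        = $principal
        LogonType      = $task.Principal.LogonType
        LastRun        = $info.LastRunTime
        LastResult     = $info.LastTaskResult
        Command        = $cmdText
        # Flags that map to the questionnaire items
        UsesDomainAcct = ($principal -like "$domain\*") -or ($principal -like '*@*')
        UsesUncPath    = $cmdText -match '\\\\[^\\\s]+\\'
        MentionsSmtp   = $cmdText -match 'smtp|Send-MailMessage'
        MentionsSql    = $cmdText -match 'sqlcmd|osql|bcp\.exe|Invoke-Sqlcmd'
        VendorTask     = $task.TaskPath -like '\Microsoft\*'   # OS-supplied, normally not migrated by hand
    }
}

# Tasks that need attention during migration: non-OS tasks with at least one flagged dependency
$findings |
    Where-Object { -not $_.VendorTask -and ($_.UsesDomainAcct -or $_.UsesUncPath -or $_.MentionsSmtp -or $_.MentionsSql) } |
    Sort-Object TaskPath, TaskName |
    Export-Csv -Path $outFile -NoTypeInformation

$findings | Where-Object { -not $_.VendorTask } |
    Format-Table TaskName, Account, UsesDomainAcct, UsesUncPath, MentionsSmtp -AutoSize
```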
□ Part of DR plan (documented procedure: _____)
□ Has backup VM in DR site
□ No DR role
Current backup method:
□ Veeam (Repository: _____)
□ Windows Server Backup (Target: _____)
□ Acronis/CommVault
□ VMware snapshots
□ Other: _____
Backup schedule: _____
Retention period: _____
Last successful backup: _____
⚠️ Backup strategy must be migrated to Azure Backup or equivalent
□ Yes, domain: _____._____ (FQDN)
□ No (Workgroup)
If domain-joined:
- Domain functional level: _____
- Forest functional level: _____
- Site: _____
- OU path: CN=VM-NAME,OU=_____,DC=_____
- Domain Controllers (list all):
Primary: _____ (IP: _____)
Secondary: _____ (IP: _____)
⚠️ CRITICAL: Domain connectivity required post-migration (VPN/ExpressRoute mandatory)
Select all that apply:
□ Windows Authentication / Integrated Windows Authentication (IWA)
- Applications using: _____
- Kerberos or NTLM? _____
□ Forms Authentication
- User database location: _____
□ Certificate-based Authentication
- Certificate source: _____
- CA: _____
□ Basic Authentication
- Over HTTPS? □ Yes □ No
□ SAML/OAuth/OIDC
- Identity Provider: _____
□ RADIUS/LDAP
- Server: _____
□ Smart Card Authentication
- Card readers? □ Yes □ No
⚠️ CRITICAL: IWA/Kerberos requires proper DNS, SPN configuration, and domain connectivity
□ Yes (CRITICAL - requires special configuration)
□ No
□ Unknown (MUST verify before migration)
If Yes:
- Delegation type:
□ Unconstrained delegation (⚠️ security risk)
□ Constrained delegation
□ Resource-based constrained delegation
- Service Principal Names (SPNs) registered:
setspn -L VM-NAME
Output: _____
- Delegated to which services: _____
- Application scenarios using delegation:
□ IIS application accessing SQL Server as user
□ SharePoint
□ SSRS (SQL Server Reporting Services)
□ Custom application
□ Other: _____
⚠️ CRITICAL: SPNs must be updated post-migration with new Azure IPs
⚠️ Kerberos constrained delegation requires on-prem DC connectivity
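An added example (not the questionnaire's own tooling) that answers the delegation and SPN items above from the computer object in AD. It assumes the RSAT ActiveDirectory module is installed and that it runs on the VM being assessed.

```powershell
# Added example, not part of the questionnaire: classify this VM's Kerberos delegation
# configuration and list its SPNs using the ActiveDirectory module.
Import-Module ActiveDirectory

$computerName = $env:COMPUTERNAME     # assumption: run on the VM being assessed
$props = 'servicePrincipalName', 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'PrincipalsAllowedToDelegateToAccount'
$c = Get-ADComputer -Identity $computerName -Properties $props

# Map the AD attributes to the three delegation types used in the checklist
$allowedTo = @($c.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
$delegationType =
    if ($allowedTo.Count -gt 0) {
        if ($c.TrustedToAuthForDelegation) { 'Constrained (any protocol / protocol transition)' }
        else                               { 'Constrained (Kerberos only)' }
    } elseif ($c.TrustedForDelegation)     { 'Unconstrained - security risk' }
    else                                   { 'None' }

# Resource-based constrained delegation is stored on the target: these principals may delegate *to* this VM
$rbcdFrom = @($c.PrincipalsAllowedToDelegateToAccount | ForEach-Object { $_.Name })
$spns     = @($c.servicePrincipalName)

[pscustomobject]@{
    Computer        = $c.Name
    DelegationType  = $delegationType
    DelegatesTo     = ($allowedTo -join ', ')
    RbcdAllowedFrom = ($rbcdFrom -join ', ')
    SPNs            = ($spns -join ', ')
} | Format-List

# An SPN whose host part is an IPv4 literal cannot survive the address change and must be
# re-registered; hostname-based SPNs only need DNS to follow the VM.
$spns | Where-Object { $_ -match '/\d{1,3}(\.\d{1,3}){3}(:|/|$)' } |
    ForEach-Object { Write-Warning "SPN bound to an IP literal, re-register after migration: $_" }
```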
List all service accounts:
Account Name | Services Using | Password Managed By | Permissions Required
_____________|________________|_____________________|_____________________
| | |
| | |
For each account:
□ Domain account (DOMAIN\username)
□ Local account (.\username)
□ Built-in account (LocalSystem, NetworkService)
□ Group Managed Service Account (gMSA) - ⚠️ Recommended
□ Managed Service Account (MSA)
Password details:
□ Password expires (Date: _____)
□ Password never expires
□ gMSA (no password management needed)
Permissions:
□ Local admin rights
□ Database permissions (SQL login: _____)
□ File share access (UNC: _____)
□ Registry keys
□ Other: _____
⚠️ CRITICAL: Service account passwords must be documented for migration
⚠️ gMSA requires AD schema 2012+ and proper configuration
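An added example (not from the questionnaire) that builds the service-account table above from the services actually installed on the VM and enriches domain accounts with password and SPN data from AD. It assumes the RSAT ActiveDirectory module and that service accounts belong to the VM's own domain; the output path is an assumption.

```powershell
# Added example, not part of the questionnaire: list services running under anything other than a
# built-in or virtual account, and look up domain accounts (including gMSA/MSA) in AD.
Import-Module ActiveDirectory
$domain = $env:USERDOMAIN     # assumption: service accounts come from the VM's own domain

$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

$rows = foreach ($svc in Get-CimInstance Win32_Service) {
    $acct = $svc.StartName
    # Skip built-in and per-service virtual accounts; they have no password to document
    if (-not $acct -or $acct -in $builtin -or $acct -like 'NT SERVICE\*') { continue }

    $row = [pscustomobject]@{
        Service         = $svc.Name
        StartMode       = $svc.StartMode
        Account         = $acct
        AccountType     = 'Local'      # .\user or MACHINE\user
        PasswordExpires = $null
        PasswordLastSet = $null
        SPNs            = $null
    }

    if ($acct -like "$domain\*" -or $acct -like '*@*') {
        # Normalise DOMAIN\user or user@domain to the sAMAccountName
        $sam = if ($acct -like '*@*') { ($acct -split '@')[0] } else { ($acct -split '\\')[1] }

        if ($sam.EndsWith('$')) {
            # gMSA / MSA: the password is rotated by AD, so only the SPNs and allowed hosts matter
            $g = Get-ADServiceAccount -Identity $sam -Properties servicePrincipalName
            $row.AccountType = 'gMSA/MSA'
            $row.SPNs        = (@($g.servicePrincipalName) -join ', ')
        } else {
            $u = Get-ADUser -Identity $sam -Properties PasswordNeverExpires, PasswordLastSet, servicePrincipalName
            $row.AccountType     = 'Domain'
            $row.PasswordExpires = -not $u.PasswordNeverExpires
            $row.PasswordLastSet = $u.PasswordLastSet
            $row.SPNs            = (@($u.servicePrincipalName) -join ', ')
        }
    }
    $row
}

$rows | Sort-Object AccountType, Account | Format-Table -AutoSize
$rows | Export-Csv -Path 'C:\Migration\service-accounts.csv' -NoTypeInformation   # assumption: path
```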
□ Yes
□ No
If Yes, what resources:
□ File shares (as logged-in user)
- Paths: _____
□ SQL Server (Windows Auth as logged-in user)
- Instance: _____
□ Web services (Windows Auth)
- URLs: _____
□ Other systems: _____
Authentication flow:
User → [This VM] → [Resource]
⚠️ CRITICAL: Requires Kerberos delegation and proper DNS/networking
⚠️ Double-hop authentication issues common in cloud migrations
List all local administrators:
Username | Purpose | Password Documented | Remove Before Migration
_________|_________|_____________________|________________________
| | |
| | |
□ Built-in Administrator account enabled?
- Password documented: □ Yes □ No
- Required post-migration: □ Yes □ No
□ Any applications using local accounts?
- Which: _____
⚠️ Best practice: Disable unnecessary local admin accounts, use Azure AD-based access
□ Smart card logon (CAC/PIV)
- Card readers present: □ Yes □ No
- Azure support: ⚠️ Limited - requires Bastion or VPN
□ MFA via RADIUS
- RADIUS server: _____
□ MFA via DUO/Okta
- Integration method: _____
□ Azure MFA
- Already configured: □ Yes □ No
□ No MFA
⚠️ Physical smart card readers don't work in Azure
⚠️ Consider Azure AD MFA as replacement
Who has admin access:
□ Domain Admins (⚠️ reduce this)
□ Specific admin group (Name: _____)
□ Local administrators
□ Service desk (via jump server)
How is admin access granted:
□ Direct RDP
□ Jump server/Bastion host
□ PAM solution (CyberArk, etc.)
□ Just-in-time access
Access logging:
□ Yes (where: _____)
□ No (⚠️ implement logging)
⚠️ Implement Azure Bastion + Just-in-time VM access post-migration
□ Yes - Full disk encryption
□ Yes - Only OS drive
□ Yes - Only data drives
□ No
If Yes:
- Encryption method:
□ TPM only (⚠️ TPM not available in Azure)
□ TPM + PIN (⚠️ not supported)
□ Password/Recovery Key (✓ Azure compatible)
- Recovery key stored:
□ Active Directory (⚠️ MUST backup before migration)
□ Printed/documented
□ Azure Key Vault
□ Unknown (⚠️ CRITICAL - locate before migration)
- BitLocker status per drive:
Drive | Encrypted | Protection Method | Recovery Key Backed Up
______|___________|___________________|_______________________
C: | | |
D: | | |
⚠️ CRITICAL ACTION REQUIRED:
1. Backup recovery keys: manage-bde -protectors -get C: > C:\bitlocker-keys.txt
2. If TPM-only: Change to password protection before migration
3. Consider Azure Disk Encryption post-migration
4. SUSPEND BitLocker before replication: manage-bde -protectors -disable C:
5. RESUME after migration: manage-bde -protectors -enable C:
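An added example (not part of the checklist) that carries out action 1 and prepares action 2 with the BitLocker PowerShell module: it inventories the protectors on every volume, escrows each recovery password to AD and to a file, and flags volumes whose unlock depends on the TPM. The file path is an assumption.

```powershell
# Added example, not part of the questionnaire: inventory BitLocker protectors per volume, back up
# recovery passwords (file + AD escrow) and flag TPM-dependent volumes before replication.
$keyFile = 'C:\Migration\bitlocker-keys.txt'   # assumption: move this file off the VM afterwards
New-Item -ItemType Directory -Path (Split-Path $keyFile) -Force | Out-Null

$report = foreach ($vol in Get-BitLockerVolume) {
    $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $adBackup = $null

    foreach ($rp in $recovery) {
        # Action 1: back up the recovery password to a file and escrow it to AD DS
        '{0} {1} {2}' -f $vol.MountPoint, $rp.KeyProtectorId, $rp.RecoveryPassword | Add-Content -Path $keyFile
        try {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
            $adBackup = $true
        } catch { $adBackup = $false }   # e.g. not domain-joined, or no permission to write to AD
    }

    # "TPM only" / "TPM + PIN" in the checklist: any Tpm* protector ties unlock to this hardware
    $tpmBased = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
    [pscustomobject]@{
        Drive          = $vol.MountPoint
        Protection     = $vol.ProtectionStatus
        EncryptionPct  = $vol.EncryptionPercentage
        Protectors     = ($types -join ', ')
        TpmDependent   = $tpmBased
        HasRecoveryPwd = $recovery.Count -gt 0
        RecoveryInAD   = $adBackup
        # Action 2: a TPM-bound volume with no recovery password cannot be unlocked without the
        # original TPM, so a password/recovery-key protector must be added before migration
        NeedsAction    = $tpmBased -and ($recovery.Count -eq 0)
    }
}
$report | Format-Table -AutoSize

# Action 4: Suspend-BitLocker is the cmdlet form of "manage-bde -protectors -disable";
# RebootCount 0 keeps protection suspended until Resume-BitLocker is run after migration.
# foreach ($v in $report | Where-Object Protection -eq 'On') { Suspend-BitLocker -MountPoint $v.Drive -RebootCount 0 }
```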
Product: _____ (Version: _____)
Management method:
□ Centrally managed (Server: _____)
□ Standalone
Update source:
□ On-prem update server (IP/FQDN: _____)
□ Internet
□ WSUS
Real-time protection:
□ Enabled
□ Disabled (Why: _____)
Exclusions configured:
Path/Process | Reason
_____________|_______
|
|
⚠️ ACTIONS REQUIRED:
1. Can on-prem AV server reach Azure? □ Yes (VPN) □ No (migrate to cloud AV)
2. Consider: Microsoft Defender for Cloud (formerly Security Center)
3. Test AV compatibility with Azure environment
4. Verify AV doesn't block Azure agents (Azure Monitor, Azure Backup)
Security agents installed:
Agent Type | Product | Version | Management Server | Azure Compatible
___________|_________|_________|___________________|__________________
HIPS | | | |
EDR | | | |
DLP | | | |
Firewall | | | |
Questions per agent:
□ Requires on-prem management server?
□ Blocks Azure infrastructure communication?
□ Has Azure-specific configuration?
⚠️ Common issues:
- HIPS blocking Azure Monitor agent
- DLP blocking Azure Backup
- Host firewall blocking Azure metadata service (169.254.169.254)
- Test in isolated environment first
Firewall profiles:
□ Domain Profile: Enabled / Disabled
□ Private Profile: Enabled / Disabled
□ Public Profile: Enabled / Disabled
Custom rules count: _____
Export current rules:
netsh advfirewall export "C:\firewall-rules.wfw"
Critical rules to review:
Rule Name | Direction | Port | Source | Destination
__________|___________|______|________|_____________
| | | |
⚠️ Azure-specific rules needed:
- Allow 169.254.169.254 (Azure metadata service)
- Allow 169.254.169.253 (Azure DNS)
- Allow Azure Load Balancer health probes (if behind LB)
- Allow monitoring agent ports
Computer certificate store audit:
Store: Personal
Certificate | Purpose | Issuer | Expiry | Private Key | Exportable
____________|_________|________|________|_____________|___________
| | | | |
| | | | |
Store: Trusted Root Certification Authorities
Certificate | Type | Issuer | Added Manually | Internal CA
____________|______|________|________________|____________
| | | |
| | | |
Commands to audit:
Get-ChildItem Cert:\LocalMachine\My
Get-ChildItem Cert:\LocalMachine\Root | Where {$_.Subject -like "*CORP*"}
For each certificate:
□ Used for SSL/TLS bindings (IIS, app)
□ Used for code signing
□ Used for authentication
□ Used for encryption
Export requirements:
□ Private key must be exported (password: _____)
□ Certificate must be re-imported post-migration
□ Binding must be reconfigured (IIS, app)
⚠️ CRITICAL: Export private keys BEFORE migration (may be non-exportable)
⚠️ Internal CA certificates must remain trusted post-migration
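An added example (not the questionnaire's own commands) that fills the two certificate tables above: it lists every Personal-store certificate with purpose, issuer, expiry, private-key presence and whether that key is actually exportable, marks IIS-bound certificates, and lists internal-CA roots. It assumes the WebAdministration module for the IIS check and uses the page's `*CORP*` naming pattern as a placeholder for the internal CA.

```powershell
# Added example, not part of the questionnaire: audit the machine certificate stores for the
# columns in the tables above. Run elevated so private-key metadata can be read.
function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG keys carry an explicit export policy
            return ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $rsa.CspKeyContainerInfo.Exportable      # legacy CAPI keys
        }
    } catch { }
    return 'Unknown'    # non-RSA key, or key not readable in this security context
}

# Thumbprints bound to IIS sites, so a cert can be marked "Used for SSL/TLS bindings"
$iisBound = @{}
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    Get-ChildItem IIS:\SslBindings | ForEach-Object { $iisBound[$_.Thumbprint] = $true }
}

$personal = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $eku = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName })
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Expires    = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Purpose    = ($eku -join ', ')
        PrivateKey = $cert.HasPrivateKey
        Exportable = Test-PrivateKeyExportable $cert
        IisBinding = [bool]$iisBound[$cert.Thumbprint]
        Thumbprint = $cert.Thumbprint
    }
}
$personal | Sort-Object Expires |
    Format-Table Subject, Issuer, Expires, Purpose, PrivateKey, Exportable, IisBinding -AutoSize

# Certificates that must be re-issued or re-enrolled, because the key cannot leave this VM
$personal | Where-Object { $_.PrivateKey -and $_.Exportable -ne $true } |
    ForEach-Object { Write-Warning "Private key not exportable: $($_.Subject) ($($_.Thumbprint))" }

# Internal CA roots that must stay trusted post-migration (pattern is a placeholder, as in the page's example)
$internalCaPattern = 'CORP'
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match $internalCaPattern } |
    Select-Object Subject, NotAfter, Thumbprint
```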
□ This VM is a Certificate Authority (CA)
- Type: □ Root CA (⚠️ DO NOT MIGRATE - rebuild)
□ Subordinate CA (⚠️ Complex migration)
□ Issuing CA
- CA name: _____
- CA hierarchy position: _____
- CRL/OCSP publishing locations: _____
⚠️ STOP: CA migration requires specialized procedure
□ This VM hosts CRL Distribution Point (CDP)
- CDP URL: http://___/CertEnroll/
- Accessible from Internet: □ Yes □ No
□ This VM hosts OCSP Responder
- OCSP URL: http://___/ocsp
□ This VM uses certificates from internal CA
- For what purpose: _____
- Auto-enrollment enabled: □ Yes □ No
- Certificate will auto-renew in Azure: □ Yes (if VPN) □ No
□ This VM hosts NDES (Network Device Enrollment Service)
- Used for: _____
⚠️ CRITICAL PKI CONSIDERATIONS:
1. CRL/OCSP URLs embedded in certificates are static
2. If this VM hosts CDP/OCSP, URL must remain reachable
3. Options:
a) Keep CDP/OCSP on-prem (point to Azure via reverse proxy)
b) Migrate CDP/OCSP to Azure (requires public IP and DNS)
c) Use Azure Application Gateway / Traffic Manager
4. Test certificate validation paths after migration
5. CAs should typically NOT be migrated to IaaS - rebuild or use managed PKI
Data at Rest:
□ BitLocker (covered above)
□ EFS (Encrypted File System)
- Files encrypted: List paths: _____
- Recovery certificates backed up: □ Yes □ No
⚠️ EFS recovery agent must be available post-migration
□ SQL TDE (Transparent Data Encryption)
- Databases encrypted: _____
- Certificate/key backed up: □ Yes □ No
⚠️ CRITICAL: Backup TDE certificate before migration
□ Application-level encryption
- Application: _____
- Key storage: _____
Data in Transit:
□ SSL/TLS (IIS, applications)
- Certificate: _____
- TLS version: _____
□ IPsec
- Policies configured: _____
□ SMB Encryption
- Enabled on shares: □ Yes □ No
⚠️ ACTIONS:
- Backup all encryption keys/certificates
- Document key recovery procedures
- Test decryption post-migration
Applicable regulations:
□ HIPAA (Healthcare)
□ PCI-DSS (Payment cards)
□ SOX (Financial)
□ GDPR (EU data)
□ FISMA/FedRAMP (US Government)
□ ISO 27001
□ Other: _____
Data classification:
□ Public
□ Internal
□ Confidential
□ Restricted/Highly Confidential
Audit requirements:
□ Access logging required
□ Change auditing required
□ Compliance scanning required
□ Data retention period: _____ years
Azure compliance features needed:
□ Azure Policy
□ Azure Security Center
□ Azure Sentinel (SIEM)
□ Azure compliance reports
□ Encryption at rest (Azure Disk Encryption)
□ Customer-managed keys (Azure Key Vault)
⚠️ Ensure Azure region meets data sovereignty requirements
⚠️ Document compliance controls pre/post migration
Access methods (check all):
□ RDP (Port: 3389)
- Accessible from: □ Internal network □ VPN □ Internet (⚠️ risk)
- Network-level Authentication: □ Enabled □ Disabled
□ SSH (Port: 22)
- Key-based or password: _____
□ HTTP (Port: 80)
- Accessible from: □ Internal □ Internet
□ HTTPS (Port: 443)
- Certificate: _____
- Accessible from: □ Internal □ Internet
□ SMB/CIFS File Shares (Port: 445)
- Share names: _____
- Accessed by: (list systems/users)
□ Custom application ports
- Ports: _____
- Protocol: TCP / UDP
- Accessed by: _____
□ Through jump server/bastion
- Bastion server: _____
□ Through VPN only
□ Through VDI (Citrix/VMware Horizon)
Current source IP restrictions:
□ No restrictions (⚠️ implement in Azure NSG)
□ Restricted to: _____
⚠️ POST-MIGRATION ACCESS PLAN:
Recommended: Azure Bastion + Just-in-time VM access
Avoid: Public IP with RDP/SSH open to Internet
□ Yes
□ No
If Yes:
- Load balancer type:
□ Hardware (F5, Citrix NetScaler, etc.)
□ Software (HAProxy, nginx)
□ Windows NLB
□ VMware NSX Load Balancer
- Load balancer name/IP: _____
- VIP (Virtual IP): _____
- Load balancing algorithm: _____
- Health probe configuration:
- Probe type: TCP / HTTP / HTTPS
- Probe port: _____
- Probe path: _____
- Interval: _____
- Unhealthy threshold: _____
- Other VMs in pool:
VM Name | IP | Status
________|____|_______
| |
| |
- Session persistence:
□ None
□ Source IP affinity
□ Cookie-based
- SSL offloading:
□ Yes (certificate on LB)
□ No (end-to-end SSL)
⚠️ MIGRATION IMPACT:
- Option 1: Migrate to Azure Load Balancer (Layer 4)
- Option 2: Migrate to Azure Application Gateway (Layer 7, WAF)
- Option 3: Keep on-prem LB, route to Azure via VPN (temporary)
- VIP will change unless using hybrid load balancing
- Update DNS after migration
□ Yes - DMZ
□ Yes - Isolated segment
□ No - Internal network
If DMZ/Isolated:
Network zone: _____
VLAN: _____
IP subnet: _____
Firewall rules protecting this VM:
Source | Destination | Port | Protocol | Purpose
_______|_____________|______|__________|________
| | | |
| | | |
Network flow:
Internet → [Firewall] → [Reverse Proxy] → [This VM] → [Database]
Security controls:
□ IDS/IPS monitoring
□ WAF (Web Application Firewall)
□ DDoS protection
□ Network segmentation
□ Air-gapped from internal network
⚠️ AZURE EQUIVALENT ARCHITECTURE:
- DMZ → Azure subnet with NSG
- Firewall → Azure Firewall or NVA (Network Virtual Appliance)
- IDS/IPS → Azure Sentinel + NSG Flow Logs
- WAF → Azure Application Gateway with WAF
- Network segmentation → Azure VNet with subnets and NSGs
□ Yes
□ No
If Yes:
- Reverse proxy product:
□ IIS ARR (Application Request Routing)
□ nginx
□ Apache mod_proxy
□ F5
□ Citrix ADC
□ HAProxy
□ Other: _____
- Reverse proxy hostname: _____
- Public URL: https://_____
- Backend URL: http://this-vm:_____
- SSL/TLS termination:
□ At proxy (SSL offload)
□ End-to-end encryption
- Headers added by proxy:
□ X-Forwarded-For (client IP)
□ X-Forwarded-Proto (HTTPS)
□ X-Forwarded-Host
□ Custom headers: _____
- Authentication at proxy:
□ Yes (type: _____)
□ No
⚠️ POST-MIGRATION OPTIONS:
1. Keep on-prem reverse proxy, proxy to Azure VM (hybrid)
2. Migrate reverse proxy to Azure
3. Replace with Azure Application Gateway
4. Replace with Azure Front Door (global load balancing)
⚠️ Application may rely on headers - test thoroughly
□ Yes - Static IP required
□ No - DHCP acceptable
If static:
Current IP: _____
Subnet mask: _____
Gateway: _____
DNS servers: _____
Why static IP required:
□ Hardcoded in other applications
□ Firewall rules reference this IP
□ Monitoring/management tools use IP
□ Certificates bound to IP
□ License tied to IP (⚠️ may break)
□ Other: _____
Systems referencing this IP:
System/App | Reference Type | Can Use DNS Instead?
___________|________________|_____________________
| |
| |
⚠️ MIGRATION PLAN:
- Azure allows static private IPs within VNet
- Public IPs in Azure are different - plan accordingly
- Update all hardcoded references to use DNS names
- Pre-migration: Document all IP references
- Post-migration: Update firewall rules, monitoring, etc.
DNS records (A records):
Hostname | Zone | TTL | Points to IP
_________|______|_____|______________
| | |
| | |
CNAME records:
Alias | Points to | Zone
______|___________|_____
| |
Special records:
□ SRV records (service discovery)
□ PTR records (reverse DNS)
DNS registration method:
□ Static (manually created)
□ Dynamic (DDNS)
□ DHCP-registered
External DNS (public):
□ Yes - Public DNS records exist
- Hostname: _____
- Hosted where: _____
- TTL: _____
⚠️ PRE-MIGRATION ACTIONS:
1. Lower TTL to 300 seconds (5 min) 24-48 hours before migration
2. Document all DNS records
3. Plan DNS cutover (update A record to Azure IP)
4. Consider using CNAME to Azure public DNS name for flexibility
⚠️ POST-MIGRATION:
1. Update A record to new Azure private IP
2. Update public DNS to Azure public IP (if applicable)
3. Verify DNS propagation
4. Restore normal TTL after verification
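An added example (not from the questionnaire) of the internal-DNS side of the pre- and post-migration steps above, using the DnsServer module on a Windows DNS server: lower the TTL of the VM's A record, repoint it at the Azure address on migration day, and verify. Server, zone, host and address are assumed values; it also assumes a single A record for the name.

```powershell
# Added example, not part of the questionnaire: TTL reduction and A-record cutover on Windows DNS.
# All names and addresses below are assumptions for illustration.
$dnsServer = 'dc01'                      # DNS server hosting the zone
$zone      = 'corp.example'
$hostName  = 'app01'                     # record name within the zone (one A record assumed)
$newIp     = [ipaddress]'10.50.0.10'     # the VM's new Azure private IP

function Set-ARecordTtl {
    param($Server, $Zone, $Name, [TimeSpan]$Ttl)
    # Windows DNS updates records by passing the old and the modified copy
    $old = Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -Name $Name -RRType A
    $new = $old.Clone()
    $new.TimeToLive = $Ttl
    Set-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -OldInputObject $old -NewInputObject $new
}

function Set-ARecordAddress {
    param($Server, $Zone, $Name, [ipaddress]$Address)
    $old = Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -Name $Name -RRType A
    $new = $old.Clone()
    $new.RecordData.IPv4Address = $Address
    Set-DnsServerResourceRecord -ComputerName $Server -ZoneName $Zone -OldInputObject $old -NewInputObject $new
}

# Pre-migration step 1 (24-48 hours ahead): 5-minute TTL so the cutover propagates quickly
Set-ARecordTtl -Server $dnsServer -Zone $zone -Name $hostName -Ttl ([TimeSpan]::FromSeconds(300))

# Post-migration step 1: repoint to the Azure IP, then verify from a resolver's point of view
Set-ARecordAddress -Server $dnsServer -Zone $zone -Name $hostName -Address $newIp
$answer = Resolve-DnsName -Name "$hostName.$zone" -Type A -Server $dnsServer
if ($answer.IPAddress -ne $newIp.IPAddressToString) {
    Write-Warning "Record not updated yet: resolver returned $($answer.IPAddress)"
}

# Post-migration step 4: restore the normal TTL once everything is verified
# Set-ARecordTtl -Server $dnsServer -Zone $zone -Name $hostName -Ttl ([TimeSpan]::FromHours(1))
```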
□ Broadcast traffic required
- Purpose: _____
- Protocol: _____
⚠️ Azure VNets don't support broadcast beyond subnet
□ Multicast traffic required
- Purpose: _____
- Multicast group: _____
⚠️ Azure doesn't support multicast
□ No broadcast/multicast
If Yes to either:
⚠️ CRITICAL: Application may not work in Azure without redesign
Alternatives:
- Redesign application to use unicast
- Use service discovery (Azure Service Bus, Redis)
- Keep this component on-premises
Current metrics:
- Average bandwidth: _____ Mbps
- Peak bandwidth: _____ Mbps
- Latency to key resources: _____ ms
Bandwidth requirements:
- To on-prem resources: _____ Mbps (requires VPN/ExpressRoute capacity)
- To Internet: _____ Mbps
- Between Azure VMs: _____ Mbps
Latency requirements:
- Maximum acceptable latency to database: _____ ms
- Maximum acceptable latency to file shares: _____ ms
- Maximum acceptable latency for user access: _____ ms
⚠️ PERFORMANCE CONSIDERATIONS:
- VPN Gateway bandwidth: 650 Mbps (VpnGw1) to 1.25 Gbps (VpnGw3)
- ExpressRoute: 50 Mbps to 10 Gbps
- Latency over VPN: typically 20-100ms depending on distance
- Latency over ExpressRoute: typically 5-20ms
- Recommendation: ExpressRoute for latency-sensitive workloads
⚠️ WARNING: Domain Controller migration is COMPLEX and HIGH-RISK
DC Role: □ Primary DC (PDC Emulator) ⚠️⚠️⚠️ DO NOT MIGRATE
□ Additional DC (safer to migrate)
□ RODC (Read-Only DC)
FSMO Roles held:
□ Schema Master (⚠️ Never migrate - transfer first)
□ Domain Naming Master (⚠️ Transfer first)
□ RID Master (⚠️ Transfer first)
□ PDC Emulator (⚠️⚠️ Transfer first)
□ Infrastructure Master (Transfer first)
Command to check: netdom query fsmo
Other AD roles:
□ Global Catalog server
□ DNS server
□ Certificate Services (CA) - ⚠️ STOP - Do not migrate CA
□ AD FS (Federation Services)
Domain statistics:
- Number of domain controllers: _____
- Domain functional level: _____
- Sites configured: _____
⚠️⚠️⚠️ RECOMMENDED APPROACH: DO NOT MIGRATE EXISTING DC
INSTEAD:
1. Deploy NEW domain controller in Azure
2. Promote as DC
3. Replicate
4. Transfer FSMO roles if needed
5. Decommission on-prem DC
6. Never migrate PDC Emulator or FSMO role holders
7. Never migrate the ONLY DC
⚠️ If you MUST migrate DC:
1. Transfer ALL FSMO roles to another DC first
2. Verify AD replication healthy
3. Demote DC
4. Migrate as member server
5. Promote to DC in Azure
6. Transfer FSMO roles back if needed
SQL Server version: _____ (Edition: Standard/Enterprise)
Instance information:
- Instance name: _____ (Default / Named)
- Port: _____ (Default 1433 or custom)
- Authentication: □ Windows only □ Mixed mode
High availability configuration:
□ Standalone
□ Always On Availability Group (⚠️ complex migration)
- AG name: _____
- Replicas: _____
- Listener: _____ (DNS name)
□ Always On Failover Cluster Instance (⚠️ requires shared storage)
- Cluster name: _____
- Shared storage: _____
□ Log Shipping
- To: _____
□ Database Mirroring (deprecated)
Databases:
Database Name | Size | Recovery Model | Last Backup | Critical?
______________|______|________________|_____________|__________
| | | |
| | | |
Linked servers:
- List: _____
- Connection method: _____
SQL Agent jobs:
- Count: _____
- Depend on local resources: □ Yes □ No
Authentication:
Encryption: □ TDE (Transparent Data Encryption) enabled
□ Column-level encryption □ Always Encrypted
Replication: □ Transactional replication □ Merge replication □ Snapshot replication
⚠️ MIGRATION CONSIDERATIONS:
⚠️ ALTERNATIVE: Consider Azure SQL Database / Azure SQL Managed Instance
35. **If this is an IIS Web Server: (Skip if not applicable)**
IIS version: _____
Websites hosted:
Site Name | Binding | Port | Certificate | App Pool
__________|_________|______|_____________|_________
| | | |
| | | |
Application pools:
SSL/TLS certificates:
Certificate | Friendly Name | Expires | Exportable | Bound to Site
____________|_______________|_________|____________|______________
| | | |
| | | |
Application dependencies:
□ ASP.NET version: _____
□ .NET Framework version: _____
□ PHP version: _____
□ URL Rewrite rules (export: appcmd list config -section:rewrite)
□ Custom ISAPI filters
□ COM components
Authentication methods:
□ Anonymous
□ Windows Authentication (⚠️ requires domain connectivity + proper SPNs)
□ Forms Authentication
□ Client Certificate Mapping
Content locations:
Web.config settings:
ARR (Application Request Routing): □ Configured (reverse proxy settings must migrate)
⚠️ MIGRATION CHECKLIST:
⚠️ ALTERNATIVE: Consider Azure App Service (PaaS) for simpler management
36. **If this is a File Server: (Skip if not applicable)**
File Server role:
□ Traditional File Server
□ DFS (Distributed File System) member
Shares hosted:
Share Name | Path | Permissions | Access-Based Enum | Accessed Via
___________|______|_____________|___________________|_____________
| | | |
| | | |
Total data size: _____ TB
Share permissions:
Access methods: □ SMB 2.x / 3.x
DFS configuration:
Quotas: □ FSRM (File Server Resource Manager) quotas configured
File screening: □ File screens configured (blocked extensions: _____)
Shadow copies: □ Enabled (schedule: _____, retention: _____)
Users/systems accessing:
⚠️ MIGRATION CONSIDERATIONS:
⚠️ ALTERNATIVE: Azure Files with AD integration (simpler, managed)
37. **If this VM hosts databases (non-SQL): (Skip if not applicable)**
Database platform:
□ Oracle (Version: _____, Edition: _____)
□ MySQL (Version: _____)
□ PostgreSQL (Version: _____)
□ MongoDB
□ DB2
□ Other: _____
Instance configuration:
Database files:
- Total size: _____ GB
- File locations: _____
- Tablespaces: _____
High availability:
□ Standalone
□ Oracle RAC (⚠️ complex - requires shared storage)
□ Oracle Data Guard
□ MySQL Replication
□ PostgreSQL Streaming Replication
□ Other: _____
Authentication:
Backup method:
Connectivity:
Licensing:
⚠️ MIGRATION CONSIDERATIONS:
⚠️ Test database performance in Azure thoroughly before production migration
38. **If this VM is a web proxy or gateway:**
Proxy type:
□ Forward proxy (outbound traffic)
□ Reverse proxy (inbound traffic)
□ Both
Product:
□ Squid
□ Microsoft TMG/Forefront (deprecated)
□ nginx
□ Apache
□ F5
□ Other: _____
Configuration:
Users/systems:
PAC file:
Bypass rules:
⚠️ MIGRATION CONSIDERATIONS:
39. **If this VM is a print server:**
Print server role:
□ Print Management
□ Print spooler service
Printers hosted:
Printer Name | Driver | Share Name | Port | Location
_____________|________|____________|______|_________
| | | |
| | | |
Total printers: _____
Printer connections:
□ IP-based (direct to printer)
□ Port-based
□ WSD (Web Services for Devices)
Driver installation:
User deployment:
□ Group Policy deployment
□ Manual
Print Management features:
□ Printer pooling
□ Print job routing
□ Custom forms
⚠️ AZURE CONSIDERATIONS:
40. **If this VM hosts legacy or custom applications:**
Application name: _____
Version: _____
Vendor: _____
Vendor support status:
□ Supported
□ End-of-life
□ Unknown
Application architecture:
□ Client-server (thick client)
□ Web-based
□ Service-based
□ Terminal Services / Remote Desktop Services
Installation method:
□ MSI installer
□ Custom installer
□ Manual installation
□ No installation (portable)
Dependencies:
□ Specific OS version (Which: _____)
□ .NET Framework (Version: _____)
□ Java (Version: _____)
□ Visual C++ Redistributables (Version: _____)
□ COM/DCOM components (registered OCX/DLL files)
□ ODBC/OLEDB drivers
□ Hardware dongles (⚠️ won't work in Azure)
□ Specific printer drivers
□ Local hardware access (⚠️ problematic in cloud)
Configuration storage:
□ Registry (keys: _____)
□ Configuration files (paths: _____)
□ Database (connection: _____)
□ INI files
Licensing:
□ Machine-based (tied to hardware ⚠️ may break)
□ MAC address-based (⚠️ will change)
□ IP address-based (⚠️ will change)
□ License server (server: _____)
□ User-based
□ Subscription-based
Known issues:
⚠️ CRITICAL ASSESSMENT:
---
## Section 6: Patching and Updates (Questions 41-44)
41. **How is this VM currently patched?**
Patching method:
□ WSUS (Windows Server Update Services)
□ SCCM (System Center Configuration Manager)
□ Windows Update (directly from Microsoft)
□ Third-party patching solution (product: _____)
□ Manual patching (⚠️ not recommended)
Patch schedule:
Patch testing:
□ Tested before production (test environment: _____)
□ Deployed directly to production (⚠️ risky)
Patch exclusions:
□ Specific KBs excluded: _____
Third-party application updates:
Current patch level:
⚠️ POST-MIGRATION PATCHING:
Option 1: Continue WSUS/SCCM (requires VPN connectivity)
Option 2: Azure Update Management (recommended)
Option 3: Windows Update (simplest but least control)
Recommendation: Azure Update Management for centralized hybrid patching
42. **Are there any applications that break with updates?**
Application incompatibilities:
Application | Incompatible with | Version Known to Work | Workaround
____________|___________________|_______________________|___________
| | |
| | |
Patch history issues:
Testing requirements:
□ Patches must be tested in non-prod first
□ Application vendor must approve patches
□ Change control required before patching
□ User acceptance testing required
Rollback plan:
⚠️ Azure Update Management allows:
43. **What is the change management process for this VM?**
Change control requirements:
□ All changes require change ticket
□ Emergency change process exists
□ Maintenance windows defined
□ No formal change control (⚠️ implement for Azure)
Documentation requirements:
□ Pre-change backup required
□ Change documentation required
□ Post-change validation required
□ Rollback plan required
Notification requirements:
⚠️ For Azure migration:
44. **What monitoring and alerting is configured?**
Monitoring tools:
□ SCOM (System Center Operations Manager)
□ Nagios/Zabbix/Icinga
□ SolarWinds
□ PRTG
□ Custom scripts/scheduled tasks
□ None (⚠️ implement Azure Monitor)
Metrics monitored:
□ CPU utilization (threshold: ____%)
□ Memory utilization (threshold: ____%)
□ Disk space (threshold: ____%)
□ Disk I/O
□ Network bandwidth
□ Service status (services: _____)
□ Event log errors
□ Application-specific metrics
Alert destinations:
Agent installed:
⚠️ POST-MIGRATION MONITORING:
Recommended: Azure Monitor + Log Analytics
Migration checklist:
---
## Section 7: Backup and Disaster Recovery (Questions 45-48)
45. **What is the current backup configuration?**
Backup solution:
□ Veeam Backup & Replication
□ Windows Server Backup
□ Acronis
□ CommVault
□ Veritas Backup Exec
□ Azure Backup (already)
□ Snapshots only (⚠️ not a backup)
□ None (⚠️⚠️ CRITICAL - implement immediately)
Backup schedule:
Backup retention:
What is backed up:
□ Full VM (recommended)
□ System state only
□ Specific folders: _____
□ Specific databases: _____
Backup validation:
Backup storage:
Recovery testing:
⚠️ PRE-MIGRATION CRITICAL ACTIONS:
⚠️ POST-MIGRATION BACKUP:
Recommended: Azure Backup
46. **What is the disaster recovery plan for this VM?**
DR strategy:
□ VM is replicated to DR site
□ Backup-based recovery only
□ No DR plan (⚠️ critical VMs need DR)
Recovery objectives:
DR testing:
Failover procedure:
Dependencies during failover:
⚠️ AZURE DR OPTIONS:
Recommendation: Azure Site Recovery for critical VMs
47. **How quickly must this VM be recovered in case of failure?**
Business impact analysis:
Recovery priority:
□ Tier 0 - Critical (< 1 hour recovery)
□ Tier 1 - High (< 4 hours recovery)
□ Tier 2 - Medium (< 24 hours recovery)
□ Tier 3 - Low (> 24 hours recovery)
Acceptable data loss:
⚠️ Map to Azure services:
48. **Are there any compliance requirements for backup/retention?**
Regulatory requirements:
□ HIPAA (healthcare) - 6 year retention
□ SOX (financial) - 7 year retention
□ PCI-DSS (payment) - 3 month minimum
□ GDPR (EU data) - right to erasure
□ Industry-specific: _____
Retention requirements:
Backup encryption: □ Required □ Not required
Backup location restrictions:
□ Must remain on-premises
□ Must remain in specific geography
□ Can be cloud-based
Access controls:
⚠️ Azure Backup compliance features:
---
## Section 8: Migration Logistics (Questions 49-50)
49. **What is the acceptable migration window?**
Business constraints:
Downtime tolerance:
Migration approach based on downtime:
□ Can take VM offline (simplest)
□ Minimal downtime required (< 1 hour)
□ Near-zero downtime required
Migration phases:
Phase 1 (Pre-migration):
Phase 2 (Migration day):
Phase 3 (Post-migration):
Rollback plan:
Communication plan:
50. **What is the post-migration validation checklist?**
Technical validation (complete within 1 hour):
□ VM is running in Azure
□ VM has network connectivity (ping gateway)
□ VM can reach on-premises (ping DC, file server)
□ DNS resolution working (nslookup domain.com)
□ Domain connectivity (nltest /dsgetdc:domain)
□ Services are running (Get-Service | Where Status -eq 'Running')
□ Scheduled tasks exist and are enabled
□ Disk space adequate
□ Performance acceptable (CPU, memory, disk)
Application validation (complete within 2 hours):
□ Application starts successfully
□ Application can connect to database
□ Application can access file shares
□ Authentication working (Windows Auth, etc.)
□ Web application accessible (HTTP/HTTPS)
□ API endpoints responding
□ Background jobs running
□ Data integrity verified
User acceptance testing (complete within 4 hours):
□ Users can access application
□ Users can authenticate
□ Core business functions work
□ Reports generate correctly
□ No performance degradation
□ No error messages
Security validation:
□ Antivirus running and updated
□ Windows Firewall enabled
□ Azure Monitor agent installed and reporting
□ Azure Backup configured and first backup successful
□ NSG rules correct
□ No unnecessary open ports
Integration validation:
□ Monitoring alerts configured
□ Backup job successful
□ Patch management configured
□ DNS records updated
□ Load balancer health check passing (if applicable)
□ Dependent systems can reach this VM
Documentation updates:
□ Asset inventory updated
□ Network diagram updated
□ Runbooks updated with new IP/FQDN
□ DR plan updated
□ Change ticket closed
Success criteria (all must be TRUE to declare success):
□ Zero critical errors
□ All users can access
□ Performance meets SLA
□ No data loss
□ Backup successful
□ Monitoring operational
□ Stakeholder acceptance
If ANY success criterion is FALSE:
→ Initiate rollback procedure
→ Restore on-prem VM from backup
→ Investigate root cause
→ Schedule re-migration
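An added example (not part of the questionnaire) that turns the technical and security validation items above into a script producing one pass/fail row per check, run on the migrated VM. The names in `$cfg` are assumed values to be replaced; the Azure check uses the Instance Metadata Service address the checklist itself lists.

```powershell
# Added example, not part of the questionnaire: post-migration technical/security validation.
$cfg = @{
    Domain        = 'corp.example'              # assumption
    DcToTest      = 'dc01.corp.example'         # assumption: on-prem DC
    FileServer    = 'fs01.corp.example'         # assumption: on-prem file server
    CriticalSvcs  = @('W3SVC', 'MSSQLSERVER')   # assumption: services the application needs
    MinFreeDiskGB = 10
}

$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Name, [scriptblock]$Test)
    $ok = $false; $detail = ''
    try { $r = & $Test; $ok = [bool]$r; $detail = "$r" } catch { $detail = $_.Exception.Message }
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $ok; Detail = $detail })
}

# "VM is running in Azure": IMDS answers only with the Metadata header and only from inside Azure
Add-Check 'Running in Azure (IMDS reachable)' {
    $m = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/instance/compute?api-version=2021-02-01' `
                           -Headers @{ Metadata = 'true' } -TimeoutSec 5
    $m.location
}
Add-Check 'Default gateway reachable' {
    $gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric | Select-Object -First 1).NextHop
    Test-Connection -ComputerName $gw -Count 1 -Quiet
}
Add-Check 'On-prem DC reachable (TCP 389)' {
    (Test-NetConnection -ComputerName $cfg.DcToTest -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
}
Add-Check 'On-prem file server reachable (TCP 445)' {
    (Test-NetConnection -ComputerName $cfg.FileServer -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
}
Add-Check 'DNS resolution' { @(Resolve-DnsName -Name $cfg.Domain -Type A -ErrorAction Stop).Count -gt 0 }
Add-Check 'Domain connectivity (secure channel)' { Test-ComputerSecureChannel }
Add-Check 'Critical services running' {
    $stopped = Get-Service -Name $cfg.CriticalSvcs -ErrorAction Stop | Where-Object Status -ne 'Running'
    if ($stopped) { throw "Not running: $($stopped.Name -join ', ')" }
    $true
}
Add-Check 'Scheduled tasks present and enabled' {
    @(Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' }).Count -gt 0
}
Add-Check "Free disk on C: >= $($cfg.MinFreeDiskGB) GB" { (Get-PSDrive C).Free / 1GB -ge $cfg.MinFreeDiskGB }
Add-Check 'Windows Firewall enabled on all profiles' { -not (Get-NetFirewallProfile | Where-Object Enabled -eq $false) }
Add-Check 'Antivirus real-time protection on' { (Get-MpComputerStatus).RealTimeProtectionEnabled }

$checks | Format-Table -AutoSize
if ($checks.Pass -contains $false) {
    Write-Warning 'One or more checks failed: do not declare success; follow the rollback procedure.'
}
```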
Final sign-off:
---
## Summary: Critical Questions by Risk Level
🔴 CRITICAL (Migration blocker if not addressed):
- Q1: VM role (DC, CA, clustered systems need special handling)
- Q9: Domain-joined (VPN/ExpressRoute mandatory)
- Q17: BitLocker (recovery keys must be backed up)
- Q21: Certificates (export private keys before migration)
- Q22: PKI role (CAs should NOT be migrated via lift-and-shift)
- Q33: Domain Controller (DO NOT migrate PDC/FSMO holders)
- Q34: SQL TDE (backup certificates or data is permanently lost)
- Q45: Backup validation (test restore before migration)
🟠 HIGH IMPACT (Requires significant planning):
- Q4: Dependencies (map all, ensure reachable post-migration)
- Q6: Clustering (rebuild in Azure, don't migrate)
- Q10-13: Authentication methods (Kerberos, IWA need special config)
- Q25-28: Network access patterns (LB, DMZ, reverse proxy architecture)
- Q41: Patching strategy (Azure Update Management vs. on-prem WSUS)
- Q49: Migration window (business alignment critical)
🟡 MEDIUM IMPACT (Affects functionality):
- Q7: Scheduled tasks (may need reconfiguration)
- Q12: Service accounts (document passwords)
- Q18-20: Security agents (may block Azure services)
- Q29: Static IPs (update hardcoded references)
- Q44: Monitoring (migrate to Azure Monitor)
This comprehensive questionnaire ensures all critical aspects are considered before migration, preventing irreversible mistakes and critical outages.