Azure AD Domain service trust with AD synced domain

Sean Britton 21 Reputation points
2020-01-20T20:40:14.247+00:00

Hello,

I am having difficulty figuring out whether it is possible to create a two-way trust between an Azure AD DS domain and a pre-existing AD-synced domain with a local DC.

For a bit of background: recently one of our clients, who currently uses Azure AD Connect with a local DC, acquired a small company with no directory service or server infrastructure in place. Ideally we wish to set up a secondary domain using Azure AD Domain Services and create a two-way trust between the pre-existing domain and the new Azure AD DS domain, without requiring a local DC for the new domain.

If so, would this need to be between two separate Azure tenants, or can this all be completed within our pre-existing Azure tenant used for AD sync?

Microsoft Entra

Accepted answer
Shashi Shailaj 7,581 Reputation points Microsoft Employee
2020-01-21T03:12:04.82+00:00

Hello Sean,

This is not possible. You may not be able to create a two-way trust between Azure AD Domain Services instances, and Azure AD Domain Services is not a replacement for an Active Directory environment; it has multiple restrictions. In order to create a trust you require domain administrator privileges, and in the managed Azure AD Domain Services instance no one is given admin privileges. Since you do not have admin rights, during the trust creation process the trustedDomain object creation will fail and no trust would be created. The admin privileges in an Azure AD Domain Services environment come only from adding users to the AAD DC Administrators group, which provides limited rights.

In your case, if you would want to create a DC for users of the acquired company at their physical location, you may create Azure VMs and extend your current AD to Azure.

Since the two companies are now part of the same organisation, I suggest using the same Active Directory to sync the users to the cloud in the same tenant. You can differentiate the users by their UPN suffix, e.g. for company 1 users user@company1.com and for company 2 users user@company2.com.

I hope the above clarifies your query. If the information provided helped, please do mark it as the answer so that it can help other community members. Should you have any further query, please let us know and we will be happy to help.

Thank you.
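The single-forest approach the answer recommends, as an added example that is not part of the original thread: register the acquired company's domain as an additional UPN suffix on the existing forest and assign it to the accounts in a dedicated OU, so both companies sync through the one Azure AD Connect instance. The suffix, OU path and domain names are assumptions; the `-WhatIf` switch gives a dry run before anything is written.

```powershell
# Added example, not from the original post. Assumes the acquired company's
# accounts live in a dedicated OU of the existing forest and that the new
# suffix has been (or will be) verified as a custom domain in the Azure AD tenant.
Import-Module ActiveDirectory

$NewSuffix  = 'company2.com'                      # assumed: acquired company's domain
$SearchBase = 'OU=Company2,DC=company1,DC=com'    # assumed: OU holding their accounts

function Add-ForestUpnSuffix {
    param([Parameter(Mandatory)][string]$Suffix)
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -contains $Suffix) {
        Write-Output "UPN suffix $Suffix already registered on forest $($forest.Name)"
        return
    }
    # Forest-level change: needs Enterprise Admin rights, which is exactly the
    # level of privilege the answer notes is not available in Azure AD DS.
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $Suffix}
    Write-Output "Added UPN suffix $Suffix to forest $($forest.Name)"
}

function Set-OuUpnSuffix {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$Suffix,
        [switch]$WhatIf
    )
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName |
        ForEach-Object {
            $current = $_.UserPrincipalName
            # Skip accounts that already carry the target suffix
            if ($current -and $current.Split('@')[-1] -ieq $Suffix) { return }
            $newUpn = "$($_.SamAccountName)@$Suffix"
            Write-Output "$($_.SamAccountName): $current -> $newUpn"
            if (-not $WhatIf) {
                Set-ADUser -Identity $_ -UserPrincipalName $newUpn
            }
        }
}

Add-ForestUpnSuffix -Suffix $NewSuffix
# Dry run first; drop -WhatIf to apply the change
Set-OuUpnSuffix -SearchBase $SearchBase -Suffix $NewSuffix -WhatIf
```

The suffix must be a verified custom domain in the tenant before the next sync cycle, otherwise Azure AD Connect substitutes the tenant's default .onmicrosoft.com suffix for those users.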

