Azure Hybrid Join - Non-Routable Domain

Axio Support 6 Reputation points
2020-02-10T18:16:07.587+00:00

We are looking to continue to move to Azure cloud services, and were looking at including the AAD Connect Hybrid Join feature.

Client is currently and successfully using AAD Connect to sync with Office 365. The current on-prem domain is using a non-routable domain name space: "domain.local". We have previously added a routable domain UPN suffix "domain.com" to the on-prem AD Domains and Trusts that matched the users' public email domain. We set every user's default UPN to this routable domain prior to migrating to Office 365 and configuring the AAD Connect sync. All users use their UPN for Office 365 mailboxes and SharePoint etc., and they can use this successfully to sign in to on-prem domain joined computers as well.

We also have Exchange Hybrid to Office 365 configuration working successfully. We provision new accounts by creating them on-prem AD and Exchange and then migrating the new mailbox with a remote mailbox move to Office 365 via the Office 365 EAC Migration feature. This has worked well.

However, aside from user accounts and some groups in the on-prem domain using the routable UPN, the on-prem domain and all domain objects (computer objects for instance) are still "domain.local".

We also have two Azure VMs that are joined to the on-prem domain.local via VPN and we would like to have these VMs point to the Azure AD and DNS as well, as I read that the VMs shouldn't have their own NIC IP information manually applied as we have it now; though there are plenty of posts where it's instructed to do exactly as we have done, pointing the Azure VMs to our on-prem domain DNS servers.

Reading through various documentation, it's recommended the Azure domain space use a subdomain like corp.domain.com, however our users' UPN is already simply domain.com. Also, Hybrid Join seems to require a routable domain, but we're still domain.local for on-prem.

So, we're not sure exactly how to move to Azure AD completely. The on-prem domain predates the recommendation to name it with a routable domain, which is common today. I've avoided a domain rename simply because it was always frowned upon and potentially a technical nightmare. However, we have a single forest, single domain, flat namespace, and probably only about 200 users and 200 computer objects.

Please advise.

Thank you,

Microsoft Entra ID

4 answers

  1. Konrad 'Sagus' Sagala 81 Reputation points MVP
    2020-02-11T15:56:36.237+00:00

    By default, computers use the primary domain suffix, and it cannot simply be changed to an alternate one like with users.
    The scenario described in your question is supported only for a federated domain - https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan


  2. Nagappan Veerappan 576 Reputation points Microsoft Employee
    2020-03-07T00:35:16.307+00:00

    Hi

    As long as you are maintaining the on-prem users' UPN as routable (domain.com) and domain.com is verified in the AAD tenant, it will work with computers that are on-prem domain joined and have a suffix like computer1.domain.local.

    Hybrid Azure AD join is completely supported in the above case. Your machine can perform Hybrid Azure AD join with domain.local.

    Once the user logs in with the Domain\NetBIOS name, the logon process finds the UPN of the user in AD (domain.com), which is passed to Azure AD, and that will match user realm discovery.

    This doc's UPN routable/non-routable table is for users - NOT for computers:
    https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

    Regards
    Nagappan V

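The answer above rests on two facts that are easy to verify before enabling the Hybrid Join option in AAD Connect: every synced user's UPN suffix is a domain verified in the tenant, and computer objects may keep the domain.local suffix. The PowerShell below is an added example, not code from this thread, from Microsoft, or from any of the posters. It assumes the RSAT ActiveDirectory module is installed, that you supply the tenant's verified custom domain names yourself in the VerifiedTenantDomains parameter (the script does not query Azure AD), and it uses the placeholder names domain.com and domain.local from the question. The function Resolve-CloudRealm and the script name Test-HybridJoinNames.ps1 are this example's own, hypothetical names.

```powershell
<#
  Test-HybridJoinNames.ps1 (hypothetical name; added example, not from the thread)
  Audits the naming preconditions for Hybrid Azure AD Join in a forest whose
  DNS name is non-routable (domain.local) but whose users carry a routable UPN.
  Assumptions: RSAT ActiveDirectory module present; $VerifiedTenantDomains is the
  tenant's verified custom domain list, supplied by the operator.
#>
param(
    [string[]]$VerifiedTenantDomains = @('domain.com'),   # placeholder from the question
    [string]$SamAccountName                               # optional: trace one logon
)
Import-Module ActiveDirectory -ErrorAction Stop

$adDomain = Get-ADDomain
$adForest = Get-ADForest
Write-Output "On-prem domain DNS name : $($adDomain.DNSRoot)"
Write-Output "NetBIOS name            : $($adDomain.NetBIOSName)"
Write-Output "Alternate UPN suffixes  : $($adForest.UPNSuffixes -join ', ')"

# Returns the lower-cased part after the last '@', or $null when the UPN is unset.
function Get-UpnSuffix {
    param([string]$Upn)
    if ([string]::IsNullOrEmpty($Upn) -or $Upn -notmatch '@') { return $null }
    return $Upn.Substring($Upn.LastIndexOf('@') + 1).ToLowerInvariant()
}

# 1. Users: the UPN suffix must be a domain verified in the tenant. Users with an
#    empty UPN or a domain.local suffix are the ones a hybrid-joined device sign-in
#    would not map onto the expected cloud identity, so they are listed for fixing.
$verified = @($VerifiedTenantDomains | ForEach-Object { $_.ToLowerInvariant() })
$users    = @(Get-ADUser -Filter "Enabled -eq 'True'" -Properties UserPrincipalName)
$badUsers = @($users | Where-Object { (Get-UpnSuffix $_.UserPrincipalName) -notin $verified })
Write-Output ("Enabled users: {0}; with UPN suffix not verified in tenant: {1}" -f $users.Count, $badUsers.Count)
$badUsers | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# 2. Computers: a domain.local DNS suffix is expected and does not block Hybrid Join.
#    This only reports the count so it can be compared with the tenant's device list later.
$computers   = @(Get-ADComputer -Filter "Enabled -eq 'True'" -Properties DNSHostName)
$localSuffix = @($computers | Where-Object { $_.DNSHostName -like "*.$($adDomain.DNSRoot)" })
Write-Output ("Enabled computers: {0}; with DNS suffix {1}: {2}" -f $computers.Count, $adDomain.DNSRoot, $localSuffix.Count)

# 3. Trace one logon the way the answer describes it:
#    DOMAIN\sAMAccountName -> UPN stored in AD -> realm that Azure AD discovers.
function Resolve-CloudRealm {
    param(
        [Parameter(Mandatory)][string]$Sam,
        [string[]]$Verified
    )
    $u      = Get-ADUser -Identity $Sam -Properties UserPrincipalName
    $suffix = Get-UpnSuffix $u.UserPrincipalName
    [pscustomobject]@{
        LogonName        = "$($adDomain.NetBIOSName)\$Sam"
        UpnFromAD        = $u.UserPrincipalName
        RealmSentToAAD   = $suffix
        VerifiedInTenant = ($suffix -in $Verified)
    }
}
if ($SamAccountName) { Resolve-CloudRealm -Sam $SamAccountName -Verified $verified }
```

Run it from a domain-joined management host with an account that can read user and computer objects, for example `.\Test-HybridJoinNames.ps1 -VerifiedTenantDomains domain.com -SamAccountName jsmith`. An empty "not verified in tenant" list for users, together with a non-empty domain.local computer count, is exactly the state the answer says is supported; any user in the first list needs a UPN change before that user's device sign-in will resolve to the right cloud account.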

  3. Axio Support 6 Reputation points
    2020-03-07T01:06:06.11+00:00

    This is interesting. AAD Connect seems to allow us to continue with Hybrid Join configuration, though we opted to not, until this is clear. Microsoft support has verbally told us it should work, but couldn't provide any documentation confirming it. And now NagappanVeerappan-MSFT seems to be saying the same.

    Meanwhile, what's also interesting is the use of UPN and Join, here. As we all know, UPN is user principal name, and should refer to user accounts. As far as I know, computer account objects do not have a UPN; ADSI does not show any field with a UPN value that matches the routable UPN suffix we added. Also, the term Join is a computer object term, not a user term; computer accounts join a domain.

    So, it's interesting to me how that online doc https://learn.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan uses UPN at all, in relation to a discussion on Hybrid Join. As stated, our domain has a routable UPN that we added for user accounts, and it matches their Office 365/Azure Tenant, and we sync our user AD on-prem accounts including passwords.

    Why is it so hard to get clear documentation on this issue, a guide on how to get from a non-routable domain AD to Azure AD, computers and users etc.? If your goal is to get to an Azure-only environment, Federation isn't it. That makes the situation worse by making all authentication dependent upon an on-prem system.


  4. Nagappan Veerappan 576 Reputation points Microsoft Employee
    2020-03-07T01:33:30.11+00:00

    I have placed a PR request, https://github.com/MicrosoftDocs/azure-docs/pull/49710, to update the public doc that the UPN we meant here is for on-prem AD users, not the computer domain suffix.

    Hope this helps

    Thank you
    Nagappan V
