
SeanBritton-1521 asked ·

Azure AD Domain service trust with AD synced domain

Hello,

I am having difficulty figuring out if it is possible to create a two-way trust between an Azure AD DS domain and a pre-existing AD-synced domain with a local DC.

For a bit of background: recently one of our clients, who currently use Azure AD Connect with a local DC, acquired a small company with no directory service or server infrastructure in place. Ideally we wish to set up a secondary domain using Azure AD Domain Services and create a two-way trust between the pre-existing domain and the new Azure AD DS domain, without requiring a local DC for the new domain.

If so, would this need to be between two separate Azure tenants, or can this all be completed within our pre-existing Azure tenant used for AD sync?

azure-ad-domain-services

1 Answer

shashishailaj answered ·

Hello Sean,

This is not possible. You may not be able to create a two-way trust between an Azure AD Domain Services instance and your domain: Azure AD Domain Services is not a replacement for an Active Directory environment and it has multiple restrictions. In order to create a trust you require Domain Administrator privileges, and in the managed Azure AD Domain Services instance no one is given the admin privileges. Since you do not have admin rights, during the trust creation process the trustedDomain object creation will fail and no trust will be created. The admin privileges in an Azure AD Domain Services environment come only from adding the users to the AAD DC Administrators group, which provides limited rights.

In your case, if you would want to create a DC for users of the acquired company at their physical location, you may create Azure VMs and extend your current AD to Azure.


Since the two companies are now part of the same organisation, I suggest using the same Active Directory to sync the users to the cloud in the same tenant. You can differentiate the users by their UPN suffix, e.g. for company 1 users user@company1.com and for company 2 users user@company2.com.

I hope the above clarifies your query. If the information provided helped, please do mark it as the answer so that it can help other community members. Should you have any further query, please let us know and we will be happy to help.

Thank you.


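The answer's recommendation is to keep a single on-premises AD and a single Azure AD tenant and tell the two companies apart by UPN suffix. The following script is an added example, not code from the thread or from Microsoft: it registers a second UPN suffix in the existing forest, assigns it to the acquired company's users, reports how many users carry each suffix, and lists the trusts the on-premises domain actually has (which should stay unchanged, since no trust with Azure AD DS is created). The suffix `company2.com`, the OU path and the run-from-a-domain-joined-admin-workstation assumption are placeholders for the example.

```powershell
# Added example (not from the original thread).
# Assumptions: RSAT ActiveDirectory module is available, the account running this is
# a Domain Admin of the on-premises domain, and the values below are placeholders.
Import-Module ActiveDirectory

$NewSuffix = 'company2.com'                      # placeholder: acquired company's public domain
$TargetOU  = 'OU=Company2,DC=company1,DC=com'    # placeholder: OU holding the acquired company's users

# 1. Register the suffix at forest level (skipped if it is already present).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $NewSuffix }
}

# 2. Give every user in the target OU a UPN of sAMAccountName@company2.com.
#    sAMAccountName is left untouched; only the UPN (what Azure AD Connect syncs) changes.
Get-ADUser -Filter * -SearchBase $TargetOU -Properties UserPrincipalName |
    ForEach-Object {
        $newUpn = '{0}@{1}' -f $_.SamAccountName, $NewSuffix
        if ($_.UserPrincipalName -ne $newUpn) {
            Set-ADUser -Identity $_ -UserPrincipalName $newUpn
        }
    }

# 3. Verify the split: number of users per UPN suffix across the whole domain.
Get-ADUser -Filter * -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName } |
    Group-Object { ($_.UserPrincipalName -split '@')[-1] } |
    Select-Object Name, Count

# 4. Confirm the trust picture did not change: only pre-existing trusts should appear.
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType
```

Before running step 2, add and verify `company2.com` as a custom domain in the Azure AD tenant; a UPN whose suffix is not verified in the tenant is rewritten by Azure AD Connect to the tenant's `onmicrosoft.com` domain, which defeats the purpose of the split.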

Thank you for such a clear response.

Small follow-up question:

To extend a current domain into Azure to accomplish this scenario, would the recommendation be to set up a DC virtual machine in Azure, or to extend the current domain into Azure AD DS without the VM?

Thank you,
Sean


Hello Sean,
My apologies for the delayed reply on this, as I was away. The recommendation would be to set up a Domain Controller on an Azure VM in Azure. You cannot extend the current domain into Azure AD DS without the VM. The AD DS sync is as follows:

On-prem Active Directory >> synced to Azure AD using AAD Connect >> users are now in Azure AD >> once AAD Domain Services is enabled, the users are synced to AAD Domain Services.

Have you checked that the newly acquired company does not use Azure AD or Office 365 services? If they use Office 365 services then they would already have an Azure AD tenant. In that case there is no way to transfer user objects from one tenant to another, and you would have to create the users again in the parent organization's tenant. I would always suggest keeping one single Azure AD tenant for all the users.

Hope this helps.
