AxioSupport-9943 asked ·

Azure Hybrid Join - Non-Routable Domain

We are looking to continue to move to Azure cloud services, and we're looking at including the AAD Connect Hybrid Join feature.

The client is currently and successfully using AAD Connect to sync with Office 365. The current on-prem domain is using a non-routable domain name space: "domain.local". We have previously added a routable domain UPN suffix "domain.com" in the on-prem AD Domains and Trusts that matched the users' public email domain. We set every user's default UPN to this routable domain prior to migrating to Office 365 and configuring the AAD Connect sync. All users use their UPN for Office 365 mailboxes and SharePoint etc., and they can use this successfully to sign in to on-prem domain-joined computers as well.

We also have an Exchange Hybrid to Office 365 configuration working successfully. We provision new accounts by creating them in on-prem AD and Exchange and then migrating the new mailbox with a remote mailbox move to Office 365 via the Office 365 EAC Migration feature. This has worked well.

However, aside from user accounts and some groups in the on-prem domain using the routable UPN, the on-prem domain and all domain objects (computer objects for instance) are still "domain.local".

We also have two Azure VMs that are joined to the on-prem domain.local via VPN, and we would like to have these VMs point to Azure AD and DNS as well, as I read that the VMs shouldn't have their own NIC IP information manually applied as we have it now; though there are plenty of posts where it's instructed to do exactly as we have done, pointing the Azure VMs to our on-prem domain DNS servers.

Reading through various documentation, it's recommended that the Azure domain space use a subdomain like corp.domain.com; however, our users' UPN is already simply domain.com. Also, Hybrid Join seems to require a routable domain, but we're still domain.local on-prem.

So, we're not sure exactly how to move to Azure AD completely. The on-prem domain predates the recommendation to name it with a routable domain, which is common today. I've avoided a domain rename simply because it was always frowned upon and potentially a technical nightmare. However, we have a single forest, single domain, flat namespace, and probably only about 200 users and 200 computer objects.

Please advise.

Thank you,

Tags: azure-ad-connect, azure-ad-device-management

sagus answered ·

By default, computers use the primary domain suffix, and it cannot simply be changed to an alternate one as with users.
The scenario described in your question is supported only for a federated domain: https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

NagappanVeerappan-MSFT answered ·

Hi,

As long as you are maintaining the on-prem users' UPNs as routable (domain.com) and domain.com is verified in the AAD tenant, it will work with computers that are on-prem domain joined and have a suffix like computer1.domain.local.

Hybrid Azure AD join is completely supported in the above case. Your machine can perform Hybrid Azure AD join with domain.local.

Once a user logs in with Domain\NetBIOS name, the logon process finds the UPN of the user in AD (domain.com), which is passed to Azure AD, and that will match user realm discovery.

The routable/non-routable UPN table in this doc is for users, NOT for computers:
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

Regards
Nagappan V

AxioSupport-9943 answered ·
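A readiness check for the condition described in the answer above, added here as an example (not code from the thread or from Microsoft): it lists synced users whose UPN suffix is not a tenant-verified domain, and summarises the DNS suffixes of computer objects, which may stay on domain.local. It assumes the ActiveDirectory RSAT module; the verified-domain list and the OU are placeholders.

```powershell
# Added example (not from the thread). Checks the prerequisite stated in the
# answer: every synced user's UPN suffix must be verified in the Azure AD tenant,
# while computer objects may keep a non-routable suffix such as domain.local.
# Assumes the ActiveDirectory RSAT module; values below are placeholders.
Import-Module ActiveDirectory

$VerifiedDomains = @('domain.com')                  # placeholder: tenant's verified domains
$SyncedUsersOU   = 'OU=Users,DC=domain,DC=local'    # placeholder: OU that AAD Connect syncs

# Users with a missing or unverified UPN suffix are given the tenant's default
# .onmicrosoft.com suffix by AAD Connect, so their logon will not match the
# realm discovery described in the answer. Surface them before enabling Hybrid Join.
$badUsers = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SyncedUsersOU -Properties UserPrincipalName |
    Where-Object {
        $upn = $_.UserPrincipalName
        [string]::IsNullOrEmpty($upn) -or ($VerifiedDomains -notcontains ($upn -split '@')[-1])
    } |
    Select-Object SamAccountName, UserPrincipalName

if ($badUsers) {
    Write-Warning 'Users whose UPN suffix is not verified in the tenant (fix before Hybrid Join):'
    $badUsers | Format-Table -AutoSize
} else {
    Write-Host "All enabled users in $SyncedUsersOU use a verified UPN suffix."
}

# Computers are not matched by UPN; a .local DNS suffix here is expected and fine.
# This just shows how many computer objects carry each suffix, for the record.
Get-ADComputer -Filter 'Enabled -eq $true' -Properties DNSHostName |
    Group-Object -Property { ($_.DNSHostName -split '\.', 2)[-1] } |
    Select-Object @{ n = 'DnsSuffix'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```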

This is interesting. AAD Connect seems to allow us to continue with Hybrid Join configuration, though we opted to not, until this is clear. Microsoft support has verbally told us it should work, but couldn't provide any documentation confirming it. And now NagappanVeerappan-MSFT seems to be saying the same.

Meanwhile, what's also interesting is the use of UPN and Join, here. As we all know, UPN is user principal name, and should refer to user accounts. As far as I know, computer account objects do not have a UPN; ADSI does not show any field with a UPN value that matches the routable UPN suffix we added. Also, the term Join is a computer object term, not a user term; computer accounts join a domain.

So, it's interesting to me how that online doc https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan uses UPN at all, in relation to a discussion on Hybrid Join. As stated, our domain has a routable UPN that we added for user accounts, and it matches their Office 365/Azure Tenant, and we sync our user AD on-prem accounts including passwords.

Why is it so hard to get clear documentation on this issue, a guide on how to get from a non-routable AD domain to Azure AD, computers and users, etc.? If your goal is to get to an Azure-only environment, Federation isn't it; that makes the situation worse by making all authentication dependent upon an on-prem system.

NagappanVeerappan-MSFT answered ·

I have placed a PR (https://github.com/MicrosoftDocs/azure-docs/pull/49710) to update the public doc: by UPN, we meant here the on-prem AD users' UPN, not the computer domain suffix.

Hope this helps

Thank you
Nagappan V
