Tutorial: Create an outbound forest trust to an on-premises domain in Azure Active Directory Domain Services (preview)

In environments where you can't synchronize password hashes, or you have users that exclusively sign in using smart cards so they don't know their password, you can use a resource forest in Azure Active Directory Domain Services (Azure AD DS). A resource forest uses a one-way outbound trust from Azure AD DS to one or more on-premises AD DS environments. This trust relationship lets users, applications, and computers authenticate against an on-premises domain from the Azure AD DS managed domain. Because the trust is one-way, on-premises users can be granted access to resources in the managed domain, but accounts in the managed domain can't access on-premises resources through it. Azure AD DS resource forests are currently in preview.

Diagram of forest trust from Azure AD DS to on-premises AD DS

In this tutorial, you learn how to:

  • Configure DNS in an on-premises AD DS environment to support Azure AD DS connectivity
  • Create a one-way inbound forest trust in an on-premises AD DS environment
  • Create a one-way outbound forest trust in Azure AD DS
  • Test and validate the trust relationship for authentication and resource access

If you don’t have an Azure subscription, create an account before you begin.

Prerequisites

To complete this tutorial, you need the following resources and privileges:

Sign in to the Azure portal

In this tutorial, you create and configure the outbound forest trust from Azure AD DS using the Azure portal. To get started, first sign in to the Azure portal.

Networking considerations

The virtual network that hosts the Azure AD DS resource forest needs network connectivity to your on-premises Active Directory. Applications and services also need network connectivity to the virtual network hosting the Azure AD DS resource forest. Network connectivity to the Azure AD DS resource forest must be always on and stable; otherwise, users may fail to authenticate or access resources.

Before you configure a forest trust in Azure AD DS, make sure the networking between Azure and your on-premises environment meets the following requirements:

  • Use private IP addresses. Don't rely on DHCP with dynamic IP address assignment.
  • Avoid overlapping IP address spaces so that virtual network peering and routing can successfully communicate between Azure and on-premises.
  • An Azure virtual network needs a gateway subnet to configure a site-to-site (S2S) VPN or ExpressRoute connection.
  • Create subnets with enough IP addresses to support your scenario.
  • Make sure Azure AD DS has its own subnet; don't share this virtual network subnet with application VMs and services.
  • Peered virtual networks are NOT transitive.
    • Virtual network peerings must be created between the virtual network that hosts Azure AD DS and every other virtual network whose resources need to use the forest trust to the on-premises AD DS environment.
  • Provide continuous network connectivity to your on-premises Active Directory forest. Don't use on-demand connections.
  • Make sure there's continuous name resolution (DNS) between your Azure AD DS resource forest name and your on-premises Active Directory forest name.
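As an added example (not part of the original tutorial), the following PowerShell checks, from a VM in the virtual network that hosts the managed domain, that the TCP ports a forest trust and cross-forest logon rely on are reachable on each on-premises domain controller. The on-premises DC addresses 10.0.2.4 and 10.0.2.5 are assumed. You can't sign in to the managed domain controllers themselves, so a VM in the same virtual network stands in for them.

```powershell
# Added example, not from the tutorial. Assumed on-premises DC addresses below;
# run from a VM in the virtual network that hosts the Azure AD DS managed domain.
$OnPremDcs = @('10.0.2.4', '10.0.2.5')

# Ports used by trust creation, DC location, Kerberos and LDAP across the trust.
$Ports = [ordered]@{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    389 = 'LDAP'
    445 = 'SMB'
    464 = 'Kerberos password change'
    636 = 'LDAPS'
}

foreach ($dc in $OnPremDcs) {
    foreach ($port in $Ports.Keys) {
        # Test-NetConnection completes a TCP handshake; a blocked port shows as a
        # failed TcpTestSucceeded rather than a timeout you'd have to interpret.
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        Write-Output ('{0,-10} {1,5}/tcp {2,-26} {3}' -f $dc, $port, $Ports[$port], $state)
    }
}

# Test-NetConnection only exercises TCP. DNS and Kerberos also use UDP 53, 88
# and 464, and RPC-based operations use the dynamic range (TCP 49152-65535 on
# current Windows), so the VPN/ExpressRoute and on-premises firewalls must
# permit those as well.
```

Any line reporting BLOCKED points at a firewall, NSG, or route problem to fix before the trust is created; the trust wizard's own error messages are far less specific.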

Configure DNS in the on-premises domain

To correctly resolve the Azure AD DS managed domain from the on-premises environment, you may need to add forwarders to the existing DNS servers. Forwarders added at the server level receive every query the on-premises DNS server can't answer itself; if you only want queries for the managed domain name sent to Azure AD DS, use a conditional forwarder for that name instead. If you haven't configured the on-premises environment to communicate with the Azure AD DS managed domain, complete the following steps from a management workstation for the on-premises AD DS domain:

  1. Select Start | Administrative Tools | DNS
  2. Right-select DNS server, such as myAD01, select Properties
  3. Choose Forwarders, then Edit to add additional forwarders.
  4. Add the IP addresses of the Azure AD DS managed domain, such as 10.0.1.4 and 10.0.1.5.
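As an added example (not part of the original tutorial), the following PowerShell does the same configuration with a conditional forwarder scoped to the managed domain name, then checks that the DC locator records Azure AD DS publishes are resolvable through the on-premises DNS server. The managed domain name aadds.contoso.com, the DNS server addresses 10.0.1.4 and 10.0.1.5, and the on-premises DNS server name MYAD01 are assumed; it needs the DnsServer module from the DNS Server tools.

```powershell
# Added example, not from the tutorial. Assumed names and addresses below; run
# as a DNS administrator with the DnsServer module available.
$ManagedDomain = 'aadds.contoso.com'
$ManagedDnsIPs = @('10.0.1.4', '10.0.1.5')
$OnPremDnsHost = 'MYAD01'

# A conditional forwarder sends only queries for aadds.contoso.com to the managed
# domain's DNS servers. Replicating it forest-wide means every on-premises DNS
# server gets it, which matters because trust operations can use any DC.
if (-not (Get-DnsServerZone -Name $ManagedDomain -ComputerName $OnPremDnsHost -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $ManagedDomain `
        -MasterServers $ManagedDnsIPs `
        -ReplicationScope 'Forest' `
        -ComputerName $OnPremDnsHost
}

# Trust creation and cross-forest logon need the DC locator SRV records, not
# just the zone apex, so check those explicitly.
$checks = @(
    @{ Name = $ManagedDomain;                            Type = 'A'   },
    @{ Name = "_ldap._tcp.dc._msdcs.$ManagedDomain";     Type = 'SRV' },
    @{ Name = "_kerberos._tcp.dc._msdcs.$ManagedDomain"; Type = 'SRV' }
)
foreach ($c in $checks) {
    try {
        $r = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $OnPremDnsHost -ErrorAction Stop
        $targets = ($r | Where-Object { $_.Type -eq $c.Type } | ForEach-Object {
            if ($c.Type -eq 'SRV') { "$($_.NameTarget):$($_.Port)" } else { $_.IPAddress }
        }) -join ', '
        Write-Output "OK    $($c.Type) $($c.Name) -> $targets"
    } catch {
        Write-Output "FAIL  $($c.Type) $($c.Name): $($_.Exception.Message)"
    }
}
```

If the SRV lookups fail while the A record resolves, the forwarder is in place but the managed domain's DNS servers aren't reachable on UDP/TCP 53 from the on-premises DNS server, which is a network problem rather than a DNS one.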

Create inbound forest trust in the on-premises domain

The on-premises AD DS domain needs an incoming forest trust for the Azure AD DS managed domain. This trust must be manually created in the on-premises AD DS domain; it can't be created from the Azure portal.

To configure inbound trust on the on-premises AD DS domain, complete the following steps from a management workstation for the on-premises AD DS domain:

  1. Select Start | Administrative Tools | Active Directory Domains and Trusts

  2. Right-select domain, such as onprem.contoso.com, select Properties

  3. Choose Trusts tab, then New Trust

    Note

    If you don't see a Trusts option for the managed domain in the Azure portal, check its Properties for the Forest type. Only resource forests can create trusts. If the forest type is User, you can't create trusts. There's currently no way to change the forest type of an Azure AD DS managed domain; you need to delete and recreate the managed domain as a resource forest.

  4. Enter the Azure AD DS managed domain name, such as aadds.contoso.com, then select Next

  5. Select the option to create a Forest trust, then to create a One way: incoming trust.

  6. Choose to create the trust for This domain only. In the next step, you create the trust in the Azure portal for the Azure AD DS managed domain.

  7. Choose to use Forest-wide authentication, then enter and confirm a trust password. This same password is also entered in the Azure portal in the next section. Use a long, randomly generated value: it's only used to establish the trust, so it doesn't need to be memorable, and it shouldn't be reused anywhere else. With forest-wide authentication, any on-premises user can authenticate to computers in the managed domain; access to individual resources is still controlled by group membership and permissions, as shown later in this tutorial.

  8. Step through the next few windows with default options, then choose the option for No, do not confirm the outgoing trust.

  9. Select Finish
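As an added example (not part of the original tutorial), the following PowerShell creates the on-premises side of the trust without the wizard and then inspects the resulting trust object. The managed domain name aadds.contoso.com is assumed; run it as an Enterprise Admin on a domain controller or management workstation in the on-premises forest, with the ActiveDirectory module available for Get-ADTrust.

```powershell
# Added example, not from the tutorial. Assumed managed domain name below; run
# in the on-premises forest as an Enterprise Admin.
$ManagedForest = 'aadds.contoso.com'

# Generate a random, one-time trust password. The same value has to be typed
# into the Azure portal when the outbound side is created, so it's shown once
# here and not written to disk.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$TrustPassword = [Convert]::ToBase64String($bytes)
Write-Output "Trust password (enter it in the Azure portal): $TrustPassword"

# Create only the local (on-premises) side of the forest trust. Direction is
# relative to this forest: Inbound means aadds.contoso.com trusts
# onprem.contoso.com, so on-premises users can authenticate to the managed
# domain and not the reverse. This matches "One way: incoming" in the wizard.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$forest.CreateLocalSideOfTrustRelationship(
    $ManagedForest,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound,
    $TrustPassword)

# Inspect the trustedDomain object that was created. SID filtering
# (quarantine) is enabled by default on forest trusts and should stay that
# way: it stops SIDs from the trusted forest's SIDHistory being honoured here.
Get-ADTrust -Filter "Name -eq '$ManagedForest'" |
    Select-Object Name, Direction, ForestTransitive, TrustType,
                  SelectiveAuthentication, SIDFilteringForestAware, SIDFilteringQuarantined
```

At this point the trust is half-configured: Direction should read Inbound and ForestTransitive True, but validating the trust fails until the outbound side exists in Azure AD DS, which is why the wizard is told not to confirm it.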

Create outbound forest trust in Azure AD DS

With the on-premises AD DS domain configured to resolve the Azure AD DS managed domain and an inbound forest trust created, now create the outbound forest trust. This outbound forest trust completes the trust relationship between the on-premises AD DS domain and the Azure AD DS managed domain.

To create the outbound trust for the Azure AD DS managed domain in the Azure portal, complete the following steps:

  1. In the Azure portal, search for and select Azure AD Domain Services, then select your managed domain, such as aadds.contoso.com

  2. From the menu on the left-hand side of the Azure AD DS managed domain, select Trusts, then choose to + Add a trust.

  3. Enter a display name that identifies your trust, then the on-premises trusted forest DNS name, such as onprem.contoso.com

  4. Provide the same trust password that was used when configuring the inbound forest trust for the on-premises AD DS domain in the previous section.

  5. Provide at least two DNS servers for the on-premises AD DS domain, such as 10.0.2.4 and 10.0.2.5

  6. When ready, Save the outbound forest trust

    Create outbound forest trust in the Azure portal

Validate resource authentication

The following common scenarios let you validate that the forest trust correctly authenticates users and grants access to resources:

On-premises user authentication from the Azure AD DS resource forest

You should have a Windows Server virtual machine joined to the Azure AD DS resource forest. Use this virtual machine to test that an on-premises user can authenticate on it.

  1. Connect to the Windows Server VM joined to the Azure AD DS resource forest using Remote Desktop and your Azure AD DS administrator credentials. If you get a Network Level Authentication (NLA) error, check the user account you used is not a domain user account.

    Note

    To securely connect to your VMs joined to Azure AD Domain Services, you can use the Azure Bastion Host Service in supported Azure regions.

  2. Open a command prompt and use the whoami command to show the distinguished name of the currently authenticated user:

    whoami /fqdn
    
  3. Use the runas command to authenticate as a user from the on-premises domain. In the following command, replace userUpn@trusteddomain.com with the UPN of a user from the trusted on-premises domain. The command prompts you for the user’s password:

    runas /u:userUpn@trusteddomain.com cmd.exe
    
  4. If the authentication is successful, a new command prompt opens. The title of the new command prompt includes running as userUpn@trusteddomain.com.

  5. Use whoami /fqdn in the new command prompt to view the distinguished name of the authenticated user from the on-premises Active Directory.
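As an added example (not part of the original tutorial), the following PowerShell performs the same validation from a script on the Windows Server VM joined to the managed domain: it confirms the managed domain lists the on-premises forest as trusted, locates an on-premises domain controller across the trust, and validates an on-premises user's credentials before starting a process as that user. The trusted forest name onprem.contoso.com and the test user jdoe@onprem.contoso.com are assumed; Get-ADDomainController needs the RSAT ActiveDirectory module.

```powershell
# Added example, not from the tutorial. Assumed trusted forest and test user
# below; run on the Windows Server VM joined to the Azure AD DS managed domain.
$TrustedForest = 'onprem.contoso.com'
$TestUserUpn   = 'jdoe@onprem.contoso.com'

# 1. The managed domain must list the on-premises forest as a trusted domain.
#    nltest reads this from a domain controller of the machine's own domain.
$trusts = (nltest /domain_trusts) -join "`n"
if ($trusts -notmatch [regex]::Escape($TrustedForest)) {
    throw "$TrustedForest is not in the trusted domain list:`n$trusts"
}

# 2. Locate a DC in the trusted forest. This exercises the DNS forwarding set
#    up earlier and the network path to the on-premises DCs.
$dc = Get-ADDomainController -DomainName $TrustedForest -Discover -ErrorAction Stop
Write-Output "Located on-premises DC $($dc.HostName) ($($dc.IPv4Address))"

# 3. Validate the on-premises user's credentials against the trusted domain.
#    ValidateCredentials does a real logon, the same thing runas relies on,
#    without opening a console window.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$cred = Get-Credential -UserName $TestUserUpn -Message 'Password for the on-premises test user'
$ctx  = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext `
                   -ArgumentList 'Domain', $TrustedForest
$ok = $ctx.ValidateCredentials($cred.UserName, $cred.GetNetworkCredential().Password)
$ctx.Dispose()
if (-not $ok) {
    throw "Logon as $TestUserUpn failed. Check the trust password matches on both sides and that the trust validates."
}
Write-Output "Logon as $TestUserUpn succeeded via the forest trust"

# 4. Start a process under that identity, as runas does, and print the DN of
#    the on-premises account from inside it.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/k', 'whoami /fqdn' -Credential $cred
```

If step 1 passes but step 2 fails, the trust object exists but name resolution or connectivity to the on-premises DCs is broken; if step 3 fails with a bad user name or password error for a password you know is right, the two sides of the trust were created with different trust passwords.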

Access resources in the Azure AD DS resource forest using on-premises user

Using the Windows Server VM joined to the Azure AD DS resource forest, you can test the scenario where on-premises users, signed in to computers in the on-premises domain, access resources hosted in the resource forest. The following examples show you how to create and test various common scenarios.

Enable file and printer sharing

  1. Connect to the Windows Server VM joined to the Azure AD DS resource forest using Remote Desktop and your Azure AD DS administrator credentials. If you get a Network Level Authentication (NLA) error, check the user account you used is not a domain user account.

    Note

    To securely connect to your VMs joined to Azure AD Domain Services, you can use the Azure Bastion Host Service in supported Azure regions.

  2. Open Windows Settings, then search for and select Network and Sharing Center.

  3. Choose the option for Change advanced sharing settings.

  4. Under the Domain Profile, select Turn on file and printer sharing and then Save changes.

  5. Close Network and Sharing Center.

Create a security group and add members

  1. Open Active Directory Users and Computers.

  2. Right-select the domain name, choose New, and then select Organizational Unit.

  3. In the name box, type LocalObjects, then select OK.

  4. Select and right-click LocalObjects in the navigation pane. Select New and then Group.

  5. Type FileServerAccess in the Group name box. For the Group Scope, select Domain local, then choose OK.

  6. In the content pane, double-click FileServerAccess. Select Members, choose to Add, then select Locations.

  7. Select your on-premises Active Directory from the Location view, then choose OK.

  8. Type Domain Users in the Enter the object names to select box. Select Check Names, provide credentials for the on-premises Active Directory, then select OK.

    Note

    You must provide credentials because the trust relationship is only one way. This means users from the Azure AD DS can't access resources or search for users or groups in the trusted (on-premises) domain.

  9. The Domain Users group from your on-premises Active Directory should be a member of the FileServerAccess group. Select OK to save the group and close the window.

Create a file share for cross-forest access

  1. On the Windows Server VM joined to the Azure AD DS resource forest, create a folder and provide name such as CrossForestShare.
  2. Right-select the folder and choose Properties.
  3. Select the Security tab, then choose Edit.
  4. In the Permissions for CrossForestShare dialog box, select Add.
  5. Type FileServerAccess in Enter the object names to select, then select OK.
  6. Select FileServerAccess from the Groups or user names list. In the Permissions for FileServerAccess list, choose Allow for the Modify and Write permissions, then select OK.
  7. Select the Sharing tab, then choose Advanced Sharing…
  8. Choose Share this folder, then enter a memorable name for the file share in Share name such as CrossForestShare.
  9. Select Permissions. In the Permissions for Everyone list, choose Allow for the Change permission. Share permissions and NTFS permissions are both evaluated and the more restrictive result applies, so with this setting the NTFS permissions granted to FileServerAccess in the previous steps are what limit who can access the share.
  10. Select OK two times and then Close.
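As an added example (not part of the original tutorial), the following PowerShell carries out the three procedures above in one script on the Windows Server VM joined to the managed domain: it enables file and printer sharing for the domain profile, creates the OU and domain local group, adds the on-premises Domain Users group as a foreign security principal, and creates the folder, NTFS ACL and SMB share. The managed domain aadds.contoso.com with NetBIOS name AADDS, the on-premises forest onprem.contoso.com, and the folder C:\CrossForestShare are assumed; it needs the RSAT ActiveDirectory module and an account in the AAD DC Administrators group. It departs from the GUI steps in one place: share access is granted to FileServerAccess rather than Everyone, so both permission layers are scoped to the same group.

```powershell
# Added example, not from the tutorial. Assumed names below; run as an
# Azure AD DS administrator on the VM joined to the managed domain.
$ManagedDomainDn = 'DC=aadds,DC=contoso,DC=com'
$ManagedNetbios  = 'AADDS'              # assumed NetBIOS name of aadds.contoso.com
$OnPremForest    = 'onprem.contoso.com'
$GroupName       = 'FileServerAccess'
$SharePath       = 'C:\CrossForestShare'
$ShareName       = 'CrossForestShare'

# "Turn on file and printer sharing" for the domain profile is a front end for
# this rule group; enable only the rules that apply to the domain profile.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Profile -match 'Domain|Any' } |
    Enable-NetFirewallRule

# OU and a domain local security group. Domain local scope is what allows
# principals from the trusted forest to be members, and the group is only
# ever used for ACLs inside this domain.
$ouDn = "OU=LocalObjects,$ManagedDomainDn"
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDn'")) {
    New-ADOrganizationalUnit -Name 'LocalObjects' -Path $ManagedDomainDn
}
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security -Path $ouDn
}

# Add on-premises Domain Users. The trust is one-way, so looking the group up
# in the trusted forest needs explicit on-premises credentials. Membership is
# stored as a foreign security principal, which is why the SID is what's added.
$onPremCred = Get-Credential -Message "Account in $OnPremForest used only for the lookup"
$onPremSid  = (Get-ADGroup -Identity 'Domain Users' -Server $OnPremForest -Credential $onPremCred).SID.Value
Set-ADGroup -Identity $GroupName -Add @{ member = "<SID=$onPremSid>" }

# Folder with an NTFS ACE granting Modify (which includes Write) to the group.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
$acl  = Get-Acl -Path $SharePath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList "$ManagedNetbios\$GroupName", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Share permission: Change for the group instead of Everyone. Share and NTFS
# permissions are combined and the more restrictive wins, so this doesn't
# grant anything extra; it just keeps the share layer as tight as the NTFS one.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess "$ManagedNetbios\$GroupName" | Out-Null
}

# Show the results: the FSP member (under CN=ForeignSecurityPrincipals) and
# the share ACL.
(Get-ADGroup -Identity $GroupName -Properties member).member
Get-SmbShareAccess -Name $ShareName
```

The member DN printed at the end is a foreign security principal object named after the on-premises SID (ending in -513 for Domain Users); that object only resolves to a friendly name when a DC of the trusted forest is reachable, which is a useful sign of the trust working.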

Validate cross-forest authentication to a resource

  1. Sign in a Windows computer joined to your on-premises Active Directory using a user account from your on-premises Active Directory.

  2. Using Windows Explorer, connect to the share you created using the fully qualified host name and the share such as \\fs1.aadds.contoso.com\CrossforestShare.

  3. To validate the write permission, right-select in the folder, choose New, then select Text Document. Use the default name New Text Document.

    If the write permissions are set correctly, a new text document is created. The following steps will then open, edit, and delete the file as appropriate.

  4. To validate the read permission, open New Text Document.

  5. To validate the modify permission, add text to the file and close Notepad. When prompted to save changes, choose Save.

  6. To validate the delete permission, right-select New Text Document and choose Delete. Choose Yes to confirm file deletion.
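As an added example (not part of the original tutorial), the following PowerShell runs the read, write, modify and delete checks above as a script from a computer joined to the on-premises domain, signed in as an on-premises user. The share path \\fs1.aadds.contoso.com\CrossForestShare is assumed. Each step is attempted independently so that a partial permission set (for example Write allowed but Modify denied) shows up as such instead of stopping at the first error.

```powershell
# Added example, not from the tutorial. Run on an on-premises domain-joined
# computer as an on-premises user; the share path is assumed.
function Test-CrossForestShare {
    param(
        [Parameter(Mandatory)] [string] $SharePath
    )
    # Unique file name so concurrent or repeated runs don't collide.
    $file    = Join-Path $SharePath ("trust-check-{0}.txt" -f [guid]::NewGuid())
    $results = [ordered]@{}

    $steps = [ordered]@{
        'Enumerate share' = { Get-ChildItem -Path $SharePath -ErrorAction Stop | Out-Null }
        'Write (create)'  = { New-Item -ItemType File -Path $file -ErrorAction Stop | Out-Null }
        'Read'            = { Get-Content -Path $file -ErrorAction Stop | Out-Null }
        'Modify (append)' = { Add-Content -Path $file -Value 'trust check' -ErrorAction Stop }
        'Delete'          = { Remove-Item -Path $file -ErrorAction Stop }
    }
    foreach ($name in $steps.Keys) {
        try {
            & $steps[$name]
            $results[$name] = 'OK'
        } catch {
            # "Access is denied" here is an NTFS or share permission problem.
            # A trust or logon failure surfaces on the first step instead, as a
            # user name/password error or "The trust relationship ... failed".
            $results[$name] = "FAIL: $($_.Exception.Message)"
        }
    }
    return $results
}

# The identity the file server sees for this session; expect ONPREM\<user>.
whoami
Test-CrossForestShare -SharePath '\\fs1.aadds.contoso.com\CrossForestShare'
```

Because the share is addressed by its fully qualified name in the managed domain, Kerberos is used for the SMB session; a failure at the first step that mentions a target name or a referral, while the same path works from a VM in Azure, usually means the on-premises client can't resolve or reach the managed domain's DCs to get a cross-realm ticket.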

Next steps

In this tutorial, you learned how to:

  • Configure DNS in an on-premises AD DS environment to support Azure AD DS connectivity
  • Create a one-way inbound forest trust in an on-premises AD DS environment
  • Create a one-way outbound forest trust in Azure AD DS
  • Test and validate the trust relationship for authentication and resource access

For more conceptual information about forest types in Azure AD DS, see What are resource forests? and How do forest trusts work in Azure AD DS?