Tutorial: Create an outbound forest trust to an on-premises domain in Azure Active Directory Domain Services

In environments where you can't synchronize password hashes, or where users exclusively sign in using smart cards and don't know their password, you can use a resource forest in Azure Active Directory Domain Services (Azure AD DS). A resource forest uses a one-way outbound trust from Azure AD DS to one or more on-premises AD DS environments. This trust relationship lets users, applications, and computers authenticate against an on-premises domain from the Azure AD DS managed domain. In a resource forest, on-premises password hashes are never synchronized.

Diagram of forest trust from Azure AD DS to on-premises AD DS

In this tutorial, you learn how to:

  • Configure DNS in an on-premises AD DS environment to support Azure AD DS connectivity
  • Create a one-way inbound forest trust in an on-premises AD DS environment
  • Create a one-way outbound forest trust in Azure AD DS
  • Test and validate the trust relationship for authentication and resource access

If you don't have an Azure subscription, create an account before you begin.

Prerequisites

To complete this tutorial, you need the following resources and privileges:

Sign in to the Azure portal

In this tutorial, you create and configure the outbound forest trust from Azure AD DS using the Azure portal. To get started, first sign in to the Azure portal. Global administrator permissions are required to modify an Azure AD DS instance.

Networking considerations

The virtual network that hosts the Azure AD DS resource forest needs network connectivity to your on-premises Active Directory. Applications and services also need network connectivity to the virtual network hosting the Azure AD DS resource forest. Network connectivity to the Azure AD DS resource forest must be always on and stable; otherwise, users may fail to authenticate or access resources.

Before you configure a forest trust in Azure AD DS, make sure the networking between Azure and your on-premises environment meets the following requirements:

  • Use private IP addresses. Don't rely on DHCP with dynamic IP address assignment.
  • Avoid overlapping IP address spaces to allow virtual network peering and routing to successfully communicate between Azure and on-premises.
  • An Azure virtual network needs a gateway subnet to configure an Azure site-to-site (S2S) VPN or ExpressRoute connection.
  • Create subnets with enough IP addresses to support your scenario.
  • Make sure Azure AD DS has its own subnet; don't share that virtual network subnet with application VMs and services.
  • Peered virtual networks are NOT transitive.
    • Azure virtual network peerings must be created between all virtual networks that need to use the Azure AD DS resource forest trust to the on-premises AD DS environment.
  • Provide continuous network connectivity to your on-premises Active Directory forest. Don't use on-demand connections.
  • Make sure there's continuous name resolution (DNS) between your Azure AD DS resource forest name and your on-premises Active Directory forest name.

Configure DNS in the on-premises domain

To correctly resolve the managed domain from the on-premises environment, you may need to add forwarders to the existing DNS servers. If you haven't configured the on-premises environment to communicate with the managed domain, complete the following steps from a management workstation for the on-premises AD DS domain:

  1. Select Start > Administrative Tools > DNS.

  2. Select your DNS zone, such as aaddscontoso.com.

  3. Select Conditional Forwarders, then right-select and choose New Conditional Forwarder...

  4. Enter your other DNS Domain, such as contoso.com, then enter the IP addresses of the DNS servers for that namespace, as shown in the following example:

    Screenshot of how to add and configure a conditional forwarder for the DNS server.

  5. Check the box for Store this conditional forwarder in Active Directory, and replicate it as follows, then select the option for All DNS servers in this domain, as shown in the following example:

    Screenshot of how to select All DNS servers in this domain.

    Important

    If the conditional forwarder is stored in the forest instead of the domain, the conditional forwarder fails.

  6. To create the conditional forwarder, select OK.
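The conditional forwarder from the steps above, created with PowerShell on an on-premises DNS server. This is an added example, not part of the tutorial; the managed domain name aaddscontoso.com comes from the text, and the two DNS server IP addresses (10.0.1.4 and 10.0.1.5) are placeholders to replace with the DNS server addresses of your own managed domain. The final lookup checks that the managed domain's domain controller SRV record resolves through the new forwarder.

```powershell
# Added example: create the conditional forwarder for the managed domain on an
# on-premises DNS server, replicated to all DNS servers in this domain (not the forest).
# Placeholders: the managed domain name and its DNS server IP addresses.
$managedDomain = 'aaddscontoso.com'          # managed domain name (placeholder)
$managedDnsIps = '10.0.1.4', '10.0.1.5'      # managed domain DNS server IPs (placeholder)

# Requires the DnsServer module; run on an on-premises DNS server with rights to manage it.
Import-Module DnsServer

if (-not (Get-DnsServerZone -Name $managedDomain -ErrorAction SilentlyContinue)) {
    # ReplicationScope 'Domain' matches the "All DNS servers in this domain" option above;
    # storing the forwarder forest-wide is what the Important note warns against.
    Add-DnsServerConditionalForwarderZone -Name $managedDomain `
        -MasterServers $managedDnsIps `
        -ReplicationScope 'Domain'
}

# Check: the domain controller SRV record of the managed domain must resolve from here.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$managedDomain" -Type SRV -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Port
```

If the lookup fails, fix name resolution before creating the trust: the trust wizard in the next section contacts the managed domain by name and fails without this forwarder.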

Create inbound forest trust in the on-premises domain

The on-premises AD DS domain needs an incoming forest trust for the managed domain. This trust must be created manually in the on-premises AD DS domain; it can't be created from the Azure portal.

To configure inbound trust on the on-premises AD DS domain, complete the following steps from a management workstation for the on-premises AD DS domain:

  1. Select Start > Administrative Tools > Active Directory Domains and Trusts.
  2. Right-click the domain, such as onprem.contoso.com, then select Properties.
  3. Choose Trusts tab, then New Trust.
  4. Enter the Azure AD DS domain name, such as aaddscontoso.com, then select Next.
  5. Select the option to create a Forest trust, then to create a One way: incoming trust.
  6. Choose to create the trust for This domain only. In the next step, you create the trust in the Azure portal for the managed domain.
  7. Choose to use Forest-wide authentication, then enter and confirm a trust password. This same password is also entered in the Azure portal in the next section.
  8. Step through the next few windows with default options, then choose the option for No, do not confirm the outgoing trust.
  9. Select Finish.
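The inbound forest trust created from the on-premises side only, using the .NET Forest.CreateLocalSideOfTrustRelationship method, which does what the wizard's This domain only option does. This is an added example, not part of the tutorial; the managed domain name is a placeholder, and the trust password is prompted for rather than stored in the script so that the same value can be entered in the Azure portal in the next section. The Get-ADTrust call at the end is the check to keep: Direction should read Inbound, ForestTransitive True, and SelectiveAuthentication False for the forest-wide authentication chosen in step 7.

```powershell
# Added example: create only the on-premises side of the forest trust, as the wizard
# does with "This domain only", using the System.DirectoryServices.ActiveDirectory API.
# Run as an Enterprise Admin on a machine in the on-premises forest.
$managedDomain = 'aaddscontoso.com'   # managed domain name (placeholder)

# Read the trust password without leaving it in the console history or the script.
$securePassword = Read-Host -Prompt 'Trust password (reuse it in the Azure portal)' -AsSecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePassword)
try {
    $plainPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# TrustDirection.Inbound is the "One way: incoming" option: users of this forest can be
# authenticated in the managed domain, not the reverse. The managed domain must already
# resolve by name (previous section) because the API contacts it to read its SID.
$forest.CreateLocalSideOfTrustRelationship(
    $managedDomain,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound,
    $plainPassword)
$plainPassword = $null

# Check: a forest trust, direction Inbound, forest-transitive, without selective
# authentication. The SID filtering columns show the filtering state to review.
Import-Module ActiveDirectory
Get-ADTrust -Identity $managedDomain |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication,
                  SIDFilteringForestAware, SIDFilteringQuarantined
```

The trust is not verified at this point, matching the No, do not confirm the outgoing trust choice in step 8: the managed domain's side does not exist until you create it in the Azure portal.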

If the forest trust is no longer needed for an environment, complete the following steps to remove it from the on-premises domain:

  1. Select Start > Administrative Tools > Active Directory Domains and Trusts.
  2. Right-click the domain, such as onprem.contoso.com, then select Properties.
  3. Choose the Trusts tab, then under Domains that trust this domain (incoming trusts), click the trust to be removed, and then click Remove.
  4. On the Trusts tab, under Domains trusted by this domain (outgoing trusts), click the trust to be removed, and then click Remove.
  5. Click No, remove the trust from the local domain only.

Create outbound forest trust in Azure AD DS

With the on-premises AD DS domain configured to resolve the managed domain and an inbound forest trust created, now create the outbound forest trust. This outbound forest trust completes the trust relationship between the on-premises AD DS domain and the managed domain.

To create the outbound trust for the managed domain in the Azure portal, complete the following steps:

  1. In the Azure portal, search for and select Azure AD Domain Services, then select your managed domain, such as aaddscontoso.com.

  2. From the menu on the left-hand side of the managed domain, select Trusts, then choose to + Add a trust.

    Note

    If you don't see the Trusts menu option, check under Properties for the Forest type. Only resource forests can create trusts. If the forest type is User, you can't create trusts. There's currently no way to change the forest type of a managed domain. You need to delete and recreate the managed domain as a resource forest.

  3. Enter a display name that identifies your trust, then the on-premises trusted forest DNS name, such as onprem.contoso.com.

  4. Provide the same trust password that was used to configure the inbound forest trust for the on-premises AD DS domain in the previous section.

  5. Provide at least two DNS servers for the on-premises AD DS domain, such as 10.1.1.4 and 10.1.1.5.

  6. When ready, Save the outbound forest trust.

    Screenshot of creating an outbound forest trust in the Azure portal.

If the forest trust is no longer needed for an environment, complete the following steps to remove it from Azure AD DS:

  1. In the Azure portal, search for and select Azure AD Domain Services, then select your managed domain, such as aaddscontoso.com.
  2. From the menu on the left-hand side of the managed domain, select Trusts, choose the trust, and click Remove.
  3. Provide the same trust password that was used to configure the forest trust and click OK.

Validate resource authentication

The following common scenarios let you validate that the forest trust correctly authenticates users and grants access to resources:

On-premises user authentication from the Azure AD DS resource forest

You should have a Windows Server virtual machine joined to the managed domain. Use this virtual machine to test that an on-premises user can authenticate on it. If needed, create a Windows VM and join it to the managed domain.

  1. Connect to the Windows Server VM joined to the Azure AD DS resource forest using Azure Bastion and your Azure AD DS administrator credentials.

  2. Open a command prompt and use the whoami command to show the distinguished name of the currently authenticated user:

    whoami /fqdn
    
  3. Use the runas command to authenticate as a user from the on-premises domain. In the following command, replace userUpn@trusteddomain.com with the UPN of a user from the trusted on-premises domain. The command prompts you for the user's password:

    Runas /u:userUpn@trusteddomain.com cmd.exe
    
  4. If the authentication is successful, a new command prompt opens. The title of the new command prompt includes running as userUpn@trusteddomain.com.

  5. Use whoami /fqdn in the new command prompt to view the distinguished name of the authenticated user from the on-premises Active Directory.

Access resources in the Azure AD DS resource forest using on-premises user

Using the Windows Server VM joined to the Azure AD DS resource forest, you can test the scenario where users from the on-premises domain, signed in on computers joined to the on-premises domain, access resources hosted in the resource forest. The following examples show you how to create and test various common scenarios.

Enable file and printer sharing

  1. Connect to the Windows Server VM joined to the Azure AD DS resource forest using Azure Bastion and your Azure AD DS administrator credentials.

  2. Open Windows Settings, then search for and select Network and Sharing Center.

  3. Choose the option for Change advanced sharing settings.

  4. Under the Domain Profile, select Turn on file and printer sharing and then Save changes.

  5. Close Network and Sharing Center.

Create a security group and add members

  1. Open Active Directory Users and Computers.

  2. Right-select the domain name, choose New, and then select Organizational Unit.

  3. In the name box, type LocalObjects, then select OK.

  4. Select and right-click LocalObjects in the navigation pane. Select New and then Group.

  5. Type FileServerAccess in the Group name box. For the Group Scope, select Domain local, then choose OK.

  6. In the content pane, double-click FileServerAccess. Select Members, choose to Add, then select Locations.

  7. Select your on-premises Active Directory from the Location view, then choose OK.

  8. Type Domain Users in the Enter the object names to select box. Select Check Names, provide credentials for the on-premises Active Directory, then select OK.

    Note

    You must provide credentials because the trust relationship is only one way. This means users from the Azure AD DS managed domain can't access resources or search for users or groups in the trusted (on-premises) domain.

  9. The Domain Users group from your on-premises Active Directory should be a member of the FileServerAccess group. Select OK to save the group and close the window.

Create a file share for cross-forest access

  1. On the Windows Server VM joined to the Azure AD DS resource forest, create a folder and give it a name such as CrossForestShare.
  2. Right-select the folder and choose Properties.
  3. Select the Security tab, then choose Edit.
  4. In the Permissions for CrossForestShare dialog box, select Add.
  5. Type FileServerAccess in Enter the object names to select, then select OK.
  6. Select FileServerAccess from the Groups or user names list. In the Permissions for FileServerAccess list, choose Allow for the Modify and Write permissions, then select OK.
  7. Select the Sharing tab, then choose Advanced Sharing….
  8. Choose Share this folder, then enter a memorable name for the file share in Share name such as CrossForestShare.
  9. Select Permissions. In the Permissions for Everyone list, choose Allow for the Change permission.
  10. Select OK two times and then Close.
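The three procedures above (Enable file and printer sharing, Create a security group and add members, and Create a file share for cross-forest access) as one PowerShell script run on the Windows Server VM joined to the managed domain. This is an added example, not part of the tutorial; the on-premises domain name onprem.contoso.com and the local folder path C:\CrossForestShare are placeholders. The cross-forest member is added by SID so that Active Directory creates the foreign security principal for it, and the explicit credential is needed for the reason the note under step 8 gives: the trust is one-way.

```powershell
# Added example: file and printer sharing, the domain-local group with an on-premises
# member, and the share, run on the managed-domain-joined VM as an Azure AD DS administrator.
# Placeholders: the on-premises domain name and the local path backing the share.
$onPremDomain = 'onprem.contoso.com'   # trusted on-premises domain (placeholder)
$sharePath    = 'C:\CrossForestShare'  # local folder backing the share (placeholder)
$groupName    = 'FileServerAccess'

Import-Module ActiveDirectory

# 1. File and printer sharing, limited to rules that apply to the Domain profile.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Profile -match 'Domain|Any' } |
    Enable-NetFirewallRule

# 2. OU and domain-local group in the managed domain. Domain local scope is what allows
#    principals from the trusted forest to be members.
$domainDn = (Get-ADDomain).DistinguishedName
$ouDn = "OU=LocalObjects,$domainDn"
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'LocalObjects'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name 'LocalObjects' -Path $domainDn
}
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security -Path $ouDn
}

# Look up Domain Users in the on-premises forest. Credentials are required because the
# trust is one-way: the managed domain cannot query the trusted domain on your behalf.
$onPremCred  = Get-Credential -Message "Account in $onPremDomain"
$onPremUsers = Get-ADGroup -Identity 'Domain Users' -Server $onPremDomain -Credential $onPremCred

# Add the cross-forest member by SID; AD creates the foreign security principal for it.
Set-ADGroup -Identity $groupName -Add @{ member = "<SID=$($onPremUsers.SID.Value)>" }

# 3. Folder, NTFS permission (Modify for the group) and the SMB share (Change for Everyone).
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
$acl  = Get-Acl -Path $sharePath
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$((Get-ADDomain).NetBIOSName)\$groupName",
    'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

if (-not (Get-SmbShare -Name 'CrossForestShare' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'CrossForestShare' -Path $sharePath -ChangeAccess 'Everyone'
}

# Check: the group's member list should contain an entry under the
# ForeignSecurityPrincipals container named after the on-premises Domain Users SID.
(Get-ADGroup -Identity $groupName -Properties member).member
```

Effective access for the on-premises users is the more restrictive of the share permission (Change for Everyone) and the NTFS permission (Modify for FileServerAccess), so tightening either one narrows what the trusted forest's users can do on the share.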

Validate cross-forest authentication to a resource

  1. Sign in to a Windows computer joined to your on-premises Active Directory using a user account from your on-premises Active Directory.

  2. Using Windows Explorer, connect to the share you created using the fully qualified host name and the share such as \\fs1.aaddscontoso.com\CrossforestShare.

  3. To validate the write permission, right-select in the folder, choose New, then select Text Document. Use the default name New Text Document.

    If the write permissions are set correctly, a new text document is created. The following steps will then open, edit, and delete the file as appropriate.

  4. To validate the read permission, open New Text Document.

  5. To validate the modify permission, add text to the file and close Notepad. When prompted to save changes, choose Save.

  6. To validate the delete permission, right-select New Text Document and choose Delete. Choose Yes to confirm file deletion.
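The permission checks in steps 3 through 6, run as a PowerShell script from the on-premises-joined computer while signed in as an on-premises user. This is an added example, not part of the tutorial; the host name fs1.aaddscontoso.com and the share name are placeholders for your own file server and share.

```powershell
# Added example: write, read, modify and delete checks against the cross-forest share,
# run from a computer in the on-premises domain as an on-premises user.
$fileServer = 'fs1.aaddscontoso.com'                  # file server in the resource forest (placeholder)
$share      = "\\$fileServer\CrossForestShare"         # share created in the previous section (placeholder)

# Who is testing: the account must belong to the on-premises (trusted) domain.
"Testing as $env:USERDOMAIN\$env:USERNAME against $share"

# SMB reachability over the Azure to on-premises connection before testing permissions.
if (-not (Test-NetConnection -ComputerName $fileServer -Port 445 -InformationLevel Quiet)) {
    throw "TCP 445 to $fileServer is not reachable; check connectivity and name resolution."
}

# Same file name the manual steps use, so the results map to the steps one to one.
$file    = Join-Path $share 'New Text Document.txt'
$results = [ordered]@{}

try { New-Item -Path $file -ItemType File -Force -ErrorAction Stop | Out-Null; $results.Write  = 'OK' }
catch { $results.Write  = $_.Exception.Message }

try { Get-Content -Path $file -ErrorAction Stop | Out-Null;                  $results.Read   = 'OK' }
catch { $results.Read   = $_.Exception.Message }

try { Add-Content -Path $file -Value 'trust test' -ErrorAction Stop;          $results.Modify = 'OK' }
catch { $results.Modify = $_.Exception.Message }

try { Remove-Item -Path $file -ErrorAction Stop;                              $results.Delete = 'OK' }
catch { $results.Delete = $_.Exception.Message }

# Each column should read OK; a failure names the permission to revisit on the
# share (Change for Everyone) or the NTFS ACL (Modify for FileServerAccess).
[pscustomobject]$results
```

A failure on Write with Read succeeding usually points at the NTFS permission on the folder; a failure on every check points at the share permission, group membership or the trust itself, which you can confirm with the whoami and runas steps earlier in this section.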

Next steps

In this tutorial, you learned how to:

  • Configure DNS in an on-premises AD DS environment to support Azure AD DS connectivity
  • Create a one-way inbound forest trust in an on-premises AD DS environment
  • Create a one-way outbound forest trust in Azure AD DS
  • Test and validate the trust relationship for authentication and resource access

For more conceptual information about forest types in Azure AD DS, see What are resource forests? and How do forest trusts work in Azure AD DS?