Forum Discussion
Sandro Alves
May 01, 2021, Copper Contributor
Azure ADDS extension of my onpremises domain
Hi, I have an on-premises domain (company.com.br) where all my users used to log in. However, now with home-office users I want them to authenticate to Azure ADDS using the same credentials as m...
TravisRoberts
Iron Contributor
The client has to have access to the Azure AD DS domain and Azure AD DS DNS servers to find the domain. You would likely need a VPN solution for the clients as it’s not recommended to expose AD DS, Windows or Azure, to the internet.
You can configure the on-premises Windows AD DS to sync users' legacy NTLM password hash from Windows AD to Azure AD. The legacy password hash is different from the password hash sync used to sync passwords with AD Connect. This way, the passwords will be the same for the on-premises domain and the Azure AD DS domain.
Based on your description, it sounds like you are looking for behavior similar to a multi-domain forest or trust relationship between a Windows AD domain and an Azure AD DS domain. Identities can replicate from Windows AD to Azure AD DS (not the other way), but they are two separate domains. Also, Azure AD DS will not support trust relationships, so a computer added to one domain will not be trusted by the other. Other than sharing user names and passwords, they are two distinct domains.
From my experience, Azure AD DS is really meant for standing up a hosted, isolated AD DS environment to support a cloud service that requires AD DS. Extending it to remote users will have all the complexities of extending on-premises AD DS to remote users with the limitations of Azure AD DS (no trust relationships, only available in one site, can't extend the schema).
If you are looking to manage remote desktops, Azure AD join and Intune may be a better option.
-Travis
Sandro Alves
May 02, 2021, Copper Contributor
Hi,
I understand what you say, but I have a friend who said that in his company the machines were joined to the domain via the Internet.
I believe that to do this I need to enable secure LDAP for the internet.
He does not use GPO to protect computers, he uses Intune to enforce policies.
Thanks.