
Can One Azure VNet support 2 different AD Forest?

Is it Possible to have 2 different AD forest part of same Azure VNet?
 
Example:
Current on-premises domain controllers:

domain controller 1: abc.com

domain controller 2: xyz.com

 

I'm extending the AD to Azure. Is it possible to have the IP addresses of both added to the Azure DNS (custom)?

Or do I have to have a separate VNet for domain controller 2: xyz.com?

 

Any assistance will be deeply appreciated.

3 Replies

@Admin O365 

 

You can run two forests in a single VNET but you need to use your DCs as DNS. When a DC in a domain starts it uses DNS to find all the DCs in the domain. If you are using a single DNS like Azure DNS to manage your VNET names, then one forest will not work correctly.

 

Best to set the DNS manually on the VMs' NICs.

 
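As an added example (not code from the thread or from Microsoft), here is one way to apply the NIC-level DNS recommendation in the reply above with Az PowerShell: it first checks that each DC answers the DC-locator SRV query for its own forest, then pins each member VM's NIC to that forest's DCs so the two forests never share a resolver. The resource group, NIC names and DC addresses are constructed placeholders; it assumes the Az and DnsClient modules are installed and you are signed in.

```powershell
# Added example, not from the thread. Assumes Az PowerShell + DnsClient module;
# resource group, NIC names and DC addresses are constructed placeholders.
$ResourceGroup = 'rg-hybrid-ad'

# Each forest gets its own DC list. Member VMs must only point at DCs of their
# own forest so that the _msdcs SRV lookups resolve inside that forest.
$Forests = @{
    'abc.com' = @{ Dcs = @('10.10.1.4', '10.10.1.5'); Nics = @('vm-abc-app01-nic') }
    'xyz.com' = @{ Dcs = @('10.10.2.4', '10.10.2.5'); Nics = @('vm-xyz-app01-nic') }
}

foreach ($forest in $Forests.Keys) {
    $dcs = $Forests[$forest].Dcs

    # 1. Verify each DC serves the DC-locator SRV record for its own forest
    #    before pointing any VM at it. -Server queries that DC directly,
    #    bypassing whatever DNS the management host itself uses.
    foreach ($dc in $dcs) {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$forest" -Type SRV `
                               -Server $dc -ErrorAction SilentlyContinue
        if (-not $srv) {
            throw "DC $dc does not answer _msdcs SRV queries for $forest; fix DNS first."
        }
        Write-Host "$dc serves $($srv.Count) DC SRV record(s) for $forest"
    }

    # 2. Set the forest's DCs as NIC-level DNS servers. NIC settings override
    #    the VNet-wide DNS setting, so each VM resolves only its own forest.
    foreach ($nicName in $Forests[$forest].Nics) {
        $nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $ResourceGroup
        $nic.DnsSettings.DnsServers.Clear()
        foreach ($dc in $dcs) { $nic.DnsSettings.DnsServers.Add($dc) }
        $nic | Set-AzNetworkInterface | Out-Null
        Write-Host "$nicName -> DNS $($dcs -join ', ') ($forest)"
    }
}
```

The VM must be restarted (or its NIC re-read) before the new resolver list takes effect inside the guest.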

Tks.

I would love to understand the business case for doing it that way. Is it simply to avoid paying for more than one VPN Gateway? Even if you needed those two domains to talk to each other you could do VNET peering to allow that to take place. You could certainly manage the DNS on the NICs themselves in the VMs but that is not best practice. Also, depending on how many resources you deploy, that could get tricky to manage. I would suggest deploying a second VNET to accomplish this over managing the DNS at the VM level, and even over a second subnet on the same VNET. @Admin O365 
