May 01 2021 07:58 AM - edited May 01 2021 08:01 AM
Hi,
I have an on-premises domain (company.com.br) where all my users used to log in.
However, now with home-office users I want them to authenticate to Azure ADDS using the same credentials as my on-premises ADDS.
I read in the documentation that there is a scenario with a hybrid name that is an extension of my domain using adconnect to synchronize users.
I did the whole procedure: I created the domain in Azure ADDS, but when trying to join a computer to it (in my case addscompany.com), it says it didn't find the domain controller for that domain.
I saw that there is an option to enable secure LDAP for Internet, do I need to enable this option? It requires a certificate.
What is wrong?
Besides, I was left with the following doubt:
If I am going to register the computer in the domain (addscompany.com), the user profile will be created for that domain. But when the user goes to the office, there he can log in to (company.com). If so, does the user continue to log in to (addscompany.com)?
That is, will the user be able to choose which domain to log in to? Or will it be fixed to the domain the computer joined?
What was lacking in the explanation of the Microsoft documentation is the simulation of a scenario so that we can better understand how this process works in practice.
Thanks.
May 01 2021 09:19 AM
May 01 2021 07:29 PM
Hi,
I understand what you say, but I have a friend who said that in his company the machines were joined to the domain via the Internet.
I believe that to do this I need to enable secure LDAP for the internet.
He does not use GPO to protect computers; he uses Intune to enforce policies.
Thanks.
May 03 2021 06:00 AM
Hi,
If you study the documentation for the AAD DS service, you find out that this service is not designed for an "anywhere / any device" purpose. Moreover, it is not encouraged to domain-join machines that are not running in Azure to this domain (e.g. endpoint devices, VMs running on-prem). The managed domain is a stand-alone domain. It isn't an extension of an on-premises domain.
You should think about AADS as a cloud "equivalent" to your WS ADDC service you are hosting on-prem. You don't expose it to the Internet (it is protected behind a perimeter network), and machines joined to this domain are in the same network (or connected via a VPN, if they are portable).
Keep in mind that you need much more than just the LDAP port to be available outside your perimeter. Active Directory and the protocols it uses were not designed to be "internet-friendly". Even if you could enable 'secure LDAP' and choose to expose it to the Internet, it is not recommended for "all source IPs", but only for some specific ranges, using Network Security Groups (difficult to achieve in your scenario).
Your scenario is about remote users (working from home). Their endpoints are currently joined to your on-prem AD, I presume. "Switching" to AAD DS is really not a good idea; among other things, it would require you to join all the endpoint devices to the AADDS domain (instead of your on-prem AD). In the documentation you will see that this option (joining W10 / client devices) is not even there.
Most of my customers use a different strategy instead: