Azure ADDS extension of my onpremises domain

%3CLINGO-SUB%20id%3D%22lingo-sub-2313853%22%20slang%3D%22en-US%22%3EAzure%20ADDS%20extension%20of%20my%20onpremises%20domain%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2313853%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20an%20onpremises%20domain%20(company.com.br)%20where%20all%20my%20users%20used%20to%20login.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ehowever%20now%20with%20home%20office%20users%20I%20want%20them%20to%20authenticate%20to%20Azure%20ADDS%20using%20the%20same%20credentials%20as%20my%20ADDS%20onpremises.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20read%20in%20the%20documentation%20that%20there%20is%20a%20scenario%20with%20a%20hybrid%20name%20that%20is%20an%20extension%20of%20my%20domain%20using%20adconnect%20to%20synchronize%20users.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20did%20the%20whole%20procedure%2C%20I%20created%20the%20domain%20in%20Azure%20ADDS%20but%20when%20trying%20to%20join%20a%20computer%20from%20my%20case%20at%20(addscompany.com)%20he%20says%20he%20didn't%20find%20the%20domain%20controller%20for%20that%20domain.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20saw%20that%20there%20is%20an%20option%20to%20enable%20secure%20LDAP%20for%20Internet%2C%20do%20I%20need%20to%20enable%20this%20option%3F%20It%20requires%20a%20certificate.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20is%20wrong%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBesides%2C%20I%20was%20left%20with%20the%20following%20doubt%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20am%20going%20to%20register%20the%20computer%20in%20the%20domain%20(addscompany.com)%20the%20user%20profile%20will%20be%20created%20for%20that%20domain.%20But%20when%20the%20user%20goes%20to%20the%20office%20and%20there%20he%20can%20log%20into%20(company.com).%20If%20so%2C%20does%20the%20user%20continue%20to%20log%20in%20to%20(addscompany.com)%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat%20is%2C%20the%20user%20will%20be%20able%20to%20choose%20which%20domain%20to%20log%20in%20to%3F%20Or%20not%2C%20will%20it%20be%20fixed%20in%20the%20domain%20you%20joined%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20was%20lacking%20in%20the%20explanation%20of%20the%20Microsoft%20documentation%20is%20the%20simulation%20of%20a%20scenario%20so%20that%20we%20can%20better%20understand%20how%20this%20process%20works%20in%20practice.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2313853%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2313992%22%20slang%3D%22en-US%22%3ERe%3A%20Azure%20ADDS%20extension%20of%20my%20onpremises%20domain%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2313992%22%20slang%3D%22en-US%22%3EThe%20client%20has%20to%20have%20access%20to%20the%20Azure%20AD%20DS%20domain%20and%20Azure%20AD%20DS%20DNS%20servers%20to%20find%20the%20domain.%20You%20would%20likely%20need%20a%20VPN%20solution%20for%20the%20clients%20as%20it%E2%80%99s%20not%20recommended%20to%20expose%20AD%20DS%2C%20Windows%20or%20Azure%2C%20to%20the%20internet.%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20can%20configure%20the%20on-premises%20Windows%20AD%20DS%20to%20sync%20user%E2%80%99s%20legacy%20NTLM%20password%20hash%20from%20Windows%20AD%20to%20Azure%20AD.%20The%20legacy%20password%20hash%20is%20different%20from%20the%20password%20hash%20sync%20used%20to%20sync%20passwords%20with%20AD%20Connect.%20This%20way%2C%20the%20passwords%20will%20be%20the%20same%20for%20the%20on-premises%20domain%20and%20the%20Azure%20AD%20DS%20domain.%3CBR%20%2F%3E%3CBR%20%2F%3EBased%20on%20your%20description%2C%20I%20sounds%20like%20you%20are%20looking%20for%20behavior%20similar%20to%20a%20multi-domain%20forest%20or%20trust%20relationship%20between%20a%20Windows%20AD%20Domain%20and%20an%20Azure%20AD%20DS%20domain.%20Identities%20can%20replicate%20from%20Windows%20AD%20to%20Azure%20AD%20DS%20(not%20the%20other%20way)%2C%20but%20they%20are%20two%20serrate%20domains.%20Also%2C%20Azure%20AD%20DS%20will%20not%20support%20trust%20relationships.%20So%20a%20computer%20added%20to%20one%20domain%20will%20not%20be%20trusted%20by%20the%20other.%20Other%20than%20sharing%20user%20names%20and%20passwords%2C%20they%20are%20two%20distinct%20domains.%3CBR%20%2F%3E%3CBR%20%2F%3EFrom%20my%20experience%2C%20Azure%20AD%20DS%20is%20really%20meant%20for%20standing%20up%20a%20hosted%2C%20isolated%20AD%20DS%20environment%20to%20support%20a%20cloud%20service%20that%20requires%20AD%20DS.%20Extending%20it%20to%20remote%20users%20will%20have%20all%20the%20complexities%20of%20extending%20on-premises%20AD%20DS%20to%20remote%20users%20with%20the%20limitations%20of%20Azure%20AD%20DS%20(no%20trust%20relationships%2C%20only%20available%20in%20one%20site%2C%20can%E2%80%99t%20extend%20the%20schema)%3CBR%20%2F%3E%3CBR%20%2F%3EIf%20you%20are%20looking%20to%20manage%20remote%20desktops%2C%20Azure%20AD%20join%20and%20Intune%20may%20be%20a%20better%20option.%3CBR%20%2F%3E%3CBR%20%2F%3E-Travis%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi,

 

I have an onpremises domain (company.com.br) where all my users used to login.

 

however now with home office users I want them to authenticate to Azure ADDS using the same credentials as my ADDS onpremises.

 

I read in the documentation that there is a scenario with a hybrid name that is an extension of my domain using adconnect to synchronize users.

 

I did the whole procedure, I created the domain in Azure ADDS but when trying to join a computer from my case at (addscompany.com) he says he didn't find the domain controller for that domain.

 

I saw that there is an option to enable secure LDAP for Internet, do I need to enable this option? It requires a certificate.

 

What is wrong?

 

Besides, I was left with the following doubt?

 

If I am going to register the computer in the domain (addscompany.com) the user profile will be created for that domain. But when the user goes to the office and there he can log into (company.com). If so, does the user continue to log in to (addscompany.com)?

 

That is, the user will be able to choose which domain to log in to? Or not, will it be fixed in the domain you joined?

 

What was lacking in the explanation of the Microsoft documentation is the simulation of a scenario so that we can better understand how this process works in practice.

 

Thanks.

3 Replies
The client has to have access to the Azure AD DS domain and Azure AD DS DNS servers to find the domain. You would likely need a VPN solution for the clients as it’s not recommended to expose AD DS, Windows or Azure, to the internet.

You can configure the on-premises Windows AD DS to sync user’s legacy NTLM password hash from Windows AD to Azure AD. The legacy password hash is different from the password hash sync used to sync passwords with AD Connect. This way, the passwords will be the same for the on-premises domain and the Azure AD DS domain.

Based on your description, I sounds like you are looking for behavior similar to a multi-domain forest or trust relationship between a Windows AD Domain and an Azure AD DS domain. Identities can replicate from Windows AD to Azure AD DS (not the other way), but they are two serrate domains. Also, Azure AD DS will not support trust relationships. So a computer added to one domain will not be trusted by the other. Other than sharing user names and passwords, they are two distinct domains.

From my experience, Azure AD DS is really meant for standing up a hosted, isolated AD DS environment to support a cloud service that requires AD DS. Extending it to remote users will have all the complexities of extending on-premises AD DS to remote users with the limitations of Azure AD DS (no trust relationships, only available in one site, can’t extend the schema)

If you are looking to manage remote desktops, Azure AD join and Intune may be a better option.

-Travis

@Travis Roberts 

 

Hi,

 

I understand what you say, but I have a friend who said that in his company the machines were joined to the domain via the Internet.

 

I believe that to do this I need to enable secure LDAP for the internet.

 

He does not use GPO to protect computers, he uses Itune to enforce policies.

 

Thanks.

Hi,

 

If you study the documentation for AAD DS service, you find out that this service is not designed for "anywhere / any device purpose". Moreover, it is not encouraged to domain join machines that are not running in Azure to this domain (e.g. endpoint devices, VMs running on-prem). The managed domain is a stand-alone domain. It isn't an extension of an on-premises domain.

 

You should think about AADS as a cloud "equivalent" to your WS ADDC service you are hosting on-prem. You don't expose it to the Internet (it is protected behind a perimeter network), and machines joined to this domain are in the same network (or connected via a VPN, if they are portable).

 

Keep in mind that you need much more than just LDAP port to be available outside your perimeter. Active Directory and protocols it uses was not designed as "internet-friendly". Even if you could enable 'secure LDAP' and choose to expose it to the Internet, it is not recommended for "all source IPs", but only some specific ranges and use Network Security Groups, difficult to achieve in your scenario).

 

Your scenario is about remote users (working from home). Their endpoints are currently joined to your on-prem AD, I presume. "Switching" to AAD DS is really not a good idea, among many things it would require you to join all the endpoint devices to AADDS domain (instead of your on-prem AD). In the documentation you will see, this option (joining W10 / client devices) is not even there.

 

Most of my customers use a different strategy instead:

  • use AAD-join or Hybrid AD-join (on-prem AD + AAD)
  • use Intune / Endpoint Manager for management (instead of GPOs and System Center)