
Can One Azure VNet support 2 different AD Forest?

Is it possible to have 2 different AD forests as part of the same Azure VNet?
 
Example:
Current on-premises domain controllers:

domain controller 1: abc.com

domain controller 2: xyz.com

 

I'm extending the AD to Azure. Is it possible to have the IP addresses of both added to the Azure DNS (custom)?

Or do I have to use a separate VNet for domain controller 2: xyz.com?

 

Any assistance will be deeply appreciated.

3 Replies

@Admin O365 

 

You can run two forests in a single VNet, but you need to use your DCs as DNS. When a DC in a domain starts, it uses DNS to find all the DCs in the domain. If you are using a single DNS like Azure DNS to manage your VNet names, then one forest will not work correctly.

 

Best to set the DNS manually on the VMs' NICs.
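One way to apply the NIC-level DNS approach from this reply, as an added example that is not from the thread or from Microsoft: it uses the Az PowerShell module to point each VM's NIC at its own forest's DCs, then checks that each forest's DC locator SRV record is answered by those servers. The resource group, NIC names and DC IP addresses are assumed placeholders for the abc.com / xyz.com layout in the question.

```powershell
# Added example (not from the thread). Assumes the Az module is installed and
# Connect-AzAccount has been run. Resource group, NIC names and DC IPs are
# placeholders for the poster's two-forest layout.
$ResourceGroup = 'rg-shared-vnet'   # assumed resource group holding the VNet
$ForestDns = @{
    'abc.com' = @('10.0.1.4', '10.0.1.5')  # assumed DC IPs for forest abc.com
    'xyz.com' = @('10.0.2.4', '10.0.2.5')  # assumed DC IPs for forest xyz.com
}
# Which VM NIC belongs to which forest (assumed NIC names).
$NicForest = @{
    'nic-app01-abc' = 'abc.com'
    'nic-app02-xyz' = 'xyz.com'
}

foreach ($nicName in $NicForest.Keys) {
    $forest = $NicForest[$nicName]
    $nic = Get-AzNetworkInterface -ResourceGroupName $ResourceGroup -Name $nicName
    # Replace any inherited VNet-level DNS with this forest's DCs only; the
    # Azure-provided resolver cannot serve a forest's _msdcs SRV records.
    $nic.DnsSettings.DnsServers.Clear()
    foreach ($ip in $ForestDns[$forest]) { $nic.DnsSettings.DnsServers.Add($ip) }
    $nic | Set-AzNetworkInterface | Out-Null
    Write-Host "$nicName -> DNS $($ForestDns[$forest] -join ', ') ($forest)"
}

# Verification, run from a Windows VM inside the VNet: each forest's DC locator
# record must be answerable by that forest's own DNS servers.
foreach ($forest in $ForestDns.Keys) {
    foreach ($server in $ForestDns[$forest]) {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$forest" -Type SRV `
                               -Server $server -ErrorAction SilentlyContinue
        if ($srv) {
            $targets = ($srv | Where-Object Type -eq 'SRV').NameTarget -join ', '
            Write-Host "$server answers DC locator for $forest : $targets"
        } else {
            Write-Warning "$server does not serve _msdcs records for $forest"
        }
    }
}
# On a domain-joined VM, nltest confirms the locator end to end:
#   nltest /dsgetdc:abc.com /force
```

If a NIC in one forest is left on the VNet default, the warning branch is what you see for that forest's VMs: the shared resolver has no _msdcs zone for it.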

 


I would love to understand the business case for doing it that way. Is it simply to avoid paying for more than one VPN Gateway? Even if you needed those two domains to talk to each other, you could do VNet peering to allow that to take place. You could certainly manage the DNS on the NICs themselves in the VMs, but that is not best practice. Also, depending on how many resources you deploy, that could get tricky to manage. I would suggest deploying a second VNet to accomplish this over managing the DNS at the VM level, and even over a second subnet on the same VNet. @Admin O365
