Join Azure AD directly from on-prem device

  • Question

  • Hi All,

    I have searched on the internet; it seems one approach is using Azure AD Connect to sync on-prem AD to Azure AD. But this approach needs an AD server to exist on-prem.

    May I know whether it is possible for an on-prem, newly deployed Windows Server VM to join Azure AD directly if I do not have any existing AD on-prem?

    Wednesday, October 16, 2019 8:40 AM

Answers

All replies

  • Calvin Hung, yes, you can get your device (Windows Server VM) joined to Azure AD. This is not similar to the domain-join concept present on-prem. Regarding Azure AD join you can read more here:

    In case you would like to go the traditional way of domain joining the VM, you can refer to the following article:

    https://docs.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm

    For this, you would need to deploy the Azure AD Domain Services in your AAD tenant prior to domain joining the VM.

    Hope this helps. In case of any query regarding this, please feel free to reach out to us so that we can help you better.

    ---------------------------------------------------------------------------------------------------------------------------------------

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Wednesday, October 16, 2019 10:16 AM
    Moderator
  • Thanks for your reply. I would like to know more about domain join to Azure in the traditional way.

    The link you provided is an example of an Azure VM joining a domain on the cloud. But what if I join the domain from on-prem? Is any additional component needed? e.g. VPN / DNS for the on-prem device to resolve the Azure domain name

    Because we are planning to deploy a Windows File Server VM on Azure. All on-prem devices will access the SMB share on the cloud and map it as a network drive. If I use this approach, are file-level permissions also supported?

    It would be great if you can share more information with me, many thanks.

    Thursday, October 17, 2019 2:03 AM
  • Hi,

    To start with I would recommend you going through the response on this link: https://social.msdn.microsoft.com/Forums/en-US/56da8059-7370-4293-95ff-8db441683ca0/azure-setup-and-user-login?forum=WindowsAzureAD

    Here, I have provided a brief understanding of the different components of AAD and, in case you already have an on-prem AD, how you can connect the on-prem AD and Azure AD.

    Now coming to your query: in case you have an on-prem domain where you have some Windows Servers deployed that are joined to that domain, and you want to domain join those Windows machines to Azure, there is no such option available. On the contrary, on Azure we have a service called Azure AD Domain Services (AAD DS). Azure AD Domain Services is a service available in Azure that gives you the feel of an on-prem domain, but it has very limited features compared to on-prem AD. But if you deploy this service on Azure, then you can deploy VMs in Azure and domain join them to Azure AD Domain Services. In this case, no additional VPN is needed. You just need to make sure that the VM on Azure and Azure AD Domain Services are able to speak to each other using the VNET deployed on Azure.

    Regarding Azure AD Domain Services, you can read more here: https://docs.microsoft.com/en-in/azure/active-directory-domain-services/

    One more thing you can consider: if you already have an operational on-prem AD environment, and you want to just deploy a Windows File Server VM on Azure, then you can consider the steps mentioned in this article: https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/adds-extend-domain

    Hope I am able to provide you with information to help you plan your deployment. Do let me know if you have any more queries around this, so that we can help you further with those queries.

    Thursday, October 17, 2019 2:42 PM
    Moderator
  • Hi Sourav Mishra,

    Thanks again for your detailed explanation. But something is still confusing me, and I hope you can clarify.

    Assume that no AD server exists on-prem, and none will be deployed in future.

    By your advice, there should be two approaches that can host a file server on Azure with an SMB share to on-prem VMs:

    1. Deploy a VM on the cloud which acts as both AD server and file server

    2. Deploy a VM on the cloud which acts as a file server only. The AD role is offloaded to AAD

    Below is my understanding; please correct me if I am wrong.

    For Case 1, the domain is created and managed by the cloud VM. On-prem users require a VPN to communicate with the cloud VM and join the domain. Then they use the domain account to map the SMB share, and all folder/file level permissions are controlled by the cloud VM.

    For Case 2, the domain is created and managed by ADDS. On-prem users communicate directly with AAD to join the domain. Then on-prem users can use the domain account to map the SMB share directly, and all folder/file level permissions are controlled by AAD.

    In both cases, no AD server is needed on-prem. And no AD Connect, since no information needs to be synced from on-prem to the cloud.


    Friday, October 18, 2019 8:04 AM
  • Hi Calvin,

    Yes, you are partially correct. So let me try to simplify further.

    A few points to note here, i.e. there is no Azure Active Directory (AAD) in the picture for your scenario. Now, there are two cases:

    Case 1: You deploy a VM on Azure as an Azure VM for installing the File Server Role on it, and you deploy another VM on Azure with the Active Directory Role on it to act as a Domain Controller; hence in this case you create your own domain (eg: contoso.local) and you can domain-join the file server VM to the contoso.local domain. In this case you will have no dependency on Azure Active Directory. This would act like an on-prem domain but just sitting on VMs running on the cloud.

    Case 2: You can deploy Azure AD Domain Services (Azure AD DS) in your Azure and then spin up an Azure VM and domain join that Azure VM to the Azure AD Domain Services. Once the Azure VM is domain joined to Azure AD Domain Services, you can install the File Server role on it.

    I hope I was able to clarify the deployment types in the above two cases. Do let me know if there are still more doubts around it so that I can further clarify.

    Monday, October 21, 2019 4:47 PM
    Moderator
  • Hi Sourav Mishra,

    Sorry that I still have some questions on your answer and need your clarification.

    Case 1: Obviously, this case has no dependency on Azure AD. But for the on-prem VM, is a VPN gateway an essential component to join the domain on the cloud? Or can it directly join the domain through the internet without any special setting?

    Case 2: I am not sure why this case needs no Azure AD. Without Azure AD, how can the user authenticate to their domain account and have file-level permissions applied at the SMB share? And how does the on-prem VM join Azure AD DS? Can you share some steps with me if any? I have no idea on this part. Many thanks.

    Tuesday, October 22, 2019 7:33 AM
  • Calvin Hung, no issues at all. We can revisit the points you mentioned once again and clarify them.

    Now to start with, let's get some clarity from your end regarding your plan of places you would like to deploy the VMs.

    1. Where would your File Server VM get deployed? On-prem datacenter (not Azure) or as an Azure VM on Azure.
    2. Where would you like to deploy your Domain Controller? On-prem datacenter (not Azure), as an Azure VM on Azure, or using Azure AD Domain Services.

    Because the requirement for the VPN can be discussed based on the answers to the above questions. In case you are planning to use either Azure AD Domain Services or deploy a VM on Azure with the Domain Controller role on it and your File Server VM resides on-prem, then you would need to set up the VPN to make sure the ports that are needed for the domain join to work are enabled through the VPN. Ideally over the Internet these ports won't be available.

    In case your File Server VM resides on an Azure VM, and you plan to use either Azure AD Domain Services or deploy a VM on Azure with the Domain Controller role on it, then a VPN won't be needed as everything is on Azure and hence you can set up the network on Azure using Azure VNets and allow the required ports for domain join on the Azure VNets only.

    Now once you share the answers to the above two queries, one of the descriptions mentioned above would fit in. Also if there are still issues, do share your contact details at azcommunity@microsoft.com, so that we can take this offline and discuss this further.

    Tuesday, October 22, 2019 9:23 AM
    Moderator
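The reply above says the domain-join ports must be reachable through the VPN before an on-prem VM can join a DC or Azure AD DS hosted in Azure. The following pre-flight script is an added example (not from the thread or from Microsoft documentation) that checks exactly that from the on-prem VM: it locates the domain controllers via the DC-locator SRV record and tests the standard AD ports against each one before attempting the join. The domain name `contoso.local` is a placeholder, and the VM's DNS is assumed to already point at the Azure-side DNS over the VPN.

```powershell
# Pre-flight check for an on-prem Windows VM joining a domain hosted in Azure.
# Assumptions: P2S/S2S VPN is up and the VM's DNS servers are the Azure-side
# DNS (DC VM or Azure AD DS). $DomainName is a placeholder. Requires PS 5.1+.
param(
    [string]$DomainName = 'contoso.local'   # placeholder: your Azure-hosted domain
)

# Standard AD ports a domain join and Kerberos/SMB authentication rely on.
# The dynamic RPC range (49152-65535) is also needed but not tested per port here.
$RequiredPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB (SYSVOL / Netlogon)' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 636;  Service = 'LDAPS' },
    @{ Port = 3268; Service = 'Global Catalog' }
)

# 1. Discover domain controllers the same way the Netlogon DC locator does.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } |
       Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcs) { throw "No DC SRV records for $DomainName; check VPN and DNS forwarding." }

# 2. Test every required port on every DC; unreachable rows are what the
#    VPN gateway / NSG rules still have to allow.
$results = foreach ($dc in $dcs) {
    foreach ($p in $RequiredPorts) {
        $tcp = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $p.Port; Service = $p.Service; Reachable = $tcp.TcpTestSucceeded }
    }
}
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning "Open the ports listed as unreachable on the VPN gateway / NSG before joining."
    return
}

# 3. Join only once everything is reachable, using an account delegated to join
#    computers to the target OU rather than a Domain Admin.
$cred = Get-Credential -Message "Account allowed to join computers to $DomainName"
Add-Computer -DomainName $DomainName -Credential $cred -Restart
```

Run it from an elevated PowerShell session on the on-prem VM; if step 1 fails, the VPN or DNS forwarding to the Azure VNet is the problem, not the join itself.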
  • Hello Calvin Hung,

    Thank you for sharing the details and I apologize for the delay in my response, as it was a holiday for us yesterday.

    So in this scenario, the client machine (a Windows VM sitting on-prem) has to be connected to the domain that is hosted on Azure, be it Azure AD Domain Services or the Domain Controller VM on Azure. For this on-prem client Windows machine, you will have to set up a VPN connection and make sure that this client machine is also on the same VNET as the File Server and the Domain Controller, so that they all can easily speak to each other on the same VNET. Also, the client VM sitting on-prem has to be domain joined to the DC sitting on Azure or to Azure AD Domain Services, so that the permissions can flow from the DC level.

    In case you just have one client machine sitting on-prem, then please use Point-to-Site VPN, and if there are going to be a bunch of client VMs sitting on-prem, then you would have to set up a Site-to-Site VPN.

    You can refer to the following links for setting up the VPNs:

    Hope these links and the description shared above would help you in understanding the deployment. Do let me know if any more queries.

    • Marked as answer by Calvin Hung Friday, November 8, 2019 8:08 AM
    Thursday, October 31, 2019 9:23 AM
    Moderator
  • Hello Calvin Hung,

    Do not forget to mark the response as “Answered” if the above response helped answering your query, so that it helps others in the community too.

    Thursday, November 7, 2019 7:12 AM
    Moderator
  • Hi Sourav,

    Your response is helpful, thanks for your great help!!!

    Friday, November 8, 2019 8:09 AM