Adding VM domain controllers to Azure Domain

  • Question

  • I would like to create the following setup and would like some guidance.

    Azure AD

    VM in Azure that is a DC

    On Premise Server that is also a DC

    All working together with Azure being the primary source.

    Do I need to have two separate forests and use the Azure Connect tool even on the VM in Azure?

    Or can I join the servers to the Azure Domain and then promote them to Domain Controllers?
    When I try to do that I get a message saying that the credentials (for the global admin) don't let me.

    Friday, September 6, 2019 5:20 PM

All replies

  • Hi,

    I've never tried it that way round (joining on prem to Azure rather than extending on-prem) but if I was doing it with Azure and on-prem, I would create an on-prem domain and extend to Azure as you get more control.

    What do you have on-prem and in Azure and what are the requirements?

    Thanks,

    Matt


    Friday, September 6, 2019 7:42 PM
    We would suggest you go through this document to understand which type of environment you are looking to achieve - https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/identity/

    Also, as Matt asked as well, "What do you have on-prem and in Azure and what are the requirements?"


    Thursday, September 19, 2019 9:16 AM
    Moderator
  • Hi,

    You cannot join servers to the Azure Domain (assuming you mean Azure AD) as 'members'; it's not possible.

    Azure AD Connect is only used to synchronise between an Active Directory Domain Services (AD DS - typically on-premises) domain and Azure AD. It does not support the scenario of synchronising 2 separate forests, where one is on-premises and the other is on an IaaS VM.

    Your proposed setup does not seem possible; as Matt mentioned, the usual pattern is to extend on-premises AD DS to Azure AD using Azure AD Connect as the sync engine.

    You could deploy an IaaS VM as a DC in Azure, then by allowing the relevant firewall ports access you can promote it to a DC as part of the on-premises AD DS - giving you a DC in Azure to which other VMs can join as members if needed.

    Good luck

    Z.

    Thursday, September 19, 2019 2:16 PM
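The procedure Z. outlines (a VM in Azure, the AD DS ports opened from the on-premises side, then promotion into the existing on-premises domain) as an added PowerShell example. This is not code from the thread or from Microsoft; the domain name corp.example.com, the resource group, VNet, NIC and NSG names, the IP ranges and the site name are all assumed, and it assumes a site-to-site VPN or ExpressRoute link between the VNet and the on-premises network already exists. It also shows the credential point behind the original poster's error: promotion needs a Domain Admin from the on-premises AD DS forest, not an Azure AD global admin.

```powershell
# --- 1. From an admin workstation with the Az module: prepare the Azure side ---
# Assumed names: resource group rg-identity, VNet vnet-hub, NIC nic-azdc01, NSG nsg-identity.
# Assumed addresses: on-prem DC 192.168.1.10, on-prem range 192.168.1.0/24, Azure DC 10.0.0.4.
Connect-AzAccount | Out-Null

# A DC must never change address: pin the NIC's private IP.
$nic = Get-AzNetworkInterface -ResourceGroupName 'rg-identity' -Name 'nic-azdc01'
$nic.IpConfigurations[0].PrivateIpAllocationMethod = 'Static'
$nic.IpConfigurations[0].PrivateIpAddress = '10.0.0.4'
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# Point the VNet's DNS at the on-prem DC so the VM can locate the domain.
# (Azure DHCP overwrites DNS set inside the guest, so set it at VNet level.)
$vnet = Get-AzVirtualNetwork -ResourceGroupName 'rg-identity' -Name 'vnet-hub'
$vnet.DhcpOptions.DnsServers = @('192.168.1.10')
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Allow AD DS / replication traffic from the on-prem range only; the DC gets no public IP.
$nsg   = Get-AzNetworkSecurityGroup -ResourceGroupName 'rg-identity' -Name 'nsg-identity'
$adTcp = @('53','88','135','389','445','464','636','3268','3269','49152-65535')  # incl. RPC dynamic range
$adUdp = @('53','88','123','389','464')
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-ADDS-TCP-From-OnPrem' -Priority 200 `
    -Direction Inbound -Access Allow -Protocol Tcp -SourceAddressPrefix '192.168.1.0/24' `
    -SourcePortRange '*' -DestinationAddressPrefix '10.0.0.4' -DestinationPortRange $adTcp | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-ADDS-UDP-From-OnPrem' -Priority 210 `
    -Direction Inbound -Access Allow -Protocol Udp -SourceAddressPrefix '192.168.1.0/24' `
    -SourcePortRange '*' -DestinationAddressPrefix '10.0.0.4' -DestinationPortRange $adUdp | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# --- 2. On an existing on-prem DC: give Azure its own AD site and subnet ---
Import-Module ActiveDirectory
New-ADReplicationSite -Name 'Azure-WestEurope'
New-ADReplicationSubnet -Name '10.0.0.0/24' -Site 'Azure-WestEurope'
# Put the new site on the default site link so the KCC builds replication connections to it.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Add='Azure-WestEurope'} `
    -ReplicationFrequencyInMinutes 15

# --- 3. On the Azure VM (not yet domain-joined): promote it into the EXISTING domain ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Domain Admin of the on-prem forest, e.g. CORP\dcadmin. This is the credential the promotion
# needs; an Azure AD global admin has no rights in an AD DS forest, which is the error the OP saw.
$domCred = Get-Credential -Message 'CORP Domain Admin'
$dsrm    = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'

# Dry run: checks name resolution, reachability of a DC and permissions before changing anything.
$check = Test-ADDSDomainControllerInstallation -DomainName 'corp.example.com' -Credential $domCred `
    -SiteName 'Azure-WestEurope' -InstallDns -SafeModeAdministratorPassword $dsrm
if ($check.Status -ne 'Success') { $check.Message; throw 'Prerequisite check failed' }

# F: is an assumed data disk with host caching set to None (Azure guidance for NTDS/SYSVOL).
Install-ADDSDomainController -DomainName 'corp.example.com' -Credential $domCred `
    -SiteName 'Azure-WestEurope' -InstallDns -SafeModeAdministratorPassword $dsrm `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' -Force

# --- 4. After the reboot, from any DC: confirm the new DC is in the right site and replicating ---
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
repadmin /replsummary
repadmin /showrepl AZDC01   # assumed hostname of the Azure DC
```

The checks a practitioner wants are the ones the dry run and step 4 give: Test-ADDSDomainControllerInstallation fails early if the VM cannot resolve or reach the on-premises domain (usually the NSG, the VPN, or VNet DNS), and repadmin /replsummary shows any replication failures after promotion. Note that the NSG source prefix is the on-premises range, not '*', and that the DC NIC has no public IP; Azure AD Connect is still installed separately, on the on-premises side, to sync this single forest to Azure AD.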
  • @Zulf_kar Thanks for the update. It would help the forum community members as well.

    @sillykat Let us know if you need further assistance.

    Monday, September 30, 2019 8:01 AM
    Moderator