Local Domain Controller with Azure
We are using email services hosted in office365 and application with is hosted in our HQ .Our HQ application are authenticate(SSO) from abc.com
Both services we do not have any access for the administration and now my company want to implement domain controller for our site only .After we finish the proposal then suddenly change the direction local AD must sync with Azure .I have now idea for this .
Now we notice that ,HQ are using azure connect in office365 to archive the SSO for email and application. I am confusing what they said ,hopefully
Below is the msg send from them:
They request us sync the local domain controller to our global domain control .
Premise of SSO between Local AD and Azure AD]
- Migrate Office 365 authentication infrastructure from Secioss to Azure AD
- Configure seamless SSO with Azure AD Connect and link Local AD and Azure AD
[Constraint condition]
A user is only able to synchronize between Local AD and Azure AD on a 1:1 basis.
Users between Global AD (Tomato AD) and Azure AD (Office 365 users) already have a 1: 1 relationship.
So, for example, to synchronize Tomato users between Tomato and Azure AD, we have to terminate the synchronization of Tomato users between global AD and Azure AD. Then you need to synchronize Tomato users between Tomato AD and Azure AD.
Local AD and Azure AD do not have to be the same forest.
[Concern]
There are three.
1. Reliability of ID managed on Local AD
There is a possibility that Local AD includes administrator ID, test ID, user who retired in addition to real user.
It is necessary to synchronize with Azure AD only for real users.
# The license fee becomes higher as the number of users increases
2. Control so that IDs do not overlap globally
3. Continue Azure AD (Office 365) users in case of personnel change across company with AD
[Subsidiary to introduce AD from now on]
It might be a good to duplicate the global AD domain controller and delegate to TomatoAsia so that you can only manage users and groups that belong to TomatoAsia OU.
We will consider what's good from now on.
Both services we do not have any access for the administration and now my company want to implement domain controller for our site only .After we finish the proposal then suddenly change the direction local AD must sync with Azure .I have now idea for this .
Now we notice that ,HQ are using azure connect in office365 to archive the SSO for email and application. I am confusing what they said ,hopefully
Below is the msg send from them:
They request us sync the local domain controller to our global domain control .
Premise of SSO between Local AD and Azure AD]
- Migrate Office 365 authentication infrastructure from Secioss to Azure AD
- Configure seamless SSO with Azure AD Connect and link Local AD and Azure AD
[Constraint condition]
A user is only able to synchronize between Local AD and Azure AD on a 1:1 basis.
Users between Global AD (Tomato AD) and Azure AD (Office 365 users) already have a 1: 1 relationship.
So, for example, to synchronize Tomato users between Tomato and Azure AD, we have to terminate the synchronization of Tomato users between global AD and Azure AD. Then you need to synchronize Tomato users between Tomato AD and Azure AD.
Local AD and Azure AD do not have to be the same forest.
[Concern]
There are three.
1. Reliability of ID managed on Local AD
There is a possibility that Local AD includes administrator ID, test ID, user who retired in addition to real user.
It is necessary to synchronize with Azure AD only for real users.
# The license fee becomes higher as the number of users increases
2. Control so that IDs do not overlap globally
3. Continue Azure AD (Office 365) users in case of personnel change across company with AD
[Subsidiary to introduce AD from now on]
It might be a good to duplicate the global AD domain controller and delegate to TomatoAsia so that you can only manage users and groups that belong to TomatoAsia OU.
We will consider what's good from now on.
Last Comment
ASKER
I am try to explain what they want to achieve.
1.Setup local non-routable domain eg.mydomain.local
2.Connect local domain to globaldomain.com which is now at azure AD.
*our office365 user now are using globaldomain.com
*application authentication also using SSO which is authenticate using azure AD.
Question:
1.Is that posible our mydomain.local sync the user in azure AD to archive SSO but we still need control out local domain ?
2.Please advice correct way to meet customer requirement which is they want ti have domain controller but don't want control by HQ-IT ?
1.Setup local non-routable domain eg.mydomain.local
2.Connect local domain to globaldomain.com which is now at azure AD.
*our office365 user now are using globaldomain.com
*application authentication also using SSO which is authenticate using azure AD.
Question:
1.Is that posible our mydomain.local sync the user in azure AD to archive SSO but we still need control out local domain ?
2.Please advice correct way to meet customer requirement which is they want ti have domain controller but don't want control by HQ-IT ?
mydomain.local can't be registered with Azure
However if you have ad with this domain name as AD domain name, you can register any internet routable domain with Azure AD and add same with onpremise ad as UPN or as primary smtp address and can sync onpremise identities to Azure by syncing either UPN or primary smtp address
Regarding 2nd question, you need to deploy another forest if gq should not have control on that and build trust between both to maintain cross connectivity
OR
Probably you can deploy child domain / seperate tree domain in existing forest which will give you full control on domain but again hq can control that if wanted to since they have enterprise admin rights
However if you have ad with this domain name as AD domain name, you can register any internet routable domain with Azure AD and add same with onpremise ad as UPN or as primary smtp address and can sync onpremise identities to Azure by syncing either UPN or primary smtp address
Regarding 2nd question, you need to deploy another forest if gq should not have control on that and build trust between both to maintain cross connectivity
OR
Probably you can deploy child domain / seperate tree domain in existing forest which will give you full control on domain but again hq can control that if wanted to since they have enterprise admin rights
ASKER
Let said our HQ is suzuki.com in azure AD which is using as authentication SSO for application and office365. How we can setup the local domain able to using SSO identity in azure AD without control by HQ ?
You need to setup new Onpremise ad at your end and add upn as suzuki.com in that ad
Create users with suzuki.com as upn and add this ad to existing azure ad connect which is run at hq
This way only you can control your AD and sso will work with ad connect password sync
Note that you don't have control on ad connect which must be located at hq but yiu can add your ad there as one more ad
Create users with suzuki.com as upn and add this ad to existing azure ad connect which is run at hq
This way only you can control your AD and sso will work with ad connect password sync
Note that you don't have control on ad connect which must be located at hq but yiu can add your ad there as one more ad
ASKER
let said i setup suzuki.com.my (Local Domain)in our office then add suzuki.com UPN and during user creation we select <user@suzuki.com> and azure AD adding suzuki.com.my and during create user then select <user>@suzuki.com.my ?
That will work as long as you set onpremise user upn to suzuki.com else synced cloud user will sync as Onmicrosoft.com id and sso will not work
ASKER
during create user seem like this method need to in AD and Azure ?
didn't understand what you meant
ASKER
what i mean during we create user is require create in onpremised and azure AD ?
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
i will do the lab if anything hope you can help again.Thanks
Active Directory
Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.
86K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
Do you want to put separate domain at your place or simply want to add additional domain controller part of global AD ?
In that case everything is already setup and you just need to add ADC at your premise
Confusing:
OR
Do you want to put separate domain at your place
what is Secioss ?