
Local Domain Controller with Azure

YaYangTeah (Malaysia) asked on
Topics: Microsoft 365, Active Directory, Azure
We are using email services hosted in Office 365 and an application which is hosted in our HQ. Our HQ application is authenticated (SSO) from

We do not have any administrative access to either service, and now my company wants to implement a domain controller for our site only. After we finished the proposal, the direction suddenly changed: the local AD must sync with Azure. I have no idea how to do this.

Now we notice that HQ is using Azure AD Connect with Office 365 to achieve SSO for email and the application. I am confused by what they said, hopefully

Below is the message sent from them:
They request that we sync the local domain controller to our global domain controller.

[Premise of SSO between Local AD and Azure AD]
- Migrate Office 365 authentication infrastructure from Secioss to Azure AD
- Configure seamless SSO with Azure AD Connect and link Local AD and Azure AD

[Constraint condition]
A user is only able to synchronize between Local AD and Azure AD on a 1:1 basis.
Users between Global AD (Tomato AD) and Azure AD (Office 365 users) already have a 1:1 relationship.
So, for example, to synchronize Tomato users between Tomato AD and Azure AD, we have to terminate the synchronization of Tomato users between Global AD and Azure AD. Then you need to synchronize Tomato users between Tomato AD and Azure AD.
Local AD and Azure AD do not have to be the same forest.

There are three.
1. Reliability of ID managed on Local AD
There is a possibility that Local AD includes administrator ID, test ID, user who retired in addition to real user.
It is necessary to synchronize with Azure AD only for real users.
# The license fee becomes higher as the number of users increases
2. Control so that IDs do not overlap globally
3. Continue Azure AD (Office 365) users in case of personnel change across company with AD

[Subsidiary to introduce AD from now on]
It might be good to duplicate the global AD domain controller and delegate to TomatoAsia so that you can only manage users and groups that belong to the TomatoAsia OU.
We will consider what's good from now on.
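HQ's constraint 1 (sync only real users, since admin, test and retired accounts inflate the Azure AD object count and licence cost) is something the local team can audit before Azure AD Connect is pointed at their OU. The script below is an added example, not part of the original question or of HQ's message; it assumes the RSAT ActiveDirectory module, a placeholder OU DN, a constructed naming convention for service and test accounts, and that whoever runs Azure AD Connect has created an inbound sync rule scoping on `adminDescription` values that start with `User_` (the attribute-based filtering pattern in Microsoft's Azure AD Connect docs) so tagged objects become `cloudFiltered`.

```powershell
# Added example: report which accounts in a delegated OU would be synced to Azure AD,
# flag the ones that are not "real users", and optionally tag them so the
# attribute-based scoping rule in Azure AD Connect drops them.
Import-Module ActiveDirectory

$ou         = 'OU=TomatoAsia,DC=example,DC=local'   # placeholder DN, replace with your OU
$marker     = 'User_NoSync'                          # must match the scoping filter in the inbound sync rule (assumption)
$reportOnly = $true                                  # set to $false to actually tag accounts

$users = Get-ADUser -SearchBase $ou -Filter * `
    -Properties mail, adminCount, AccountExpirationDate, Enabled, adminDescription

$toExclude = foreach ($u in $users) {
    $reasons = @()
    if (-not $u.Enabled)                                                        { $reasons += 'disabled' }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date))  { $reasons += 'expired' }
    if ($u.adminCount -eq 1)                                                    { $reasons += 'protected admin (adminCount=1)' }
    if (-not $u.mail)                                                           { $reasons += 'no mail attribute, not an O365 user' }
    # Constructed naming convention for test / service / admin accounts; adjust to your own.
    if ($u.SamAccountName -match '^(test|svc|adm)[-_.]')                        { $reasons += 'naming convention' }
    if ($reasons) {
        [pscustomobject]@{ Sam = $u.SamAccountName; Reasons = ($reasons -join ', '); DN = $u.DistinguishedName }
    }
}

"Users in OU        : $($users.Count)"
"Would NOT sync     : $($toExclude.Count)"
"Would sync (1:1)   : $($users.Count - $toExclude.Count)"
$toExclude | Format-Table Sam, Reasons -AutoSize

if (-not $reportOnly) {
    foreach ($x in $toExclude) {
        # Tagging makes the inbound scoping rule set cloudFiltered=True for this object.
        Set-ADUser -Identity $x.DN -Replace @{ adminDescription = $marker }
    }
    # Only available on the Azure AD Connect server (ADSync module); re-evaluates the tagged objects.
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Run it in report mode first and compare "Would sync" against the Office 365 user list HQ already holds; any local account that maps to an existing Global AD user is the 1:1 conflict HQ describes in the constraint section and has to be removed from one side before the other is synced.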