
A little background of what I am trying to do, but am having no luck for various reasons: Windows 2016 Server on site domain join with Azure AD

After receiving some feedback from my colleagues, I may not have the time or assistance from IT to research and integrate that system (Azure AD --> vNet --> Express Route --> On-premise Windows Server 2016). That is what I concluded to be the best option for single sign-on purposes that is scalable, but I am receiving some push back. What we essentially want is a server on our own intranet to map a network drive and host videos via a browser.

What I would like to know now is, what will happen if I install Active Directory on the on-premise server, create a domain and then create accounts for our users. We have one account established and that is tied to Azure AD. Everything we do is tied to that account.

Can I duplicate those accounts in the on-premise AD? What will happen if I change our Workgroup(WORKGROUP) to a domain on all of our machines, adding the on-premise domain to our machine? Will we lose the ability to authenticate ourselves with Azure AD?

I do not want to say, "Hey, when you want to add something to the share, log out, switch to the domain, log in with the new domain account and then try to upload." Maybe I am overthinking this!

I have never worked with a hybrid-infrastructure and all the docs seem to be reverse (on-premise to Azure, not the other way around). My biggest fear is that installing a domain on-premise and changing our machines to that domain will lose our ability to use other apps and log in because our users and devices are already in Azure AD.

Wazzy24

1 Answer


In the scenario you are proposing it sounds like you are talking about using a local domain with the same accounts as Azure AD, but no sync between the two?

If that's the case then you won't lose access to your Azure AD accounts and apps, but your users are going to have two separate accounts. You're not going to get any single sign-on; users will have to log in to their machine and then again to their AAD apps. Also, if the passwords differ (which they almost always will after the first round of expiries) then they need to remember two sets of creds.

If your aim here is to have an on-prem set of machines you can log on to with domain accounts and then use these same accounts to connect to Azure AD, then I really think you need to take a step back and do this properly. Set up a local AD, sync this to AAD and use these new accounts for on-prem and AAD auth. Yes, there will be disruption to users; they will need to migrate to new accounts, but this is a short one-off pain compared to trying to live permanently with a half-baked solution.

Sam Cogan
  • Thanks, Sam. I am trying to avoid this solution (if you can even call it that...). I will continue to push for Azure AD Domain Services as we previously discussed. – Wazzy24 Mar 18 '18 at 00:33
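The answer's distinction between "duplicate accounts in both directories" and "one account synced from on-prem AD to AAD" is something you can verify rather than guess at. The following PowerShell is an added example, not code from the question, the answer, or Microsoft; it assumes an on-premises forest named corp.example.com (placeholder), Azure AD Connect already installed on the server you run it from, the ActiveDirectory and AzureAD modules available, and a test user jane@corp.example.com (placeholder). Connect-AzureAD prompts interactively for credentials.

```powershell
# Added example (not from the question or answer). Checks, from a defender's view,
# whether a machine and a user are really one identity across on-prem AD and Azure AD
# or two unrelated accounts that merely share a name.
# Assumptions: forest corp.example.com (placeholder), Azure AD Connect installed here,
# ActiveDirectory + AzureAD modules present, test user jane@corp.example.com (placeholder).

# 1. Join state of this machine. dsregcmd /status prints "DomainJoined : YES" and
#    "AzureAdJoined : YES" when the device is hybrid joined; only one YES means it
#    authenticates against just one directory.
$state         = dsregcmd /status
$domainJoined  = ($state | Select-String 'DomainJoined\s*:\s*YES')  -ne $null
$azureAdJoined = ($state | Select-String 'AzureAdJoined\s*:\s*YES') -ne $null
"DomainJoined=$domainJoined AzureAdJoined=$azureAdJoined"

# 2. Is the on-prem user linked to the Azure AD user?
#    A synced user has DirSyncEnabled = True and an ImmutableId equal to the base64
#    encoding of the on-prem objectGUID. Two accounts created separately have no link,
#    so passwords, lockouts and offboarding must be handled twice.
Import-Module ActiveDirectory
Import-Module AzureAD
Connect-AzureAD | Out-Null

$upn       = 'jane@corp.example.com'   # placeholder test user
$adUser    = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
$cloudUser = Get-AzureADUser -ObjectId $upn
$expectedImmutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

if ($cloudUser.DirSyncEnabled -and $cloudUser.ImmutableId -eq $expectedImmutableId) {
    "$upn is one identity synced from on-prem AD (ImmutableId matches objectGUID)."
} else {
    "$upn exists in both directories but they are NOT linked: two accounts, two passwords."
}

# 3. Is the sync scheduler actually running? If not, changes (including password
#    changes and account disables) made on one side never reach the other.
$sched = Get-ADSyncScheduler
"SyncEnabled=$($sched.SyncCycleEnabled) NextSyncUTC=$($sched.NextSyncCycleStartTimeInUTC)"
```

Run it once before and once after the migration the answer recommends: before, check 2 should report the "NOT linked" branch for any account you hand-created on the new domain; after Azure AD Connect has matched or provisioned the users, it should report the synced branch. Check 3 is worth scheduling as a recurring health check, because a stalled sync is how the "two sets of creds" problem quietly comes back even after a proper sync has been set up.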