Windows 2016 Server on site domain join with Azure AD

active-directory azure windows-server-2016 azure-active-directory
7,164

Azure AD by itself is not a classic AD, you can't join machines to it in the same way as on prem AD. You can join Win 10 machines to it, but not server OS.

Your solution here is going to be Azure AD Domain Services, what this service does is extend Azure AD to provide full AD services (with some restrictions). It does not require you to spin up a new VM, it is a PaaS service, you just need to turn it on for your domain, it does however require an Azure vNet to be deployed into.

Once you do this you will have a full AD domain that your server 2016 machine can join, so long as the network that machine is on is connected to the vNet in Azure that you created for AAD DS (this can be VPN, Express Route etc.).

If that isn't feasible then you can use AAD connect sync, but you would have to recreate all your user accounts in your full AD and then sync up to AAD.

Share:
7,164

Related videos on Youtube

Wazzy24
Author by

Wazzy24

Updated on September 18, 2022

Comments

  • Wazzy24
    Wazzy24 over 1 year

    My company has their entire user/group architecture in the cloud using Azure. We recently purchased a Windows 2016 Server machine and I have been asked to set it up so that we can use our Azure accounts. I need to do simple things like file sharing and set up a vpn. Now, I have been reading that Azure AD Connect is NOT an option for me: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-existing-tenant

    If I can not sync Azure AD users/groups to my new AD on the server, then what do I do? I do not want to create new accounts and have people give me their passwords. I have heard about Azure AD Domain Services, but it seems like I need to spin up a virtual machine on Azure with Windows Server 2016, but I do not think that would help my case, since my server is on-site! How do I join this local domain (I have not set it yet) to the Azure domain that already exists with all of our accounts and machines in its AD?

    I have been pouring through this and am not sure what I should do:

    https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-existing-tenant#create-a-new-on-premises-active-directory-from-data-in-azure-ad

    https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-comparison

    https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-join-windows-vm-portal

  • Wazzy24
    Wazzy24 about 6 years
    Sam, thanks for the quick response. So I install a vNet in my Azure portal, turn on Azure AD Domain Services, and have the local server use ExpressRoute to connect to the Azure AD Domain Services via the vNet? Right? I want to make sure I understand you. Also, will I set the domain on the local machine to its own unique name, or use the Azure domain that is already established, or will that be taken care of in the ExpressRoute/vNet settings?
  • Sam Cogan
    Sam Cogan about 6 years
    If you wanted to use AD sync and recreate the accounts then you would need to setup a domain control on prem (sounded like you wanted to use the server 2016 machine for that) then sync it up to AAD. Then any machines you wanted to join to the domain will talk to the on prem domain controller. To be honest the AAD DS option is probably simpler for you if you can sort out the connectivity.
  • Wazzy24
    Wazzy24 about 6 years
    Sam, thanks! I will try the AAD DS route. I hope to have this up and running tomorrow. One last question: Will myself and my users need to be using a VPN client to connect to the server once I have AAD DS established and connected? We jump around quite often and all of our machines are on a WORKGROUP. Will I need to change their settings to the domain of the Azure AD Domain Services? Since we log-in with username/password and all our users are hosted there, it is a little weird to me that our machines are not in the classic domain setting that I am used to.
  • Sam Cogan
    Sam Cogan about 6 years
    I'm not entirely clear on your setup, but it sounds like your going to RDP onto the server 2016 box on prem? Assuming that is the case then you only need connectivity to that machine, no need for VPN to azure from your local machines.
  • Wazzy24
    Wazzy24 about 6 years
    Okay, I was wondering how we would connect to the on premise server. RDP seems logical. Once I get the on prem server and Azure connected, will the file share settings reflect the users in AAD? The focus is users on site to have access first, then have our remote worker be able to get in and use the file shares. Is there a client that works best for RDP?
  • Sam Cogan
    Sam Cogan about 6 years
    You will be able to permission files on the on prem server using users who are in Azure AD yes
  • Wazzy24
    Wazzy24 about 6 years
    Sam, a few more questions. I started another SF thread. My new angle may be this: serverfault.com/questions/902086/…

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

On premise Active Directory ObjectId is different than Azure Active Directory ObjectId
Get Azure Active Directory Token with username and password
Field to add employee ID in Azure AD/Office365
After installing RDS on WinServer 2016 I still can only connect with two users?
How to stop syncing Windows Server with Azure Active Directory
Using Azure AD to push Group Policy settings
Password reset not working because password writeback not working in portal.azure.com
Can we sync Employeeid on prem AD property to Azure Ad using Ad Connect?
Get Azure Active Directory password expiry date in PowerShell
In Azure Active directory user disable option is there?