This post is a continuation of our earlier post about creating an Azure ADDS instance. You can check out that post at the following link.
The trust doesn't use Azure AD Connect to achieve its goal; instead, the trust traffic passes through a Site-to-Site VPN between Azure and the on-premises environment.
For this article, I'm going to use a domain controller deployed in a VNet that is separate from the VNet used by my Azure ADDS, which gives the same result as connecting to an on-premises environment. VNet peering is the method of choice in this scenario. If you don't know how to set up VNet peering, please check out one of my previous articles here.
To get started, I'm going to set up a new domain using an Azure quick start template, as shown below.
We then set up our new domain by inserting the values that fit our environment.
The template can also be accessed from the GitHub repo below.
After deploying the new Active Directory domain in a separate VNet (remember, VNet peering helps us emulate the Site-to-Site VPN setup), we will go ahead and attempt the two objectives below:
- Create a one-way inbound forest trust in an on-premises ADDS environment.
- Create a one-way outbound forest trust in Azure ADDS.
To proceed, we need to set up the DNS forwarders to point to our Azure ADDS by configuring them in the DNS Manager of our on-premises server, as shown below.
The two IP Addresses above represent the private addresses of our Azure ADDS instance.
The next step is to configure Active Directory Domains and Trusts. To set this up, right-click the domain node in the Active Directory Domains and Trusts console, select Properties, open the Trusts tab and click New Trust.
Next, insert the name of the domain with which we want to create the new trust.
From there we create a one-way incoming trust from our trusted domain, set the trust password and finish creating the trust on the on-premises side.
From there, we then head to our Azure ADDS and create a new trust.
We then define our outgoing trust with the forest domain name, the trust password and the DNS servers of our on-premises domain, and save the new trust.
To confirm that the trust relationship works, I will use Remote Desktop to connect to one of the servers joined to the Azure ADDS domain, using the credentials of a domain user from my local (on-premises) domain.
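The on-premises side of the steps above (DNS forwarding, the one-way incoming forest trust and a verification of the result) as an added PowerShell example run on the on-premises domain controller; this is not code from the original post. The managed domain name and its two private DNS addresses are placeholders, and the outgoing side of the trust is still created in the Azure ADDS portal as described above.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the on-premises domain controller (DnsServer and ActiveDirectory
# modules, Enterprise Admins membership). Placeholder values:
$ManagedDomain = 'aadds.example.com'          # Azure ADDS domain name (placeholder)
$ManagedDnsIps = @('10.0.1.4', '10.0.1.5')    # its two private addresses (placeholder)

# 1. Name resolution. The post adds forwarders in DNS Manager; here the forwarder
#    is conditional, scoped to the managed domain only, so that unrelated queries
#    from the on-premises forest are not sent to the Azure ADDS DNS servers.
if (-not (Get-DnsServerZone -Name $ManagedDomain -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarder -Name $ManagedDomain `
        -MasterServers $ManagedDnsIps -ReplicationScope 'Forest'
}
# Check that the DC locator records of the managed domain now resolve.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) { throw "Cannot resolve DC SRV records for $ManagedDomain; check the forwarder" }

# 2. The trust. Prompt for the trust password once and keep it as a SecureString;
#    it is unwrapped only for the .NET call, which takes a plain string, and the
#    buffer is zeroed afterwards. Use the same password in the Azure ADDS portal.
$secure = Read-Host -Prompt 'Trust password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    # Inbound here is the "One-way: incoming" option of the console: the on-premises
    # forest is the trusted side, so its users can authenticate to Azure ADDS resources.
    $forest.CreateLocalSideOfTrustRelationship(
        $ManagedDomain,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound,
        $plain)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# 3. Verification, once the outgoing trust exists in Azure ADDS. VerifyTrustRelationship
#    throws if the secure channel to the other forest cannot be established.
try {
    $forest.VerifyTrustRelationship($ManagedDomain,
        [System.DirectoryServices.ActiveDirectory.TrustDirection]::Inbound)
    Get-ADTrust -Identity $ManagedDomain |
        Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
} catch {
    Write-Warning "Trust with $ManagedDomain not verified yet: $($_.Exception.Message)"
}
```

The final Get-ADTrust output should show Direction set to Inbound for the managed domain; if verification fails, confirm that the Azure ADDS outgoing trust uses the same password and lists the on-premises DNS servers.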