Not able to create external trust in Azure ADDS

2021-12-05T13:26:31.81+00:00

I am not able to create an external trust in Azure ADDS, as I am getting the error below.

Unable to resolve "webshot.ml" using the provided DNS addresses.

Below is the setup:

  1. I have created an on-premises domain with the name "webshot.ml" with two DCs in VMware Workstation.
  2. Then I created an AD tenant in Azure AD and registered the custom domain name "webshot.ml".
  3. Then I established the connection between Azure AD and the on-premises AD with AD Connect using "Pass-Through" authentication.
  4. Then I created Azure ADDS with the name "azurewebshot.ml".
  5. Then I created an Azure VM solo3071 and joined it to the Azure ADDS domain "azurewebshot.ml".
  6. Then I created a certificate VPN, after which I was able to ping the private IP of VM solo3071 from the laptop.
  7. Then I enabled NAT on the on-premises DCs, after which the on-premises DCs were able to ping the VM solo3071 in Azure.
  8. I am able to ping the Azure VM solo3071 with its private IP address from the on-premises DCs (running on VMware Workstation).
  9. I configured the on-premises "webshot.ml" DNS forwarders with the Azure ADDS DCs and created a "one way incoming trust" with respect to Azure ADDS "azurewebshot.ml".
  10. After that I am not able to create an external trust from Azure ADDS to the on-premises DCs, as I get the error: Unable to resolve "webshot.ml" using the provided DNS addresses.

Please help.


1 answer

  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2021-12-06T16:13:14.607+00:00

    @Not able to create external trust in Azure ADDS,

    The error states that you may not have DNS resolution working properly. I read through all the steps you mentioned, and I think you may need to create a conditional forwarder in the DNS on the Azure AD DS side pointing to your on-prem DCs for the webshot.ml zone as well, and make sure that incoming requests on port 53 are allowed on your on-premises DCs in VMware Workstation through the certificate VPN tunnel.

    This should take care of your external trust issue. Please check the article https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/config-firewall-for-ad-domains-and-trusts for the list of ports that will need to be open in your case to allow the incoming requests. Since you have been able to get the incoming trust working on the on-prem side, I think you would not have an issue with ports, and they should be open through your VPN tunnel. In all probability it is a DNS error, as per the details you provided. I think setting up conditional forwarding on the DNS as suggested will make it work for you. Do let us know in case you still get any other error and we will continue to help you.

    Thank you.

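The answer above boils down to two checks before retrying the outbound trust: the Azure AD DS DNS must hold a conditional forwarder for the on-prem zone, and the on-prem DCs must answer DNS on port 53 across the VPN. The PowerShell below is an added example (not code from the answer's author or from Microsoft docs) showing how to create that forwarder from a domain-joined VM with the RSAT DNS Server tools installed and then verify name resolution and port reachability. The on-prem DC addresses and the name of the managed-domain DNS server are placeholders; replace them with the values from your own environment. The firewall command at the end runs on the on-prem DCs, not on the Azure side.

```powershell
# Added example: conditional forwarder for the on-prem zone on the Azure AD DS DNS, plus verification.
# Placeholders (not from the thread): on-prem DC IPs and the Azure AD DS DNS server name.
$OnPremZone     = 'webshot.ml'
$OnPremDcIps    = @('10.0.0.11', '10.0.0.12')   # placeholder: the two on-prem DCs behind the VPN
$AadDsDnsServer = 'aadds-dns.azurewebshot.ml'   # placeholder: a DC of the managed domain (use its IP if preferred)

# 1. Create the conditional forwarder for webshot.ml on the managed domain's DNS.
#    Run from a VM joined to azurewebshot.ml (e.g. solo3071) as a member of "AAD DC Administrators".
if (-not (Get-DnsServerZone -ComputerName $AadDsDnsServer -Name $OnPremZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -ComputerName $AadDsDnsServer `
        -Name $OnPremZone -MasterServers $OnPremDcIps -ReplicationScope 'Domain'
}

# 2. Verify what the trust wizard needs: the zone apex and the DC locator SRV record must resolve
#    through the managed domain's DNS, and each on-prem DC must answer directly on port 53.
function Test-TrustDnsPrereqs {
    param(
        [string]$Zone,
        [string[]]$OnPremDcs,
        [string]$ManagedDns
    )
    $results = @()

    # Zone apex (A record) via the managed domain's DNS
    $apex = Resolve-DnsName -Name $Zone -Type A -Server $ManagedDns -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "A $Zone via $ManagedDns"; Ok = [bool]$apex }

    # DC locator SRV record, which AD uses to find a DC for the trusted domain
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV -Server $ManagedDns -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "SRV _ldap._tcp.dc._msdcs.$Zone via $ManagedDns"; Ok = [bool]$srv }

    foreach ($dc in $OnPremDcs) {
        # TCP/53 reachability through the VPN tunnel
        $tcp = Test-NetConnection -ComputerName $dc -Port 53 -WarningAction SilentlyContinue
        $results += [pscustomobject]@{ Check = "TCP 53 to $dc"; Ok = $tcp.TcpTestSucceeded }

        # UDP/53: Resolve-DnsName uses UDP first, so a direct query proves the UDP path as well
        $direct = Resolve-DnsName -Name $Zone -Type SOA -Server $dc -ErrorAction SilentlyContinue
        $results += [pscustomobject]@{ Check = "SOA $Zone directly from $dc (UDP)"; Ok = [bool]$direct }
    }
    return $results
}

Test-TrustDnsPrereqs -Zone $OnPremZone -OnPremDcs $OnPremDcIps -ManagedDns $AadDsDnsServer | Format-Table -AutoSize

# 3. On each ON-PREM DC: make sure the built-in Windows Firewall rules for the DNS service are enabled
#    so the queries arriving through the VPN are not dropped locally.
#    Get-NetFirewallRule -DisplayGroup 'DNS Service' | Enable-NetFirewallRule
```

If the SRV lookup fails while the A record resolves, the forwarder is reaching the on-prem DCs but the `_msdcs` records are missing or the zone is not the one the DCs registered in; if the direct queries to a DC fail while the TCP test succeeds, UDP 53 is being filtered somewhere on the VPN path and the NAT rules from step 7 of the question are the first place to look.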