This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 68%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB%3C/text%3E%3C/svg%3E)
Good afternoon, everyone,
Someone could tell me if it is possible to connect two domain controllers to a single Azure AD.
Let me explain:
I work in a IT company and we offer remote offices to our clients. Authentication in our remote offices is done via our domain controller. One of our clients, already having a domain controller in their network, asked us if it was possible to use his AD account to authenticate on our remote offices. So an SSO installation with two remote domain controllers on-premise.
Thank you in advance for your clarification.
comment removed
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 2%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Bastien1920 , The requirement is still not clear. Based on the explanation given it looks like you are trying to create a relationship between you local and remote sites, which can pretty much be done using your on-prem Domain Controllers. SSO would be delivered using Kerberos within your org network. I am not sure where Azure AD is coming into picture here.
Do clarify your requirement with AAD, so that we can help better.
Thank you for your response.
For now, let's forget about AzureAD, I thought it might be a good solution.
On my side, I have an Active Directory with a forest called domain-A. Another company has own Active Directory with forest called domain-B.
The users of other company (Domain-B) want to access the remoteapp resources of domain-A (My company) with their login (username, password) from domain-B. Is this possible?
I'm fairly sure that you can set up a forest trust in this case, which I believe has to be a two-way trust. RDS is not my primary field of expertise 😅
If I understand correctly, you're talking about federated identity management. Well, according to this article it is possible: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
I think that better solution for your clients would be separate forest in DMZ or external zone, with ADFS service and federation with your internal AD and AD of your clients. It will work for different clients, even when they don't have local AD. It deliver better protection of your internal resources and better control on access.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 72%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
You tagged the question with "ADFS" so I assume that's an option.
In this scenario, you would install ADFS for your domain, they would install ADFS for their domain and then you would then federate the two ADFS.
The domain-B users can then access domain-A applications using their domain-B credentials.
If this is a possible solution, let me know and I can elaborate.
You would need to setup federated services and also setup SAML authentication on your domain to allow their federated domains credentials. I don't recommend this method unless you want to go through great lengths to manage and secure your companies internal domain, for yours and your customers sake.
I would also suggest a method that involves a stop gap in the case of a credential is compromised by a bad actor or something with the knowledge to harm your internal domain or your customers remote offices. This would involve setting up your domain with 2FA integrations to control desktop sign ons. This would be possible with many 2FA products but my experience has been successful with Duo.
I suggest also looking into moving your own environments into Azure if this is going to be a common practice between you and your customers since this would make your own infrastructure management a breeze and also make you very flexible to integrate with any future customer. Hope this helps!
https://www.appliedis.com/federated-authentication-with-a-saml-identity-provider/