AVD with .local Domain and AD Connect?

Question

AVD with .local Domain and AD Connect?

Vanessa P 1

Hi Everyone, I have a client that wants to migrate from on prem to hybrid to eventually cloud only and they have a few apps that I want to run via Azure Virtual Desktop as opposed to RDS (licensing for avd is bundled into their M365 licensing) but I'm having an issue with the authentication because of how their domain is setup. They currently have a .local domain on prem that self routes to the domain controller as the DNS server, and they have a .com that is associated and validated with M365. It was my understanding that So long as you have Azure AD Connect you can join a AD DS domain to a vm for avd and then have that authenticate using Azure AD Credentials. But because their domain is not routable I'm stuck. If I put the vm's involved on the .com domain then they can't access resources (at least I don't think they can) from the .local and I'm not sure how to to make the .local domain routable in a way that M365/Azure AD will accept so that everything talks to each other.

I currently have a DC on prem that is .local, that same DC extended into a VM in azure, my app server in azure and then the avd vm. With a Ipsec tunnel between the vnet and the company network.

Thoughts?

Thank you in advance!

Givary-MSFT 22,726 Reputation points Microsoft Employee

2022-11-02T04:03:23.78+00:00

@Vanessa P

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.
Vanessa P 1 Reputation point

2022-11-02T15:30:16.96+00:00

Hi, no I haven't gotten a helpful response. And sadly the thread seems to have dried up. I'll keep working on it and posting in other forums.
Givary-MSFT 22,726 Reputation points Microsoft Employee

2022-11-02T15:45:12.933+00:00

@Vanessa P sorry to hear this.. let's connect offline to discuss further on this.

Givary-MSFT 22,726 Reputation points Microsoft Employee

2022-11-02T04:03:23.78+00:00

@Vanessa P

Just checking in to see if below information was helpful. If you have any further updates on this issue, please feel free to post back.
Vanessa P 1 Reputation point

2022-11-02T15:30:16.96+00:00

Hi, no I haven't gotten a helpful response. And sadly the thread seems to have dried up. I'll keep working on it and posting in other forums.
Givary-MSFT 22,726 Reputation points Microsoft Employee

2022-11-02T15:45:12.933+00:00

@Vanessa P sorry to hear this.. let's connect offline to discuss further on this.

Answer 1

Justin Verstijnen 196

We are using Azure Virtual Desktop in the exact same setup. We have 2 domain controllers on-premises with an company.local domain. In the cloud (Azure AD) we have a company.com domain. With AD Connect we sync all users from company.local to company.com. Also, it is possible in your on-premises AD to create a UPN suffix. Here you can configure the users to also use the company.com domain in your on-premises AD.

For more redundancy we also have 2 domain controllers in Azure to handle sign-in requests done by Azure Virtual Desktop.

When you have this configured your users will be able to use AVD with their synced Microsoft 365 account.

Vanessa P 1 Reputation point

2022-10-25T16:08:31.02+00:00

Hi JustinVers, Thank you for the response, however I have a question. For your VM for AVD I am assuming that you are joining it to the .com domain since M365 requires a routable domain, but then how are you able to have the rest of the VMs in the cloud see the .local domain? I did update the UPN suffix to include the .com domain and synced with A AD Connect (and changed the domain of the users that need the AVD connection to the .com domain) but I'm still running into issues. If I put the domain controller that has been extended into azure, the vm that houses the database and the vm that is the AVD source, there is a disconnect between the .local domain and the .com domain. Or perhaps I am misunderstanding the intended result. I feel like I am missing something super simple. Is what I'm saying making sense? I'm happy to provide screenshots. Thank you!

When I originally set this up I added the upn prefix and joined the DC and data VM (that are both in azure) to the .local domain. and installed A AD connect and synced. but when I tried to domain join the AVD vm I of course couldn't join it to the .local domain and if I join it to the .com, it acts as if it is on a separate domain to the other two VMs. Does there need to be DNS forward lookup to the .com domain on the domain controller?
Justin Verstijnen 196 Reputation points

2022-10-26T17:50:12.16+00:00

Hey VanessaP-0590,

It is possible to domain-join the Azure Virtual Desktop session hosts to your on-premises AD with using a Site-to-Site VPN and then configuring your Azure Virtual Network to have use the DNS-servers from your on-premises AD. That is the way we configured it. When this doesnt work, can you please provide some screenshots? Of course you can hide critical information due to privacy.
Vanessa P 1 Reputation point

2022-10-27T15:13:19.693+00:00

Hi Justin, here are some screenshots. Let me know if you need something specific. I'm unable to join a multisession vm to the .local domain when creating it. And if I try to join it to the .com domain (because I have no other options) I get a conflict error and it won't join. I've gone in and .local domain joined the multisession vm but then I can't add it to the host pool either. I feel like it should work at the setup of the multisession vm if I've done the .local and .com domain work correctly.

Azure topology (showing the ipsec tunnels)

UPN suffix

DNS on azure server/.local DC not .com server

proof azure vm is domain joined to .local

reverse look up zone (do I need one for the .com server?)

Answer 2

Hi,

Thank you for posting your query.

Kindly follow the steps provided below to resolve your issue.

Azure AD Connect only synchronizes users to domains that are verified by Office 365. If your internal AD DS only uses a non-routable domain, this can't possibly match the verified domain you have on Office 365. You can fix this issue by either changing your primary domain in your on premises AD DS, or by adding one or more UPN suffixes.

Here is the nice article explains, how to add UPN suffixes and to move forward with the directory synchronization.
https://learn.microsoft.com/en-us/office365/enterprise/prepare-a-non-routable-domain-for-directory-synchronization#add-upn-suffixes-and-update-your-users-to-them

Go to this link for your reference https://learn.microsoft.com/en-us/answers/questions/27357/configuring-azure-ad-connect-with-a-local-domain-u.html

---------------------------------------------------------------------------------------------------------------------------------------------------

If the answer is helpful kindly click "Accept as Answer" and upvote it. Thanks.

AVD with .local Domain and AD Connect?

2 answers

Activity