Unable to implement ACL on Azure File Share because of non-routable domain (.local)

Syed Salman Jawaid Najmi 1 Reputation point
2022-12-11T10:54:59.343+00:00

I have a domain controller that has a non-routable domain like example.local. I have added an alternative UPN suffix that is example.com, synchronized the AD using Azure AD Connect and domain joined the Azure File Share.

After implementation I am unable to access the Azure File Share using the example.com ID and am getting the following error.

----------

Error-specific details:
Error: DfsMapCacheAdd(Domain), 0x8007054b, The specified domain either does not exist or could not be contacted.

----------


3 answers

  1. Manu Philip 16,986 Reputation points MVP
    2022-12-11T13:19:01.787+00:00

    I guess you can set the Azure file ACL with the following cmdlets, with no need to set up an alternative UPN suffix. After applying the ACL changes, try to mount the file and see if it helps.

    # Domain GUID and SID of the on-prem domain the storage account is joined to
    $Guid = (Get-ADDomain -Identity "adname").ObjectGuid.Guid
    $Sid = (Get-ADDomain -Identity "adname").DomainSID.Value
    # SID of the computer object that represents the storage account in AD
    $StgaccountSid = (Get-ADComputer -Identity "ADComputerName").SID.Value
    $Params = @{
        ResourceGroupName = "RGName"
        Name = "azurefilename"
        EnableActiveDirectoryDomainServicesForFile = $true
        ActiveDirectoryDomainName = "adname.local"
        ActiveDirectoryNetBiosDomainName = "adname"
        ActiveDirectoryForestName = "adname"
        ActiveDirectoryDomainGuid = $Guid
        ActiveDirectoryDomainsid = $Sid
        ActiveDirectoryAzureStorageSid = $StgaccountSid
    }
    # Splat the hashtable (@Params, not $Params) so each key binds to the matching parameter
    Set-AzStorageAccount @Params

    ----------

    --please don't forget to upvote and Accept as answer if the reply is helpful--

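    Once the cmdlets above have been applied, it is worth reading back what the storage account actually recorded and comparing it with the on-prem domain before touching any ACLs; a GUID, SID or domain-name mismatch produces exactly the "domain does not exist or could not be contacted" class of error the question reports. The script below is an added example written for this thread, not code from the answer above or from Microsoft's documentation. It assumes the Az.Storage and ActiveDirectory modules, an authenticated Az session, and a domain-joined Windows client; the resource group, storage account and domain names are placeholders. It also flags the mismatch the asker later identified, where the client's logon domain differs from the domain the share was joined to.

```powershell
# Added example (not from the original post): compare the AD DS identity settings
# recorded on the storage account with the on-prem domain and with the logon identity.
# Placeholders: RGName, azurefilename, adname.local.
param(
    [string]$ResourceGroupName  = 'RGName',         # placeholder
    [string]$StorageAccountName = 'azurefilename',  # placeholder
    [string]$OnPremDomain       = 'adname.local'    # placeholder: DNS name of the on-prem domain
)

# What the storage account believes about the domain it was joined to
$acct = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$auth = $acct.AzureFilesIdentityBasedAuth
if ($auth.DirectoryServiceOptions -ne 'AD') {
    Write-Warning "Identity-based auth is '$($auth.DirectoryServiceOptions)', not AD DS."
}
$adProps = $auth.ActiveDirectoryProperties

# What the on-prem domain actually reports; the computer object is normally named
# after the storage account, so its absence is a finding in itself
$domain   = Get-ADDomain -Identity $OnPremDomain
$computer = Get-ADComputer -Identity $StorageAccountName -ErrorAction SilentlyContinue
if (-not $computer) {
    Write-Warning "No computer object named '$StorageAccountName' in $($domain.DNSRoot)."
}

$checks = @(
    @{ Name = 'DomainName';  Expected = $domain.DNSRoot;               Actual = $adProps.DomainName }
    @{ Name = 'NetBiosName'; Expected = $domain.NetBIOSName;           Actual = $adProps.NetBiosDomainName }
    @{ Name = 'ForestName';  Expected = $domain.Forest;                Actual = $adProps.ForestName }
    @{ Name = 'DomainGuid';  Expected = $domain.ObjectGUID.ToString(); Actual = $adProps.DomainGuid }
    @{ Name = 'DomainSid';   Expected = $domain.DomainSID.Value;       Actual = $adProps.DomainSid }
    @{ Name = 'StorageSid';  Expected = $computer.SID.Value;           Actual = $adProps.AzureStorageSid }
)
foreach ($c in $checks) {
    # -eq on strings is case-insensitive in PowerShell, which is what we want for GUIDs and names
    $ok = ($null -ne $c.Actual) -and ($c.Expected -eq $c.Actual)
    '{0,-12} {1,-5} expected={2} actual={3}' -f $c.Name, $(if ($ok) { 'OK' } else { 'FAIL' }), $c.Expected, $c.Actual
}

# The mismatch from this thread: the share is joined to one DNS domain, but the
# session reaching it was signed in under a different name. USERDNSDOMAIN is only
# set for an on-prem domain logon, so an empty value is also worth noticing.
$logonDomain = $env:USERDNSDOMAIN
if (-not $logonDomain) {
    Write-Warning 'USERDNSDOMAIN is not set; this session is not an on-prem AD domain logon.'
} elseif ($logonDomain -ne $adProps.DomainName) {
    Write-Warning "Signed in from '$logonDomain' but the share is joined to '$($adProps.DomainName)'."
}

# Finally, confirm a Kerberos service ticket can be obtained for the file endpoint
klist get "cifs/$StorageAccountName.file.core.windows.net"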

  2. Syed Salman Jawaid Najmi 1 Reputation point
    2022-12-11T21:44:36.997+00:00

    I am getting this error.

    Get-ADComputer : Cannot find an object with identity: "azurefilename" under: 'DC=adname,DC=local'.


  3. Syed Salman Jawaid Najmi 1 Reputation point
    2022-12-13T19:24:37.537+00:00

    @Manu Philip thank you for your response, but these commands did not resolve the issue.

    The issue was because I domain joined the Azure File Share with .local domain and was trying to access the Azure File Share with the .com ID.

    Following are the action items that resolved the issue.

    1. On-prem AD had a forest named adname.local
    2. Added alternative UPN suffix adname.com
    3. Configured AD Connect to sync on-prem users to Azure AD.
    4. Logged in to a Windows 10 machine using ID name.com
    5. Domain-joined the Azure File Share using this link https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable
    6. Migrated data from the on-prem File Server to the Azure File Share using RoboCopy because Azure File Sync was not supported on the OS of the on-prem File Server.
    7. ACLs were transferred to Azure File Share.
    8. ACLs were working when logging in to Azure File Share using on-prem AD credentials.

    Thank you.

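    Steps 6 and 7 of the resolution above (copy with RoboCopy, then confirm the ACLs arrived) are the part most often done without verification, and a copy that silently drops the security descriptors leaves the share wide open or inaccessible. The script below is an added example for this thread, not the asker's own command line or anything from Microsoft's documentation. It assumes a domain-joined client that can reach both the on-prem share and the Azure file share over SMB with an account that can read security descriptors; the source and destination paths are placeholders.

```powershell
# Added example (not from the original post): mirror an on-prem share to the Azure
# file share while carrying DACLs and owners, then spot-check that they survived.
# Placeholders: \\fileserver01\data and azurefilename.
$Source      = '\\fileserver01\data'                            # placeholder
$Destination = '\\azurefilename.file.core.windows.net\share'    # placeholder
$Log         = Join-Path $env:TEMP 'robocopy-migration.log'

# /MIR mirrors the tree; /COPY:DATSO copies Data, Attributes, Timestamps, Security (DACL)
# and Owner; /DCOPY:DAT does the same for directories; /SECFIX reapplies security even on
# files whose data already matches at the destination (useful on a re-run).
robocopy $Source $Destination /MIR /COPY:DATSO /DCOPY:DAT /SECFIX /R:3 /W:5 /MT:16 /NP "/LOG:$Log"

# Robocopy exit codes below 8 are informational (files copied, extras, mismatches);
# 8 and above mean at least one file or directory failed.
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures, see $Log" }

# Compare the SDDL of a sample of files on both sides. A mismatch here means the
# copy did not carry the ACL, regardless of what the log says.
Get-ChildItem -Path $Source -File -Recurse | Select-Object -First 20 | ForEach-Object {
    $rel     = $_.FullName.Substring($Source.Length)     # keeps the leading backslash
    $srcSddl = (Get-Acl -Path $_.FullName).Sddl
    $dstSddl = (Get-Acl -Path ($Destination + $rel)).Sddl
    [pscustomobject]@{ File = $rel; AclMatch = ($srcSddl -eq $dstSddl) }
} | Format-Table -AutoSize
```

    Owner copying (the O in /COPY:DATSO) needs the backup/restore privileges an elevated administrator has; without them robocopy still copies the DACL but logs the owner failures, which is why the exit-code check and the SDDL comparison are both kept rather than trusting either alone.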