Hi @Mohamed Gamal,
To join your PCs to the Azure Active Directory Domain Service (AAD DS), you don't necessarily need to create a VPN tunnel to Azure. However, you do need to ensure that your PCs can communicate with the AAD DS domain controllers over the network.
If your PCs are on-premises, you can use ExpressRoute or VPN to connect your on-premises network to Azure. This will allow your PCs to communicate with the AAD DS domain controllers in Azure.
Regarding your second question, if you want to create additional on-premises domain controllers for your AAD DS domain, you can do so by deploying domain controllers in your on-premises environment and then configuring them to replicate with the AAD DS domain controllers in Azure. This will allow you to have additional domain controllers for your AAD DS domain that are located on-premises.
However, keep in mind that you will need to ensure that the domain controllers are properly configured and secured to ensure that they can communicate with the AAD DS domain controllers in Azure.
Please let me know if you have any questions and I can help you further.
If this answer helps you, please mark "Accept Answer" so other users can reference it.
Thank you,
James
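The answer above hinges on one prerequisite: the on-premises PCs must be able to reach the AAD DS domain controllers over the ExpressRoute or VPN link, and resolve the managed domain's DNS records, before a domain join can work. The following PowerShell script is an added example for checking that from a PC; it is not part of James's answer or any Microsoft tooling. The domain name and domain controller IP addresses are placeholders you must replace with the values shown in your own AAD DS resource, and the port list reflects the standard Kerberos, LDAP, SMB, RPC and DNS ports a domain join depends on.

```powershell
# Added example (not from the original answer): verify that this PC can reach
# the AAD DS domain controllers across the VPN/ExpressRoute link before joining.
# All names and addresses below are placeholders; substitute your own values.

$ManagedDomain     = 'aaddscontoso.example'     # placeholder: your AAD DS domain name
$DomainControllers = @('10.0.1.4', '10.0.1.5')  # placeholder: DC IPs listed in the AAD DS blade

# TCP ports used by domain join and sign-in. Test-NetConnection only exercises TCP,
# so UDP 53/88/389 are not covered by this check and may still be blocked.
$Ports = @{
    53  = 'DNS'
    88  = 'Kerberos'
    135 = 'RPC endpoint mapper'
    389 = 'LDAP'
    445 = 'SMB'
    636 = 'LDAPS'
}

# Probe every DC on every port and collect the outcome as objects.
$results = foreach ($dc in $DomainControllers) {
    foreach ($port in $Ports.Keys) {
        $tnc = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $dc
            Port             = $port
            Service          = $Ports[$port]
            Reachable        = $tnc.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize

# The client must resolve the managed domain's DC SRV records, which means its
# DNS should point at the AAD DS DNS servers or at a forwarder that reaches them.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ManagedDomain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "No DC SRV records found for $ManagedDomain; point client DNS at the AAD DS DNS servers first."
}

# Summarise: anything unreachable points at the NSG on the AAD DS subnet or the on-premises firewall.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning 'Some ports are blocked; review the AAD DS subnet NSG and the on-premises firewall rules:'
    $blocked | Format-Table -AutoSize
} else {
    Write-Output "All checked ports are reachable. The PC can now be joined with:"
    Write-Output "  Add-Computer -DomainName $ManagedDomain -Credential (Get-Credential)"
}
```

Run it in an elevated PowerShell session on a PC that sits on the on-premises network. A clean result on all ports plus a successful SRV lookup is the state the answer refers to when it says the PCs must "communicate with the AAD DS domain controllers"; a partial result usually isolates the problem to a single firewall or NSG rule rather than to the tunnel itself.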