This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 3%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEF%3C/text%3E%3C/svg%3E)
Hey All,
Long time listener, first time caller.
My question is regarding a situation I'm put in. I have always worked in an on-prem or hybrid environment. The company I'm in, has an almost 100% remote workforce. They brought me in to create a 100% cloud environment.
The first roadblock I'm encountering is joining all users to a domain. I have set up an Entra AADDS, and created a site-to-site VPN. I've managed to communicate with the DC VM that I created in Azure. I'm able to even test-join a VM that I created on-prem with the DC in the cloud.
What I haven't been able to do is join a non-prem machine to the cloud. I've created a VPN to HQ (fortigate) for the remote users, but they cannot seem to reach the DC. I can ping the DC, but it does not want to join the domain.
Is it something that's not supported? Do I have to do Azure Join? I much rather do domain join, because it much easier to manage than the mess in configuring InTune. I can't deal with the group policies that way. It's so frustrating.
I know that Entra has improved a lot with some the issues that ADDS used to have. I do not have plans or budget to put in an on-prem DC.
Any assistance would be helpful.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept Answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
In short, you cannot join non-Azure hosted systems to Entra Domain Services domain. This is exclusively for Azure VMs
hth
Marcin
But with a Site-to-Site connection to my on-prem, and the users connecting to the company VPN. With everything networked correctly, they "should" be able to access shared file services from an Azure file server I'm going to create, correct? I just don't want to paint myself into a corner if I don't have to. The disconnect/limitation only applies to EDS, correct?
If you don't intend to have AD DS in your on-premises environment, you'll need to resort to Entra join (or registration) instead
hth
Marcin
Thanks, I hate InTune. Any recommendations on best practices for InTune configuration? I need to be as granular as possible to meet standards close to group policy controls. We need to meet all sorts of compliancies and governance for security.
Intune does provide this functionality (and more). As a matter of fact, you can use Group Policy templates if you prefer. More at https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-windows
hth
Marcin
Thanks! I'll check it out. It's just every time I've run into InTune in the past it's been such a headache, and created a bigger problem than the one we were trying to solve, lol.
It's quite powerful (certainly more than Group Policies) - it's also the Microsoft strategic solution for MDM - so it's worth taking another look
hth
Marcin
Hi Eddie
If this answers your question, pls mark the question as answered
thnx
Marcin