Active Directory – How to Limit AD Traffic to On-Premise DCs with Trust to Azure


We are setting up a trust between a stand-alone on-premise domain (DMZ from now on) and a corporate domain which is AD/AAD (synched) (CORP from now on) so that users from CORP can log into servers joined to DMZ. To be clear, they're on separate forests.

My intention is to set up an external, non-transitive trust from DMZ to CORP.

Now, the thing is – the CORP domain has two domain controllers on-premise, and two domain controllers as VMs in Azure… I would like to avoid having to add two firewall rules (one for the on-premise DCs, one for the Azure DCs.)
How could I limit any AD traffic from DMZ to CORP to only hit the on-premise CORP DCs, or would that not be desirable for any reason besides redundancy?

I'm guessing if possible this will have to do with the CORP AD configuration under sites and services, in which case I may have a few follow-up questions 🙂

Thanks in advance and apologies for the noob-ness.

Best Answer

If by AAD you mean Azure AD, then you have nothing to worry about. AD and AAD are two completely different systems; they use an intermediate tool (AD Connect) to sync data between them. Basically, your DMZ domain controllers will know nothing about AAD.
