Azure AD Sync / AD Connect in a split zone DNS environment
Users will not be able to sign-in to Azure AD with on-premises credentials if the UPN suffix does not match a verified domain
BUT
What if you have followed the Microsoft best practice and you have a split scope DNS with a local zone like WESTERNMOTORS.LOCAL and public domain is something like WESTERNMOTORS.NET
Let’s peel this back a bit.
Split Zone DNS -
Split DNS (Domain Name System) is a configuration where a single DNS infrastructure is used to manage domain name resolution for a given domain, but different sets of DNS servers are used to resolve those domain names based on the location or network segment of the client making the DNS query. The purpose of split DNS is to provide different DNS responses for the same domain based on specific criteria, typically separating internal and external network traffic. This can enhance security, performance, and control in network environments.
Internal and External Zones: In a split DNS configuration, a domain is divided into two or more DNS zones: one for internal network usage and another for external/public network usage. These zones can have the same domain name but contain different DNS records.
Internal Zone looks like this
External Zone is likely hosted with a 3’rd party and looks like this:
If you are setting up Azure AD Sync with SSO (Single Sign On) you will get this error
Here are the steps to add a DNS suffix:
Access Active Directory Domains and Trusts:
Add DNS Suffix:
Recommended by LinkedIn
In the "Active Directory Domains and Trusts" window, right-click on the root node (the top-level item in the left-hand pane) and select "Properties."
Add DNS Suffix:
In the "Active Directory Domain and Trust Properties" window, go to the "UPN Suffixes" tab.
Here, you can add a new UPN suffix (User Principal Name suffix), which will be used for the synchronization with Azure AD.
Apply Changes:
Click "Add" and enter the DNS suffix you want to add.
Click "Add" again for any additional suffixes you want to include.
Click "Apply" and then "OK" to save the changes.
Sync Changes to Azure AD:
Once you've added the DNS suffix in your on-premises AD environment, Azure AD Sync (or Azure AD Connect) should pick up the changes during the next synchronization cycle. You don't need to make any specific changes in Azure AD itself for this configuration.
Verify the Configuration:
To ensure that the DNS suffix has been applied successfully in Azure AD Sync, monitor your synchronization logs for any errors or issues. You can use tools like "Synchronization Service Manager" to view the synchronization status and logs.
Full Stack .Net Developer @ The DNA Company | Team Lead
1yI missed