Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. With an Azure AD DS managed domain, you can provide domain join and management functions for virtual machines (VMs) in Azure. This tutorial shows you how to create a Windows Server VM and then join it to a managed domain.
In this tutorial, you will learn how to:
- Create a Windows Server virtual machine
- Connect the Windows Server virtual machine to an Azure virtual network
- Join the virtual machine to the managed domain
If you don't have an Azure subscription, create an account before you start.
Prerequisites
To complete this tutorial, you need the following resources:
- An active Azure subscription.
- If you don't have an Azure subscription, create an account.
- An Azure Active Directory tenant associated with your subscription, either synced to an on-premises directory or a cloud-only directory.
- If required, create an Azure Active Directory tenant or associate an Azure subscription with your account.
- An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
- If required, create and configure an Azure Active Directory Domain Services managed domain.
- A user account that is part of the managed domain.
- Make sure that Azure AD Connect password hash synchronization or self-service password reset has been performed so that the account can sign in to the managed domain.
- An Azure Bastion host deployed in your Azure AD DS virtual network.
- If required, create an Azure Bastion host.
If you already have a virtual machine that you want to join to the domain, skip to the section on joining the virtual machine to the managed domain.
Sign in to the Azure portal
In this tutorial, you'll create a Windows Server VM to join to your managed domain using the Azure portal. To get started, first sign in to the Azure portal.
Create a Windows Server virtual machine
To see how to join a computer to a managed domain, let's create a Windows Server VM. This virtual machine is connected to an Azure virtual network that provides connectivity to the managed domain. The process for joining a managed domain is the same as joining a regular on-premises Active Directory Domain Services domain.
If you already have a virtual machine that you want to join to the domain, skip to the section on joining the virtual machine to the managed domain.
From the Azure portal menu or from the Home page, select Create a resource.
Under Get started, choose Windows Server 2016 Datacenter.
In the Basics window, configure the basic settings for the virtual machine. Leave the defaults for Availability options, Image, and Size.
Parameter and suggested value:
- Resource group: Select or create a resource group, such as myResourceGroup.
- Virtual machine name: Enter a name for the virtual machine, such as myVM.
- Region: Choose the region in which to create your VM, such as East US.
- Username: Enter a username for the local administrator account to create on the VM, such as user.
- Password: Enter and then confirm a strong password for the local administrator to create on the virtual machine. Do not specify the credentials of a domain user account.
By default, virtual machines created in Azure can be accessed from the Internet using RDP. When RDP is enabled, automated sign-in attacks are likely to occur, which can lock out accounts with common names such as admin or administrator after several successive failed sign-in attempts.
RDP should only be enabled when necessary and limited to a set of authorized IP ranges. This configuration improves the security of the virtual machine and reduces its attack surface. Alternatively, create and use an Azure Bastion host, which allows access only through the Azure portal over TLS. In the next step of this tutorial, you'll use an Azure Bastion host to securely connect to the virtual machine.
Under Public inbound ports, select None.
When you are done, select Next: Disks.
From the drop-down menu for OS disk type, choose Standard SSD, then select Next: Networking.
Your virtual machine must be connected to an Azure Virtual Network subnet that can communicate with the subnet where your managed domain is deployed. We recommend that a managed domain be deployed on its own dedicated subnet. Do not deploy your VM on the same subnet as your managed domain.
There are two main ways to deploy your virtual machine and connect to a suitable virtual network subnet:
- Create a subnet, or select an existing one, in the same virtual network where your managed domain is deployed.
- Select a subnet in an Azure virtual network that is connected to it using Azure virtual network peering.
If you select a virtual network subnet that isn't connected to your managed domain subnet, you can't join the virtual machine to the managed domain. For this tutorial, we are going to create a new subnet in the Azure virtual network.
In the Networking panel, select the virtual network in which your managed domain is deployed, such as aadds-vnet.
In this example, the existing aadds-subnet to which the managed domain is connected is shown. Do not connect your virtual machine to this subnet. To create a subnet for the virtual machine, select Manage subnet configuration.
In the menu on the left of the virtual network window, select Address space. The virtual network is created with a single address space of 10.0.2.0/24, which is used by the default subnet. Other subnets, such as for workloads or Azure Bastion, can also exist.
Add an additional IP address range to the virtual network. The size of this address range and the actual IP address range to be used depends on other network resources already in place. The IP address range must not overlap with any existing address range in your on-premises or Azure environment. Be sure to size the IP address range large enough for the number of virtual machines you expect to deploy on the subnet.
In the following example, an additional IP address range of 10.0.5.0/24 is added. When you are ready, select Save.
Then, in the menu on the left of the virtual network window, select Subnets, then choose + Subnet to add a subnet.
Select + Subnet, then enter a name for the subnet, such as management. Provide an Address range (CIDR block), such as 10.0.5.0/24. Make sure this IP address range does not overlap with any other existing Azure or on-premises address ranges. Leave the other options at their default values, then select OK.
It takes a few seconds to create the subnet. Once created, select the X to close the subnet window.
Back in the Networking panel for creating the virtual machine, choose the subnet you created from the drop-down menu, such as management. Again, make sure you choose the correct subnet and don't deploy your VM on the same subnet as your managed domain.
For Public IP, select None from the drop-down menu. Because you're using Azure Bastion in this tutorial to connect for management, you don't need a public IP address assigned to the virtual machine.
Leave the other options at their default values, then select Management.
Set Boot diagnostics to Off. Leave the other options at their default values, then select Review + create.
Review the virtual machine settings, then select Create.
It takes a few minutes to create the virtual machine. The Azure portal shows the status of the deployment. Once the virtual machine is ready, select Go to resource.
Connect to the Windows Server virtual machine
To securely connect to your virtual machines, use an Azure Bastion host. With Azure Bastion, a managed host is deployed in your virtual network and provides web-based RDP or SSH connections to the virtual machines. Public IP addresses are not required for the virtual machines, and there is no need to open NSG rules for external remote traffic. You connect to virtual machines through the Azure portal from your web browser. If required, create an Azure Bastion host.
To use a Bastion host to connect to your VM, complete the following steps:
In the Overview for your VM, select Connect, then Bastion.
Enter the credentials for your VM that you specified in the previous section, then select Connect.
If necessary, allow your web browser to open popup windows to display the Bastion connection. It takes a few seconds to establish the connection to your virtual machine.
Join the virtual machine to the managed domain
With the virtual machine created and a web-based RDP connection established using Azure Bastion, let's now join the Windows Server virtual machine to the managed domain. This process is the same as for a computer joining a regular on-premises Active Directory Domain Services domain.
If Server Manager does not open by default when you sign in to the virtual machine, select the Start menu, then choose Server Manager.
In the left panel of the Server Manager window, select Local Server. Under Properties in the right pane, choose WORKGROUP.
In the System Properties window, select Change to join the managed domain.
In the Domain box, specify the name of your managed domain, such as aaddscontoso.com, then select OK.
Enter the domain credentials to join the domain. Provide the credentials of a user who is part of the managed domain. The account must be part of the managed domain or Azure AD tenant; external directory accounts associated with your Azure AD tenant cannot successfully authenticate during the domain join process.
Account credentials can be specified in one of the following ways:
- UPN format (recommended): Enter the User Principal Name (UPN) suffix for the user account, as configured in Azure AD. For example, the UPN suffix of the user contosoadmin would be contosoadmin@aaddscontoso.onmicrosoft.com. There are a couple of common cases where the UPN format can be used more reliably to sign in to the domain than the SAMAccountName format:
  - If a user's UPN prefix is long, such as deehasareallylongname, the SAMAccountName may be auto-generated.
  - If multiple users have the same UPN prefix in your Azure AD tenant, such as dee, their SAMAccountName format may be auto-generated.
- SAMAccountName format: Enter the account name in the SAMAccountName format. For example, the SAMAccountName of the user contosoadmin would be AADDSCONTOSO\contosoadmin.
It takes a few seconds to join the managed domain. When complete, the following message welcomes you to the domain:
Select OK to continue.
To complete the join process to the managed domain, reboot the virtual machine.
Tip
You can join a VM to a domain using PowerShell with the Add-Computer cmdlet. The following example joins the AADDSCONTOSO domain and then restarts the virtual machine. When prompted, enter the credentials of a user who is part of the managed domain:
Add-Computer -DomainName AADDSCONTOSO -Restart
To join a VM to a domain without connecting to it and manually configuring the join, you can use the Set-AzVMADDomainExtension Azure PowerShell cmdlet.
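The following is an added example, not code from the original article, showing the Set-AzVMADDomainExtension approach end to end from an administrator workstation with the Az PowerShell module. The resource group, VM name and OU path are placeholders; the OU path assumes the managed domain's built-in "AADDC Computers" container.

```powershell
# Added example (not from the original article): join an existing Azure VM to the
# managed domain without opening an RDP or Bastion session to it. The domain join
# extension runs inside the VM on your behalf and reports its result back to Azure.
$resourceGroup = 'myResourceGroup'                               # placeholder
$vmName        = 'myVM'                                          # placeholder
$domainName    = 'aaddscontoso.com'
$ouPath        = 'OU=AADDC Computers,DC=aaddscontoso,DC=com'     # assumed target OU

# Prompt for a managed-domain user in UPN format (the format the article recommends).
# The password is captured as a SecureString and is never written into the script.
$cred = Get-Credential -UserName 'contosoadmin@aaddscontoso.onmicrosoft.com' `
                       -Message 'Managed domain user (UPN format)'

# Interactive sign-in to the Azure subscription that owns the VM.
Connect-AzAccount | Out-Null

# JoinOption 3 = NETSETUP_JOIN_DOMAIN (1) + NETSETUP_ACCT_CREATE (2): join the domain
# and create the computer object in the given OU. -Restart reboots the VM to complete
# the join, which is the same reboot the portal procedure above requires.
Set-AzVMADDomainExtension -ResourceGroupName $resourceGroup -VMName $vmName `
    -DomainName $domainName -OUPath $ouPath -Credential $cred `
    -JoinOption 3 -Restart -Verbose

# Confirm the extension provisioned. Anything other than 'Succeeded' means the join
# failed; the extension status then carries the reason (typically DNS or credentials,
# the same two causes the troubleshooting section below walks through).
$ext = Get-AzVMADDomainExtension -ResourceGroupName $resourceGroup -VMName $vmName
'{0}: ProvisioningState={1}' -f $ext.Name, $ext.ProvisioningState
```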
After the Windows Server VM has been rebooted, any policies applied in the managed domain are pushed to the VM. You can now also log in to the Windows Server virtual machine with the appropriate domain credentials.
Clean up resources
In the next tutorial, you will use this Windows Server virtual machine to install the management tools that allow you to administer the managed domain. If you do not wish to continue with this tutorial series, review the following cleanup steps to delete the virtual machine. Otherwise, continue to the next tutorial.
Unjoin the virtual machine from the managed domain
To remove the virtual machine from the managed domain, follow the steps again to join the virtual machine to a domain. Instead of joining the managed domain, choose to join a workgroup, such as the default WORKGROUP. After the virtual machine has been rebooted, the computer object is removed from the managed domain.
If you delete the virtual machine without disconnecting it from the domain, an orphaned computer object is left in Azure AD DS.
Delete the virtual machine
If you will not be using this Windows Server virtual machine, delete the virtual machine using the following steps:
- In the menu on the left, select Resource groups.
- Choose your resource group, such as myResourceGroup.
- Choose your virtual machine, such as myVM, then select Delete. Select Yes to confirm the deletion of the resource. It takes a few minutes to remove the virtual machine.
- When the virtual machine is removed, select the OS disk, network interface card, and any other resources with the myVM- prefix and delete them.
Troubleshoot domain join
The Windows Server VM should join the managed domain successfully, in the same way that a regular on-premises computer would join an Active Directory Domain Services domain. If the Windows Server VM cannot join the managed domain, there is a problem with connectivity or credentials. Review the following troubleshooting sections to successfully join the managed domain.
Connectivity issues
If you do not receive a message asking for credentials to join the domain, there is a connectivity problem. The VM cannot reach the managed domain in the virtual network.
After trying each of these troubleshooting steps, try joining the Windows Server virtual machine to the managed domain again.
- Verify that the virtual machine is connected to the same virtual network where Azure AD DS is enabled, or has a peered network connection to it.
- Try to ping the DNS domain name of the managed domain, such as ping aaddscontoso.com.
  - If the ping request fails, try pinging the managed domain IP addresses, such as ping 10.0.0.4. The IP addresses for your environment are displayed on the Properties page when you select the managed domain from your list of Azure resources.
  - If you can ping the IP address but not the domain name, DNS may be configured incorrectly. Confirm that the managed domain IP addresses are configured as DNS servers for the virtual network.
- Try flushing the DNS resolver cache on the virtual machine using the ipconfig /flushdns command.
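The connectivity checks above, collected into one script that is an added example and not part of the original article. It runs inside the Windows Server VM in an elevated PowerShell session; the domain name and the two domain controller addresses are placeholders to replace with the values from the managed domain's Properties page.

```powershell
# Added example (not from the original article): walk through the connectivity checks
# from the troubleshooting list in order, so the failing layer (DNS config, name
# resolution, reachability, or a blocked port) is visible before retrying the join.
$domainName = 'aaddscontoso.com'                 # placeholder
$domainIps  = @('10.0.0.4', '10.0.0.5')          # placeholders: managed domain DC addresses

Write-Host "== 1. DNS servers configured on this VM (should be the managed domain IPs) =="
$configured = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses }).ServerAddresses | Select-Object -Unique
$configured | ForEach-Object { Write-Host "   $_" }
$missing = $domainIps | Where-Object { $_ -notin $configured }
if ($missing) { Write-Warning "Managed domain DNS servers not set on this VM: $($missing -join ', ')" }

Write-Host "== 2. Flush the resolver cache, then resolve the managed domain name =="
Clear-DnsClientCache                               # same effect as ipconfig /flushdns
try {
    Resolve-DnsName -Name $domainName -Type A -ErrorAction Stop |
        ForEach-Object { Write-Host "   $domainName -> $($_.IPAddress)" }
} catch {
    Write-Warning "Cannot resolve ${domainName}: $($_.Exception.Message)"
}

Write-Host "== 3. Reachability of each domain controller address =="
foreach ($ip in $domainIps) {
    $icmp = Test-Connection -ComputerName $ip -Count 2 -Quiet
    Write-Host ('   {0} ICMP ping: {1}' -f $ip, $(if ($icmp) { 'ok' } else { 'FAILED' }))
    # Ports a domain join depends on: 53 DNS, 88 Kerberos, 135 RPC, 389 LDAP, 445 SMB.
    foreach ($port in 53, 88, 135, 389, 445) {
        $tcp = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
        Write-Host ('      TCP {0,3}: {1}' -f $port,
                    $(if ($tcp.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }))
    }
}

Write-Host "== 4. Ask the DC locator which domain controller it would use for the join =="
nltest /dsgetdc:$domainName
```

If step 1 shows only the Azure-provided resolver and step 2 fails, the fix is the virtual network DNS setting described above, not anything on the VM itself.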
Credential-related issues
If you get a prompt asking for credentials to join the domain, but then get an error after entering those credentials, the virtual machine can connect to the managed domain. The credentials you provided do not allow the virtual machine to join the managed domain.
After trying each of these troubleshooting steps, try joining the Windows Server virtual machine to the managed domain again.
- Make sure the user account you specify belongs to the managed domain.
- Confirm that the account is part of the managed domain or Azure AD tenant. External directory accounts associated with your Azure AD tenant cannot successfully authenticate during the domain join process.
- Try using the UPN format to specify the credentials, such as contosoadmin@aaddscontoso.onmicrosoft.com. If there are many users with the same UPN prefix in your tenant, or if your UPN prefix is too long, the SAMAccountName for your account may be generated automatically. In these cases, the SAMAccountName format of your account may be different from what you expect or use in your on-premises domain.
- Check that you have enabled password synchronization to your managed domain. Without this configuration step, the required password hashes will not be present in the managed domain to successfully authenticate your sign-in attempt.
- Wait for the password sync to complete. When the password of a user account is changed, an automatic background synchronization from Azure AD updates the password in Azure AD DS. It takes some time for the password to be available for use in joining a domain.
Next steps
In this tutorial, you learned how to:
- Create a Windows Server virtual machine
- Connect the Windows Server virtual machine to an Azure virtual network
- Join the virtual machine to the managed domain
To administer your managed domain, configure a management VM using the Active Directory Administrative Center (ADAC).
Install management tools on a management VM