Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, Group Policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows Server Active Directory. With an Azure AD DS managed domain, you can domain-join and manage VMs running in Azure. This tutorial shows you how to create a Windows Server VM and then join it to a managed domain.
In this guide, you'll learn how to:
- Create a Windows Server VM
- Connect the Windows Server VM to the Azure virtual network
- Join the VM to the managed domain
If you don't have an Azure subscription, create an account before you start.
Prerequisites
To complete this tutorial, you'll need the following resources:
- An active Azure subscription.
  - If you don't have an Azure subscription, create an account.
- An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
  - If necessary, create an Azure Active Directory tenant or associate your Azure subscription with your account.
- An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
  - If necessary, create and configure an Azure Active Directory Domain Services managed domain.
- A user account that is part of the managed domain.
  - Make sure that Azure AD Connect password hash synchronization or self-service password reset has been performed so that the account can sign in to the managed domain.
- An Azure Bastion host deployed in the Azure AD DS virtual network.
  - If necessary, create an Azure Bastion host.
If you already have a VM that you want to domain-join, skip to the section Join the VM to the managed domain.
Sign in to the Azure portal
In this tutorial, you create a Windows Server VM to join to a managed domain using the Azure portal. To get started, first sign in to the Azure portal.
Create a Windows Server VM
To see how you can join a computer to a managed domain, let's create a Windows Server VM. This VM is connected to an Azure virtual network that provides connectivity to the managed domain. The process of joining a managed domain is the same as joining a regular on-premises Active Directory Domain Services domain.
If you already have a VM that you want to domain-join, skip to the section Join the VM to the managed domain.
From the Azure portal menu or from the Home page, select Create a resource.
From Get started, choose Windows Server 2016 Datacenter.
In the Basics window, configure the core settings for the virtual machine. Leave the defaults for Availability options, Image, and Size.
- Resource group: Select or create a resource group, for example myResourceGroup.
- Virtual machine name: Enter a name for the VM, for example myVM.
- Region: Choose the region in which to create the VM, for example East US.
- Username: Enter a username for the local administrator account that is created on the VM, for example azureuser.
- Password: Enter and then confirm a strong password for the local administrator created on the VM. Don't enter domain user account credentials here.
By default, VMs created in Azure are accessible from the internet using RDP. When RDP is enabled, automated sign-in attacks are likely to occur, and they can lock out accounts with common names such as admin or administrator after multiple consecutive failed sign-in attempts.
RDP should be enabled only when necessary and restricted to a set of authorized IP address ranges. This configuration improves the security of the VM and reduces the attack surface. Alternatively, create and use an Azure Bastion host, which allows access only through the Azure portal over TLS. In the next step of this tutorial, you use an Azure Bastion host to securely connect to the VM.
Under Public inbound ports, select None.
When you're done, select Next: Disks.
From the drop-down menu for OS disk type, choose Standard SSD, then select Next: Networking.
The VM must be connected to an Azure virtual network subnet that can communicate with the subnet where the managed domain is located. We recommend placing the managed domain in its own dedicated subnet. Don't deploy a VM in the same subnet as the managed domain.
There are two main ways to deploy a virtual machine and connect it to the appropriate virtual network subnet:
- Create or select an existing subnet in the same virtual network where the managed domain is configured.
- Select a subnet in an Azure virtual network that is connected to the managed domain's virtual network using Azure virtual network peering.
If you select a virtual network subnet that isn't connected to the subnet of the managed domain, you can't join the VM to the managed domain. For this tutorial, let's create a new subnet in the Azure virtual network.
In the Networking window, select the virtual network in which the managed domain is configured, for example aaads-vnet.
In this example, the existing aaads-subnet to which the managed domain is connected is shown. Don't connect the VM to this subnet. To create a subnet for the VM, select Manage subnet configuration.
In the left menu of the virtual network window, select Address space. The virtual network is created with a single address space of 10.0.2.0/24, which is used by the default subnet. Other subnets, such as for workloads or Azure Bastion, may already exist.
Add an additional IP address range to the virtual network. The size of this address range and the actual IP address range to use depend on the other network resources already deployed. The IP address range must not overlap with any existing address ranges in your Azure or on-premises environment. Make sure the IP address range is large enough for the number of VMs you expect to deploy into the subnet.
In the following example, an additional IP address range of 10.0.5.0/24 is added. When ready, select Save.
Next, in the left menu of the virtual network window, select Subnets, then choose + Subnet to add a subnet.
Select + Subnet, then enter a name for the subnet, such as management. Provide an Address range (CIDR block), such as 10.0.5.0/24. Make sure this IP address range doesn't overlap with any other existing Azure or on-premises address ranges. Leave the other options as their default values, then select OK.
It takes a few seconds to create the subnet. When it's created, select the X to close the subnet window.
Back in the Networking window for creating the VM, choose the subnet you created from the drop-down menu, for example management. Double-check that the correct subnet is selected, and don't deploy the VM in the same subnet as the managed domain.
For Public IP, select None from the drop-down menu. Because you use Azure Bastion to connect to the VM for management in this tutorial, you don't need a public IP address assigned to the VM.
Leave the other options as their default values, then select Management.
Set Boot diagnostics to Off. Leave the other options as their default values, then select Review + create.
Review the VM settings, then select Create.
It takes a few minutes to create the VM. The Azure portal shows the status of the deployment. When the VM is ready, select Go to resource.
Log in to the Windows Server VM
Use the Azure Bastion host to securely connect to the VM. With Azure Bastion, a managed host is deployed into your virtual network and provides web-based RDP or SSH connections to your VMs. The VMs don't need public IP addresses, and you don't need to open NSG rules for external remote traffic. You connect to the VM using the Azure portal from your browser. If necessary, create an Azure Bastion host.
To use bastion host to connect to a VM, do the following:
In the Overview window for the VM, select Connect, then Bastion.
Enter the credentials for the VM that you entered in the previous section, then select Connect.
If necessary, allow your browser to open pop-ups to display the Bastion link. It takes a few seconds to connect to the virtual machine.
Join the VM to the managed domain
Now that the VM is created and a web-based RDP connection is established using Azure Bastion, let's join the Windows Server VM to the managed domain. This process is the same as joining a computer to a regular on-premises Active Directory Domain Services domain.
If Server Manager doesn't open by default when you sign in to the VM, select the Start menu, then choose Server Manager.
In the left pane of the Server Manager window, select Local Server. Under Properties in the right pane, select Workgroup.
In the System Properties window, select Change to join the managed domain.
In the Domain box, enter the name of your managed domain, such as aaddscontoso.com, then select OK.
Enter domain credentials to join the domain. Provide credentials for a user that is part of the managed domain. The account must be part of the managed domain or Azure AD tenant; accounts from external directories associated with the Azure AD tenant can't correctly authenticate during the domain-join process.
Account credentials can be specified in one of the following ways:
- UPN format (recommended): Enter the user principal name (UPN) of the user account as configured in Azure AD. For example, the UPN of the user contosoadmin would be contosoadmin@aaddscontoso.onmicrosoft.com. There are two common cases in which the UPN format can be reliably used to sign in to the domain but the SAMAccountName format can't:
  - If a user's UPN prefix is long, such as deehasareallylongname, the SAMAccountName may be automatically generated.
  - If multiple users have the same UPN prefix in the Azure AD tenant, such as dee, their SAMAccountName format might be automatically generated.
- SAMAccountName format: Enter the account name in the SAMAccountName format. For example, the SAMAccountName of the user contosoadmin would be AADDSCONTOSO\contosoadmin.
It takes a few seconds to join the managed domain. When complete, a message welcomes you to the domain.
Select OK to continue.
To complete the managed domain join process, restart the VM.
Tip
You can also domain-join the VM with PowerShell using the Add-Computer cmdlet. The following example joins the AADDSCONTOSO domain and then restarts the VM. When prompted, enter the credentials of a user who is part of the managed domain:
Add-Computer -DomainName AADDSCONTOSO -Restart
To domain-join a VM without connecting to it and configuring the join manually, you can use the Set-AzVMADDomainExtension Azure PowerShell cmdlet.
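The following PowerShell is an added example, not code from the Microsoft tutorial. It wraps the two approaches just described in functions: Join-ManagedDomainLocally runs inside the VM (for example over the Bastion session) and uses Add-Computer; Join-ManagedDomainRemotely runs from an administrative workstation that has the Az.Compute module and an authenticated Connect-AzAccount session, and uses Set-AzVMADDomainExtension. The function names are assumptions; the default resource group, VM name, managed domain and UPN are the tutorial's own sample values (myResourceGroup, myVM, aaddscontoso.com, contosoadmin@aaddscontoso.onmicrosoft.com) and should be changed for your environment.

```powershell
# Added example (not part of the tutorial): two ways to join a Windows Server VM to an
# Azure AD DS managed domain. Default values are the tutorial's sample names (assumptions).

function Join-ManagedDomainLocally {
    # Run inside the VM. Joins the managed domain and restarts, like the tutorial's one-liner.
    param(
        [string]$DomainName = 'aaddscontoso.com',
        [string]$JoinUser   = 'contosoadmin@aaddscontoso.onmicrosoft.com'   # UPN format, as the tutorial recommends
    )
    # Prompt for the password instead of embedding it in the script or command history.
    $credential = Get-Credential -UserName $JoinUser -Message "Password for $JoinUser"

    # -Force suppresses the confirmation prompt; the restart is required to complete the join.
    Add-Computer -DomainName $DomainName -Credential $credential -Restart -Force
}

function Join-ManagedDomainRemotely {
    # Run from your admin workstation, not the VM. Requires the Az.Compute module and a prior
    # Connect-AzAccount. The VM extension performs the join on the VM and restarts it.
    param(
        [string]$ResourceGroupName = 'myResourceGroup',
        [string]$VMName            = 'myVM',
        [string]$DomainName        = 'aaddscontoso.com',
        [string]$JoinUser          = 'contosoadmin@aaddscontoso.onmicrosoft.com',
        [string]$OUPath            = ''   # optional distinguished name; empty accepts the managed domain's default container
    )
    $credential = Get-Credential -UserName $JoinUser -Message "Password for $JoinUser"

    $params = @{
        ResourceGroupName = $ResourceGroupName
        VMName            = $VMName
        Name              = 'joindomain'      # name of the extension resource attached to the VM
        DomainName        = $DomainName
        Credential        = $credential
        JoinOption        = 0x00000003        # NETSETUP_JOIN_DOMAIN (0x1) + NETSETUP_ACCT_CREATE (0x2)
        Restart           = $true
        Verbose           = $true
    }
    if ($OUPath) { $params['OUPath'] = $OUPath }

    Set-AzVMADDomainExtension @params
}

# Usage: inside the VM
#   Join-ManagedDomainLocally
# Usage: from the admin workstation
#   Join-ManagedDomainRemotely -ResourceGroupName 'myResourceGroup' -VMName 'myVM'
```

Both functions prompt for the domain user's password at run time rather than taking it as a parameter, so the secret never lands in a script file or the PowerShell history. The remote path is what you would use to join VMs as part of an automated deployment, since it needs neither an interactive session on the VM nor a public IP.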
After the Windows Server VM restarts, all policies applied to the managed domain are sent to the VM. You can also now log into the Windows Server VM with the appropriate domain credentials.
Clean up resources
In the next tutorial, you use this Windows Server VM to install the management tools that let you administer the managed domain. If you don't want to continue with this tutorial series, review the following clean-up steps to delete the VM. Otherwise, continue to the next tutorial.
Unjoin the VM from the managed domain
To remove the VM from the managed domain, follow the steps again to join the VM to the domain. Instead of joining a managed domain, choose to join a workgroup, such as the default WORKGROUP. After the VM restarts, the computer object is removed from the managed domain.
If you delete the VM without unjoining it from the domain, an orphaned computer object is left in Azure AD DS.
Delete the VM
If you don't plan to use this Windows Server VM, delete it using the following steps:
- From the left-hand menu, select Resource groups.
- Choose your resource group, such as myResourceGroup.
- Choose your VM, such as myVM, then select Delete. Select Yes to confirm the resource deletion. It takes a few minutes to delete the VM.
- When the VM is deleted, select the OS disk, network interface card, and any other resources with the myVM- prefix and delete them.
Troubleshoot domain join issues
The Windows Server VM should be successfully joined to the managed domain in the same way that a normal local computer would be joined to an Active Directory Domain Services domain. If the Windows Server VM is unable to join the managed domain, there is a connectivity or credential issue. Read the troubleshooting sections below to successfully join the managed domain.
Connectivity issues
If you don't receive a prompt asking for credentials to join the domain, there's a connectivity problem. The VM can't reach the managed domain on the virtual network.
After completing each of these troubleshooting steps, try to join the Windows Server VM to the managed domain again.
- Verify that the VM is connected to the same virtual network in which Azure AD DS is enabled, or has a peered network connection to it.
- Try to ping the DNS domain name of the managed domain, such as ping aaddscontoso.com.
  - If the ping request fails, try to ping the IP addresses of the managed domain, such as ping 10.0.0.4. The IP addresses for your environment are listed on the Properties page when you select the managed domain from your list of Azure resources.
  - If you can ping the IP address but not the domain, DNS may be incorrectly configured. Confirm that the IP addresses of the managed domain are configured as the DNS servers for the virtual network.
- Try to flush the DNS resolver cache on the VM using the ipconfig /flushdns command.
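The ping and DNS checks above can be collected in one pass. The following PowerShell function is an added example, not part of the Microsoft tutorial; run it inside the VM that fails to join. It reports which DNS servers the VM actually uses, whether the domain name resolves, whether the LDAP SRV record a domain join depends on is published, and whether the Kerberos, LDAP, SMB and DNS ports on each domain controller are reachable. The function name and the default domain controller addresses (10.0.0.4 and 10.0.0.5) are assumptions; the tutorial shows only 10.0.0.4, so read the real addresses from the managed domain's Properties page and pass them in.

```powershell
# Added example (not part of the tutorial): connectivity checks for a VM that fails to join
# the managed domain. Run inside the VM. Default IPs are constructed sample values.
function Test-ManagedDomainConnectivity {
    param(
        [string]$DomainName = 'aaddscontoso.com',
        [string[]]$DomainControllerIPs = @('10.0.0.4', '10.0.0.5')   # assumption: replace with your managed domain's IPs
    )
    $results = [ordered]@{}

    # 1. DNS servers in use on this VM. For a successful join they must be the managed domain's IPs,
    #    which is what the tutorial asks you to configure at the virtual network level.
    $dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object -ExpandProperty ServerAddresses |
        Sort-Object -Unique
    $results['DnsServers']               = $dnsServers -join ', '
    $results['DnsPointsAtManagedDomain'] = [bool]($dnsServers | Where-Object { $DomainControllerIPs -contains $_ })

    # 2. Does the domain name resolve, and to which addresses? (The "ping domain" test, without ICMP.)
    $resolved = Resolve-DnsName -Name $DomainName -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } |
        Select-Object -ExpandProperty IPAddress
    $results['ResolvedAddresses'] = $resolved -join ', '

    # 3. Domain-controller locator record. Without it, the join cannot find a DC even if the A record resolves.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    $results['LdapSrvRecordFound'] = [bool]$srv

    # 4. TCP reachability to each DC on the ports a domain join uses. A failure here with DNS working
    #    usually points at an NSG rule or a missing virtual network peering rather than DNS.
    $ports = [ordered]@{ DNS = 53; Kerberos = 88; LDAP = 389; SMB = 445 }
    foreach ($ip in $DomainControllerIPs) {
        foreach ($service in $ports.Keys) {
            $port = $ports[$service]
            $ok = (Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
            $results["$ip`:$port ($service)"] = $ok
        }
    }
    [pscustomobject]$results
}

# Usage inside the VM:
Test-ManagedDomainConnectivity -DomainControllerIPs @('10.0.0.4', '10.0.0.5') | Format-List
```

Read the output in order: DnsPointsAtManagedDomain false means the virtual network DNS settings are wrong (the "IP pings but domain does not" case above); ResolvedAddresses empty with correct DNS servers means the VM cannot reach the managed domain at all; port failures with working DNS point at network security group rules or peering between the VM's subnet and the managed domain's subnet.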
Credential issues
If you receive a prompt for credentials to join the domain but then get an error after you enter them, the VM can reach the managed domain, but the credentials you provided don't let the VM join it.
After completing each of these troubleshooting steps, try to join the Windows Server VM to the managed domain again.
- Make sure the user account you specify belongs to the managed domain.
- Confirm that the account is part of the managed domain or Azure AD tenant. Accounts from external directories associated with the Azure AD tenant can't correctly authenticate during the domain-join process.
- Try using the UPN format to specify credentials, such as contosoadmin@aaddscontoso.onmicrosoft.com. If there are multiple users in the tenant with the same UPN prefix, or if the UPN prefix is too long, the SAMAccountName for your account may be generated automatically. In these cases, the SAMAccountName of your account may differ from what you expect or use in your on-premises domain.
- Check that you have enabled password synchronization to the managed domain. Without this configuration step, the required password hashes don't exist in the managed domain to correctly authenticate your sign-in attempt.
- Wait for password synchronization to complete. When a user account's password is changed, an automatic background synchronization from Azure AD updates the password in Azure AD DS. It takes some time before the password is available for domain-join use.
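The credential problems listed above (an account from an external directory, a password hash that hasn't synchronized yet, or a SAMAccountName that was generated rather than the one you expected) can be told apart before retrying the join. The following PowerShell function is an added example, not part of the Microsoft tutorial; it runs inside the VM before the join, needs no RSAT tools, and performs an authenticated LDAP bind to the managed domain as the user, then looks up the sAMAccountName the managed domain actually holds for that account. The function name is an assumption; the domain and UPN are the tutorial's sample values.

```powershell
# Added example (not part of the tutorial): check whether a user's credentials are accepted by the
# managed domain and find the sAMAccountName Azure AD DS holds for the account. Run inside the VM.
function Test-ManagedDomainCredential {
    param(
        [string]$DomainName = 'aaddscontoso.com',                                   # tutorial's sample domain
        [pscredential]$Credential = (Get-Credential -UserName 'contosoadmin@aaddscontoso.onmicrosoft.com' `
                                                    -Message 'Domain user to test (UPN format recommended)')
    )
    Add-Type -AssemblyName System.DirectoryServices
    $user     = $Credential.UserName
    $password = $Credential.GetNetworkCredential().Password

    # Bind to the domain root as the user. The default authentication type is Secure (Negotiate),
    # so this exercises the same Kerberos/NTLM path a domain join uses. RefreshCache() forces the bind.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainName", $user, $password)
    try {
        $root.RefreshCache()
    } catch {
        # A logon failure here after a recent password change typically means the password hash
        # has not synchronized to the managed domain yet; for an account from an external directory
        # the bind never succeeds.
        return [pscustomobject]@{ User = $user; BindSucceeded = $false; SamAccountName = $null; Error = $_.Exception.Message }
    }

    # Locate the user's own object by UPN (or by sAMAccountName if DOMAIN\user form was given).
    $filter = if ($user -match '\\') {
        "(&(objectClass=user)(sAMAccountName=$($user.Split('\')[-1])))"
    } else {
        "(&(objectClass=user)(userPrincipalName=$user))"
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $null = $searcher.PropertiesToLoad.Add('sAMAccountName')
    $hit = $searcher.FindOne()

    [pscustomobject]@{
        User           = $user
        BindSucceeded  = $true
        SamAccountName = if ($hit) { $hit.Properties['samaccountname'][0] } else { $null }
        Error          = $null
    }
}

# Usage inside the VM (prompts for the password):
Test-ManagedDomainCredential -DomainName 'aaddscontoso.com'
```

If BindSucceeded is true, the credentials are valid and the join failure lies elsewhere; the SamAccountName column shows the exact name the managed domain generated, which is the value to use if you must join with the DOMAIN\user form instead of the recommended UPN form.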
Next steps
In this guide, you've learned how to:
- Create a Windows Server VM
- Connect the Windows Server VM to the Azure virtual network
- Join the VM to the managed domain
To manage a managed domain, set up a management VM using the Active Directory Admin Center (ADAC).
Install management tools on the management VM
FAQs
How do I connect my Windows VM to Azure AD?
- For Resource Group, select the resource group that contains the VM and its associated virtual network, network interface, public IP address, or load balancer resource.
- Select Access control (IAM).
- Select Add > Add role assignment to open the Add role assignment page.
- Assign the following role.
- If Server Manager doesn't open by default when you sign in to the VM, select the Start menu, then choose Server Manager.
- In the left pane of the Server Manager window, select Local Server. ...
- In the System Properties window, select Change to join the managed domain.
To deploy an Azure AD-joined VM, open the Virtual Machines tab, then select whether to join the VM to Active Directory or Azure Active Directory. Selecting Azure Active Directory gives you the option to enroll VMs with Intune automatically, which lets you easily manage your session hosts.
Can I join a Windows Server to Azure AD?
Since Windows Server VMs cannot be directly joined to Azure AD, you need to set up an Azure AD Domain Service (AAD DS). It will be synchronized with your Azure AD and allow the VM to join the domain.
How do I enable Azure AD login for an existing Windows VM?
- In the Azure portal, from the Virtual machines blade, select your Windows VM and then click Access control (IAM).
- Select Role assignments, then click + Add and then choose Add role assignment.
- Navigate to your SQL virtual machines resource in the Azure portal.
- Select Security configuration under Settings.
- Choose Enable under Azure AD authentication.
Open Windows PowerShell. Enter dsregcmd /status. Verify that both AzureAdJoined and DomainJoined are set to YES. You can use the DeviceId and compare the status on the service using either the Azure portal or PowerShell.
How do I know if my VM is joined to a domain?
- Open Command Prompt. Press Windows Key + R, then enter cmd in the Run window that appears. ...
- Enter systeminfo | findstr /B "Domain" in the Command Prompt window, and press Enter.
- If you are not joined to a domain, you should see 'Domain: WORKGROUP'.
Log on to the device. Open a command prompt (does not need to be as an administrator). Type the following command: dsregcmd /status. At the top of the output, the device should say "YES" for both Azure AD Joined and Domain Joined.
Does Azure AD require domain controllers on Azure virtual machines?
Azure Active Directory Domain Services (Azure AD DS), part of Microsoft Entra, enables you to use managed domain services—such as Windows Domain Join, group policy, LDAP, and Kerberos authentication—without having to deploy, manage, or patch domain controllers.
How do I connect to an Azure VM from my local machine?
- Go to the Azure portal to connect to a VM. Search for and select Virtual machines.
- Select the virtual machine from the list.
- Select Connect from the left menu.
- Select the option that fits with your preferred way of connecting. The portal helps walk you through the prerequisites for connecting.
Azure AD join: Supports Windows 10 and Windows 11 devices. Isn't supported on previous versions of Windows or other operating systems. If you have Windows 7/8.1 devices, you must upgrade at least to Windows 10 to deploy Azure AD join.
How do I manually join my computer to Azure AD?
Join Windows to Azure AD
The steps to join an existing corporate device to Azure AD are as follows: Open the Settings app, and then go to Accounts. Then sign in to your account. On the next window, click Join this device to Azure Active Directory and then complete the login using your credentials.
- Go to the Azure portal to connect to a VM. ...
- Select the virtual machine from the list.
- At the top of the virtual machine page, select Connect.
- On the Connect to virtual machine page, select RDP, and then select the appropriate IP address and Port number.
Azure AD Connect must be installed on a domain-joined Windows Server 2016 or later.
How do I add a virtual machine to Active Directory?
- Step 1: Create the Windows Server virtual machine. ...
- Step 2: Connect to the Windows Server virtual machine using the local administrator account. ...
- Step 3: Join the Windows Server virtual machine to the AAD-DS managed domain.