Tutorial: Join a Windows Server virtual machine to a managed domain

Azure Active Directory Domain Services (Azure AD DS) provides managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM authentication that is fully compatible with Windows Server Active Directory. With an Azure AD DS managed domain, you can provide domain join features and management to virtual machines (VMs) in Azure. This tutorial shows you how to create a Windows Server VM then join it to an Azure AD DS managed domain.

In this tutorial, you learn how to:

  • Create a Windows Server VM
  • Connect the Windows Server VM to an Azure virtual network
  • Join the VM to the Azure AD DS managed domain

If you don't have an Azure subscription, create an account before you begin.

Prerequisites

To complete this tutorial, you need the following resources:

If you already have a VM that you want to domain-join, skip to the section to join the VM to the Azure AD DS managed domain.

Sign in to the Azure portal

In this tutorial, you create a Windows Server VM to join to your Azure AD DS managed domain using the Azure portal. To get started, first sign in to the Azure portal.

Create a Windows Server virtual machine

To see how to join a computer to an Azure AD DS managed domain, let's create a Windows Server VM. This VM is connected to an Azure virtual network that provides connectivity to the Azure AD DS managed domain. The process to join an Azure AD DS managed domain is the same as joining a regular on-premises Active Directory Domain Services domain.

If you already have a VM that you want to domain-join, skip to the section to join the VM to the Azure AD DS managed domain.

  1. From the Azure portal menu or from the Home page, select Create a resource.

  2. From Get started, choose Windows Server 2016 Datacenter.

    Choose to create a Windows Server 2016 Datacenter VM in the Azure portal

  3. In the Basics window, configure the core settings for the virtual machine. Leave the defaults for Availability options, Image, and Size.

    Parameter Suggested value
    Resource group Select or create a resource group, such as myResourceGroup
    Virtual machine name Enter a name for the VM, such as myVM
    Region Choose the region to create your VM in, such as East US
    Username Enter a username for the local administrator account to create on the VM, such as azureuser
    Password Enter, and then confirm, a secure password for the local administrator to create on the VM. Don't specify a domain user account's credentials.
  4. By default, VMs created in Azure are accessible from the Internet using RDP. When RDP is enabled, automated sign in attacks are likely to occur, which may disable accounts with common names such as admin or administrator due to multiple failed successive sign in attempts.

    RDP should only be enabled when required, and limited to a set of authorized IP ranges. This configuration helps improve the security of the VM and reduces the area for potential attack. Or, create and use an Azure Bastion host that allows access only through the Azure portal over TLS. In the next step of this tutorial, you use an Azure Bastion host to securely connect to the VM.

    Under Public inbound ports, select None.

  5. When done, select Next: Disks.

  6. From the drop-down menu for OS disk type, choose Standard SSD, then select Next: Networking.

  7. Your VM must connect to an Azure virtual network subnet that can communicate with the subnet your Azure AD DS managed domain is deployed into. We recommend that an Azure AD DS managed domain is deployed into its own dedicated subnet. Don't deploy your VM in the same subnet as your Azure AD DS managed domain.

    There are two main ways to deploy your VM and connect to an appropriate virtual network subnet:

    • Create a, or select an existing, subnet in the same the virtual network as your Azure AD DS managed domain is deployed.
    • Select a subnet in an Azure virtual network that is connected to it using Azure virtual network peering.

    If you select a virtual network subnet that isn't connected to the subnet for your Azure AD DS instance, you can't join the VM to the managed domain. For this tutorial, let's create a new subnet in the Azure virtual network.

    In the Networking pane, select the virtual network in which your Azure AD DS-managed domain is deployed, such as aaads-vnet

  8. In this example, the existing aaads-subnet is shown that the Azure AD DS managed domain is connected to. Don't connect your VM to this subnet. To create a subnet for the VM, select Manage subnet configuration.

    Choose to manage the subnet configuration in the Azure portal

  9. In the left-hand menu of the virtual network window, select Address space. The virtual network is created with a single address space of 10.0.2.0/24, which is used by the default subnet. Other subnets, such as for workloads or Azure Bastion may also already exist.

    Add an additional IP address range to the virtual network. The size of this address range and the actual IP address range to use depends on other network resources already deployed. The IP address range shouldn't overlap with any existing address ranges in your Azure or on-premises environment. Make sure that you size the IP address range large enough for the number of VMs you expect to deploy into the subnet.

    In the following example, an additional IP address range of 10.0.5.0/24 is added. When ready, select Save.

    Add an additional virtual network IP address range in the Azure portal

  10. Next, in the left-hand menu of the virtual network window, select Subnets, then choose + Subnet to add a subnet.

  11. Select + Subnet, then enter a name for the subnet, such as management. Provide an Address range (CIDR block), such as 10.0.5.0/24. Make sure that this IP address range doesn't overlap with any other existing Azure or on-premises address ranges. Leave the other options as their default values, then select OK.

    Create a subnet configuration in the Azure portal

  12. It takes a few seconds to create the subnet. Once it's created, select the X to close the subnet window.

  13. Back in the Networking pane to create a VM, choose the subnet you created from the drop-down menu, such as management. Again, make sure you choose the correct subnet and don't deploy your VM in the same subnet as your Azure AD DS managed domain.

  14. For Public IP, select None from the drop-down menu, as you use Azure Bastion to connect to the management and don't need a public IP address assigned.

  15. Leave the other options as their default values, then select Management.

  16. Set Boot diagnostics to Off. Leave the other options as their default values, then select Review + create.

  17. Review the VM settings, then select Create.

It takes a few minutes to create the VM. The Azure portal shows the status of the deployment. Once the VM is ready, select Go to resource.

Go to the VM resource in the Azure portal once it's successfully created

Connect to the Windows Server VM

To securely connect to your VMs, use an Azure Bastion host. With Azure Bastion, a managed host is deployed into your virtual network and provides web-based RDP or SSH connections to VMs. No public IP addresses are required for the VMs, and you don't need to open network security group rules for external remote traffic. You connect to VMs using the Azure portal from your web browser.

To use a Bastion host to connect to your VM, complete the following steps:

  1. In the Overview pane for your VM, select Connect, then Bastion.

    Connect to Windows virtual machine using Bastion in the Azure portal

  2. Enter the credentials for your VM that you specified in the previous section, then select Connect.

    Connect through the Bastion host in the Azure portal

If needed, allow your web browser to open pop-ups for the Bastion connection to be displayed. It takes a few seconds to make the connection to your VM.

Join the VM to the Azure AD DS managed domain

With the VM created and a web-based RDP connection established using Azure Bastion, now let's join the Windows Server virtual machine to the Azure AD DS managed domain. This process is the same as a computer connecting to a regular on-premises Active Directory Domain Services domain.

  1. If Server Manager doesn't open by default when you sign in to the VM, select the Start menu, then choose Server Manager.

  2. In the left pane of the Server Manager window, select Local Server. Under Properties on the right pane, choose Workgroup.

    Open Server Manager on the VM and edit the workgroup property

  3. In the System Properties window, select Change to join the Azure AD DS managed domain.

    Choose to change the workgroup or domain properties

  4. In the Domain box, specify the name of your Azure AD DS managed domain, such as aaddscontoso.com, then select OK.

    Specify the Azure AD DS managed domain to join

  5. Enter domain credentials to join the domain. Use the credentials for a user that's a part of the Azure AD DS managed domain. The account must be part of the Azure AD DS managed domain or Azure AD tenant - accounts from external directories associated with your Azure AD tenant can't correctly authenticate during the domain-join process. Account credentials can be specified in one of the following ways:

    • UPN format (recommended) - Enter the user principal name (UPN) suffix for the user account, as configured in Azure AD. For example, the UPN suffix of the user contosoadmin would be contosoadmin@aaddscontoso.onmicrosoft.com. There are a couple of common use-cases where the UPN format can be used reliably to sign in to the domain rather than the SAMAccountName format:
      • If a user's UPN prefix is long, such as deehasareallylongname, the SAMAccountName may be autogenerated.
      • If multiple users have the same UPN prefix in your Azure AD tenant, such as dee, their SAMAccountName format might be autogenerated.
    • SAMAccountName format - Enter the account name in the SAMAccountName format. For example, the SAMAccountName of user contosoadmin would be AADDSCONTOSO\contosoadmin.
  6. It takes a few seconds to join to the Azure AD DS managed domain. When complete, the following message welcomes you to the domain:

    Welcome to the domain

    Select OK to continue.

  7. To complete the process to join to the Azure AD DS managed domain, restart the VM.

Tip

You can domain-join a VM using PowerShell with the Add-Computer cmdlet. The following example joins the AADDSCONTOSO domain and then restarts the VM. When prompted, enter the credentials for a user that's a part of the Azure AD DS managed domain:

Add-Computer -DomainName AADDSCONTOSO -Restart

To domain-join a VM without connecting to it and manually configuring the connection, you can use the Set-AzVmAdDomainExtension Azure PowerShell cmdlet.

Once the Windows Server VM has restarted, any policies applied in the Azure AD DS managed domain are be pushed to the VM. You can also now sign in to the Windows Server VM using appropriate domain credentials.

Clean up resources

In the next tutorial, you use this Windows Server VM to install the management tools that let you administer the Azure AD DS managed domain. If you don't want to continue in this tutorial series, review the following clean up steps to delete the VM. Otherwise, continue to the next tutorial.

Un-join the VM from Azure AD DS managed domain

To remove the VM from the Azure AD DS managed domain, follow through the steps again to join the VM to a domain. Instead of joining the Azure AD DS managed domain, choose to join a workgroup, such as the default WORKGROUP. After the VM has rebooted, the computer object is removed from the Azure AD DS managed domain.

If you delete the VM without unjoining from the domain, an orphaned computer object is left in Azure AD DS.

Delete the VM

If you're not going use this Windows Server VM, delete the VM using the following steps:

  1. From the left-hand menu, select Resource groups
  2. Choose your resource group, such as myResourceGroup.
  3. Choose your VM, such as myVM, then select Delete. Select Yes to confirm the resource deletion. It takes a few minutes to delete the VM.
  4. When the VM is deleted, select the OS disk, network interface card, and any other resources with the myVM- prefix and delete them.

Troubleshoot domain-join issues

The Windows Server VM should successfully join to the Azure AD DS managed domain, the same way as a regular on-premises computer would join an Active Directory Domain Services domain. If the Windows Server VM can't join the Azure AD DS managed domain, that indicates there's a connectivity or credentials-related issue. Review the following troubleshooting sections to successfully join the managed domain.

Connectivity issues

If you don't receive a prompt that asks for credentials to join the domain, there's a connectivity problem. The VM can't reach the Azure AD DS managed domain on the virtual network.

After trying each of these troubleshooting steps, try to join the Windows Server VM to the managed domain again.

  • Verify the VM is connected to the same virtual network that Azure AD DS is enabled in, or has a peered network connection.
  • Try to ping the DNS domain name of the managed domain, such as ping aaddscontoso.com.
    • If the ping request fails, try to ping the IP addresses for the managed domain, such as ping 10.0.0.4. The IP address for your environment is displayed on the Properties page when you select the Azure AD DS managed domain from your list of Azure resources.
    • If you can ping the IP address but not the domain, DNS may be incorrectly configured. Confirm that the IP addresses of the managed domain are configured as DNS servers for the virtual network.
  • Try to flush the DNS resolver cache on the virtual machine using the ipconfig /flushdns command.

If you receive a prompt that asks for credentials to join the domain, but then an error after you enter those credentials, the VM is able to connect to the Azure AD DS managed domain. The credentials you provided don't then let the VM join the Azure AD DS managed domain.

After trying each of these troubleshooting steps, try to join the Windows Server VM to the managed domain again.

  • Make sure that the user account you specify belongs to the Azure AD DS managed domain.
  • Confirm that the account is part of the Azure AD DS managed domain or Azure AD tenant. Accounts from external directories associated with your Azure AD tenant can't correctly authenticate during the domain-join process.
  • Try using the UPN format to specify credentials, such as contosoadmin@aaddscontoso.onmicrosoft.com. If there are many users with the same UPN prefix in your tenant or if your UPN prefix is overly long, the SAMAccountName for your account may be autogenerated. In these cases, the SAMAccountName format for your account may be different from what you expect or use in your on-premises domain.
  • Check that you have enabled password synchronization to your managed domain. Without this configuration step, the required password hashes won't be present in the Azure AD DS managed domain to correctly authenticate your sign in attempt.
  • Wait for password synchronization to be completed. When a user account's password is changed, an automatic background synchronization from Azure AD updates the password in Azure AD DS. It takes some time for the password to be available for domain-join use.

Next steps

In this tutorial, you learned how to:

  • Create a Windows Server VM
  • Connect to the Windows Server VM to an Azure virtual network
  • Join the VM to the Azure AD DS managed domain

To administer your Azure AD DS managed domain, configure a management VM using the Active Directory Administrative Center (ADAC).