Unable to login via AADDS but can login to AD and EntraID

Ryan P 21 Reputation points
Jan 6, 2024, 12:15 AM

I have an onprem AD environment syncing with EntraID via Azure AD Connect in a hybrid environment. This works well.

I recently added Entra Domain Services. That seemed to go well. Everything looks healthy... but I can't authenticate any users.

  • Hash Sync is enabled.
  • Azure Connect is updated to 2.3.2.0.
  • The sync service has been restarted and a full (initial) sync completed.
  • I have changed the users' passwords in EntraID.

I know that the sync from onprem AD to EntraID is working as I can see all of the users from AD populated in EntraID. Is there a way to look at the users in Entra Domain Services?

Anything else that I might check?

One other thing I wonder is my domain. I read that it is best to use subdomain.domain.com. And that doing so will allow users to login with their normal upn of user@domain.com. Is that correct?

Would I be better to recreate Entra Domain services using domain.com?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

  1. Andy David - MVP 151.1K Reputation points MVP
    Jan 6, 2024, 2:45 AM

    You have to logon to the managed domain with the UPN of the managed domain, not the UPN of the Entra Account.

    If you create a custom domain name, take care with existing DNS namespaces. Although it's supported, you may want to use a domain name separate from any existing Azure or on-premises DNS namespace.

    For example, if you have an existing DNS name space of contoso.com, create a managed domain with the custom domain name of aaddscontoso.com. If you need to use secure LDAP, you must register and own this custom domain name to generate the required certificates.

    https://learn.microsoft.com/en-us/entra/identity/domain-services/synchronization

  2. Sandeep G-MSFT 20,371 Reputation points Microsoft Employee
    Jan 24, 2024, 8:38 AM

    @Ryan P

    Thank you for posting this in Microsoft Q&A.

    You can administer managed domain using the same Remote Server Administration Tools (RSAT) as with an on-premises Active Directory Domain Services domain.

    As Domain Services is a managed service, there are some administrative tasks that you can't perform, such as using remote desktop protocol (RDP) to connect to the domain controllers.

    Members of the AAD DC Administrators group are granted privileges on the managed domain that enables them to do tasks such as:

    • Configure the built-in group policy object (GPO) for the AADDC Computers and AADDC Users containers in the managed domain.
    • Administer DNS on the managed domain.
    • Create and administer custom organizational units (OUs) on the managed domain.
    • Gain administrative access to computers joined to the managed domain.

    The managed domain is locked down, so you don't have privileges to do certain administrative tasks on the domain. Some of the following examples are tasks you can't do:

    • Extend the schema of the managed domain.
    • Connect to domain controllers for the managed domain using Remote Desktop.
    • Add domain controllers to the managed domain.
    • You don't have Domain Administrator or Enterprise Administrator privileges for the managed domain.

    To install the Active Directory administrative tools, you can check the article below:

    https://learn.microsoft.com/en-us/entra/identity/domain-services/tutorial-create-management-vm#install-active-directory-administrative-tools

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

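The two answers together say: sign in with the managed domain's own UPN, and inspect the managed domain with RSAT from a management VM, since nothing else (RDP, domain admin) is available. The following PowerShell script is an added example, not code from either answer or from Microsoft. It assumes a management VM joined to the managed domain with the RSAT ActiveDirectory module installed, and it uses `aaddscontoso.com` (the placeholder name from the first answer) as the managed domain; substitute your own. It lists the UPN suffixes the managed domain exposes, enumerates the synced users with the attributes that show whether a password hash has arrived, shows who is in AAD DC Administrators, and finally performs an LDAP bind as one account so an authentication failure can be reproduced outside the login screen.

```powershell
# Added example (not from the Q&A thread): inspect a Domain Services managed
# domain from a management VM with the RSAT ActiveDirectory module.
# "aaddscontoso.com" is the placeholder from the first answer; replace it.
Import-Module ActiveDirectory

$ManagedDomain = 'aaddscontoso.com'
$domain = Get-ADDomain -Server $ManagedDomain
$forest = Get-ADForest -Server $ManagedDomain

# 1. UPN suffixes known to the managed domain. Compare this list with the
#    suffix you are typing at logon; the first answer says the managed
#    domain's own UPN is the one that works.
"UPN suffixes known to $($ManagedDomain):"
@($forest.RootDomain) + @($forest.UPNSuffixes) | Sort-Object -Unique |
    ForEach-Object { "  $_" }

# 2. Synced users. Domain Services places them in the "AADDC Users" OU
#    mentioned in the second answer. PasswordLastSet that is empty (or older
#    than the user's Entra ID password change) indicates the password hash
#    has not reached the managed domain yet (assumption based on the sync
#    doc linked in the first answer); LastLogonDate shows whether the
#    managed domain has ever authenticated the account.
$usersOu = "OU=AADDC Users,$($domain.DistinguishedName)"
Get-ADUser -Server $ManagedDomain -Filter * -SearchBase $usersOu `
    -Properties UserPrincipalName, PasswordLastSet, LastLogonDate, Enabled |
    Select-Object SamAccountName, UserPrincipalName, Enabled,
                  PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize

# 3. Delegated administrators of the managed domain. Only this group can
#    manage the built-in GPOs, DNS and custom OUs listed in the second answer.
"Members of 'AAD DC Administrators':"
Get-ADGroupMember -Server $ManagedDomain -Identity 'AAD DC Administrators' |
    Select-Object Name, SamAccountName, objectClass |
    Format-Table -AutoSize

# 4. Reproduce one user's logon as a plain LDAP simple bind against the
#    managed domain. Enter the user name as the managed-domain UPN
#    (user@aaddscontoso.com) when prompted. A failed bind with a correct
#    password points at the hash not being synced; a bind that succeeds
#    while the UI logon fails points at the UPN suffix being the problem.
$cred = Get-Credential -Message "Account to test against $ManagedDomain"
$entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$ManagedDomain",
    $cred.UserName,
    $cred.GetNetworkCredential().Password)
try {
    # Touching NativeObject forces the bind to happen now.
    $null = $entry.NativeObject
    "Bind as $($cred.UserName) succeeded"
} catch {
    "Bind as $($cred.UserName) failed: $($_.Exception.Message)"
} finally {
    $entry.Dispose()
}
```

Run it from an elevated PowerShell session on the management VM as a member of AAD DC Administrators. Step 4 sends the password over LDAP to the managed domain, so run it only from the VM inside the virtual network, not across the internet; if secure LDAP is configured, use `LDAP://` with port 636 and the registered custom domain name from the first answer instead.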
