How to use Azure domain accounts on more than one server?

Jonathan Searles 0 Reputation points
2024-02-23T10:47:05.43+00:00

I've been trying to join a second server to a domain (in Microsoft Entra Domain Services) and when I enter the credentials to join a second server, Server Manager returns the error "An account with the same name exists in Active Directory. Reusing the account was blocked by security policy." In the past, I have worked on Windows AD domain controllers that used the same bank of accounts for multiple servers in the domain, so I'm assuming that what I'm trying to do is fairly standard (although I've never attempted it in Azure before).

Which "security policy," for example, do I have to change in order to use my domain accounts across all servers in the domain? Is this functionality not available without a more premium subscription, or a more premium license on Entra Domain Services? Can this be done in Azure at all? I'm getting the impression that I'm missing something obvious. I've always been under the impression that domain accounts are specifically for use on multiple servers in a domain.


1 answer

Akshay-MSFT 17,771 Reputation points Microsoft Employee
    2024-02-26T11:32:43.75+00:00

    @Jonathan Searles

    Thank you for posting your query on Microsoft Q&A. From the above description I could understand that you are getting the error "An account with the same name exists in Active Directory. Reusing the account was blocked by security policy." when trying to domain join a VM onto Microsoft Entra Managed Domain Services.

    Please do correct me if this is not the issue by responding in the comments section.

    This error is talking about reusing the computer account and not the user account, as the computer account might have the same name as a previously joined server.

    This could be because of a known AD issue with KB5020276 (Netjoin: Domain join hardening changes).

    Kindly perform the following actions on the Entra Domain services Management VM:

    Configure the new allow list policy using the Group Policy on a domain controller and remove any legacy client-side workarounds. Then, do the following:

    1. You must install the September 12, 2023 or later updates on all member computers and domain controllers. 
    2. In a new or existing group policy that applies to all domain controllers, configure the settings in the steps below.
    3. Under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, double-click Domain controller: Allow computer account re-use during domain join.
    4. Select Define this policy setting and <Edit Security…>.
    5. Use the object picker to add users or groups of trusted computer account creators and owners to the Allow permission. (As a best practice, we highly recommend that you use groups for permissions.) Do not add the user account that performs the domain join.

    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks, Akshay Kaushik
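A pre-join check that shows which computer account the error is about, added here as an example and not part of the answer above. It assumes the RSAT ActiveDirectory module is available on the Entra Domain Services management VM and that the caller can read the managed domain; the function name, its parameters and the sample server name 'SRV02' are this example's own choices.

```powershell
# Added example, not from the answer above. Assumes the RSAT ActiveDirectory module
# is installed and the session runs on a domain-joined management VM with read access.
# Looks up the computer account a new server would join with, and reports who created
# it and who owns it, which is what the domain join hardening in KB5020276 compares
# against the joining user before allowing the existing account to be re-used.

Import-Module ActiveDirectory

function Test-ComputerAccountReuse {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,  # name the new server will join with
        [string] $Server                                  # optional DC or managed-domain DNS name
    )

    $lookup = @{
        Filter     = "Name -eq '$ComputerName'"
        Properties = 'OperatingSystem', 'LastLogonDate', 'whenCreated', 'mS-DS-CreatorSID', 'nTSecurityDescriptor'
    }
    if ($Server) { $lookup['Server'] = $Server }

    $existing = Get-ADComputer @lookup
    if (-not $existing) {
        # No clash: the join will create a fresh computer account.
        return [pscustomobject]@{ ComputerName = $ComputerName; Exists = $false }
    }

    # mS-DS-CreatorSID is a raw SID byte array and is only populated when the account
    # was created by a non-administrator; resolve it to a name where possible.
    $creator = $null
    if ($existing.'mS-DS-CreatorSID') {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($existing.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }
    }

    return [pscustomobject]@{
        ComputerName      = $ComputerName
        Exists            = $true
        DistinguishedName = $existing.DistinguishedName
        OperatingSystem   = $existing.OperatingSystem
        Created           = $existing.whenCreated
        LastLogonDate     = $existing.LastLogonDate
        CreatedBy         = $creator
        Owner             = $existing.nTSecurityDescriptor.Owner
    }
}

# Usage: run before the join, with the hostname the second server will use.
Test-ComputerAccountReuse -ComputerName 'SRV02' | Format-List
```

If the account exists and CreatedBy or Owner is the user doing the join, the hardened join succeeds without any policy change; if it was created by someone else (for example the account used to build the first server), that creator or, better, a group containing the trusted creators is what goes on the allow list in the policy steps above. A LastLogonDate far in the past together with an unknown creator usually points at a stale object from a decommissioned server, which can be removed after confirming nothing still uses it, rather than widening the allow list.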

