7,023 questions
Entra Managed Domain Services management Azure VM cannot domain join for AD DS Administrative Tools
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(316.8, 94%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAR%3C/text%3E%3C/svg%3E)
Alexi Richardson
0
Reputation points
Hello,
I am trying to configure a management VM for my managed domain service according to the tutorial which is the Install management tools step for the Windows VM server:
https://learn.microsoft.com/en-us/entra/identity/domain-services/tutorial-create-management-vm
I have executed all prerequisites successfully, until trying to configure a management VM everything worked fine, the domain services are running and my VM is joined to the domain. I can see that in the Server Manager and also in the ipconfig /all. I was able to join the VM to the domain using my Admin account that has the Domain Services Contributor role.
When I try to open the Active Directory Administrative Center (or any other app) I get the error:
Cannot connect to any domain. Refresh or try again when connection is available.
What I have checked:
- The DNS server addresses are correctly set and can be pinged in the VM and in the VNET.
- I see the server VM Network interface in the list of connected devices that also shows the two Entra Domain Services managed DCs/DNS servers and the.
- The VM and the managed domain are in the same VNET. The DCs/DNS servers are in a different subnet than the domain-joined VM.
- NSG policies are set to allow any inbound traffic from VNET.
- Domain resource is healthy
- NSG that was auto-created with the managed domain has 3389 and 5986 opened to CorpNetSaw and AzureActiveDirectoryDomainServices respectively.
- I am logging in using the local administrator account via the Azure Bastion (according to doc, bastion login is the only possible after configuring a management VM anyways)
- I am deploying Windows Server 2022 Datacenter Azure Edition
I have followed the tutorial to the latter and also checked a youtube video and can't see where I went wrong. Especially since joining the VMs to the domain works flawlessly I can't understand why all of a sudden the domain can't be reached after installing Remote Server Administration Tools.
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID
25,191 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator2024-03-12T10:35:43.3766667+00:00 @Alexi Richardson Thank you for reaching out to us, As I understand you are trying to install management tools on a VM which is joined to managed domain.
Try to install the management tools via account which is Members of the Microsoft Entra DC Administrators group?
Same has been documented here - https://learn.microsoft.com/en-us/entra/identity/domain-services/faqs#:~:text=in%20Azure.-,Administration%20and%20operations,-Can%20I%20connect
Would request you to login with the account which is Members of the Microsoft Entra DC Administrators group and let me know the results/outcome.
Let me know if you have any further questions, feel free to post back.
-
Alexi Richardson 0 Reputation points
2024-03-12T15:01:29.61+00:00 Hello @Givary-MSFT ,
I will provide more details as what you described is part of the problem. I also forgot to mention that I have verified the Windows VM has Microsoft.Azure.ActiveDirectory.AADLoginForWindows extension installed in order to allow for Azure AD login.
I started to think that what you described could be the problem since I have only been able to sign into the domain-joined Windows VM with the local admin account via the Azure portal Bastion RDP in the browser. And because of this, when I attempt to install any roles/features for AD DS in the VM it will not work due to the logged in account no being a Azure DS domain admin.
However, here is why I cannot do what you describe. I have already attempted many times to sign into the Windows VM with multiple Azure AD admin accounts that have the correct Azure role assignments, specifically Virtual Machine Administrator Login. The problem is that none of the sign username formats are working, neither AzureAD\username@domain, nor username@domain. Both of these fail even though the windows VM is already domain joined and I have configured RDP on the VM to allow OURDOMAIN\AdminUserX to sign into it via RDP. I have also ensured password has sync by resetting these relevant user accounts passwords. It is odd because the user account I am using to try to sign into the VM is the same as the one I used to domain join the VM and is a member of AAD DC Administrators!
Since I have not been able to sign into the already domain-joined windows VM via Azure portal RDP with this AAD DC Admin account, I am not able to to install any Windows server roles/features because it fails due to only being able to sign in with the local admin account still!
Can you advise how to proceed? We pay MS/Azure per month on our business premium plan and this is blocking my progress for Azure AD LDAP authentication as everything is working but I cannot set up DNS management on this Windows server VM which I need for conditional forwarders to the Azure DS manage domain controllers. Is there an Azure AD engineering team I can escalate this to or submit a case? This is imperative for our business operations. Thank you.
-
Alexi Richardson 0 Reputation points
2024-03-12T15:14:49+00:00 Hello @Givary-MSFT
Thank you for your response, however, what you described is a problem for me because I have already attempted multiple times to log into the domain-joined Azure VM with my admin account that is a member of AAD DC Administrators. I have also verified the VM extension Microsoft.Azure.ActiveDirectory.AADLoginForWindows is installed which allows for Azure AD login. Additionally, I have ensure password has sync with Azure AD directory by resetting the password of my Azure AD admin account I am using to attempt to sign in via Azure portal Bastion RDP. Moreover, I have also configured the Azure role assignment Virtual Machine Administrator Login for my user account.
I agree that the problem has to do with the fact that I am trying to install Windows server roles/features for AD DS while being logged in as the local admin account. But I am not able to sign into the domain-joined VM with any Azure AD account via Azure portal RDP! I have tried the three sign syntax formats: AzureAD*@domain.com, AzureAD*@domain.onmicrosoft.com, and ******@domain.com. None of these work.
I have also verified manually in the VM that RDP is setup and I have explicitly allowed the Azure DOMAIN admin users to the RDP authentication list in the VM system settings. These user accounts came up without a problem under DOMAIN\MyAzureadminuser when performing Check Names, which indicates to me that the Domain join and directory syncing is working fine. What is odd is that the user account I am trying to sign into the VM with via Azure portal RDP is the same account I used to domain join the VM without a problem.
Can you please advise how I should proceed? This is imperative to our business as I cannot use Entra Domain Services as our business requires without setting up this Windows management VM server with the correct roles/features tools to preform DNS domain management. Our business pays MS/Azure monthly for a premium plan so is there an Azure AD engineer this can be escalated to or how can I submit a high priority case as this is a blocker for our business. Thank you.
-
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
2024-03-12T15:37:37.1866667+00:00 @Alexi Richardson Replied to you via private message.
Sign in to comment
Sign in to answer