Created a management VM for Azure AD DS - Local account works, AAD DC Admin account does not

forward.observations.group 11 Reputation points
2021-09-05T06:36:22.957+00:00

Hi all,

I recently configured a management VM and connectivity via a Bastion host to manage AAD DS following this guide: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm

Everything was going well up until the very last point when attempting to join the VM to the domain. The following instructions failed for me:

---

  1. Enter domain credentials to join the domain. Provide credentials for a user that's a part of the managed domain. The account must be part of the managed domain or Azure AD tenant - accounts from external directories associated with your Azure AD tenant can't correctly authenticate during the domain-join process.

Account credentials can be specified in one of the following ways:

  - UPN format (recommended) - Enter the user principal name (UPN) suffix for the user account, as configured in Azure AD. For example, the UPN suffix of the user contosoadmin would be contosoadmin@aaddscontoso.onmicrosoft.com. There are a couple of common use-cases where the UPN format can be used reliably to sign in to the domain rather than the SAMAccountName format:
    - If a user's UPN prefix is long, such as deehasareallylongname, the SAMAccountName may be autogenerated.
    - If multiple users have the same UPN prefix in your Azure AD tenant, such as dee, their SAMAccountName format might be autogenerated.
  - SAMAccountName format - Enter the account name in the SAMAccountName format. For example, the SAMAccountName of user contosoadmin would be AADDSCONTOSO\contosoadmin.

---

I tried numerous times to join with mycredential@subdomain.domain.com to no avail. Finally, on a whim, I tried with what I assumed was my SAMAccountName in the format subdomain.domain.com\my.username and the domain join was successful. Thinking all was well, I rebooted the machine and fully expected to be able to log in with my AAD DC Administrator account, but no combination of that username is working. Has anyone else run into this? I'm having a difficult time logging into the management VM but can still do so with the local admin account. I have verified that the VM is domain joined as expected, but am not able to run RSAT/domain tools due to the logged-on user context.

Any help would be greatly appreciated. Thank you.

--

Edit: I just tried the following:

  1. Logged on with local admin (known working)
  2. Launched ADAC (Active Directory Admin Center) as another user.
  3. Domain showing was "subdomain" portion. Entered my AAD DC Administrator account info
  4. ADAC launched and I am able to view domain resources.

What's going on here? Something tells me there's something off with the way I performed the domain join and the credentials used but if I can launch an app under those credentials, I figure I should be able to log in...

Tags: Azure Bastion, Microsoft Entra

1 answer

  1. Roderick Bant 2,051 Reputation points
    2021-09-06T11:50:31.967+00:00

    My first guess is that you are not allowed for Remote Desktop login on the VM. Can you check if the AAD DS group 'AAD DC Administrators' is a member of the local 'Administrators' group on the new domain joined VM? If not, please add it as a member group.

    1 person found this answer helpful.
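As an added example (not code from the original post or the answer), the following PowerShell script, run elevated on the management VM, performs the check the answer suggests: it confirms the VM is domain joined and adds the managed domain's 'AAD DC Administrators' group to the local Administrators group only if it is not already a member. The NetBIOS domain name is an assumed parameter; AADDSCONTOSO is the guide's placeholder, not a real tenant.

```powershell
# Added example: check and, if needed, grant the 'AAD DC Administrators' group
# membership in the local Administrators group of an AAD DS management VM.
# Assumption: $DomainNetbios is the managed domain's NetBIOS name (placeholder
# value 'AADDSCONTOSO' follows the guide's example).
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainNetbios          # e.g. 'AADDSCONTOSO' (placeholder)
)

$groupToGrant = "$DomainNetbios\AAD DC Administrators"

# 1. Confirm the VM is actually joined to the managed domain before touching groups.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "This VM is not domain joined (workgroup: $($cs.Workgroup))."
}
Write-Host "VM is joined to domain: $($cs.Domain)"

# 2. Show the current members of the local Administrators group, including where
#    each principal comes from (Local vs ActiveDirectory).
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3. Add the AAD DS admin group only when it is missing, so the script is idempotent.
$alreadyMember = $admins | Where-Object { $_.Name -eq $groupToGrant }
if ($alreadyMember) {
    Write-Host "'$groupToGrant' is already a member of local Administrators."
} else {
    Add-LocalGroupMember -Group 'Administrators' -Member $groupToGrant
    Write-Host "Added '$groupToGrant' to local Administrators."
    Write-Host "Sign out and sign back in so the new group membership is in the logon token."
}
```

Group membership is evaluated at logon, so an interactive session started before the change will not pick it up until the user signs in again.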