Fail to domain-join a Windows Server VM to an Azure AD DS managed domain

Question

I have followed the steps in https://learn.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm and can connect to my server VM using Bastion.

But when I try the last step (Join the VM to the managed domain): https://learn.microsoft.com/en-us/azure/active-directory-domain-services/join-windows-vm#join-the-vm-to-the-managed-domain it fails with the following error message:

An Active Directory Domain Controller (AC DC) for the domain xxxx.onmicrosoft.com could not be contacted.

In one of the required steps (https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance) it states:

The managed domain is associated with your Azure AD tenant. During the provisioning process, Azure AD DS creates two Enterprise Applications named Domain Controller Services and AzureActiveDirectoryDomainControllerServices in the Azure AD tenant. These Enterprise Applications are needed to service your managed domain. Don't delete these applications.

I am not able to locate these two applications in my Azure AD Tenant (using the Azure portal) and was wondering if this could be the root cause of my problem.

Are there any other ways to figure out why the AC DC can't be connected.

Answer 1

Hi Henrik,

First thing I would check is to make sure you have set the DNS servers for the virtual network: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance#update-dns-settings-for-the-azure-virtual-network

If so, and your VM is on the same virtual network then it should be using the AAD DS service for DNS.

Did you use the xxxx.onmicrosoft.com domain name when deploying the service? What happens if you try to ping this or do an nslookup from the VM you are trying to domain join?

There might be a conflict here with this domain name. I would tend to create a new custom/vanity domain name when deploying this service normally.