When you try to join a virtual machine (VM) or connect an application to an Azure Active Directory Domain Services (Azure AD DS) managed domain, you may get an error that you're unable to do so. To troubleshoot domain-join problems, review at which of the following points you have an issue:
- If you don't receive an authentication prompt, the VM or application can't connect to the Azure AD DS managed domain. Start by troubleshooting connectivity issues for domain-join.
- If you receive an error during authentication, the connection to the managed domain is successful. Start by troubleshooting credentials-related issues during domain-join.
Connectivity issues for domain-join
If the VM can't find the managed domain, there's usually a network connection or configuration issue. Review the following troubleshooting steps to locate and resolve the issue:
- Ensure the VM is connected to the same, or a peered, virtual network as the managed domain. If not, the VM can't find and connect to the domain in order to join.
- If the VM isn't connected to the same virtual network, confirm that the virtual network peering or VPN connection is Active or Connected so that traffic can flow correctly.
- Try to ping the domain using the domain name of the managed domain, such as ping aaddscontoso.com.
- If the ping response fails, try to ping the IP addresses for the domain displayed on the overview page in the portal for your managed domain, such as ping 10.0.0.4.
- If you can successfully ping the IP address but not the domain, DNS may be incorrectly configured. Make sure that you've configured the managed domain DNS servers for the virtual network.
- Try flushing the DNS resolver cache on the virtual machine, such as ipconfig /flushdns.
Network Security Group (NSG) configuration
Review the following troubleshooting steps:
- Check the health status of your managed domain in the Azure portal. If you have an alert for AADDS001, a network security group rule is blocking access.
- Review the required ports and network security group rules. Make sure that no network security group rules applied to the VM or virtual network you're connecting from block these network ports.
- Once any network security group configuration issues are resolved, the AADDS001 alert disappears from the health page in about 2 hours. With network connectivity now available, try to domain-join the VM again.
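The connectivity and NSG checks above, collected into one script you can run from the VM you are trying to join. This is an added example, not code from the Microsoft Docs page: the domain name and IP address are the page's examples and must be replaced with the values from your managed domain's overview page, and the list of TCP ports it probes (DNS, Kerberos, LDAP, SMB) is an assumption based on standard Active Directory domain-join traffic, not the page's own NSG rule list.

```powershell
# Added diagnostic script (not from the Microsoft Docs page). Runs the page's
# connectivity checks from the VM being domain-joined and summarises the result.
param(
    [string]$DomainName  = 'aaddscontoso.com',   # page's example; use your managed domain
    [string[]]$DomainIps = @('10.0.0.4'),        # page's example; use the overview page IPs
    # Assumed standard AD client ports (DNS, Kerberos, LDAP, SMB) for the reachability test.
    [int[]]$Ports        = @(53, 88, 389, 445)
)

function Test-AaddsDomainJoinConnectivity {
    param([string]$Domain, [string[]]$Ips, [int[]]$Ports)
    $result = [ordered]@{}

    # 1. Which DNS servers does this VM actually use? For a managed domain they
    #    should be the domain's IP addresses from the portal overview page.
    $vmDns = Get-DnsClientServerAddress -AddressFamily IPv4 |
             Where-Object { $_.ServerAddresses } |
             Select-Object -ExpandProperty ServerAddresses -Unique
    $result.VmDnsServers      = $vmDns
    $result.DnsPointsToDomain = [bool]($vmDns | Where-Object { $Ips -contains $_ })

    # 2. "ping aaddscontoso.com": flush the resolver cache first (same effect as
    #    ipconfig /flushdns), then check whether the name resolves and answers.
    Clear-DnsClientCache
    try {
        $result.DomainResolvesTo = (Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop).IPAddress
    } catch {
        $result.DomainResolvesTo = @()
    }
    $result.DomainPingOk = Test-Connection -ComputerName $Domain -Count 2 -Quiet -ErrorAction SilentlyContinue

    # 3. "ping 10.0.0.4": if the IP answers but the name does not, DNS is the problem.
    $result.IpPingOk = @{}
    foreach ($ip in $Ips) {
        $result.IpPingOk[$ip] = Test-Connection -ComputerName $ip -Count 2 -Quiet -ErrorAction SilentlyContinue
    }

    # 4. TCP port reachability: ping works but a port does not connect usually
    #    means an NSG rule (the AADDS001 alert case) or a firewall blocks it.
    $result.PortOk = @{}
    foreach ($ip in $Ips) {
        foreach ($p in $Ports) {
            $result.PortOk["${ip}:$p"] = Test-NetConnection -ComputerName $ip -Port $p `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }

    # Map the findings onto the page's decision tree.
    if (-not $result.DomainPingOk -and ($result.IpPingOk.Values -contains $true)) {
        $result.Diagnosis = 'IP reachable but domain name is not: configure the managed domain DNS servers on the virtual network.'
    } elseif ($result.IpPingOk.Values -notcontains $true) {
        $result.Diagnosis = 'Domain IPs unreachable: check VNet peering/VPN state and NSG rules.'
    } elseif ($result.PortOk.Values -contains $false) {
        $result.Diagnosis = 'Hosts reachable but some ports blocked: review NSG rules and the AADDS001 health alert.'
    } else {
        $result.Diagnosis = 'Connectivity looks fine; retry the domain join.'
    }
    return [pscustomobject]$result
}

Test-AaddsDomainJoinConnectivity -Domain $DomainName -Ips $DomainIps -Ports $Ports | Format-List
```

Run it in an elevated PowerShell session on the VM; the Diagnosis field tells you which of the page's steps to pursue next, and the per-IP and per-port hashtables show exactly where the path breaks.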
Credentials-related issues during domain-join
To troubleshoot credentials-related issues, review the following troubleshooting steps:
- Try using the UPN format to specify credentials, such as dee@contoso.onmicrosoft.com. Make sure that this UPN is configured correctly in Azure AD.
- The SAMAccountName for your account may be autogenerated if there are multiple users with the same UPN prefix in your tenant or if your UPN prefix is overly long. Therefore, the SAMAccountName format for your account may be different from what you expect or use in your on-premises domain.
- Try to use the credentials for a user account that's a part of the managed domain to join VMs to the managed domain.
- Make sure that you've enabled password synchronization and waited long enough for the initial password sync to complete.
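A way to verify the credentials-related points before attempting the join: bind to the managed domain with UPN-format credentials (which confirms the password has synchronized and the account is usable in the managed domain) and read back the account's actual SAMAccountName, since AD DS may have autogenerated it. This is an added example, not code from the Microsoft Docs page; the domain name and UPN are the page's examples, and the LDAP lookup uses the .NET System.DirectoryServices classes rather than any Azure AD DS-specific API.

```powershell
# Added example (not from the Microsoft Docs page). Confirms the join account
# works against the managed domain and shows its real SAMAccountName.
param(
    [string]$DomainName = 'aaddscontoso.com',             # page's example domain
    [string]$Upn        = 'dee@contoso.onmicrosoft.com'   # page's example UPN
)

function Get-AaddsJoinAccount {
    param([string]$Domain, [pscredential]$Credential)

    # Bind to the domain root with the UPN-format credential.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Domain",
        $Credential.UserName,
        $Credential.GetNetworkCredential().Password)
    try {
        # Touching NativeObject forces the bind; a failure here means the credential
        # was rejected (password not synced yet, wrong UPN, or not a managed-domain user).
        $null = $root.NativeObject
    } catch {
        throw "LDAP bind to $Domain as $($Credential.UserName) failed: $($_.Exception.Message)"
    }

    # Look the account up by UPN and return the attributes the join actually uses.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=user)(userPrincipalName=$($Credential.UserName)))"
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userPrincipalName', 'distinguishedName'))
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No user with UPN $($Credential.UserName) found in $Domain." }

    [pscustomobject]@{
        UserPrincipalName = [string]$hit.Properties['userprincipalname'][0]
        SamAccountName    = [string]$hit.Properties['samaccountname'][0]   # may be autogenerated
        DistinguishedName = [string]$hit.Properties['distinguishedname'][0]
    }
}

$cred    = Get-Credential -UserName $Upn -Message "Password for $Upn"
$account = Get-AaddsJoinAccount -Domain $DomainName -Credential $cred
$account | Format-List

# Once the bind succeeds, join with the same UPN-format credential.
Add-Computer -DomainName $DomainName -Credential $cred
```

If the bind fails shortly after enabling password synchronization, wait for the initial sync to finish and retry before changing anything else; if it succeeds but the SamAccountName differs from the on-premises value, use the value shown here wherever a pre-Windows 2000 name is required.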
Reference: Troubleshoot domain-join with Azure AD Domain Services | Microsoft Docs