Best way to add Azure 2022 server VM to domain?

M, Akhil 20 Reputation points
2024-10-10T03:08:47.0466667+00:00

I am creating a new data platform in Azure where I would need to create VMSS for CI/CD, SHIR for ADF, Power BI Data Gateway etc. in the management subscription (Landing Zone), which are Windows Server 2022 servers. The client has an existing AD setup and is using Pass Through Authentication (primary) and Password Hash (backup) to sync identities to the cloud. What are the options available for me to join these VMs to the domain, and what are the caveats for each?

1) Azure AD Join

2) Azure Hybrid Join

3) Domain Join

How do I configure Azure Hybrid Join for the VM from Azure, and also what are the prerequisites for domain join/Hybrid Join given we have an ExpressRoute setup (which ports need to be opened to the DC)? Also, I am using Private DNS Resolver and not custom DNS at the VNet level. Would that be an issue for me to connect to the domain controllers? Also, there would be a PAM tool that would manage access to these VMs. What would be the recommendations for this scenario?


2 answers

  1. Neuvi Jiang 1,450 Reputation points Microsoft Vendor
    2024-10-10T07:29:51.51+00:00

    Hi M, Akhil,

    Thank you for posting in the Q&A Forums.

    I. Options Analysis

    Azure AD Join

    For scenarios where you wish to join the device directly to the Azure AD environment.

    In this scenario, the devices will be authenticated and managed using Azure AD.

    This is a viable option if your clients are already using Azure AD for identity synchronization and you want those servers to take advantage of the authentication and management capabilities of Azure AD as well.

    Azure Hybrid Join

    For scenarios where you need access to both local and cloud resources.

    With hybrid join, devices can join both Azure AD and local AD, enabling synchronization and management of identities between cloud and local.

    Hybrid join is a good option if your clients need frequent access and interaction between Azure and local environments.

    Domain Join

    The most traditional way of joining, directly joins the device to the local AD domain.

    In this case, the device will rely solely on the local AD for authentication and management.

    If your clients rely primarily on the local AD for authentication and management and do not want or need to join the device to Azure AD, you can choose domain join.

    II. Azure Hybrid Join Configuration

    Configuration steps

    First, make sure your local AD has been properly configured and identity synchronized with Azure AD.

    Then, follow Microsoft's official documentation to configure hybrid join using Azure Portal or PowerShell scripts.

    During the configuration process, you need to specify some settings such as device enrollment policies, certificates, etc.

    Quick Route Setup and Port Opening

    For fast routing setup, you need to ensure that the network connection between the Azure VM and the local DC is open.

    This usually involves configuring cross-border connection technologies such as VPN or ExpressRoute.

    In terms of ports, you need to ensure that the following ports are open:

    Port 88 for TCP and UDP (for Kerberos authentication).

    Port 389 for TCP and UDP (for LDAP).

    Port 445 for TCP (for SMB/CIFS).

    Port 464 for TCP (used for Kerberos password change).

    Port 53 for TCP and UDP (if DNS is also running on the DC).

    Private DNS resolver

    If you are using a private DNS resolver instead of a Vnet-level custom DNS, you need to make sure that this DNS resolver is able to correctly resolve the DNS names of your AD domain controllers and Azure resources.

    This may require you to configure some conditional forwarders or static DNS entries in the DNS resolver.

    Connecting to the domain controller

    After configuring the network connection and DNS resolution, you should be able to join the Azure VM to the AD domain without any problems.

    If you encounter connection issues, check the configuration of network connectivity, firewall rules, DNS resolution, etc.

    III. Prerequisites for domain join/hybrid join

    Local AD Environment

    Ensure that the local AD environment is healthy and accessible.

    Make sure the AD domain controller is properly configured and running.

    Azure Environment

    Ensure that the Azure subscription is active and that you have sufficient permissions to create and manage resources.

    Ensure that Azure VMs are created and running, and that network connectivity is configured.

    Authentication and Authorization

    Ensure that you have sufficient permissions to join the device to the AD domain.

    If you are using hybrid join, you also need to ensure that identity synchronization between Azure AD and the local AD has been properly configured.

    Best regards

    NeuviJ

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
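The connectivity prerequisites in the answer above (DNS resolution of the domain controllers through the Private DNS Resolver, and the listed ports open over ExpressRoute) can be verified from the VM itself before attempting the join. The following PowerShell script is an added example, not code from the answer or from Microsoft; the domain name, the OU path and the DC port list are assumptions (the port list is exactly the one given in the answer, and should be extended from Microsoft's Active Directory port requirements before being treated as complete). It only runs `Add-Computer` when the `-Join` switch is passed and every probed port answered.

```powershell
<#
  Added example, not part of the original answer. Pre-flight check and domain join for an
  Azure Windows Server 2022 VM that reaches on-premises DCs over ExpressRoute.
  Assumptions (placeholders to replace): the domain name, the target OU, and that the
  VM's DNS path (Private DNS Resolver here) forwards the AD zone to the DCs.
  Run elevated on the VM.
#>
param(
    [string]$DomainName = 'corp.example.com',                        # placeholder
    [string]$OUPath     = 'OU=AzureVMs,DC=corp,DC=example,DC=com',   # placeholder
    [switch]$Join                                                    # only joins when set
)

# Ports named in the answer above. Test-NetConnection probes TCP only; the UDP sides of
# 88/389/53 are not exercised here.
$DcPorts = @(
    @{ Port = 88;  Purpose = 'Kerberos' },
    @{ Port = 389; Purpose = 'LDAP' },
    @{ Port = 445; Purpose = 'SMB' },
    @{ Port = 464; Purpose = 'Kerberos password change' },
    @{ Port = 53;  Purpose = 'DNS on the DC' }
)

# 1. Which resolvers does the VM actually use? With a Private DNS Resolver the VM normally
#    keeps the Azure-provided resolver, and the resolver ruleset must forward $DomainName
#    to the DCs. Printing this makes a wrong VNet/NIC DNS setting obvious.
Write-Host 'DNS servers in use:'
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { Write-Host ("  {0}: {1}" -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ')) }

# 2. Locate DCs through the SRV record that the join process itself relies on.
$srvName = "_ldap._tcp.dc._msdcs.$DomainName"
try {
    $dcs = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object -ExpandProperty NameTarget -Unique
} catch {
    throw "Could not resolve $srvName; the AD zone is not being forwarded to the DCs. $_"
}
Write-Host "Domain controllers found via SRV: $($dcs -join ', ')"

# 3. Probe each listed TCP port on each DC and collect the failures.
$failures = foreach ($dc in $dcs) {
    foreach ($p in $DcPorts) {
        $r = Test-NetConnection -ComputerName $dc -Port $p.Port -WarningAction SilentlyContinue
        $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        Write-Host ("  {0,-30} {1,5}/tcp {2,-26} {3}" -f $dc, $p.Port, $p.Purpose, $state)
        if (-not $r.TcpTestSucceeded) { [pscustomobject]@{ DC = $dc; Port = $p.Port } }
    }
}

if ($failures) {
    Write-Warning 'Blocked paths exist; fix NSG, firewall or ExpressRoute rules before joining:'
    Write-Warning ($failures | Format-Table -AutoSize | Out-String)
    return
}

# 4. Join only when explicitly requested. Prompting for the credential keeps the
#    domain-join account password out of the script; use a least-privilege join account
#    rather than a Domain Admin.
if ($Join) {
    $cred = Get-Credential -Message "Account allowed to join computers to $DomainName"
    Add-Computer -DomainName $DomainName -OUPath $OUPath -Credential $cred -Restart -Force
} else {
    Write-Host "All listed ports reachable. Re-run with -Join to join $DomainName."
}
```

Running it once without `-Join` gives a readable record of DNS servers, discovered DCs and per-port reachability that can be attached to a change ticket; a failed SRV lookup points at the Private DNS Resolver forwarding ruleset, while blocked ports point at NSGs, on-premises firewalls or the ExpressRoute route filters.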


  2. Raja Pothuraju 7,750 Reputation points Microsoft Vendor
    2024-10-24T18:58:30.9566667+00:00

    Hello @M, Akhil,

    Thank you for your response.

    1. Enabling the enablerdsaadauth property activates the "Use a web account to sign in to the remote computer" option, which allows the client to authenticate to the remote PC using Microsoft Entra ID. If the user who joined the device to Microsoft Entra ID is the only one connecting remotely, no additional configuration is necessary. However, to allow other users or groups to connect remotely, you must add them to the Remote Desktop Users group on the remote device. Additionally, if multiple users are accessing the machine, the RDP file needs to be updated accordingly.
    2. Yes, it is possible to establish RDP sessions from on-premises VDI boxes to Entra Joined VMs (Windows Server 2022) using Azure ExpressRoute. ExpressRoute provides a secure and private connection between your on-premises infrastructure and Azure, enabling reliable RDP sessions. Ensure that network routing and firewall rules are properly configured to permit RDP traffic over the ExpressRoute connection, and that the VMs are configured to accept RDP connections from the on-premises network.
    3. To configure Microsoft Entra Hybrid Join, you can follow the steps outlined in the official Microsoft documentation: Configure Microsoft Entra hybrid join.
    4. Regarding Azure AD Hybrid Join, the servers—whether on-premises or in the cloud—need to be joined to the local Active Directory first. Afterward, they can be synchronized with Azure AD using Azure AD Connect. By default, Microsoft Entra Connect syncs all objects, including devices, but you can customize the configuration to exclude specific objects or organizational units (OUs) from synchronization.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    Thanks,
    Raja Pothuraju.
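Point 1 of the answer above (the `enablerdsaadauth` RDP property, and adding further users to the Remote Desktop Users group on an Entra-joined VM) is illustrated by the following PowerShell script. It is an added example, not code from the answer or from Microsoft; the user principal name, the VM address and the output path are placeholders, and the script assumes it is run elevated on the Entra-joined Windows Server 2022 VM. `dsregcmd`, `net localgroup` and the `fDenyTSConnections` registry value are standard Windows tooling.

```powershell
<#
  Added example, not part of the original answer. On a Microsoft Entra joined Windows
  Server 2022 VM: confirm the join state, make sure RDP is enabled, grant one additional
  Entra user RDP access, and write a client-side .rdp file carrying enablerdsaadauth.
  Run elevated on the VM. The UPN and VM address are placeholders.
#>
param(
    [string]$UserPrincipalName = 'jane.doe@contoso.example',   # placeholder
    [string]$VmAddress         = '10.0.1.4',                    # placeholder, private IP reached over ExpressRoute
    [string]$RdpFile           = "$env:USERPROFILE\entra-vm.rdp"
)

# 1. Confirm the device is Entra joined: dsregcmd prints "AzureAdJoined : YES" when it is.
$status = dsregcmd /status
if (-not ($status -match '^\s*AzureAdJoined\s*:\s*YES')) {
    throw 'This VM is not Microsoft Entra joined; web-account RDP sign-in needs an Entra joined target.'
}

# 2. Make sure Remote Desktop connections are allowed on the server side.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                 -Name fDenyTSConnections -Value 0

# 3. Grant the additional user RDP rights. Entra principals are addressed as AzureAD\<UPN>;
#    net.exe is used here because that is the form Microsoft documents for Entra users.
$member   = "AzureAD\$UserPrincipalName"
$existing = net localgroup 'Remote Desktop Users'
if ($existing -notcontains $member) {
    net localgroup 'Remote Desktop Users' /add $member
    if ($LASTEXITCODE -ne 0) { throw "Failed to add $member to Remote Desktop Users" }
    Write-Host "Added $member to Remote Desktop Users"
} else {
    Write-Host "$member is already a member of Remote Desktop Users"
}

# 4. Client-side .rdp file: the target address plus the web-account sign-in switch from
#    the answer, pre-filled with the user's UPN. One file per user, as the answer notes.
@"
full address:s:$VmAddress
enablerdsaadauth:i:1
username:s:$UserPrincipalName
"@ | Set-Content -Path $RdpFile
Write-Host "Wrote $RdpFile; hand it to the user connecting from the on-premises VDI."
```

Keeping the group membership change and the per-user .rdp file in one script makes it easy for the PAM tool mentioned in the question to run it as a scoped, auditable step when access is granted, and to reverse the `net localgroup` step when access is revoked.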

