Azure AD DS (Domain Services) unable to join Azure virtual machine to domain troubleshooting
In a recent customer engagement, I stumbled across this issue and learned some new things that I want to share and could be helpful to someone else in the future.
I set up Azure Active Directory Domain Services (Azure AD DS) in order to bring Kerberos/NTLM to the cloud virtual machines.
Everything seemed to be set up correctly, but when I tried to join an Azure virtual machine to the domain, I received the following error message:
Computer Name/Domain Changes The following error occurred attempting to join the domain "manuelmeyer.net": The user name or password is incorrect.
I was sure that the account is not locked, nor did I use the wrong password. I suspected that the issue is related to the “Legacy NTLM password hash” issue. To make it short:
Azure AD DS requires a special password hash, the “Legacy NTLM/Kerberos password hash” that is different from the “normal” password hash that is synchronized to Azure Active Directory. The issue is that the legacy hash is not synchronized to Azure AD because it (Azure AD) has no use for it, until Azure AD DS shows up. Azure AD DS needs the hash in order to be able to do NTLN/Kerberos in the cloud. There are 2 ways to get the legacy hash into the cloud. After you have provisioned Azure AD DS and it syncs with an AAD tenant, do one of the following:
- For cloud-only accounts, reset the password of the user account. The password reset will create an NTLM/Kerberos hash, if Azure AD DS is deployed for that tenant.
- For hybrid accounts, use powershell to enable legacy NTLM/Kerberos sync. Follow: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-password-hash-sync
So in my case, I did reset the users password but to no avail. After some research, I found the helpful article by Bas Wijdenes: https://bwit.blog/fix-joining-azure-ad-domain-services-incorrect-password/ which basically states that the format of the domain and user combination that is used in the domain join dialog is critical and you should use the old-school windows syntax, such as “<domain><user>” instead of “<user>@<domain>”.
We used “email@example.com” which did not work. So we changed it to “manuelmeyer.netuser1234”. That still did not work but gave us a new error message:
Computer Name/Domain Changes The following error occurred attempting to join the domain manuelmeyer.net The username or password is incorrect.
But again, I was sure that both of them were indeed correct.
One more thing that I verified was that the user was a member of the “AAD DC Administrators” AAD security group.
But the problem persisted.
In the end, it turned out that the problem was of a different nature. The user account used to join the domain was in the AAD DC Administrators group, but he was a guest user in the tenant where Azure AD DS was deployed. We created a local user in the AAD tenant where Azure AD DS was deployed, added it to the AAD DC Administrators group, reset the password and, alas, we could successfully join to the domain. Good times.