Using Microsoft Azure I have a default Active Directory domain (apparently) and I can create VMs. To my surprise, such VMs are not joined to the AD domain automatically and domain users can't log into it.
Is it possible to join these Azure VMs to the Azure Default AD? How or why not?
Thanks!
Azure AD isn't your "regular" AD. You're not able to join computers to it. What you CAN do is the following: set up your own domain controllers (these can also run on Azure), and use Azure DirSync (which is a service you install on a VM) to sync user objects between your "regular" AD and Azure AD. That way, you have a normal AD forest you can use for computer joins and such, but also enjoy the benefits of being able to do single sign-on to Azure websites, Office 365 etc. using the replicated accounts in Azure AD. There is a very good document describing this sort of architecture (although it's made for Office 365 it goes for Azure as well, since the Azure AD instance is the same), which can be found here. Well worth the read: Deploying Office 365 Single Sign-On using Windows Azure
Check out the (still in preview) Azure Active Directory Domain Services. With this feature you will be able to join an Azure VM to your Azure AD domain. You will also be able to use GPOs for computers and users.
Only Windows 10 OS/VMs can now be joined directly to Azure AD.
Two useful links on this subject:
http://blogs.technet.com/b/ad/archive/2015/05/28/azure-ad-join-on-windows-10-devices.aspx
http://blogs.technet.com/b/ad/archive/2015/05/13/azure-active-directory-and-windows-10-making-the-enterprise-cloud-a-reality.aspx
Regards
Stanislas
I was able to do this with Azure VMs (Windows Server 2012 R2).
It requires Azure AD Domain Services. If you're setting group-based permissions (e.g. for folder or RDP access) you need to use a security group (distribution lists and O365 groups, including built-in groups, will not work).
You may need to configure the DNS servers if they're not set up correctly.
You need to have a local VM admin-level account and an Azure AD admin-level account.
You just change the domain under My Computer as you would when joining it to a regular domain (you will need to enter the Azure AD admin credentials).
Note: Don't forget that you also need to add RDP access for the users/groups before they will be able to RDP into the VM with their Azure Accounts.
You don't need a separate domain controller or DirSync.
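As an added example (not part of the answer above), the same steps as PowerShell run on the VM itself: set the DNS servers, check the managed domain resolves, join, then grant a security group RDP access after the reboot. The domain name, DNS addresses, interface alias and group name are assumed placeholders to replace with your own.

```powershell
# Added example, not from the original answer. Assumed placeholder values:
$DomainName = "contoso.com"               # assumed Azure AD Domain Services managed domain
$DnsServers = @("10.0.0.4", "10.0.0.5")   # assumed: IPs of the managed domain's DCs
$Nic        = "Ethernet"                  # assumed interface alias on the VM
$RdpGroup   = "CONTOSO\RDP Users"         # assumed Azure AD *security* group (not a DL / O365 group)

# Phase 1: run from the local VM admin account, before the join.
function Join-AaddsDomain {
    # Point the VM at the managed domain's DNS servers; a wrong DNS setting is the usual join failure.
    Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DnsServers

    # Verify the domain's DC locator record resolves before attempting the join.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) { throw "Cannot resolve domain controllers for $DomainName; check DNS settings." }

    # Join with an Azure AD account allowed to join machines to the managed domain
    # (for AAD DS, a member of the 'AAD DC Administrators' group). Credentials are prompted, not stored.
    $cred = Get-Credential -Message "Azure AD admin account (UPN form, e.g. admin@$DomainName)"
    Add-Computer -DomainName $DomainName -Credential $cred -Restart -ErrorAction Stop
}

# Phase 2: run after the reboot, once the machine is a domain member.
function Grant-RdpAccess {
    # Confirm the secure channel to the domain is healthy before touching local groups.
    if (-not (Test-ComputerSecureChannel)) { throw "Secure channel to $DomainName is broken; re-check the join." }

    # Domain users cannot RDP until their group is in the local Remote Desktop Users group.
    # 'net localgroup' is used because Add-LocalGroupMember does not exist on Windows Server 2012 R2.
    net localgroup "Remote Desktop Users" $RdpGroup /add
    if ($LASTEXITCODE -ne 0) { throw "Failed to add $RdpGroup; make sure it is a security group." }
}

# Usage: Join-AaddsDomain   (reboots)   then, after logging back in: Grant-RdpAccess
```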
Keep in mind that by promoting one of the servers to a domain controller, you can then have it sync with Azure AD for the users and groups. When we talk about Windows 10 joining Azure AD, you are only joining to see the list of applications available and authentication for the user. This is not the same as joining a typical on-premises Active Directory domain. The suggestion is to build two AD controllers in Azure VMs and then have them sync with Azure AD. Have any servers or computers created join the same virtual network that the domain controllers are a part of. Here is a step-by-step guide for setting up a lab environment around the same idea: http://www.virtuallycloud9.com/index.php/2015/02/it-camp-azure-labs-lab-1-building-the-foundation-step-by-step/