
I administer Office 365 for our company widgetsRus.com, and I am trying to join my desktop computer to the domain and log in using my Office 365 email address. I bought the domain and the Office 365 subscription from GoDaddy, and the name servers are currently at he.net. I administer the DNS server for that domain, so I can add or change records. I am certainly willing to relocate the name servers or create a domain controller at Azure if necessary.

I can see our domain, users, and devices at portal.azure.com.

When I try to join the domain using Control Panel, I get an error message:

The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "netorgft3xxxxxxx.onmicrosoft.com":

The error was: "DNS name does not exist." (error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.netorgft3xxxxxx.onmicrosoft.com

Common causes of this error include the following:

  • The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

208.67.222.222 208.67.220.220

I am able to join the computer to the Azure AD using Access from Work or School; however, I am unable to log on using my email address after that.

I gather that I need to add some more records to the zone file, starting with the SRV record mentioned. How can I find out what that should be?

zkilnbqi
    Are you trying to add this computer to a local, on-premises AD? I mean, using the tool for that instead of the separate option for adding the computer to Azure AD. – Esa Jokinen Jun 09 '18 at 22:19
  • It is an Azure AD provided as part of my Office 365 subscription. Although I have tried various options, such as creating a virtual Windows Server in Azure and adding that to the Azure AD or even trying to run Azure AD Connect sync on that Virtual Machine in Azure. The overall goal is to join our office computers to the Azure AD associated with our Office 365 account so users can log in to their Windows machines in the morning with their email addresses. – zkilnbqi Jun 10 '18 at 00:23
  • I was finally able to add my desktop computer to the Azure Directory domain in Windows 10 by choosing Settings -> Access Work or School, and then Connect. Join Azure Domain is an option there, although Microsoft keeps moving it every upgrade or so. Just to be clear, under Access Work or School, it now says that I am connected to contoso.com's Azure AD, and that I was connected by user@contoso.com. The issue now is that I do not seem to be able to log in to my desktop computer with my email address user@contoso.com. The error message is that I need to check my network. – zkilnbqi Jun 10 '18 at 05:36
  • To others that end up here - just go read this: https://www.skylinetechnologies.com/Blog/Skyline-Blog/January_2017/Your_Domain_in_the_Cloud_with_Azure_Active_Directo – WEBjuju Jan 17 '19 at 21:53

1 Answer

This is a confusing topic for those first exposed to AzureAD.

AzureAD by itself will not replace a domain controller. You cannot join your domain with AzureAD unless you also enable Domain Services (an additional paid service). I've probably oversimplified the differences below, but I hope it helps.

AzureAD does allow you to register or enroll a device in the service.

Workplace Join - this is for machines that are already configured and is device registration. It can improve the user experience, as the authentication in Windows 10 is built to work directly with AzureAD. For MDM you have to manually enroll a device.

AzureAD Join - Microsoft calls this Device enrollment. With Windows 10, when you have the "out of the box" (OOTB) experience you get to choose to join AzureAD or a domain. When you choose the former, you tie your sign-in credentials to AzureAD and enroll into any Intune policies that may be in place. It's a great way to manage devices (assuming you have Intune as well) that are not on the network frequently. This is enrollment, because it's possible to enroll a device into MDM at the time of device registration as well (it's all done together).

Back to Domain Services. You can enable Domain Services in an AzureAD directory, but it's another paid service. In addition, you have to create an Azure virtual network to bind it to, and then you would need a VPN to connect it to the local network (assuming you want to join more than just Azure VMs). With this setup you can indeed join machines and manage them with GPOs. If you have traditional domain controllers, this service is not part of the domain replication; it's a separate service that works like a "domain". There are still plenty of things that are not ideal about Domain Services, but the basics are there. For Azure deployments, the costs will be similar to deploying a small DC yourself as a VM, but then again you won't have to manage the OS or domain replication, which is ideal if no Active Directory domain exists yet.

Jesus Shelby
    Thanks. I had basically figured this out by reading https://www.skylinetechnologies.com/Blog/Skyline-Blog/January_2017/Your_Domain_in_the_Cloud_with_Azure_Active_Directo and then by noticing that I had not enabled AD DS in Azure. When I enabled Directory Services, it asked me to choose a virtual network and region and so on. But then I found out that it costs over $100 per month. We have a little startup and that will not work for us. – zkilnbqi Jun 10 '18 at 20:08
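A diagnostic script, added here and not part of the question or answer, that checks the point both make: whether the DNS server a workstation uses publishes any DC-locator SRV records for the domain, and whether the device is Azure AD joined rather than AD DS domain joined. It goes beyond the single `_ldap._tcp.dc._msdcs` name in the error text by querying the full set of SRV names a Windows client uses to find a domain controller, and it assumes Windows 10 with the DnsClient module (`Resolve-DnsName`) and `dsregcmd`; the domain name and resolver are placeholders taken from the post.

```powershell
# Added diagnostic (not from the original post). Checks whether a domain publishes
# the DC-locator SRV records that "join a domain" depends on, using the DNS server
# the workstation actually queries, then reports the Azure AD vs AD DS join state.
# Assumes PowerShell 5.1+ on Windows 10 with Resolve-DnsName and dsregcmd available.
param(
    [Parameter(Mandatory = $true)][string]$Domain,   # e.g. the redacted netorgft3xxxxxx.onmicrosoft.com from the post
    [string]$DnsServer = '208.67.222.222'            # first resolver listed in the error text
)

# SRV names a Windows client queries to locate a domain controller. The error in the
# question cites only the first; a real AD DS domain registers all of them.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.$Domain",
    "_kerberos._tcp.$Domain"
)

function Test-DcLocatorRecords {
    param([string[]]$Names, [string]$Server)
    foreach ($name in $Names) {
        try {
            $answers = Resolve-DnsName -Name $name -Type SRV -Server $Server -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' }
            foreach ($a in $answers) {
                [pscustomobject]@{ Record = $name; Status = 'FOUND'; Target = $a.NameTarget; Port = $a.Port }
            }
        } catch {
            # NXDOMAIN here is the 0x0000232B RCODE_NAME_ERROR the Control Panel dialog reports
            [pscustomobject]@{ Record = $name; Status = 'MISSING'; Target = $null; Port = $null }
        }
    }
}

Test-DcLocatorRecords -Names $srvNames -Server $DnsServer | Format-Table -AutoSize

# Azure AD join and AD DS domain join are separate states; dsregcmd reports both.
$state = dsregcmd /status
$azureJoined  = ($state | Select-String 'AzureAdJoined\s*:\s*(\w+)' | Select-Object -First 1).Matches[0].Groups[1].Value
$domainJoined = ($state | Select-String 'DomainJoined\s*:\s*(\w+)'  | Select-Object -First 1).Matches[0].Groups[1].Value
"AzureAdJoined=$azureJoined  DomainJoined=$domainJoined"
if ($azureJoined -eq 'YES' -and $domainJoined -eq 'NO') {
    'Device is Azure AD joined only: no DC-locator SRV records exist unless Azure AD Domain Services or an on-premises DC is deployed.'
}
```

Run it as `.\Test-DcLocator.ps1 -Domain widgetsRus.com` from the workstation that fails to join; a tenant without Azure AD Domain Services will show every record as MISSING, which is the expected outcome the answer describes rather than a DNS misconfiguration to fix.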