
I'm trying to start deploying and learning how to use AD DS in Azure so I can see if I can get rid of the requirement to have dedicated VMs running domain services. I'm struggling right at the first step, as I'm trying to set up the domain of my customer, which is longer than 15 characters. I've set up tons of domain controllers on premises before without any problem with a routable domain longer than 15 characters.

Is this some sort of peculiarity with AD DS in Azure? I was hoping to use one single domain name for it, the same as the company domain, so it goes in line with website, email, etc. I really don't want to use a domain name different to that.

Any thoughts? Thanks!

tech_london
    Which domain name are you actually trying to use? Also, the error talks about the domain *prefix*, i.e. "domain" in "domain.com". Is it actually longer than 15 characters? That's rather unusual. – Massimo Jan 14 '19 at 21:23
  • I can get the AADDS created by using prefix.longdomainname.co.uk, for example, and my domain becomes prefix.longdomainname.co.uk when I only wanted it to be longdomainname.co.uk. I guess my domain will be called prefix.longdomainname.co.uk and I'll set up the users as user@longdomainname.co.uk. Annoyingly, to log in to the domain they will need to use user@prefix.longdomainname.co.uk on their workstations/VMs/servers that are members of the domain, while logging into Office 365 they will use longdomainname.co.uk. I've no idea why they call it a 15-character NetBIOS name limit. – tech_london Jan 29 '19 at 17:35
  • Well, it **IS** the 15-character NetBIOS limit. The first part of a domain name (until the first ".") is used as its NetBIOS label, and NetBIOS names can't be more than 15 characters long. This has been true since Windows NT, and has been inherited by every Active Directory implementation since. – Massimo Jan 30 '19 at 09:37
  • Why then can you create a local domain with longer than 15 characters? If I have a local domain it can be longer than 15; if it is on Azure it can't. Where is the NetBIOS limit playing here if that is the domain name? – tech_london Feb 04 '19 at 11:31

2 Answers


You can actually get around this using PowerShell. I was able to get around the 15-character limit with instructions from this page:

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-enable-using-powershell

Here's the script, in case the page goes away:

```powershell
# Change the following values to match your deployment.
$AaddsAdminUserUpn = "admin@contoso100.onmicrosoft.com"
$AzureSubscriptionId = "YOUR_AZURE_SUBSCRIPTION_ID"
$ManagedDomainName = "contoso100.com"
$ResourceGroupName = "ContosoAaddsRg"
$VnetName = "DomainServicesVNet_WUS"
$AzureLocation = "westus"

# Connect to your Azure AD directory.
Connect-AzureAD

# Login to your Azure subscription.
Connect-AzAccount

# Create the service principal for Azure AD Domain Services.
New-AzureADServicePrincipal -AppId "2565bd9d-da50-47d4-8b85-4c97f669dc36"

# Create the delegated administration group for AAD Domain Services.
New-AzureADGroup -DisplayName "AAD DC Administrators" `
  -Description "Delegated group to administer Azure AD Domain Services" `
  -SecurityEnabled $true -MailEnabled $false `
  -MailNickName "AADDCAdministrators"

# First, retrieve the object ID of the newly created 'AAD DC Administrators' group.
$GroupObjectId = Get-AzureADGroup `
  -Filter "DisplayName eq 'AAD DC Administrators'" | `
  Select-Object ObjectId

# Now, retrieve the object ID of the user you'd like to add to the group.
$UserObjectId = Get-AzureADUser `
  -Filter "UserPrincipalName eq '$AaddsAdminUserUpn'" | `
  Select-Object ObjectId

# Add the user to the 'AAD DC Administrators' group.
Add-AzureADGroupMember -ObjectId $GroupObjectId.ObjectId -RefObjectId $UserObjectId.ObjectId

# Register the resource provider for Azure AD Domain Services with Resource Manager.
Register-AzResourceProvider -ProviderNamespace Microsoft.AAD

# Create the resource group.
New-AzResourceGroup `
  -Name $ResourceGroupName `
  -Location $AzureLocation

# Create the dedicated subnet for AAD Domain Services.
$AaddsSubnet = New-AzVirtualNetworkSubnetConfig `
  -Name DomainServices `
  -AddressPrefix 10.0.0.0/24

$WorkloadSubnet = New-AzVirtualNetworkSubnetConfig `
  -Name Workloads `
  -AddressPrefix 10.0.1.0/24

# Create the virtual network in which you will enable Azure AD Domain Services.
$Vnet = New-AzVirtualNetwork `
  -ResourceGroupName $ResourceGroupName `
  -Location $AzureLocation `
  -Name $VnetName `
  -AddressPrefix 10.0.0.0/16 `
  -Subnet $AaddsSubnet,$WorkloadSubnet

# Enable Azure AD Domain Services for the directory.
New-AzResource -ResourceId "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.AAD/DomainServices/$ManagedDomainName" `
  -Location $AzureLocation `
  -Properties @{"DomainName"=$ManagedDomainName; `
    "SubnetId"="/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/DomainServices"} `
  -ApiVersion 2017-06-01 -Force -Verbose
```
  • Thanks for sharing that. I'm wondering the problems it may cause as a Microsoft developer that works with Azure ADDS told me that they found problems with the 15 character limit and that is why they enforce it during the wizard. It is good to know that it can still be done :) – tech_london Feb 25 '19 at 22:02

The prefix of a domain name in Azure AD DS is limited to 15 characters: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started.

Domain prefix restrictions: The prefix of your specified domain name (for example, contoso100 in the contoso100.com domain name) must contain 15 or fewer characters. You cannot create a managed domain with a prefix longer than 15 characters.

The underlying technical reason is likely related to NetBIOS name restrictions. Each and every AD domain also has a NetBIOS name, which is usually identical to the domain prefix (the part of the full domain name up to the first "."). This can be customized in "real" AD, thus allowing you to create a domain with a longer prefix by using a different, shorter NetBIOS name; it looks like this limit is instead enforced in Azure AD DS.

Massimo
  • Alright, that indeed now makes much more sense. Thanks for the explanation. So for my RDS environment I'll need to use, for example, gateway.adds.domain.com and get wildcard certificates for that domain, *.adds.domain.com. I'm wondering how this works with O365 and a regular domain like domain.com; I guess I'll just add a custom domain name on Azure and create all users with UPN as domain.com. I think they will still also have a UPN as adds.domain.com, but I can make the principal domain.com instead? Thanks! – tech_london Feb 04 '19 at 12:35
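The point both the answer and the comment thread turn on is that the NetBIOS label of an AD domain defaults to the DNS prefix, and NetBIOS names are capped at 15 characters, while on-premises AD DS lets you pick the NetBIOS name separately. The PowerShell below is an added example, not code from the question, the answers or Microsoft's documentation: it derives the prefix from a candidate domain name, checks it against the 15-character limit, proposes a shorter NetBIOS name, and shows (in a comment) how that is passed to `Install-ADDSForest` on premises. The domain names are constructed samples and the suggested NetBIOS value is a hypothetical choice.

```powershell
# Added example: why the Azure AD DS "domain prefix" limit is really the NetBIOS limit.
# Nothing here creates resources; the only side effect is console output.

function Get-DomainPrefix {
    param([Parameter(Mandatory)][string]$DomainName)
    # Everything up to the first "." is the prefix, which AD uses as the default NetBIOS label.
    return ($DomainName -split '\.', 2)[0]
}

function Test-NetBiosNameLength {
    param([Parameter(Mandatory)][string]$Name)
    # NetBIOS names are 16 bytes; the 16th is a type suffix, leaving 15 usable characters.
    return ($Name.Length -ge 1 -and $Name.Length -le 15)
}

function New-NetBiosNameSuggestion {
    param([Parameter(Mandatory)][string]$Prefix)
    # Strip characters that are not valid in a NetBIOS name, upper-case, then truncate to 15.
    $clean = ($Prefix.ToUpper() -replace '[^A-Z0-9-]', '')
    return $clean.Substring(0, [Math]::Min(15, $clean.Length))
}

function Get-ManagedDomainPlan {
    param([Parameter(Mandatory)][string]$DomainName)
    $prefix = Get-DomainPrefix -DomainName $DomainName
    [pscustomobject]@{
        DomainName       = $DomainName
        Prefix           = $prefix
        PrefixLength     = $prefix.Length
        FitsNetBios      = Test-NetBiosNameLength -Name $prefix   # $false means the AAD DS wizard will reject it
        SuggestedNetBios = New-NetBiosNameSuggestion -Prefix $prefix
    }
}

# Constructed sample names: one that fits, one in the shape the question describes.
'contoso100.com', 'longdomainnameexample.co.uk' |
    ForEach-Object { Get-ManagedDomainPlan -DomainName $_ } |
    Format-Table -AutoSize

# On an on-premises domain controller the NetBIOS name is chosen independently of the DNS
# name, which is why a 21-character prefix works there. The value for -DomainNetbiosName
# below is a hypothetical choice (Install-ADDSForest comes from the ADDSDeployment module
# on a server with the AD DS role); do not run this as-is.
#
#   Install-ADDSForest -DomainName 'longdomainnameexample.co.uk' `
#                      -DomainNetbiosName 'LONGDOMAINEX' -InstallDns
#
# On a machine joined to any AD domain, the effective NetBIOS name can be read back with:
#
#   (Get-ADDomain).NetBIOSName
```

The check that matters for planning is `FitsNetBios`: if it is `$false`, the managed domain can only be created under a shorter prefix (such as the `prefix.longdomainname.co.uk` workaround from the comments), so the UPN suffix used for sign-in and the certificate names for services like the RDS gateway should be decided before the managed domain is created rather than after.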