There are several scenarios in a hybrid cloud setup where you would want virtual machines running on Azure to be part of an on-premises Active Directory.

Before we can start looking into how to join a virtual machine (VM) to a local Active Directory, there are some prerequisites to meet, which are the following:

  1. A functional on-premises Active Directory and local DNS infrastructure
  2. A site-to-site VPN connection between Azure and your datacenter
  3. A custom DNS server configuration pointing to an on-premises DNS server, required to resolve resources and services located in your datacenter

Assuming you've met all these prerequisites, let's begin.

Establish cross-site connectivity using Azure site-to-site VPN connections

Mohamed A. Waly wrote an excellent article on how to configure a site-to-site VPN connection. You can review this to set up a virtual network (VNet), but I'd like to elaborate a bit more on how to set up custom DNS for Azure Virtual Network.

Configure a custom DNS server

When joining a machine to a domain, the DNS server plays a key role. The machine uses the DNS server to send a DNS SRV query to locate the domain controller. On Azure, you can configure a custom DNS server for a VM at two levels:

  • The VNet level
  • The network interface level

Please note that making changes to DNS server configuration at either the VNet level or network interface level requires restarting the VMs for the changes to take effect.

To configure a custom DNS Server at the VNet level, perform the following steps:

  1. Navigate to Home > Virtual networks and select Virtual network.
  2. Click DNS servers, check the Custom radio button, input the DNS server IP, and click Save.

It is essential to mention here that by default, all network interfaces (all VMs) created under this VNet will inherit this DNS server configuration.

Custom DNS at the VNet level

  1. To specify the DNS server at the VM level, navigate to Home > Network interfaces and select the interface name. At this stage, verify the VM name, network security group, VNet, and subnet to make sure it's the one you wish to change the DNS server for.

Custom DNS at the network interface level 1

  2. Click DNS servers and select Custom. Type in the IP address of the on-prem DNS server and click Save.

Custom DNS at the network interface level 2

By default, the VM's network connection looks like the following image when providing no custom DNS server.

Azure provided DNS configuration

Once you've configured the custom DNS server, the network configuration properties will look like the following image.

Custom DNS configuration

Provision a VM with a custom DNS server

In the previous step, we looked into how we can set up a custom DNS server at the VNet level, but that configuration would apply to all VMs configured on that network.

In some use cases, you don't want to change the whole VNet and would rather define the DNS server only at the VM's network interface level. Below are the steps to provision a new VM with PowerShell for such scenarios.

Note: I'm assuming you already have a resource group on Azure that has a VNet as part of creating the site-to-site VPN connection step we discussed earlier in this article.

  1. First, log in to Azure Resource Manager (AzureRM) using PowerShell and provide the credentials when prompted.
  2. Create user credentials for the local administrator of the VM.
    $VMLocalAdminUser = "LocalAdmin"
    $VMLocalAdminSecurePassword = ConvertTo-SecureString 'P@$$w0rd@12345' -AsPlainText -Force
    $Credential = New-Object System.Management.Automation.PSCredential ($VMLocalAdminUser, $VMLocalAdminSecurePassword)
  3. Provide the VM's configuration details and properties.
    $LocationName = "CentralIndia"
    # Existing resource group on Azure
    $ResourceGroupName = "AzureToOnPrem"
    # Define the name and VM size
    $ComputerName = "Windows10"
    $VMName = "Windows10VM"
    $VMSize = "Standard_B1ms"
    # Existing VNet configured with custom DNS
    $NetworkName = "AzureVmNetwork"
    $NICName = "Windows10IP"
    $NICPublicIpName = "Windows10PubIP"
    $SubnetName = "AzureVmSubnet"
  4. Now we create a new public IP address to assign to the VM.
    $PublicIP = New-AzureRmPublicIpAddress -Name $NICPublicIpName -ResourceGroupName $ResourceGroupName -Location $LocationName -Sku Basic -AllocationMethod Dynamic -IpAddressVersion IPv4
  5. Then create a new network security rule to allow inbound connection on RDP port 3389 and set up a network security group with that rule.
    # This rule accepts RDP from any Internet source; narrow -SourceAddressPrefix to your management range where possible
    $AllowRDPRule = New-AzureRmNetworkSecurityRuleConfig -Name Allow-RDP -Description "Allow RDP" -Access Allow -Protocol TCP -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
    $NSG = New-AzureRmNetworkSecurityGroup -Name Windows10-NSG -ResourceGroupName $ResourceGroupName -Location $LocationName -SecurityRules $AllowRDPRule
  6. Now we'll get the properties of the existing VNet "AzureVmNetwork" with custom DNS server configuration and use that to create a new network interface. Please make sure to provide the IP address of your on-premises DNS server.
    $VirtualNetwork = Get-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $NetworkName
    # Pick the subnet defined above by name rather than relying on its position in the VNet
    $Subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $VirtualNetwork
    # -DnsServer sets the custom DNS server for this NIC only; replace the placeholder with your on-premises DNS server IP
    $NetworkInterface = New-AzureRmNetworkInterface -Name $NICName -ResourceGroupName $ResourceGroupName -Location $LocationName -SubnetId $Subnet.Id -NetworkSecurityGroupId $NSG.Id -PublicIpAddressId $PublicIP.Id -DnsServer "<IP of on-premises DNS server>"
  7. After setting up the network interface, I'll just provision a new VM with the desired configuration and properties, including the new network interface.
    $VirtualMachine = New-AzureRmVMConfig -VMName $VMName -VMSize $VMSize
    $VirtualMachine = Set-AzureRmVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $ComputerName -Credential $Credential -ProvisionVMAgent -EnableAutoUpdate
    $VirtualMachine = Add-AzureRmVMNetworkInterface -VM $VirtualMachine -Id $NetworkInterface.Id
    $VirtualMachine = Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName 'MicrosoftWindowsDesktop' -Offer 'Windows-10' -Skus 'RS3-Pro' -Version Latest
    New-AzureRmVM -ResourceGroupName $ResourceGroupName -Location $LocationName -VM $VirtualMachine -Verbose
  8. This will launch a new VM in AzureRM in a few minutes.
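The steps above set the DNS server on a brand-new NIC. The following is an added example (not code from the original article) that applies the same custom DNS setting to an existing VNet or to a single existing NIC with AzureRM PowerShell and then restarts the VM, which the article notes is required for the change to take effect. Resource names match the article's variables; the DNS IP is a placeholder for your on-premises DNS server.

```powershell
# Added example: set a custom DNS server on an existing VNet or NIC, then restart the VM.
$ResourceGroupName = "AzureToOnPrem"
$NetworkName       = "AzureVmNetwork"
$NICName           = "Windows10IP"
$VMName            = "Windows10VM"
$OnPremDnsServer   = "<IP of on-premises DNS server>"   # placeholder, not a real address

# Option A: VNet level. Every NIC in the VNet inherits this resolver.
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $NetworkName
if (-not $vnet.DhcpOptions) {
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers.Clear()
$vnet.DhcpOptions.DnsServers.Add($OnPremDnsServer)
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Option B: NIC level. Overrides the VNet setting for this one VM only.
$nic = Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NICName
$nic.DnsSettings.DnsServers.Clear()
$nic.DnsSettings.DnsServers.Add($OnPremDnsServer)
Set-AzureRmNetworkInterface -NetworkInterface $nic | Out-Null

# Neither change is picked up by the guest until the VM restarts.
Restart-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName

# Confirm what the NIC now advertises to the guest.
(Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NICName).DnsSettings.DnsServers
```

Use only the option you need; if both are set, the NIC-level list wins for that VM.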

Join the Azure VM to the on-premises Active Directory domain

We've established a site-to-site VPN connection and configured a custom DNS server on our newly provisioned Azure VM. So now we'll go ahead and join the Azure VM to the on-premises Active Directory in a few simple steps. There are multiple ways to achieve this, but I'll mention just a few here:

  1. By manually remote logging into the VM:
     Go to System Properties, click Change, provide the domain name, and enter the credentials when prompted.

Joining a domain manually

  2. Using PowerShell:
     The following code sample joins a machine to the domain. You can execute it locally on the VM or remotely through PowerShell Remoting or a VM extension.

     $SecurePWd = ConvertTo-SecureString 'P@$$w0rd@12345' -AsPlainText -Force
     $DomainJoinCred = New-Object System.Management.Automation.PSCredential ("administrator", $SecurePWd)
     Add-Computer -DomainName "DomainName" -Credential $DomainJoinCred
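The join only succeeds if the DC locator SRV query described in the "Configure a custom DNS server" section resolves through the custom DNS server and the domain controller is reachable across the VPN. The following added example (not from the original article) runs on the Azure VM, checks both of those before calling Add-Computer, and prompts for the join credential instead of embedding a plaintext password. The domain name and OU path are placeholders.

```powershell
# Added example: verify DC discovery and connectivity, then join the on-premises domain.
$DomainName = "corp.example.com"                        # placeholder: your AD DNS domain name
$OUPath     = "OU=AzureVMs,DC=corp,DC=example,DC=com"    # placeholder: target OU (optional)

# 1. DC locator: the SRV record a client queries to find a domain controller.
#    It is answered only if the NIC/VNet DNS setting points at the on-premises DNS server.
$answer = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$dcs = $answer | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget
if (-not $dcs) { throw "No SRV records for $DomainName; check the custom DNS server and the VPN." }
Write-Host "Domain controllers found: $($dcs -join ', ')"

# 2. Ports a domain join uses; they must be allowed through the VPN/gateway towards the DCs.
#    RPC (135) also needs the dynamic range 49152-65535, which is not tested here.
$ports = 53, 88, 135, 389, 445, 464, 636, 3268
$dc = $dcs[0]
$blocked = @()
foreach ($p in $ports) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Host ("{0}:{1,-5} {2}" -f $dc, $p, $(if ($ok) { 'open' } else { 'BLOCKED' }))
    if (-not $ok) { $blocked += $p }
}
if ($blocked) { throw "Ports blocked towards $dc : $($blocked -join ', ')" }

# 3. Join with an account permitted to create computer objects in the OU; the password is prompted, not stored.
$DomainJoinCred = Get-Credential -Message "Account allowed to join computers to $DomainName"
Add-Computer -DomainName $DomainName -OUPath $OUPath -Credential $DomainJoinCred -Force -Restart
```

After the reboot, `(Get-CimInstance Win32_ComputerSystem).PartOfDomain` returns True when the join completed.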


In AzureRM it is fairly simple to create a site-to-site VPN and provision a VM with a network interface configured with the IP address of an on-premises DNS server. This allows the VM to query the domain controllers of the on-premises Active Directory and join the domain set up in the on-premises infrastructure.

  1. Sanket Gupta 4 years ago

    I was desperately looking for an article on joining an Azure VM to on-prem AD. This blog provided me a step-by-step guide and solved my trouble. Many thanks!

    Subscribing to get more tech stuff on Azure & PowerShell.

    • Author

      Thank you Sanket!

    • kamran 2 years ago

      I have a site-to-site VPN set up and custom DNS set up, but I am unable to join the on-prem domain. What things should I look at to troubleshoot?


  2. umesh mane 4 years ago

    What ports need to be opened on the on-prem network gateway devices in order to carry out the domain joining process?

    • umesh mane 4 years ago

      Port TCP/UDP 53 for DNS queries

  3. mike 4 years ago

    Doesn't the PS code above only create the computer account in the domain? Don't you still need to either manually add the computer to the domain as shown in #1 or run some script to add the computer, which would match it to the account?

    Do you have a way to add a new Azure computer to the domain that has not been logged in to? Using the jsonAddAdComputer Azure extension only seems to work after the computer has been logged in to using a local account. I need to be able to build a new Azure VM, join it to the domain, and push some apps to it with no user interaction. I am stuck on getting it to add to the domain.


    • There are multiple ways to achieve this. Azure Automation with xDSCDomainJoin module is the recommended solution.

      • Curibe 3 years ago

        Can you further elaborate?

  4. Lassaad TOUKABRI 4 years ago

    Excellent, Thank You

  5. Matt 4 years ago

    You rock Prateek. Thanks man. Adjusting DNS at vNET level AND network interface level did the trick. Thanks again, Matt

  6. Martin 4 years ago

    Hi! Is this on-prem AD synced with your subscription's directory? Or are they different?


    • The steps in the article can be implemented irrespective of whether the on-premises AD is synced with Azure AD or not.


© 4sysops 2006 - 2023