Error joining Azure VM AD to on_prem AD through VPN

Copper Contributor

Good morning,

I am trying to extend AD to Azure.  I did this, starting in Azure, by creating a Virtual Network, a  class 16 subnet (, a virtual Gateway, a local Gateway, an Azure Public IP Address, a connection, and a VM with a NIC in the Azure Platform (to be used for an ADDS server in the cloud).  


I created a Hyper-V lab with AD01 and WS01 with I also did the following:

     - Configured AD Sites and Services for Azure Site wtih Azure Subnet (

     - I then added RRAS to my AD01.  

     - I configured all the Azure resources I needed and assigned the GW its own subnet (

     - I created a new interface in RRAS to connect the VPN tunnel and connected both of them.  

           THAT part worked just fine.

     - Once the VPN was connected, I created a VM in Azure for AD, called AD02.  

          I set AD02 to have a DNS Address to match AD01.

     -  I added ADDS to AD02 and went to promote the DC, but it failed to join the domain, because of the 


                 "Active Directory Installation Wizard
                   The wizard cannot access the list of domains in the forest. The error is:
                   The network path was not found."


I can resolve out to the on_prem DNS Server from inside Azure.  I joined the local WS01 to the domain on_prem, so I know the SRV records are correct and the domain join functionality is present.  It almost seems like there are ports being blocked or packets being dropped.


Only other bit of info is that this is on a home network, behind a modem/router/firewall, with in the DMZ on the firewall and the VPN connection is not terminated at the modem/router/firewall/but at the RRAS Server (AD01).


Abstract of network attached.


Anyone have any thoughts?

7 Replies

Hi Kurt,


can you please check if you able to Telnet 53 port and 137 Port? 



Sunit Patil

I can telent to port 53 from Azure AD01 to on_prem DC01.  I cannot telnet to port 137.


However, I turned off NetBIOS in the NIC on DC01 per some instructions I read.


Let me turn it back on and see if that resolves the telnet to 137 issue.


best response confirmed by Kurt Johnson (Copper Contributor)

Hi Kurt,


Having said you created AD Sites and services. Did you put the Azure AD01 into another site you created on-prem.?

Well, yes.  About that.  A couple things.  First, I DID create a Site, I assigned the appropriate subnet, but I did NOT assign the server.  Because there was no server called AD01 joined to the domain at the time I created the site.


Second, I did NOT try to join AD01 to the domain before I tried to install ADDS and DCPROMO it up.  Why not?  Dunno, just didn't.  So, I blew away that server and re-created it.  I joined it tothe domain first (it worked), then I ran ADDS, then I DCPROMO'd it up, and BOOM!   New AD DC and DNS Server.  I added the DNS Server address hosted in Azure to the Virtual Network, rebooted both servers to get the new DNS adddress listed in the NICs, then... couldn't replicate from Azure to on_prem.


THEN I added the AD01 server to the Site I created in AD Sites and Services.  At which point everything replicated and I became a happy camper.  So, excellent point, JIDE, thank you.


While I fixed this issue myself, I will give you both credit as both of you addressed 2 separate but valid issues you cna have while trying to join across a VPN.


Thank you both for responding.



Apparently I cannot have TWO best answers.  Ah well.

@Kurt Johnson 

Good day. I have an ON-Prem environment running on a Hyper-V Hyper Visor (Windows Server 2019) with two network adapters. One for Internet and one from my firewall (Fortigate)

I created a Domain on Prem and synchronized it with AD Connect to Office 365 for my users etc. I also synced my custom domain to Office 365 and on prem.

I then created a site to site VPN to Azure from on Prem and it is connected, my goal is to join the Windows 10 Client I created in Azure to my on prem domain but I cannot due to DNS settings. I am able to ping the domain controller, its ip address and do a nslookup and vice versa. My site to site vpn in the firewall has nat enabled.

My Azure environment has two virtual networks that are peered to each other. One VNET has the VPN created in it, the other one is in another region because I could not deploy reseources or vms in my VPN region (South Africa North) so I had to peer it for my vm to get connected. Please assist. 

On prem configs: 

IP Address:

DNS Server:

No DHCP, cause its connected to my on prem networjk

Azure environment: VNET DNS SERVERS:

client vm ip :


I have SVR records and DNS installed on prem but stilll cant get client to connect to my domain. Please assist


The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "YASEEN-DC.YASEEN.LOCAL":

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc._msdcs.YASEEN-DC.YASEEN.LOCAL

Common causes of this error include the following:

- The DNS SRV records required to locate a AD DC for the domain are not registered in DNS. These records are registered with a DNS server automatically when a AD DC is added to a domain. They are updated by the AD DC at set intervals. This computer is configured to use DNS servers with the following IP addresses:

- One or more of the following zones do not include delegation to its child zone:

. (the root zone)




PS C:\Users\yaseen.abrahams> ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.
PS C:\Users\yaseen.abrahams>  Get-DnsClientServerAddress

InterfaceAlias               Interface Address ServerAddresses
                             Index     Family
--------------               --------- ------- ---------------
Ethernet                             5 IPv4    {,}
Ethernet                             5 IPv6    {}
Loopback Pseudo-Interface 1          1 IPv4    {}
Loopback Pseudo-Interface 1          1 IPv6    {fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3}

PS C:\Users\yaseen.abrahams> Resolve-DNSName yaseen.local

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
yaseen.local                                   A      600   Answer
yaseen.local                                   A      600   Answer

PS C:\Users\yaseen.abrahams> Resolve-DNSName _ldap._tcp.dc._msdcs.yaseen.local

Name                        Type TTL   Section    PrimaryServer               NameAdministrator           SerialNumber
----                        ---- ---   -------    -------------               -----------------           ------------
yaseen.local                SOA  3600  Authority  yaseen-dc.yaseen.local      hostmaster.yaseen.local     45