Join script fails for VM that needs to join a Domain Controller over a IPSec VPN

Copper Contributor

My current topology is the following:

My on-premise site has the DC (which is also used as a DNS server), said DC has AzureConnect enabled as well and syncs often.


My Azure site has a different segment of IPs and my DNS servers have been modified so that the VMs resolve addresses with help of my local DC.

I have setup a VPN between sites correctly (I know this because I have done several failover and failback tests that require it).


Provisioning is failing, and I am using a local identifier for my UPN field.  That's @domain.local instead of


I don't know what I'm doing wrong, everything should be fine, here's a screen of what the console says:

Screenshot from 2019-05-23 16-47-13.png

4 Replies



"Provisioning is failing, and I am using a local identifier for my UPN field. That's @domain.local instead of"


Are you using AD Sync? The provisioning doesn't seems to require the UPN of an Azure AD identity. If you are using ADSync then use the .com account and when it joins the domain it should find the associated user on the .local .

@WookieGTBI've tried both ways. It also fails when the identifier is

Hi @ralfAlfa ,


Did you set the DNS servers correctly in your VNET on Azure? It should point to your DC on-prem. Otherwise, your newly deployed VMs will not be able to resolve your Domain Name, and cause this joining error

@michawetsYes, I did change the DNS server.  I tried a different solution and am now able to create a host pool through Az powershell.  I'm getting errors as well, but they are not related to this thread anymore.  For example, only admin users can start a session amongst other things.