Hello Umair,
Thank you for posting question on Microsoft Windows Forum.
Based on your issue description as well as the provided error messages, it might indicate that your Azure VM is failing to promote to a domain controller because of a name resolution issue, specifically with DNS. Although your telnet tests confirm basic network connectivity to the on-prem domain controller's essential ports, they do not verify that the Azure VM can successfully resolve the domain's name to the correct IP address. The "LDAP connection could not be made" and "credentials invalid" errors are often symptoms of the VM being unable to find the domain controller to communicate with, causing the promotion process to fail. Also, inbound traffic back to the Azure VM is blocked (RPC dynamic ports, DFSR, or SMB), even though outbound from Azure to on‑prem works.
The following are a few suggested troubleshooting steps for this issue.
1. Verify the Azure VM DNS settings.
- On the VM, ipconfig /all should show your on‑prem DC as primary DNS.
- Make sure the VM’s primary DNS suffix is your AD domain (e.g., contoso.com).
2. Confirm time sync.
- Time skew > 5 minutes can cause “invalid credentials.”
- On both the Azure VM and on‑prem DC, run:
- w32tm /query /status
- w32tm /stripchart /computer:<FQDN of DC name> /samples:5
3. Test DNS SRV records.
- From the Azure VM, run the following commands, replacing contoso.com with your domain name.
- nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.com
- nslookup -type=SRV _kerberos._tcp.contoso.com
- nslookup dc1.contoso.com
- Resolve-DnsName -Type SRV _ldap._tcp.gc._msdcs.contoso.com
- All should resolve to your on‑prem DC(s). If not, fix DNS before anything else.
4. Open the right ports in both directions.
- Telnetting from Azure VM to on‑prem DC only proves outbound from Azure. AD promotion requires the on‑prem DC to initiate RPC sessions back to the Azure VM. Ensure these are allowed from on‑prem → Azure VM on your VPN, firewalls, and Azure NSG, and through Windows Firewall on the VM:
- DNS: TCP/53 and UDP/53
- Kerberos: TCP/88 and UDP/88
- LDAP: TCP/389 (and optionally TCP/636 for LDAPS)
- Global Catalog: TCP/3268 (and optionally TCP/3269 for LDAPS GC)
- SMB: TCP/445
- RPC Endpoint Mapper: TCP/135
- RPC dynamic range: TCP/49152–65535 (Windows Server 2008 and later)
- DFS Replication (SYSVOL): TCP/5722
5. DC Locator Service.
- Sometimes the Azure VM cannot locate the DC properly. Run the command below to see which DC it tries to contact.
- nltest /dsgetdc:yourdomain.local
6. Capture logs for further analysis.
- Logs on the Azure VM:
- C:\Windows\debug\dcpromo.log and dcpromoui.log
- Event Viewer → Directory Service, DNS Server, DFS Replication, System
- On the on‑prem DC: Event Viewer (same logs) around the same timestamps.
- A packet capture on the Azure VM during promotion often reveals blocked inbound RPC (you’ll see 135 followed by attempts to high ports that never complete).
Hope the above information is helpful!
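Here is a small PowerShell script (an added example, not part of the original answer) that runs the DNS, time-sync, outbound-port and DC Locator checks from steps 1 to 5 on the Azure VM and prints a pass/fail table. The domain name, DC FQDN and DNS server IP at the top are assumed placeholders to replace with your own values.

```powershell
# Added example, not from the original answer. Run on the Azure VM before retrying
# the promotion; the three values below are assumptions, replace them with yours.
param(
    [string]$Domain    = 'contoso.com',      # assumed AD DNS name
    [string]$DcFqdn    = 'dc1.contoso.com',  # assumed on-prem DC
    [string]$DnsServer = '10.0.0.10'         # assumed IP of the on-prem DC used for DNS
)
$results = New-Object System.Collections.Generic.List[object]
function Add-Result($Check, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail })
}

# 1. The VM must resolve the DC Locator SRV records through the on-prem DC.
foreach ($rec in "_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain", "_ldap._tcp.gc._msdcs.$Domain") {
    $srv = Resolve-DnsName -Name $rec -Type SRV -Server $DnsServer -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'SRV'
    Add-Result "SRV $rec" $srv ($srv.NameTarget -join ', ')
}

# 2. Kerberos rejects authentication when clock skew exceeds 5 minutes (300 s by default).
try {
    $last = w32tm /stripchart /computer:$DcFqdn /samples:3 /dataonly | Select-Object -Last 1
    $skew = [math]::Abs([double](($last -split ',')[-1] -replace '[^0-9.\-]', ''))
    Add-Result 'Clock skew vs DC' ($skew -lt 300) "$skew s"
} catch { Add-Result 'Clock skew vs DC' $false "w32tm failed: $last" }

# 3. Outbound reachability from the VM to the DC (what the telnet tests already covered).
foreach ($port in 53, 88, 135, 389, 445, 3268) {
    $tnc = Test-NetConnection -ComputerName $DcFqdn -Port $port -WarningAction SilentlyContinue
    Add-Result "Outbound TCP/$port to DC" $tnc.TcpTestSucceeded $tnc.RemoteAddress
}

# 4. DC Locator: which DC the VM actually picks, and whether it finds one at all.
$nl = nltest /dsgetdc:$Domain /force 2>&1
Add-Result 'nltest /dsgetdc' ($LASTEXITCODE -eq 0) (($nl | Select-String 'DC:').Line -join '')

$results | Format-Table -AutoSize

# The inbound direction cannot be proven from the VM itself. Run these on the on-prem DC,
# pointing at the VM, to check the return path for the RPC Endpoint Mapper and SMB:
#   Test-NetConnection -ComputerName <AzureVM FQDN> -Port 135
#   Test-NetConnection -ComputerName <AzureVM FQDN> -Port 445
```

Any row with Pass = False identifies the step to fix first; the SRV rows failing while outbound ports pass is the pattern the answer above describes.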