1. Domain Join the Client VM:
1. To join the VM to the domain, it must be on the same network as the Domain Controller (DC). In the previous blog, we configured DHCP services on our DC VM, and as a result, the Client VM automatically received its IP address from the DC, instead of requiring manual IP assignment.
2. Press Win + R to open the Run dialog, type sysdm.cpl, and hit Enter. This opens the System Properties.
3. Click Change.
4. Select Domain and enter the domain name "cloudazure.local". Hit OK.
5. Enter the credentials. Click OK.
6. Click OK.
7. Click OK.
2. Moving the Computer Object:
1. This will place the computer object of the Client VM into the default Computers OU. Ideally, it should have been placed in a specific OU using a PowerShell command, but I wanted to demonstrate that computer objects can be moved from one OU to another. So now, we’ll move the computer object from the Computers OU to the OnPrem Devices OU.
2. Right-click the computer object and select ‘Move’.
3. Move to OnPrem Devices OU. Click OK.
4. Now, the computer object for the Client VM appears in the desired OU.
3. Enabling Remote Access for the Service Account:
1. Navigate to the Client VM.
2. We add the Admin security group to the local Remote Desktop Users group, so that its members are allowed to connect to the machine via Remote Desktop, and to the local Administrators group, so that they have the elevated privileges needed for administrative tasks on the machine.
3. Press Win + R to open the Run dialog.
4. Type lusrmgr.msc and hit Enter.
5. Navigate to Groups → Remote Desktop Users → Add the Admin security group. Hit Apply.
6. Navigate to Groups → Administrators → Add the Admin security group. Hit Apply.
7. Restart the Client VM.
4. Install RSAT (Remote Server Administration Tools):
1. On the Client VM, you are now logged in with the Service Account.
2. Go to Settings → System.
3. Go to Optional features → Add a feature.
4. I have selected the two RSAT features shown below.
5. They have been added successfully.
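Sections 1 to 4 as a single script (an added example, not code from the original post), which also does what section 2 says would be ideal: it creates the computer object in the target OU at join time with -OUPath instead of moving it afterwards. Assumed or placeholder values not stated in the post are the OU's distinguished name, the NetBIOS domain name CLOUDAZURE, the Admin security group's name, and which two RSAT features were selected.

```powershell
# Added example, not code from the original post: the scripted equivalent of steps 1-4.
# Dot-source this file in an elevated Windows PowerShell 5.1 console on the Client VM
# (Add-Computer and the *-LocalGroupMember cmdlets are not in PowerShell 7) and call
# one function per logon, in order: Join-ClientToDomain, then Grant-AdminGroupLocalAccess
# after the reboot, then Install-RsatTools once logged on as the service account.
# Placeholders/assumptions not stated in the post: the OU distinguished name, the NetBIOS
# domain name CLOUDAZURE, the Admin security group's name, and the two RSAT features.
$DomainName = 'cloudazure.local'
$TargetOU   = 'OU=OnPrem Devices,DC=cloudazure,DC=local'   # assumed DN of the OnPrem Devices OU
$AdminGroup = 'CLOUDAZURE\<AdminSecurityGroup>'             # placeholder for the Admin security group

# Steps 1 and 2: join the domain and create the computer object directly in the target OU,
# so it never lands in the default Computers container and no later move is needed.
function Join-ClientToDomain {
    $JoinCred = Get-Credential -Message 'Account allowed to join computers to the domain'
    Add-Computer -DomainName $DomainName -OUPath $TargetOU -Credential $JoinCred -Force -Restart
}

# Step 3: give the domain group RDP access and local admin rights. Add-LocalGroupMember
# errors if the member is already present, so check first; print the result for the change record.
function Grant-AdminGroupLocalAccess {
    foreach ($LocalGroup in 'Remote Desktop Users', 'Administrators') {
        $AlreadyMember = Get-LocalGroupMember -Group $LocalGroup |
                         Where-Object { $_.Name -eq $AdminGroup }
        if (-not $AlreadyMember) {
            Add-LocalGroupMember -Group $LocalGroup -Member $AdminGroup
        }
        Get-LocalGroupMember -Group $LocalGroup |
            Select-Object @{ n = 'LocalGroup'; e = { $LocalGroup } }, Name, PrincipalSource
    }
    Restart-Computer -Force
}

# Step 4: install the RSAT features. The two capabilities are an assumption based on
# section 5, which tests dsa.msc (AD DS tools) and GPO creation/linking (Group Policy tools).
function Install-RsatTools {
    $Capabilities = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0',
                    'Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0'
    foreach ($Cap in $Capabilities) {
        if ((Get-WindowsCapability -Online -Name $Cap).State -ne 'Installed') {
            Add-WindowsCapability -Online -Name $Cap | Out-Null
        }
    }
    # Confirm the installed state rather than trusting the wizard's success message.
    Get-WindowsCapability -Online -Name 'Rsat.*' |
        Where-Object State -eq 'Installed' | Select-Object Name, State
}
```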
5. Testing:
1. The service account has only the required permissions to create/delete computer objects and to create and link GPOs within the AVD OU. For more details on how the permissions were granted, please refer to the Active Directory blog: https://www.azuretechlead.com/2025/06/active-directory-tutorial-for-admins.html
5.1 Domain Joining access on a Specific OU:
1. Press Win + R to open the Run dialog.
2. Type dsa.msc and hit Enter.
3. Only in the AVD OU does the service account get the option for New → Computer.
4. For reference, the service account does not get the 'New → Computer' option in any other OU.
5.2 Create and Link GPO on a Specific OU:
1. Press Win + R to open the Run dialog.
2. Type dsa.msc and hit Enter.
3. Only in the AVD OU does the service account get the options for Creating and Linking the GPO.
4. For reference, the service account does not get either of those options in any other OU—they are greyed out.