{"id":3194,"date":"2022-02-14T17:27:22","date_gmt":"2022-02-14T23:27:22","guid":{"rendered":"https:\/\/microsoftgeek.com\/?p=3194"},"modified":"2022-02-14T17:27:22","modified_gmt":"2022-02-14T23:27:22","slug":"how-to-deploy-a-domain-controller-on-microsoft-azure","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=3194","title":{"rendered":"How to deploy a Domain Controller on Microsoft Azure"},"content":{"rendered":"\n<p>Active Directory is the heart of your network. The domain controllers of your Active Directory domain provide the core on-premises services (Kerberos, LDAP, DNS, \u2026) and are probably extended to the cloud through Azure AD Connect. If you run only one, that domain controller is a single point of failure: when it is down, nobody can authenticate. That is why you should always have&nbsp;<strong>2 or more domain controllers<\/strong>&nbsp;in an Active Directory domain (preferably on different hardware, and ideally in different locations).<\/p>\n\n\n\n<p>Deploying an extra domain controller on Microsoft Azure is an easy way to make your Active Directory domain&nbsp;<em>highly available<\/em>&nbsp;and avoid many problems.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>This article focuses on deploying a domain controller on Azure. 
For guidelines on designing the entire architecture as recommended by Microsoft, check the&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/architecture\/\" target=\"_blank\" rel=\"noreferrer noopener\">Azure Architecture Center<\/a>.<\/p><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"requirements\">Requirements<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>An Azure AD tenant with an active subscription.<\/li><li>A virtual network in Azure whose address space doesn\u2019t overlap with your on-premises network.<\/li><li>Permanent private connectivity between your on-premises domain controller and Microsoft Azure (Azure VPN Gateway, ExpressRoute or an NVA). Domain controllers must never replicate or serve clients over the public internet.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"test-your-on-premises-domain-controller\">Test Your On-Premises Domain Controller<\/h2>\n\n\n\n<p>Before deploying an extra domain controller it\u2019s wise to test the health of the current environment: a new domain controller replicates whatever is already broken. Below are some checks you can do (don\u2019t forget about DNS!). Existing problems must be fixed before continuing.<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Analyse your Active Directory (Directory Service) and DNS Server event logs.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/logs-1024x280.jpg\" alt=\"\" class=\"wp-image-464\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Test your domain controller health with&nbsp;<strong>dcdiag \/s:dcName<\/strong><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/dctest.jpg\" alt=\"\" class=\"wp-image-465\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Test DNS with&nbsp;<strong>dcdiag \/s:dcName \/test:dns<\/strong><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/dnsTest.jpg\" alt=\"\" class=\"wp-image-466\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>If you already have more than one domain controller, check that replication is healthy with&nbsp;<strong>repadmin \/replsummary<\/strong>&nbsp;before adding another one.<\/li><\/ul>\n\n\n\n<h2 
class=\"wp-block-heading\" id=\"deploy-a-virtual-machine\">Deploy A Virtual Machine<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li>Navigate to&nbsp;<strong>https:\/\/portal.azure.com<\/strong>&nbsp;and sign in with a user that has sufficient permissions (Contributor on the target resource group is enough; don't use a Global Administrator account for day-to-day deployments).<\/li><li>Create a new&nbsp;<strong>Windows Server<\/strong>&nbsp;<strong>resource<\/strong>. I recommend using Windows Server 2019.<\/li><li>Enter all basic information and don't forget about the&nbsp;<strong>availability options.<\/strong>&nbsp;<strong>Don't use a spot VM to save costs<\/strong>: a spot VM can be evicted at any time, and a domain controller should always be online.<\/li><\/ol>\n\n\n\n<p><strong><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-machines\/windows\/manage-availability\" target=\"_blank\" rel=\"noreferrer noopener\">When deploying multiple domain controllers in Azure, each of them should be in a different availability zone or in the same availability set.<\/a><\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/availabilityZone.jpg\" alt=\"\" class=\"wp-image-467\"\/><\/figure>\n\n\n\n<p>By default,&nbsp;<strong>allow selected ports<\/strong>&nbsp;is enabled to allow RDP (3389) from the internet. For security reasons, set this option to&nbsp;<strong>none<\/strong>: a domain controller with RDP exposed to the internet is a standing target for password spraying and brute-force attacks. If required, a network security group can be attached to the subnet or the VM afterwards to allow only the ports you need, and only from the address ranges you trust.&nbsp;<strong>I recommend attaching NSGs to subnets.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/NSG.jpg\" alt=\"\" class=\"wp-image-468\"\/><\/figure>\n\n\n\n<ol class=\"wp-block-list\" start=\"4\"><li>Click&nbsp;<strong>Next<\/strong>&nbsp;to configure VM disks.<\/li><\/ol>\n\n\n\n<p><strong>A single VM with Standard HDD disks has an SLA of 95%, with Standard SSD disks 99.5%, and with Premium SSD (or Ultra Disk) on all OS and data disks 99.9%. Two or more VMs in the same availability set get 99.95%, and VMs spread over availability zones 99.99%.<\/strong>&nbsp;<strong>I recommend using premium disks for your domain controller.<\/strong><\/p>\n\n\n\n<p><strong>Add a second (premium SSD) data disk with host caching set to None. This disk will contain the AD database (NTDS.dit), the log files and the SYSVOL folder.<\/strong> AD DS expects a database write to be durable once the disk acknowledges it; a cached disk can acknowledge the write before it reaches durable storage, which risks a corrupted database after an unexpected shutdown. Never put these folders on the temporary disk (D:), which is wiped when the VM is redeployed. A disk of 8 GB is sufficient for a small domain.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/disk.jpg\" alt=\"\" class=\"wp-image-469\"\/><\/figure>\n\n\n\n<ol class=\"wp-block-list\" start=\"5\"><li>Click&nbsp;<strong>Next<\/strong>&nbsp;to configure networking. Attach the VM to your existing vNet that is connected to your on-premises domain.&nbsp;<strong>As Microsoft recommends, don't assign a public IP address to your virtual machine<\/strong>; use a VPN or&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/azure.microsoft.com\/nl-nl\/services\/azure-bastion\/\" target=\"_blank\">Azure Bastion<\/a>&nbsp;to connect to the machine. 
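<\/li><\/ol>\n\n\n\n<p>The NSG and static-IP configuration from this step and from the Configure IP Settings section, as an added Az PowerShell example (not code from the original post). The resource group, vNet, subnet, NIC name, address ranges and the DC address are assumptions; replace them with your own. It allows only the ports a domain controller needs, only from the on-premises range and the Azure vNet, allows RDP only from the Azure Bastion subnet, explicitly denies everything else to the DC, attaches the NSG to the subnet rather than to the NIC, and reserves the private IP on the Azure network interface rather than inside the guest.<\/p>\n\n\n\n
```powershell
# Added example, not code from the original post. Requires the Az module
# (Install-Module Az; Connect-AzAccount). Every name and range below is an assumption.
$rg      = 'rg-identity'
$vnet    = 'vnet-hub'
$subnet  = 'snet-dc'
$nic     = 'nic-dc01'
$onPrem  = '10.0.0.0\/16'        # on-premises range reachable over VPN\/ExpressRoute
$azure   = '10.10.0.0\/16'       # address space of the Azure vNet
$bastion = '10.10.250.0\/26'     # AzureBastionSubnet
$dcIp    = '10.10.1.4'           # private IP reserved for the new DC

# Ports a domain controller must accept from clients and from other DCs.
$adTcp = @('53','88','135','389','445','464','636','3268','3269','49152-65535')
$adUdp = @('53','88','123','389','464')

function New-DcRule {
    param([string]$Name, [int]$Priority, [string]$Protocol, [string]$Source,
          [string[]]$Ports, [string]$Access = 'Allow')
    $p = @{
        Name = $Name; Priority = $Priority; Direction = 'Inbound'; Access = $Access
        Protocol = $Protocol; SourceAddressPrefix = $Source; SourcePortRange = '*'
        DestinationAddressPrefix = $dcIp; DestinationPortRange = $Ports
    }
    New-AzNetworkSecurityRuleConfig @p
}

# Allow AD traffic only from the two trusted ranges, RDP only from Bastion, ICMP for the
# ping test, and deny everything else to the DC. The explicit deny matters: the built-in
# AllowVnetInBound rule (priority 65000) would otherwise admit any source that reaches the
# vNet through the VPN gateway.
$rules = @(
    New-DcRule -Name 'allow-ad-tcp-onprem' -Priority 100 -Protocol Tcp -Source $onPrem -Ports $adTcp
    New-DcRule -Name 'allow-ad-udp-onprem' -Priority 110 -Protocol Udp -Source $onPrem -Ports $adUdp
    New-DcRule -Name 'allow-ad-tcp-azure'  -Priority 120 -Protocol Tcp -Source $azure  -Ports $adTcp
    New-DcRule -Name 'allow-ad-udp-azure'  -Priority 130 -Protocol Udp -Source $azure  -Ports $adUdp
    New-DcRule -Name 'allow-rdp-bastion'   -Priority 200 -Protocol Tcp -Source $bastion -Ports '3389'
    New-DcRule -Name 'allow-icmp-onprem'   -Priority 300 -Protocol Icmp -Source $onPrem -Ports '*'
    New-DcRule -Name 'deny-all-to-dc'      -Priority 4000 -Protocol '*' -Source '*' -Ports '*' -Access Deny
)
$location = (Get-AzResourceGroup -Name $rg).Location
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name 'nsg-dc' -SecurityRules $rules

# Attach the NSG to the subnet rather than to the NIC, as recommended above.
$vn = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnet
$sn = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vn -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vn -Name $subnet -AddressPrefix $sn.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vn | Set-AzVirtualNetwork | Out-Null

# Reserve the private IP on the Azure network interface; the guest OS stays on DHCP.
$n = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nic
$n.IpConfigurations[0].PrivateIpAllocationMethod = 'Static'
$n.IpConfigurations[0].PrivateIpAddress = $dcIp
$n | Set-AzNetworkInterface | Out-Null

# Check what the DC actually sees: only the rules above plus the Azure defaults.
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName $nic |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Format-Table Name, Direction, Access, Priority, Protocol, SourceAddressPrefix, DestinationPortRange
```
\n\n\n\n<ol class=\"wp-block-list\" start=\"5\"><li>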
Again, I'll apply NSGs to my subnet if required.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/network.jpg\" alt=\"\" class=\"wp-image-471\"\/><\/figure>\n\n\n\n<ol class=\"wp-block-list\" start=\"6\"><li>Finish all steps to create the virtual machine.&nbsp;<strong>Don't enable 'Login with AAD credentials'<\/strong>&nbsp;(the Azure AD login extension is not supported on domain-joined machines, let alone on a domain controller)&nbsp;<strong>or 'Auto-shutdown'<\/strong>&nbsp;(it would take your domain controller offline every evening).<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configure-ip-settings\">Configure IP Settings<\/h2>\n\n\n\n<p>The virtual machine must have a&nbsp;<strong>static IP address, and until the promotion is done its primary DNS server must point to the on-premises domain controller<\/strong>&nbsp;so it can locate the domain.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"static-ip-address\">Static IP Address<\/h3>\n\n\n\n<ol class=\"wp-block-list\"><li>Click on the&nbsp;<strong>network interface<\/strong>&nbsp;of your new virtual machine.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/nick-1024x294.jpg\" alt=\"\" class=\"wp-image-473\"\/><\/figure>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\"><li>Select&nbsp;<strong>IP configurations<\/strong>&nbsp;and click on the IP config to change the IP settings.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/ipsettings-1024x551.jpg\" alt=\"\" class=\"wp-image-474\"\/><\/figure>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\"><li>Select&nbsp;<strong>Static<\/strong>&nbsp;and configure the IP address. <strong>
Don't forget to click save<\/strong>; a reboot may be required.&nbsp;<strong>Never configure the static IP address inside the guest OS as you would on-premises.<\/strong> The Azure fabric hands the reserved address to the VM through DHCP; a guest-side static address that ever differs from the NIC configuration cuts the VM off the network.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/static.jpg\" alt=\"\" class=\"wp-image-475\"\/><\/figure>\n\n\n\n<ol class=\"wp-block-list\" start=\"4\"><li>Test if you can ping the VM from your on-premises domain controller and the other way around (ICMP must be allowed by your NSG and by the Windows firewall on both sides). If this isn't working you can try the&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/azure.microsoft.com\/nl-nl\/services\/network-watcher\/\" target=\"_blank\">Network Watcher for troubleshooting<\/a>.<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"dns-servers\">DNS Servers<\/h3>\n\n\n\n<p>DNS servers can be configured on the virtual network or on the network interface of the virtual machine. If configured on the vNet, everything connected to this network inherits these settings (you probably want this); a DNS setting on a network interface overrides the vNet setting for that interface.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Click on your virtual network to edit its settings.<\/li><li>Select DNS and configure a custom DNS server (your on-premises domain controller).<\/li><li>Don't forget to click&nbsp;<strong>save<\/strong>&nbsp;and&nbsp;<strong>reboot the virtual machine<\/strong>&nbsp;(or run&nbsp;<strong>ipconfig \/renew<\/strong>&nbsp;inside it) so the guest picks up the new DNS servers.<\/li><\/ol>\n\n\n\n<p><strong>After adding the AD DS role to the new VM we'll come back to this page to change the DNS settings once more.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/DNS-settings-1024x603.jpg\" alt=\"\" class=\"wp-image-477\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"active-directory-sites-services\">Active Directory Sites &amp; Services<\/h2>\n\n\n\n<p>It's important to create&nbsp;<strong>a new site with a corresponding subnet&nbsp;<\/strong>that will contain your new domain controller. Clients use the subnet-to-site mapping to find a domain controller in their own site first, so a missing or wrong subnet can send on-premises clients across the VPN to the Azure DC (slow logons, Group Policy timeouts) or the other way around.&nbsp;<strong>If your on-premises subnet isn't visible here you should create this one too!<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Open&nbsp;<strong>Active Directory Sites &amp; Services on your on-premises domain controller<\/strong>.<\/li><li>Right click&nbsp;<strong>Sites<\/strong>&nbsp;and select&nbsp;<strong>New Site<\/strong>.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/newsite.jpg\" alt=\"\" class=\"wp-image-479\"\/><\/figure>\n\n\n\n<ol class=\"wp-block-list\" start=\"3\"><li>Name your new site and link it to the DEFAULTIPSITELINK. Click&nbsp;<strong>OK<\/strong>&nbsp;to complete.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/newobject.jpg\" alt=\"\" class=\"wp-image-480\"\/><\/figure>\n\n\n\n<ol class=\"wp-block-list\" start=\"4\"><li>Right click&nbsp;<strong>Subnets&nbsp;<\/strong>and select&nbsp;<strong>New Subnet<\/strong>.<\/li><li>Enter the correct&nbsp;<strong>prefix<\/strong>&nbsp;(the Azure subnet that contains your virtual machine) and&nbsp;<strong>link it to the new site<\/strong>.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/subnet.jpg\" alt=\"\" class=\"wp-image-481\"\/><\/figure>\n\n\n\n<ol class=\"wp-block-list\" start=\"6\"><li>Click&nbsp;<strong>OK&nbsp;<\/strong>to complete. 
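<\/li><\/ol>\n\n\n\n<p>The site and subnet objects from steps 1 to 6, created from the on-premises domain controller with the ActiveDirectory PowerShell module, as an added example (not code from the original post). Site names and prefixes are assumptions. It adds the Azure site to DEFAULTIPSITELINK, creates the Azure subnet, creates the on-premises subnet if it is missing, and ends with the check that matters: every subnet maps to a site, and every domain controller sits in the site you expect.<\/p>\n\n\n\n
```powershell
# Added example, not code from the original post. Run on the on-premises DC as a member of
# Enterprise Admins (sites and subnets live in the configuration partition). Site names and
# prefixes are assumptions.
Import-Module ActiveDirectory

$azureSite    = 'Azure-WestEurope'
$azureSubnet  = '10.10.1.0\/24'             # Azure subnet that holds the new DC
$onPremSite   = 'Default-First-Site-Name'
$onPremSubnet = '10.0.1.0\/24'              # on-premises subnet that holds the existing DC

# 1. The Azure site (steps 2 and 3).
if (-not (Get-ADReplicationSite -Filter { Name -eq $azureSite })) {
    New-ADReplicationSite -Name $azureSite -Description 'Domain controllers in Azure'
}

# 2. Add it to the default site link so the KCC builds a replication connection across the VPN.
#    15 minutes is a deliberate choice here; the default interval is 180 minutes.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $azureSite } -ReplicationFrequencyInMinutes 15

# 3. Map both subnets to their sites (steps 4 to 6); create the on-premises one if it is missing.
$map = @{ $azureSubnet = $azureSite; $onPremSubnet = $onPremSite }
foreach ($prefix in $map.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter { Name -eq $prefix })) {
        New-ADReplicationSubnet -Name $prefix -Site $map[$prefix]
    }
}

# 4. Checks: every subnet maps to a site, and every DC sits in the site you expect.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADDomainController -Filter * | Select-Object HostName, Site, IPv4Address
```
\n\n\n\n<ol class=\"wp-block-list\" start=\"6\"><li>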
You should end up with two (or more) subnets and two (or more) sites.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/sites.jpg\" alt=\"\" class=\"wp-image-482\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"install-active-directory-domain-services\">Install Active Directory Domain Services<\/h2>\n\n\n\n<ol class=\"wp-block-list\"><li>Start&nbsp;<strong>Add Roles and Features<\/strong>&nbsp;on the Azure VM.<\/li><li>Add the&nbsp;<strong>Active Directory Domain Services<\/strong>&nbsp;role and all necessary features.<\/li><li>Promote this server to a domain controller.<\/li><li>Select&nbsp;<strong>Add a domain controller to an existing domain<\/strong>.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/promote-1.jpg\" alt=\"\" class=\"wp-image-484\"\/><\/figure>\n\n\n\n<ol class=\"wp-block-list\" start=\"5\"><li>Enter your domain name and click&nbsp;<strong>Select<\/strong>. Provide credentials with sufficient permissions (a member of Domain Admins). 
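<\/li><\/ol>\n\n\n\n<p>Steps 5 to 10 of the promotion, the guest DNS reset that follows the reboot, and the repadmin and event log validation from the end of this post, as one added PowerShell example (not code from the original post). Run it on the Azure VM in an elevated PowerShell session; the domain name, site name and data-disk drive letter are assumptions. The script has two parts because the promotion reboots the machine.<\/p>\n\n\n\n
```powershell
# Added example, not code from the original post. Domain name, site name and data-disk
# letter are assumptions. Part 1 runs before the reboot, part 2 after it.

# --- Part 1: run as a member of Domain Admins ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$domain = 'corp.example.com'
$site   = 'Azure-WestEurope'                  # the site created in AD Sites and Services
$data   = 'F:'                                # second premium disk, host caching None
$dsrm   = Read-Host -AsSecureString -Prompt 'DSRM password (store it in your vault)'

$promo = @{
    DomainName                    = $domain
    SiteName                      = $site
    Credential                    = (Get-Credential -Message 'Domain Admin account')
    InstallDns                    = $true
    DatabasePath                  = (Join-Path $data 'NTDS')    # step 8: all paths on the data disk
    LogPath                       = (Join-Path $data 'NTDS')
    SysvolPath                    = (Join-Path $data 'SYSVOL')
    SafeModeAdministratorPassword = $dsrm
    NoRebootOnCompletion          = $false                      # step 10: reboot when done
    Force                         = $true
}
# No -ReplicationSourceDC, so the wizard picks any DC (step 7).
Install-ADDSDomainController @promo

# --- Part 2: run after the reboot ---
# The wizard pointed the guest DNS client at the DC itself. Reset the static servers so the
# DHCP-provided vNet DNS servers apply again. Your session may drop for a moment.
Get-DnsClient | Set-DnsClientServerAddress -ResetServerAddresses
ipconfig \/renew | Out-Null
Get-DnsClientServerAddress -AddressFamily IPv4 | Format-Table InterfaceAlias, ServerAddresses

# Replication and DNS health: every row of replsummary should report 0 fails.
repadmin \/replsummary
repadmin \/showrepl
dcdiag \/test:dns \/test:replications \/test:advertising

# Errors and warnings from the Directory Service and DNS Server logs.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service','DNS Server'; Level = 1,2,3 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, LogName, Id, LevelDisplayName, Message -AutoSize -Wrap
```
\n\n\n\n<ol class=\"wp-block-list\" start=\"5\"><li>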
If you get an error that the wizard can't find your domain, your DNS settings are probably incorrect: at this point the VM must resolve the domain through the on-premises DC.<\/li><li>Select the correct site name (the Azure site you created above) and enter a DSRM password. Store it in your password vault: the Directory Services Restore Mode password is the local administrator password of the DC when the directory is offline, and you need it for restores.<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/settings.jpg\" alt=\"\" class=\"wp-image-485\"\/><\/figure>\n\n\n\n<ol class=\"wp-block-list\" start=\"7\"><li>Replicate from&nbsp;<strong>any domain controller<\/strong>.<\/li><li><strong>Change all paths (database, log files and SYSVOL) to the 8 GB data disk<\/strong>&nbsp;(the one without host caching).<\/li><\/ol>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/paths.jpg\" alt=\"\" class=\"wp-image-486\"\/><\/figure>\n\n\n\n<ol class=\"wp-block-list\" start=\"9\"><li>Leave all other options default or configure as required.<\/li><li>Reboot the virtual machine.<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"validate-dns-settings\">Validate DNS Settings<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"dc-on-azure\">DC on Azure<\/h3>\n\n\n\n<p>When the virtual machine is back online, it probably has static DNS servers configured inside the guest: the promotion wizard points the DNS client at the DC itself.&nbsp;<strong>Change this back to Obtain DNS server address automatically<\/strong>, for both IPv4 and IPv6, so the DNS servers from the virtual network apply again. You may briefly lose the connection to the virtual machine.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/dns.jpg\" alt=\"\" class=\"wp-image-487\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"dc-on-premises\">DC on-premises<\/h3>\n\n\n\n<p>The preferred DNS server of your on-premises domain controller should be the domain controller on Azure. 
The alternate DNS server should point to itself (127.0.0.1). This is the usual rule for domain controllers: another DC first, yourself second, so a DC never depends solely on its own DNS service while it starts up.&nbsp;<strong>All other on-premises servers and clients should keep the on-premises DC as preferred DNS server<\/strong>, otherwise every lookup crosses the VPN.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/DNSonprem.jpg\" alt=\"\" class=\"wp-image-488\"\/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"virtual-network-dns-settings\">Virtual Network DNS Settings<\/h4>\n\n\n\n<p>The first DNS server should be the DC on Azure and the second DNS server should be the DC on-premises. Everything else in the virtual network now resolves locally and falls back to on-premises.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/DNScomplet.jpg\" alt=\"\" class=\"wp-image-489\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"dns-settings-dc-on-azure\">DNS Settings DC on Azure<\/h3>\n\n\n\n<p>On the network interface of the Azure DC (a DNS setting on the interface overrides the vNet setting), the first DNS server should be the&nbsp;<strong>on-premises DC<\/strong>&nbsp;and the second DNS server should be the&nbsp;<strong>DC on Azure<\/strong>: again another DC first, itself second.&nbsp;<strong>Reboot your VM after changing this.<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/dnsazure.jpg\" alt=\"\" class=\"wp-image-490\"\/><\/figure>\n\n\n\n<p>Validate this change on the VM itself by using&nbsp;<strong>ipconfig \/all<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/azurescene.com\/wp-content\/uploads\/2020\/04\/DNScomplete.jpg\" alt=\"\" class=\"wp-image-492\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"azure-ad-connect\">Azure AD Connect<\/h2>\n\n\n\n<p>Don't forget to deploy a second&nbsp;<strong>pass-through authentication agent<\/strong>&nbsp;(on a server in Azure) if you are using pass-through authentication, so that cloud sign-ins survive an on-premises outage. 
When using&nbsp;<strong>password hash synchronization<\/strong>, consider migrating your Azure AD Connect server to Azure as well, because it will probably have a greater uptime\/SLA than your on-premises environment. Wherever it runs, the Azure AD Connect server holds domain credentials and password hashes and must be protected like a domain controller (Tier 0).<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>That's all! Validate the replication with repadmin and the Directory Service event logs to be sure everything is working as expected. Don't forget to back up the VM, with an Active Directory aware, application-consistent backup (Azure Backup supports domain controllers) rather than ad-hoc disk snapshots.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Active Directory is the heart of your network. The domain controllers of your Active Directory domain provide the core on-premises services (Kerberos, LDAP, DNS, \u2026) and are probably extended to the cloud through Azure AD Connect. If you run only one, that domain controller is a single point of failure: when it is down, nobody can authenticate. That is why you should always have&nbsp;2 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69,35],"tags":[],"class_list":["post-3194","post","type-post","status-publish","format-standard","hentry","category-azure","category-cloud-computing"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3194","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3194"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3194\/revisions"}],"predecessor-version":[{"id":3195,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3194\/revisions\/3195"}],"w
p:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}