In this tutorial, we will learn how to deploy an Active Directory domain controller in Microsoft’s Azure cloud. Whether you are creating a new Active Directory domain or adding a domain controller to an existing one, there is real value in hosting a domain controller in Azure, in particular because we can take advantage of the high availability of the cloud.
According to good practices, an Active Directory environment should consist of at least 2 domain controllers. Assuming there is a domain controller on your local infrastructure, it might make sense to look to an Azure VM for the second domain controller.
When creating a virtual machine in Azure, there is the option to assign a public IP address to the VM. I advise you not to enable this option in production. For the domain controller located in Azure to communicate with your on-premises servers, any other domain controllers, and your workstations, you should set up a site-to-site VPN between the two infrastructures (on-premises and Azure).
For use in production, it will be necessary to be vigilant in terms of costs, in particular the costs related to the virtual machine (type of VM, redundancy options, region, type of disks, etc.), but also to the VPN tunnel between the two infrastructures.
In this demonstration, Azure AD is not involved at all, even though we rely on the Azure cloud. What we set up is a Windows Server 2022 server with the “ADDS” role, exactly as one would do on local infrastructure.
II. Create the Azure VM
Let’s start by creating the virtual machine in Azure, from the administration portal: Create > Azure Virtual Machine.
The wizard for creating a new VM starts, with the usual steps: basic options, disks, networking, etc. On the first tab, named “Basics“, there are several basic pieces of information to fill in:
- Subscription : choice of Azure subscription
- Resource group : creation of a resource group for this virtual machine (or use of an existing group)
- Virtual machine name : server name, at the system level and in the Azure console
- Region : Azure region in which to deploy the VM, i.e. the geographical location
- Availability options : VM redundancy in other Azure regions to ensure high availability in case of data center crash. Useful for production
- Security type : choosing “Trusted launch virtual machines” enables vTPM, Secure Boot and integrity monitoring
- Image : the type of operating system, here “Windows Server 2022 Datacenter: Azure Edition – Generation 2“
- Architecture : x64 mandatory for this system
- Size : the type of virtual machine, which determines the amount of RAM and vCPUs – The “Standard_B2s” VM is basic, but sufficient for this type of use in my opinion.
Which gives:
Scroll down the page and define a name for the server’s local administrator account, as well as its password. These credentials will be used later to connect to the server. Make sure to choose “None” for “Public inbound ports“.
Then the “Disks” step appears. A “Standard SSD” is good enough from a performance point of view, but Microsoft recommends it mainly for testing. For production, “Premium SSD” is recommended, at a minimum.
For the network part, you can create a new virtual network if this is a new environment. In my case, the VM is attached to an existing virtual network, “VNET-10.10.0.0-16”, which contains a subnet. Here we are dealing purely with the Azure-side “local network”.
As for the options “Public IP address” and “Public inbound ports“, I recommend choosing “None” to avoid exposing the VM on the Internet. A public IP can be useful at first, but make sure to disable these options afterwards. The goal is for the domain controller to be reachable through the VPN tunnel only.
Configure the other options if necessary, otherwise you can continue until the end. In the end, the virtual machine “AZ-ADDS” is created:
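The same VM definition expressed with the Az PowerShell module, mirroring the portal choices above (Trusted launch with vTPM and Secure Boot, Windows Server 2022 Datacenter Azure Edition Gen2, Standard_B2s, Premium SSD, no public IP and therefore no public inbound ports). This is an added example, not code from the original tutorial: the resource group, region and subnet names are assumptions, and it needs an authenticated session (Connect-AzAccount) and a recent Az.Compute for the -SecurityType parameter and Set-AzVMUefi.

```powershell
# Added example, not part of the original article. Requires: Install-Module Az ; Connect-AzAccount
$rg         = 'RG-ADDS'                  # assumed resource group name
$location   = 'westeurope'               # assumed region
$vmName     = 'AZ-ADDS'                  # VM name used in the article
$vnetName   = 'VNET-10.10.0.0-16'        # existing VNet named in the article
$subnetName = 'SUBNET-10.10.100.0-24'    # assumed subnet name inside that VNet

# Local administrator of the VM: after promotion this account becomes the domain Administrator
$cred = Get-Credential -Message 'Local administrator for AZ-ADDS'

# NIC in the existing subnet, deliberately created WITHOUT -PublicIpAddressId:
# the DC must only be reachable through the site-to-site VPN
$vnet     = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnetId = ($vnet.Subnets | Where-Object Name -eq $subnetName).Id
$nic = New-AzNetworkInterface -Name "$vmName-nic" -ResourceGroupName $rg `
        -Location $location -SubnetId $subnetId

# VM definition: size, Trusted launch, image, UEFI settings, NIC, OS disk
$vm = New-AzVMConfig -VMName $vmName -VMSize 'Standard_B2s' -SecurityType 'TrustedLaunch'
$vm = Set-AzVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred `
        -ProvisionVMAgent -EnableAutoUpdate
$vm = Set-AzVMSourceImage -VM $vm -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
        -Skus '2022-datacenter-azure-edition' -Version 'latest'
$vm = Set-AzVMUefi -VM $vm -EnableVtpm $true -EnableSecureBoot $true
$vm = Add-AzVMNetworkInterface -VM $vm -Id $nic.Id
$vm = Set-AzVMOSDisk -VM $vm -CreateOption FromImage -StorageAccountType 'Premium_LRS'  # Premium SSD
$vm = Set-AzVMBootDiagnostic -VM $vm -Disable

New-AzVM -ResourceGroupName $rg -Location $location -VM $vm

# Check: no public IP object should be bound to this VM's NIC (expect no output)
Get-AzPublicIpAddress -ResourceGroupName $rg |
    Where-Object { $_.IpConfiguration.Id -like "*$vmName-nic*" }
```

Because no network security group is attached here, the VM relies on the subnet's NSG; the point of the example is that nothing in this definition creates a public endpoint, so the only path to the server is the VNet and, later, the VPN tunnel.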
III. Set a static IP address
We will assign a static IP address to the new virtual machine from the Azure interface: 10.10.100.201/24. For the DNS server, use the same value: 10.10.100.201/24 (the domain controller will be its own DNS server). I emphasize that this configuration is done in the Azure portal, not in the system settings.
If needed, please refer to this tutorial:
For the IP configuration, this gives:
And, for the DNS part:
From now on, the virtual machine is reachable at this IP address: you can connect over RDP and check its IP address.
The information corresponds to the configuration defined in Azure:
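The static address and DNS setting of section III as PowerShell on the Azure side, followed by the in-guest check. This is an added example, not code from the original tutorial; the resource group and NIC names are assumptions, the addresses are the ones used in the article.

```powershell
# Added example, not part of the original article. Requires an authenticated Az session.
$rg      = 'RG-ADDS'        # assumed resource group name
$nicName = 'AZ-ADDS-nic'    # assumed NIC name of the AZ-ADDS VM

$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg

# Static private IP: Azure still delivers the address to the guest over DHCP,
# but it is now reserved for this NIC and will survive deallocation/restart
$nic.IpConfigurations[0].PrivateIpAllocationMethod = 'Static'
$nic.IpConfigurations[0].PrivateIpAddress          = '10.10.100.201'

# DNS server for this NIC: the future domain controller itself (overrides the VNet-level DNS)
$nic.DnsSettings.DnsServers.Clear()
$nic.DnsSettings.DnsServers.Add('10.10.100.201')

Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# Check on the Azure side
$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rg
$nic.IpConfigurations | Select-Object PrivateIpAddress, PrivateIpAllocationMethod
$nic.DnsSettings.DnsServers

# Check inside the VM (RDP session). The guest keeps DHCP and simply receives the reserved values:
# Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, DNSServer
```

Leave the Windows network adapter on DHCP: the reservation lives on the Azure NIC, and a static address typed into the guest that drifts from it is the classic way to lose RDP access to an Azure VM.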
IV. Install ADDS role
With the virtual machine “AZ-ADDS” ready, we can deploy the ADDS role, Active Directory Domain Services, which provides the Active Directory directory service.
In “Server Manager“, click “Manage” at the top right, then “Add Roles and Features” to add the role. A wizard starts; skip the first step, named “Before you begin“.
In the next step, select “Role-based or feature-based installation” and continue. Skip step “Select destination server” since we are installing on the local server.
Select the “Active Directory Domain Services” role; when you check its box, a second window appears, which you validate with “Add Features“. This installs the various administration tools alongside the role.
Skip step “Features“, then once in step “Active Directory Domain Services“, click again on “Next“.
The installation is in progress. Wait a moment.
When it is finished, a warning is displayed at the top right of Server Manager. Click it, then click the button “Promote this server to a domain controller“.
A wizard runs to let us create our Active Directory domain. Select “Add a new forest“, because this is a new environment. If you want to add this domain controller to an existing domain, choose “Add a domain controller to an existing domain“ instead.
Give the domain a name, for example “it-connect.corp“, or use a subdomain of your public domain, for example “corp.it-connect.fr“. Continue.
In the next step, keep the default options, because this server must also hold the “DNS server“ role. Set the Directory Services Restore Mode (DSRM) password.
Continue with the “DNS Options“ step, where the warning (about the DNS delegation that cannot be created) is completely normal.
Pick a NetBIOS name for this domain, which is a kind of short name. For example: IT-CONNECT.
Skip step “Paths” without making any changes, because we are keeping the default settings for the Active Directory database and the SYSVOL directory.
The prerequisites check verifies that all the lights are green for the creation of the Active Directory domain and the new forest. Read the warnings, then click “Install” to start the installation.
At the end of the process, the server restarts on its own! You will need to authenticate on your server with the account initially created with the Azure VM, except that it is now the domain administrator account. Thus, in the “Users“ OU, there is no “Administrator” account, but an account named “florian” in my example, since that is the name I chose during creation. See for yourself:
In the “Domain Controllers“ OU, the domain controller “AZ-ADDS” is visible, and it is the one and only DC in my environment.
There you go, you have just deployed a domain controller on Azure with a new Active Directory domain! Apart from a few small differences in the ADDS wizard, this tutorial also applies to adding a domain controller to an existing domain.
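The whole of section IV (role installation, prerequisites check, promotion, post-reboot checks) as PowerShell run in an elevated session on AZ-ADDS. This is an added example and not code from the original tutorial; the domain name, NetBIOS name and default NTDS/SYSVOL paths are those used in the article, and the alternative for joining an existing domain is included as a commented-out variant.

```powershell
# Added example, not part of the original article. Run elevated on AZ-ADDS.

# 1. Install the role and its management tools (what "Add Features" does in the wizard)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. DSRM password, asked by the wizard at the "Domain Controller Options" step
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

# 3. Same checks as the wizard's prerequisites step, without changing anything yet
Test-ADDSForestInstallation -DomainName 'it-connect.corp' -DomainNetbiosName 'IT-CONNECT' `
    -SafeModeAdministratorPassword $dsrm

# 4a. New forest, the article's case. -InstallDns makes this DC the DNS server as well;
#     the paths are the wizard's defaults. The server reboots by itself at the end.
Install-ADDSForest -DomainName 'it-connect.corp' -DomainNetbiosName 'IT-CONNECT' -InstallDns `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm -Force

# 4b. Alternative for an existing domain: needs domain credentials and name resolution
#     to the existing DCs, i.e. the site-to-site VPN must already be up.
# Install-ADDSDomainController -DomainName 'it-connect.corp' -InstallDns `
#     -Credential (Get-Credential -Message 'Domain admin') `
#     -SafeModeAdministratorPassword $dsrm -Force

# 5. After the reboot, from an elevated PowerShell on the new DC:
# Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog, IPv4Address
# The built-in administrator (RID 500) is the VM's local admin account, renamed at creation:
# Get-ADUser -Identity "$((Get-ADDomain).DomainSID)-500" | Select-Object Name, Enabled
# dcdiag /test:dns
```

The RID-500 lookup is the scripted equivalent of the screenshot above: it shows that the domain administrator is the account chosen when the VM was created, which is why that local password must be treated as a domain admin password from the moment the VM exists.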
If you enabled a public IP address in order to perform this configuration, remember to disable it once the tunnel between the cloud and your local infrastructure is set up. In the meantime, you can configure Azure Firewall to allow only your own public IP address.
Next, you should deploy a second domain controller to follow the good practice mentioned at the beginning of the article. You must also declare your Active Directory sites and subnets so that each domain controller is attached to the correct site.
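Declaring the sites and subnets mentioned above, so that the Azure DC and the on-premises DC each sit in their own site and replicate over a defined site link. This is an added example, not code from the original tutorial: the site names, the on-premises subnet and the site link cost/interval are assumptions; 10.10.100.0/24 is the Azure subnet used in the article.

```powershell
# Added example, not part of the original article. Run with domain admin rights on any DC.
Import-Module ActiveDirectory

# One site per location; the Azure subnet from the article, an assumed on-premises subnet
New-ADReplicationSite -Name 'Azure-WestEurope'
New-ADReplicationSubnet -Name '10.10.100.0/24'  -Site 'Azure-WestEurope'
New-ADReplicationSubnet -Name '192.168.1.0/24'  -Site 'Default-First-Site-Name'   # assumed on-prem subnet

# Move the Azure DC out of the default site; clients in 10.10.100.0/24 will now prefer it
Move-ADDirectoryServer -Identity 'AZ-ADDS' -Site 'Azure-WestEurope'

# Make the default site link include the new site, with an explicit cost and interval
# (values are assumptions; tune them to the VPN bandwidth)
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' `
    -SitesIncluded @{Add = 'Azure-WestEurope'} -Cost 100 -ReplicationFrequencyInMinutes 15

# Check: every DC should now report the site it belongs to
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

Without the subnet declarations, both domain controllers stay in Default-First-Site-Name and workstations may authenticate across the VPN tunnel against the wrong DC; the site topology is what keeps logon traffic local.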