Extending On Premise Active Directory to Azure

Posted by

 

Part 1 – Setting the VPN to Azure

Part 2 – Extending Active Directory to Azure

Part 3 – Setting up ADFS in Azure

Part 4 – Connecting ADFS with Azure Active Direct Access Control Service (ACS) (to follow)

In part one we discussed and demonstrated the process of configuring the virtual network in Azure and the VPN connection to allow us to create a replica DC within the Azure IAAS cloud. In this section we will go through the relevant steps required to create a new Domain Controller as an additional DC to our on premise domain. I’ll start by covering some of the design considerations we have available to us.

Full DC or Read Only DC?

The first choice is to decide what type of domain controller we are going to install. Do we want to use an RODC or a fully functional DC. Initially my thoughts were we would want to use an RODC, Azure is a public cloud and we are sharing hardware with other Azure customers. So if our Azure DC was to get compromised we would want to minimise the attack surface and prevent our AD being too much at risk. Microsoft do tell us that Azure is secure and safe to run a full DC instance. One of my goals was to use Azure as a DR site and since we are hosting our ADFS infrastructure to link in with Office365 we want to make sure all our users can authenticate, even if our main site or the VPN is down. A RODC would not allow us to do this, so I’ll be using a full DC in Azure.

Sites, Services and subnets

We don’t really want our on premise users authenticating against Azure domain controllers so we will setup our sites and services with the relevant subnets, adding a new site for Azure and associating the subnet with it.

Global Catalogs

We want to make sure our users can authenticate to Office365 even in the event our main datacentre or the VPN to Azure is down. For this reason we will make our Azure DC a global catalog too.

FSMO Roles

Because these roles are critical to the running of AD, and the majority of our users and devices being within close proximity to our data centre, we will leave all FSMO roles on premise. In the event of a VPN failure we can cope for a short while without the FSMO roles being contactable whilst we bring the VPN back up.

DNS

The DC in Azure will host it’s own AD integrated copy of DNS and point to itself for DNS then one of the on premise DC’s as an alternate DNS.

So that covers most of the key AD related services, we need to consider some of the key points to Azure VM’s.

Drives

By default we get one OS drive (c:) and one temporary drive (d:) on an Azure VM. The temporary drive shouldn’t be used for saving any data as it’s only transient temporary data such as the paging file. With the way Azure VM’s work we don’t want to save any data on the OS disk either so we need to make sure that we have an additional disk added to the VM for the AD Database and logs.

IP Addressing

Azure doesn’t support static IP’s, and although you can add your own static IP to the server it will eventually make the VM isolated and prevent you accessing it. It will instead get an IP address from Azure DHCP, you can think of it as a reserved IP address as it will always get the same one. This does mean the AD installation wizard will throw up a warning asking if we want to set a static IP – don’t be tempted to do this.

Firewall configuration

We want to ensure that the Windows firewall is enabled on all our servers hosted in Azure and that only the minimum rule set is created. Meaning that by default we will block all inbound and outbound traffic unless specifically configured. Our DC needs to be able to communicate to other DC’’s in our on premise environment, as well as some of our Azure servers, such as the internal ADFS servers and application servers. You can get details of the required ports for Active Directory at this link. http://support.microsoft.com/kb/179442?wa=wsignin1.0#method3

Installation

We are now ready to start and install our domain controller. I’ll be using Server 2012 but you can use 2008 R2 too, the process will be similar apart from not using DCPROMO in 2012.

1. Log into the Azure management portal and select New > Compute > Virtual Machine > From Gallery and select Windows Server 2012 Datacentre

image

image

2. Enter a name for your DC (This is the host name you want to give your server). I’ve selected small as my instance size but you can change this if needbe. Enter a username – this will be your default admin account on the server (some names are restricted) and enter a secure password

image

3. Give your server a DNS name (this is the public DNS Azure name and won’t be your DNS name in your own Active Directory). You need to select a storage account in a region which supports IAAS ( mine is in North Europe). Select the Affinity group and your virtual network you created for your domain controllers (these were configured in Part one of this blog series – please note that the network names in these pictures differ a little to those in Part one, but the principals are the same).

image

4. We aren’t going to use an availability set in this instance so leave this section as the default none, and enable powershell remoting.

image

5. You can monitor the progress of your VM provisioning

image

At this point your VM should be up and running and you should have communication between your on premise servers and this virtual machine through the VPN tunnel we created in the first part of this guide. We will now go ahead and make this server a domain controller in our existing domain. We will do the majority of the DC install using PowerShell.

1. Launch the PowerShell console and install the Active Directory Domain Services role on the server.

image

Add-WindowsFeature -name ad-domain-services -IncludeManagementTools

image

2. Use PowerShell to configure this server as a domain controller in the existing on premise domain

image

1 Install-ADDSDomainController -credential {Get-Credential administrator@corp.com} -InstallDNS -DomainName corp.com -DatabasePath "D:\Windows\NTDS" -SysvolPath "D:\Windows\Sysvol" -LogPath "D:\WindowsLogs"

You will be prompted for a username and password of someone with Domain Admin credentials to make this server a DC in the existing domain. You will then need to enter a safe mode recovery password.

Once these steps are completed, the server will reboot as a Domain Controller in your existing domain.

The next steps are to make sure you assign the DC to the correct sites and services. And that it is replicating correctly with other DC’s. You can edit the replication link to match your requirements.

At this point in the series you should have Azure configured as a branch office using a VPN from your on premise network to a virtual network in Azure. You have also extended your AD into the cloud by promoting an Azure VM to a domain controller. In the next part we will go over the steps required to install an ADFS server and ADFS proxy into Azure and connect it to Office365.