question

DaveBryan-5712 avatar image
0 Votes"
DaveBryan-5712 asked LukasBeran answered

Domain Controller in Azure also need FW rules to allow on-premises authentications

We are extending our domain into Azure. I am setting up an AD site for Azure and deploying a domain controller there. I have always thought the best design of AD is to allow any client to authenticate to any DC. That way if a DC goes down or there is a site discovery issue, etc. things do not break. Obviously you still want your on-premises clients to authenticate to your on-premises DCs and your Azure clients to authenticate to your Azure DCs. In order to accomplish this, we obviously have to setup a lot more NSG/Firewall rules, etc. What do you guys think? Obviously you need the DCs to replicate to each other, but should you allow on-premises clients to authenticate to an Azure DC? or is that not really needed if you have multiple on-premises DCs?

azure-active-directoryazure-ad-domain-services
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

4 Answers

LukasBeran avatar image
0 Votes"
LukasBeran answered

Hi.

If Azure is going to be your second datacenter, you should allow authentication to Azure DCs also from onprem infrastructure. So if Azure is going to extend your onpremises datacenter, then you should interconnect those networks, so use either Azure ExpressRoute or site-to-site VPN. Then the infrastructure deployed in Azure will be part of your internal network.

You should never expose DCs directly to the Internet, DCs should be accessible only from internal network.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

ChaitanyaSreeramsetty-3905 avatar image
0 Votes"
ChaitanyaSreeramsetty-3905 answered

I hope you have extended your DC to Azure from On-premises via a secure channel like express route or site-to-site VPN.

Where the Azure Gateway provides a connection between on-premises VPN device and virtual network. All requests between the DC servers in the cloud and on-premises pass through the gateway. User-defined routes (UDRs) handle routing for on-premises traffic that passes to Azure.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

DaveBryan-5712 avatar image
0 Votes"
DaveBryan-5712 answered DaveBryan-5712 edited

Yes - We have an express route connection, but there are still FW rules and NSGs that have to be setup properly, so the main concern is should you add those ports in so that on-premises computers can authenticate to the DCs in Azure if needed. It sounds like everyone is saying that all on-premises workstations that normally only communicate with the on-premises DCs, should also have 389, 445, 53, etc open to the DC in Azure.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

LukasBeran avatar image
0 Votes"
LukasBeran answered

In that case yes, you should open the ports as Azure is your "external" datacenter and in case of some outage in your primary datacenter, Azure will handle the requests.

5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.