Tutorial: Create and use replica sets for resiliency or geolocation in Azure Active Directory Domain Services (preview)
To improve the resiliency of an Azure Active Directory Domain Services (Azure AD DS) managed domain, or deploy to additional geographic locations close to your applications, you can use replica sets. Every Azure AD DS managed domain namespace, such as aaddscontoso.com, contains one initial replica set. The ability to create additional replica sets in other Azure regions provides geographical resiliency for a managed domain.
You can add a replica set to any peered virtual network in any Azure region that supports Azure AD DS.
Replica sets are a public preview feature in Azure AD Domain Services. Please be aware of the support differences that exist for features still in preview. For more information about previews, Azure Active Directory Preview SLA.
In this tutorial, you learn how to:
- Understand the virtual network requirements
- Create a replica set
- Delete a replica set
If you don't have an Azure subscription, create an account before you begin.
To complete this tutorial, you need the following resources and privileges:
An active Azure subscription.
- If you don't have an Azure subscription, create an account.
An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
An Azure Active Directory Domain Services managed domain created using replica sets and configured in your Azure AD tenant.
Make sure that you create a managed domain that uses replica sets. An existing managed domain created before this preview doesn't support replica sets. You also need to use a minimum of Enterprise SKU for your managed domain. If needed, change the SKU for a managed domain.
Sign in to the Azure portal
In this tutorial, you create and manage replica sets using the Azure portal. To get started, first sign in to the Azure portal.
The virtual networks that host replica sets must be able to communicate with each other. Applications and services that depend on Azure AD DS also need network connectivity to the virtual networks hosting the replica sets. Azure virtual network peering should be configured between all virtual networks to create a fully meshed network. These peerings enable effective intra-site replication between replica sets.
Before you can use replica sets in Azure AD DS, review the following Azure virtual network requirements:
- Avoid overlapping IP address spaces to allow for virtual network peering and routing.
- Create subnets with enough IP addresses to support your scenario.
- Make sure Azure AD DS has its own subnet. Don't share this virtual network subnet with application VMs and services.
- Peered virtual networks are NOT transitive.
When you create a replica set in the Azure portal, the network peerings between virtual networks is created for you.
If needed, you can create a virtual network and subnet when you add a replica set in the Azure portal. Or, you can choose existing virtual network resources in the destination region for a replica set and let the peerings be created automatically if they don't already exist.
Create a replica set
When you create a managed domain, such as aaddscontoso.com, an initial replica set is created. Additional replica sets share the same namespace and configuration. Changes to Azure AD DS, including configuration, user identity and credentials, groups, group policy objects, computer objects, and other changes are applied to all replica sets in the managed domain using AD DS replication.
In this tutorial, you create an additional replica set in an Azure region different than the initial Azure AD DS replica set.
To create an additional replica set, complete the following steps:
In the Azure portal, search for and select Azure AD Domain Services.
Choose your managed domain, such as aaddscontoso.com.
On the left-hand side, select Replica sets (preview). Each managed domain includes one initial replica set in the selected region, as shown in the following example screenshot:
To create an additional replica set, select + Add.
In the Add a replica set window, select the destination region, such as East US.
Select a virtual network in the destination region, such as vnet-eastus, then choose a subnet such as aadds-subnet. If needed, choose Create new to add a virtual network in the destination region, then Manage to create a subnet for Azure AD DS.
If they don't already exist, the Azure virtual network peerings are automatically created between your existing managed domain's virtual network and the destination virtual network.
The following example screenshot shows the process to create a new replica set in East US:
When ready, select Save.
The process to create the replica set takes some time as the resources are created in the destination region. The managed domain itself is then replicated using AD DS replication.
The replica set reports as Provisioning as deployment continues, as shown in the following example screenshot. When complete, the replica set shows as Running.
Delete a replica set
A managed domain is currently limited to four replicas - the initial replica set, and three additional replica sets. If you don't need a replica set anymore, or if you want to create a replica set in another region, you can delete unneeded replica sets.
You can't delete the last replica set in a managed domain.
To delete a replica set, complete the following steps:
- In the Azure portal, search for and select Azure AD Domain Services.
- Choose your managed domain, such as aaddscontoso.com.
- On the left-hand side, select Replica sets (preview). From the list of replica sets, select the ... context menu next to the replica set you want to delete.
- Select Delete from the context menu, then confirm you want to delete the replica set.
Replica set deletion may be a time-consuming operation.
If you no longer need the virtual network or peering used by the replica set, you can also delete those resources. Make sure no other application resources in the other region need the network connections before you delete them.
In this tutorial, you learned how to:
- Configure virtual network peering
- Create a replica set in a different geographic region
- Delete a replica set
For more conceptual information, learn how replica sets work in Azure AD DS.