Install a replica Active Directory domain controller in an Azure virtual network

This article discusses how to install additional domain controllers (DCs) to be used as replica DCs for an on-premises Active Directory domain on Azure virtual machines (VMs) in an Azure virtual network. You can also install a Windows Server Active Directory forest on an Azure virtual network. For how to install Active Directory Domain Services (AD DS) on an Azure virtual network, see Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines.

Scenario diagram

In this scenario, external users need to access applications that run on domain-joined servers. The VMs that run the application servers and the replica DCs are installed in an Azure virtual network. The virtual network can be connected to the on-premises network by ExpressRoute, or you can use a site-to-site VPN connection, as shown:

Diagram pf replica Active Directory domain controller an Azure vnet

The application servers and the DCs are deployed within separate cloud services to distribute compute processing and within availability sets for improved fault tolerance. The DCs replicate with each other and with on-premises DCs by using Active Directory replication. No synchronization tools are needed.

Create an on-premises Active Directory site for the Azure virtual network

You can create a site in Active Directory that represents the network region corresponding to the virtual network. This site can help optimize authentication, replication, and other DC location operations. The following steps explain how to create a site, and for more background, see Adding a New Site.

  1. Open Active Directory Sites and Services: Server Manager > Tools > Active Directory Sites and Services.
  2. Create a site to represent the region where you created an Azure virtual network: click Sites > Action > New site > type the name of the new site, such as Azure US West > select a site link > OK.
  3. Create a subnet and associate with the new site: double-click Sites > right-click Subnets > New subnet > type the IP address range of the virtual network (such as 10.1.0.0/16 in the scenario diagram) > select the new Azure site > OK.

Create an Azure virtual network

To create an Azure virtual network and set up site-to-site VPN, follow the steps included in the article Create a Site-to-Site connection.

You can also configure the virtual network gateway to create a secure site-to-site VPN connection. Create the site-to-site VPN connection between the new virtual network and an on-premises VPN device. For instructions, see Configure a Virtual Network Gateway.

Create Azure VMs for the DC roles

To create VMs to host the DC role, repeat the steps in Create a Windows virtual machine with the Azure portal as needed. Deploy at least two virtual DCs to provide fault tolerance and redundancy. If the Azure virtual network has at least two DCs that are similarly configured, you can place the VMs that run those DCs in an availability set for improved fault tolerance.

To create the VMs by using Windows PowerShell instead of the Azure portal, see Use Azure PowerShell to create and preconfigure Windows-based Virtual Machines.

Reserve a static IP address for VMs that will run the DC role. To reserve a static IP address, download the Microsoft Web Platform Installer and install Azure PowerShell and run the Set-AzureStaticVNetIP cmdlet. For example:

Get-AzureVM -ServiceName AzureDC1 -Name AzureDC1 | Set-AzureStaticVNetIP -IPAddress 10.0.0.4 | Update-AzureVM

For more information about setting a static IP address, see Configure a static internal IP address for a VM.

Install AD DS on Azure VMs

Sign in to a VM and verify that you have connectivity across the site-to-site VPN or ExpressRoute connection to resources on your on-premises network. Then install AD DS on the Azure VMs. You can use same process that you use to install an additional DC on your on-premises network (UI, Windows PowerShell, or an answer file). As you install AD DS, make sure you specify the new volume for the location of the AD database, logs and SYSVOL. If you need a refresher on AD DS installation, see Install Active Directory Domain Services (Level 100) or Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200).

Reconfigure DNS server for the virtual network

  1. To get a list of virtual network names, in the Azure portal, search for Virtual networks, then select Virtual networks to view the list.
  2. Open the virtual network you want to manage, and then reconfigure the DNS server IP addresses for your virtual network to use the static IP addresses assigned to the replica DCs instead of the IP addresses for on-premises DNS servers.
  3. To ensure that all the replica DC VMs on the virtual network are configured with to use DNS servers on the virtual network:
    1. Select Virtual Machines.
    2. Select the VMs, and then Select Restart.
    3. Wait until the VM is Running again, and then sign into it.

Create VMs for application servers

To create VMs to host the application server role, repeat the steps in Create a Windows virtual machine with the Azure portal as needed. To create the VMs by using Microsoft PowerShell instead of the Azure portal, see Use Azure PowerShell to create and configure Windows-based Virtual Machines. The following table contains suggested settings.

Setting Values
Choose an Image Windows Server 2012 R2 Datacenter
Virtual Machine Configuration

Virtual Machine Name: Type a single label name (such as AppServer1).

New User Name: Type the name of a user. This user will be a member of the local Administrators group on the VM. You will need this name to sign in to the VM for the first time. The built-in account named Administrator will not work.

New Password/Confirm: Type a password

Virtual Machine Configuration

Cloud Service: Choose Create a new cloud service for the first VM and select that same cloud service name when you create more VMs that will host the application.

Cloud Service DNS Name: Specify a globally unique name

Region/Affinity Group/Virtual Network: Specify the virtual network name (such as WestUSVNet).

Storage Account: Choose Use an automatically generated storage account for the first VM and then select that same storage account name when you create more VMs that will host the application.

Availability Set: Choose Create an availability set.

Availability set name: Type a name for the availability set when you create the first VM and then select that same name when you create more VMs.

Virtual Machine Configuration

Select Install the VM Agent and any other extensions you need.

After each VM is provisioned, sign in and join it to the domain.

  1. In Server Manager > Local Server > WORKGROUP > Changeā€¦, select Domain.
  2. Enter the name of your on-premises domain.
  3. Provide credentials of a domain user.
  4. Restart the VM.

Additional resources