3. Setting up Domain Controller in Azure
Here are the basic instructions on how to build a Virtual Machine within Azure. This process will be used for each VM created in this guide.
Be sure to build a Resource Group first so that all VMs are within the same network and share the same resources.
- In Azure Portal, navigate to Virtual Machines.
- Click Add> Virtual Machine.
- Resource Group: Select the resource group you initially created.
- Virtual Machine Name (eg. MyVM)
- Region: Select Region (preferred: East US, East US2, West US)
- Availability options: No Infrastructure redundancy required.
- Image: Windows 10 or Windows Server 2016/2019 Datacenter - Gen2.
- Select a size: (eg. Standard_B1ms)
- Fill in Administrator account name and password.
[NOTE]: Username cannot be Administrator.
- Public: None
[NOTE]: See how to use Bastion Host.
- Check Licensing confirming multi-tenant hosting
- Click Next : Disks >
- Select either Premium SSD or Standard SSD
- Click Next : Networking>
- Select Virtual Network. If hub and spoke design used, select [Spoke].
[NOTE]: No VM's will be in Hub
- NIC Security Group: Advanced. Select Appropriate NSG for VM's. Follow section Create Network Security Groups to set default NSG's for lab.
[NOTE]: If created NSG is not available; resource group may not be correct.
- Public Inbound ports: None
- Click Next : Management>
- Check Auto-shutdown.
- Configure desired time and email.
- For Guest OS updates: select Manual Updates if you plan on regularly patching the device using MECM or WSUS.
- Click Next : Advanced>
- VM Generation: Select Gen 2 if you want more advanced features such as UEFI boot.
- Click Review + Create, then Create.
Repeat this process for these servers. I supplied example names, but you can name them as you prefer.
- Domain Controller / Server 2016 (name: LAB-DC1)
- MECM Primary Server / Server 2016 (name: LAB-MECM)
- Workstation 1 / Windows 10 (name: LAB-WK1)
- Workstation 2 / Windows 10 (name: LAB-WK2)
[NOTE]: This is the only VM that should have a public IP.
[TIP]: Public IPs can be assigned to all VMs, but this is to keep the budget down and your environment more secure. A Bastion Host is more secure than a "jumpbox" but can cost slightly more and does require an additional subnet.
The VMs on Hyper-V will simulate the Site-B on-premise environment (for the hybrid scenario) and the end user's home. If the VMs are set up on a device with a TPM, BitLocker and Windows Hello for Business can be tested.
- Create Hyper-V Virtual Machine using these settings.
- Give it a name that reflects the lab (eg. DTOLAB-WK1)
- Select Generation 2 (this supports virtual TPM)
- Assign Memory: 2048mb (or more) with Dynamic Memory on
- Network: Connect to network.
[NOTE]: Use External to simulate home use (Azure AD join), use Internal to simulate on-premise LAN use (Azure AD hybrid join)
- Virtual Hard Disk: 60 GB (minimum)
- Choose: Select an operating system from a bootable image file
- Image File: Browse to the ISO to install
- Click Finish
- Right click the new VM and click Settings
- Under Management
- Uncheck Enable Checkpoints
- Set Automatic Start Action to Nothing
- Set Automatic Stop Action to Shutdown the guest operating system
- Under Hardware
- Change Firmware Boot order:
- Select DVD Drive
- Click Move up until it is on top
- Check Enable Trusted Platform Module
- Add additional processors if desired.
- Close Settings
- Click Start VM when ready to use
- Click Connect to open VM window
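The same Hyper-V build as a script, added here as an example and not part of the original guide. It assumes the Hyper-V PowerShell module on the host; the VHD path, ISO path and switch name are assumptions, the VM name is the guide's example.

```powershell
# Builds a Generation 2 guest with the settings listed above (added example, not the guide's own code).
$VmName     = 'DTOLAB-WK1'                          # example name from the guide
$VhdPath    = "C:\Hyper-V\$VmName\$VmName.vhdx"     # assumed storage path
$IsoPath    = 'C:\ISO\Win10.iso'                    # assumed install media
$SwitchName = 'Internal'                            # External = home/Azure AD join, Internal = on-prem LAN/hybrid join

# Generation 2 is required for the virtual TPM; 60 GB is the guide's minimum disk size
$vm = New-VM -Name $VmName -Generation 2 -MemoryStartupBytes 2GB `
             -NewVHDPath $VhdPath -NewVHDSizeBytes 60GB -SwitchName $SwitchName

# Dynamic memory on; extra vCPUs are optional
Set-VMMemory   -VM $vm -DynamicMemoryEnabled $true
Set-VMProcessor -VM $vm -Count 2

# Attach the ISO and move the DVD drive to the top of the firmware boot order
$dvd = Add-VMDvdDrive -VM $vm -Path $IsoPath -Passthru
Set-VMFirmware -VM $vm -FirstBootDevice $dvd

# Enable the virtual TPM: a key protector must exist first or Enable-VMTPM fails
Set-VMKeyProtector -VM $vm -NewLocalKeyProtector
Enable-VMTPM -VM $vm

# Management settings: no checkpoints, do nothing at host start, clean shutdown at host stop
Set-VM -VM $vm -CheckpointType Disabled `
       -AutomaticStartAction Nothing -AutomaticStopAction ShutDown

Start-VM -VM $vm
vmconnect.exe localhost $VmName   # opens the console window, same as "Connect" in the GUI
```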
The first virtual machine to set up is a jump box. This VM will be used as the remote RDP host and lets you "jump" into other VMs without needing public IPs for all systems. It does not need to be joined to the domain, but it does need a public IP. Follow the Setup an Azure Virtual Machine section, but be sure to enable a public IP. Another choice is to create a Bastion Host. This is a PaaS solution that allows you to RDP into VMs without a public IP (like a jump box). It can be created in two ways: manually, by following the section How to create a Bastion Host (in Azure), or, once a VM is created, from the VM's Operations menu.
A Bastion Host lets you reach the remote desktop through a web browser instead of opening port 3389 to the internet on a public IP. RESOURCE: https://docs.microsoft.com/en-us/azure/bastion/quickstart-host-portal
- In Azure portal, click on virtual machines
- Click on a VM
- Under Settings, click Connect
- Click BASTION, click the button Use Bastion
- If a bastion host does not exist on the same virtual network as the VM, you will be asked to create a subnet to connect the Bastion host.
- Click Create Subnet
- Give the Subnet a name (it will append the bastion name to current name)
- Choose the Basic Tier
- Create a new Public IP
- Select resource group (recommend using same RG as VM)
- Click Create Azure Bastion using Defaults.
- The next time you click on Bastion when connecting to the VM, you will be presented with a prompt for the VM's login username and password.
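The same Bastion deployment from Az PowerShell, added as an example (not the guide's own code). It assumes Connect-AzAccount has already been run; the resource group, VNet name, region and Bastion name are assumptions. The subnet prefix is taken from the "Azure Spoke Subnet 2" row of the checklist at the end of the page, widened to /26 because Azure now rejects anything smaller for this subnet.

```powershell
# Deploys an Azure Bastion host into the spoke VNet so VMs need neither a public IP nor port 3389 open.
$ResourceGroup = 'Lab-RG'              # assumed
$VNetName      = 'Lab-Spoke-Subnet1'   # checklist value
$Location      = 'eastus'              # assumed
$BastionName   = 'Lab-Bastion'         # assumed
$BastionPrefix = '10.20.1.0/26'        # checklist lists /27; /26 is the current Azure minimum

# Bastion requires a subnet literally named AzureBastionSubnet in the VM's VNet
$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName
if (-not ($vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'AzureBastionSubnet' `
        -AddressPrefix $BastionPrefix | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}

# The Bastion host gets the only public IP; it must be Standard SKU and static
$pip = New-AzPublicIpAddress -ResourceGroupName $ResourceGroup -Name "$BastionName-pip" `
           -Location $Location -AllocationMethod Static -Sku Standard

# Basic tier matches the "Choose the Basic Tier" step above
New-AzBastion -ResourceGroupName $ResourceGroup -Name $BastionName `
    -PublicIpAddressRgName $ResourceGroup -PublicIpAddressName $pip.Name `
    -VirtualNetworkRgName $ResourceGroup -VirtualNetworkName $vnet.Name -Sku Basic

# Sanity check: no lab VM NIC should carry a public IP after this
Get-AzNetworkInterface -ResourceGroupName $ResourceGroup |
    ForEach-Object { $_.IpConfigurations } |
    Where-Object { $_.PublicIpAddress } |
    Select-Object Name, @{n='PublicIp';e={$_.PublicIpAddress.Id}}
```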
The first virtual machine to stand up for the lab is the domain controller. Follow the Create a Virtual Machine in Azure section. Once created, the Domain Controller role will need to be configured.
- Login locally to JumpBox VM using RDP or Bastion Host
- Remote into VM chosen as the Domain Controller.
- Open Server Manager from start menu or from taskbar
- Click Manage > Add Roles and Features
- In Wizard, click Next until you get to Server Roles screen.
- Select Active Directory Domain Services.
- Click Next up until last screen.
- Click Install
- Click Close when complete.
- Proceed to Promote DC steps.
In Server Manager there will be a warning icon next to the flag. This shows a role was installed but not configured. The server must be promoted to a Domain Controller.
Follow these steps:
- Click the flagged item in Server Manager
- Under Post-Deployment configuration, click the link that says Promote this server to a domain controller.
- In the DCPromo wizard
- If this is the first DC, click Add a new Forest, otherwise STOP and follow Setup Next Domain Controller (Hyper-V) steps.
- Supply a root domain name. Must be in FQDN format (eg. Contoso.com)
- Leave GC and DNS checked and supply a DSRM Password
- Click Next until ready for install
[NOTE]: You will receive warnings from the prerequisite screen, ignore and continue
- Click Install
- Wait until DC configuration is complete. Click Close.
- Restart the server.
Even though DC Promo has run and installed DNS, other virtual machines still cannot join this domain, because their IP configuration is managed by Azure and Azure hands them its own DNS resolver. The virtual network must be configured with the DC as the primary DNS server.
[WARNING]: This must be done in Azure and NOT on the server's network interface within Windows
- Log into Azure Resource Tenant
- Click on the Domain Controllers VM
- Under Settings, click Networking.
- Record NIC Private IP
- Click on the Spoke subnet link.
- In the Virtual Network, under settings click DNS Servers.
- Select Custom.
- Add the DC's IP to the list.
- Add any additional IPs
[NOTE]: If you don't add public DNS servers such as 8.8.8.8, the VM will not have internet access. However, if the DNS is set to the DC, the DC can forward requests to external DNS (DNS forwarding settings).
- Any VM connected to the Spoke network must be rebooted for the DNS settings to take effect.
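The same change scripted, added as an example and not part of the original guide. Part 1 is run from an Az PowerShell session (after Connect-AzAccount); Part 2 is run on the domain controller itself. The resource group and VNet name are assumptions; the VM names are the guide's.

```powershell
# --- Part 1 (Azure side): make the DC's private IP the VNet DNS server. Do this in Azure,
#     not on the Windows NIC, exactly as the warning above says. ---
$ResourceGroup = 'Lab-RG'               # assumed
$DcVmName      = 'LAB-DC1'              # guide's DC name
$VNetName      = 'Lab-Spoke-Subnet1'    # checklist value

$vm   = Get-AzVM -ResourceGroupName $ResourceGroup -Name $DcVmName
$nic  = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$dcIp = $nic.IpConfigurations[0].PrivateIpAddress       # "Record NIC Private IP"

$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName
# Only the DC goes in the list: a public resolver here would let clients bypass the DC
# for domain lookups, and DNS for the whole spoke would then depend on an outside host.
$vnet.DhcpOptions.DnsServers = @($dcIp)
$vnet | Set-AzVirtualNetwork | Out-Null

# Every other VM on the spoke must restart to pick up the new DNS server
Get-AzVM -ResourceGroupName $ResourceGroup | Where-Object Name -ne $DcVmName |
    ForEach-Object { Restart-AzVM -ResourceGroupName $_.ResourceGroupName -Name $_.Name }

# --- Part 2 (on the DC): forward names the DC is not authoritative for to an external
#     resolver, so the VMs keep internet access without a public DNS entry in Azure ---
Set-DnsServerForwarder -IPAddress 8.8.8.8 -UseRootHint $false
Get-DnsServerForwarder      # confirm the forwarder list
```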
Also, it's a good idea to set up the DNS server with Reverse Lookup Zones.
- Log into the Domain Controller.
- Open Server Manager
- Go to DNS
- Right click server name and click DNS Manager
- Expand DNS, right click Reverse Lookup Zones, and click New Zone
- Select Primary Zone.
- Select To all DNS servers running on domain controllers in this domain.
- Select IPv4 Reverse Lookup Zone
- Type in the network's first three octets (eg. 10.120.0). If this is unknown, the VM should be on the spoke subnet; open a command prompt and run ipconfig.
- Select Allow only secure dynamic updates.
- Click Finish.
- Repeat this for each subnet you want to be able to reverse lookup.
A default site is created with the first domain controller. However, if additional domain controllers are stood up, additional sites can be created to form replication sites. This is optional but allows more advanced testing with MECM and simulates real-world configurations.
- Login to Domain Controller
- Open Start Menu and navigate to Windows Administrative Tools, Active Directory Sites and Services.
- Expand Sites
- Right click Subnets and click New Subnet
- Type in subnet Prefix (eg. 10.120.0.0/24)
- Select the Default-First-Site-Name.
[NOTE]: The site can be renamed later
- Repeat for each subnet.
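One script for both of the preceding procedures (reverse lookup zones and AD Sites and Services subnets), added as an example and not part of the original guide. It runs on the domain controller with the DnsServer and ActiveDirectory modules and walks the lab subnets from the checklist at the end of the page; the site name is the default one.

```powershell
# Registers each lab subnet as an AD-integrated reverse zone and as an AD site subnet.
Import-Module DnsServer, ActiveDirectory

$Site    = 'Default-First-Site-Name'
$Subnets = @('10.10.0.0/24', '10.20.0.0/24', '10.100.1.0/24', '10.100.2.0/24')   # checklist values

foreach ($prefix in $Subnets) {
    # Reverse zone name, e.g. 10.20.0.0/24 -> 0.20.10.in-addr.arpa (the "first three octets" step)
    $octets = $prefix.Split('/')[0].Split('.')[0..2]
    [array]::Reverse($octets)
    $zoneName = ($octets -join '.') + '.in-addr.arpa'

    if (-not (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue)) {
        # Domain scope = "all DNS servers running on domain controllers in this domain";
        # Secure = only authenticated domain members can register PTR records
        Add-DnsServerPrimaryZone -NetworkId $prefix -ReplicationScope Domain -DynamicUpdate Secure
    }

    # Site subnet: lets clients locate the nearest DC and gives MECM boundaries to test against
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $Site
    }
}

# Review what was created
Get-DnsServerZone | Where-Object IsReverseLookupZone |
    Select-Object ZoneName, ReplicationScope, DynamicUpdate
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```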
If your on-prem domain does not match the public internet domain, then you will have to add a UPN suffix for the public domain to your on-premises forest.
- Log in to the domain controller as a domain admin, or use the RSAT tools on a domain-joined device.
- Open the Active Directory Domains and Trusts console
- Right click the console root and click Properties
- Add the UPN suffix (use the same domain name as the verified domain name)
- Rerun the AD Connect tool
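The suffix step scripted, added as an example and not part of the original guide. It runs on the DC or an RSAT host as a domain admin. Beyond what the page states, it also rewrites the UPN of the users in a lab OU, since adding the suffix on its own changes no user's UPN. The internal domain, public domain and OU are assumptions.

```powershell
# Adds the verified public domain as a UPN suffix, then re-points lab users at it.
Import-Module ActiveDirectory

$OnPremDomain = 'lab.local'                     # assumed internal AD DNS name
$PublicDomain = 'contoso.com'                   # assumed verified Azure AD domain
$UserOu       = 'OU=LabUsers,DC=lab,DC=local'   # assumed OU holding the users to sync

$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicDomain) {
    # Same as "Add UPN suffix" in the Domains and Trusts properties dialog
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $PublicDomain}
}

# Users still carry user@lab.local; give them user@contoso.com so Azure AD Connect
# matches them to the verified domain and SSO works.
Get-ADUser -Filter "UserPrincipalName -like '*@$OnPremDomain'" -SearchBase $UserOu |
    ForEach-Object {
        $newUpn = ($_.UserPrincipalName -split '@')[0] + '@' + $PublicDomain
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn
    }

# Verify before re-running Azure AD Connect
Get-ADUser -Filter * -SearchBase $UserOu | Select-Object SamAccountName, UserPrincipalName
```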
To enable hybrid support and have Active Directory sync with Azure Active Directory, install the Azure AD Connect tool on either a domain controller or another domain-joined server.
This is a requirement to use Intune, AVD, CMG and/or Co-Management.
- Download Azure AD Connect from [Download Microsoft Azure Active Directory Connect from Official Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=47594) or from the Azure Portal.
- Copy it to the server and run it.
- Select I agree to the license terms.
- Click Use express settings.
- Type in Global Admin credentials for Azure AD. Click Next
- Type in domain enterprise administration account, click Next.
- If you get the message about non-matching UPN suffixes, there are a few options:
- Check Continue without matching all UPN suffixes to verified domains and click Next.
[NOTE]: If the on-prem domain does not match the Azure AD domain, Single Sign On [will not work]. If you want this feature, STOP and proceed to the Custom Domain step.
- Purchase a custom domain and add the AD UPN suffix to match the domain names
[WARNING]: If your on-prem domain does not match the public internet domain, STOP here and follow the Add AD UPN Suffix steps first
- Restart the AD Connect tool if a suffix was added
- Click Install
- Check Azure Active Directory to ensure synchronization is working.
This second DC is not required but can be useful when testing Autopilot Hybrid join or other local domain join scenarios. Standing up a second Domain Controller DOES require a connection to the Azure IaaS environment using Networking (Hybrid scenario) steps.
WARNING: DO NOT CONTINUE until the Site-2-Site connection is established and working.
- Follow the instructions on how to Create a Virtual Machine in Hyper-V
- Log in to the VM designated as the next Domain Controller in the environment
- Open Server Manager > Add Roles and Features
- Check Active Directory Domain Services
- Finish the Install of the DC Role.
- Open Server Manager again and click on warning icon next to the flag
- Under Post-Deployment configuration, click the link that says Promote this server to a domain controller.
- In the DCPromo wizard
- If this is the first DC, follow the Promote DC steps instead; otherwise select Add a domain controller to an existing domain.
- Type in FQDN for domain and click Select...
- If prompted, Type in domain credentials, click Ok
[NOTE]: Be sure to provide FQDN domain admin credentials
- Select the populated domain.
- If you are presented with "Encountered an error contacting domain <domainname>", check that it is an FQDN, that the existing DC is pingable, and that the network interface has its DNS server set to the existing DC's IP. Reboot the VM for DNS to resolve and try again.
- Leave GC and DNS checked and provide a DSRM Password
- If the subnets weren't added during the Setup Sites and Services steps, select the appropriate site name
- If desired, select the Replication from dropdown. Choose appropriate Domain controller to replicate from.
- Click Next until ready for install
[NOTE]: You will receive warnings from the prerequisite checker, ignore and continue.
- Click Install
- Wait until DC configuration is complete. Click Close.
- This will auto-reboot the VM. If not, reboot the server.
[TIP]: If there is an additional DC in Azure, be sure to update the virtual networks for all DNS servers.
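Both promotion paths (the Promote DC steps for the first DC, and the additional-DC steps just above) as one script, added as an example and not part of the original guide. It runs on the server being promoted as a local administrator; the domain name, site, source DC and NIC alias are assumptions, and the passwords are prompted for.

```powershell
# Installs the AD DS role and promotes the server, branching exactly as the page does.
$DomainName = 'lab.local'                     # assumed; must be an FQDN
$IsFirstDc  = $false                          # $true on LAB-DC1, $false on the Hyper-V DC
$SiteName   = 'Default-First-Site-Name'       # site chosen in the wizard
$SourceDc   = 'LAB-DC1.lab.local'             # DC to replicate from (assumed FQDN)
$ExistingDcIp = '10.20.0.1'                   # checklist value for the Azure DC
$DsrmPwd    = Read-Host -AsSecureString -Prompt 'DSRM password'

# Role install; this is what leaves the "flag" warning in Server Manager until promotion
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

if ($IsFirstDc) {
    # New forest with GC and DNS; the server reboots itself when finished
    Install-ADDSForest -DomainName $DomainName -InstallDns `
        -SafeModeAdministratorPassword $DsrmPwd -Force
} else {
    # Hyper-V guest only: point the NIC at the existing DC (in Azure this is done on the VNet)
    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $ExistingDcIp
    # Same checks the page lists for the "Encountered an error contacting domain" case
    if (-not (Test-Connection -ComputerName $SourceDc -Count 1 -Quiet)) {
        throw "Cannot reach $SourceDc: check the site-to-site VPN and DNS before promoting"
    }
    $cred = Get-Credential -Message "Domain admin as user@$DomainName (use the FQDN)"
    Install-ADDSDomainController -DomainName $DomainName -Credential $cred -InstallDns `
        -SiteName $SiteName -ReplicationSourceDC $SourceDc `
        -SafeModeAdministratorPassword $DsrmPwd -Force
}
# Add -NoRebootOnCompletion to either cmdlet if you want to restart the server yourself
```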
This checklist is to be used during the networking configuration. Values that are prefilled in can be used, but they can be changed if needed; make sure you read the comments.
| Name | Values | Comment |
|---|---|---|
| Lab Name | Lab | |
| Domain Name | It is best to create a unique domain | |
| Azure Hub Name | Lab-Hub-Subnet1 | |
| Azure Hub CIDR | 10.10.0.0/16 | |
| Azure Hub Subnet 1 | 10.10.0.0/24 | Specify a space within the Hub's CIDR |
| Azure Hub Gateway | 10.10.200.0/26 | Specify a space within the Hub's CIDR that does not conflict with Subnet 1 |
| Azure Spoke Name | Lab-Spoke-Subnet1 | |
| Azure Spoke CIDR | 10.20.0.0/16 | |
| Azure Spoke Subnet 1 | 10.20.0.0/24 | Specify a space within the Spoke's CIDR |
| Azure Spoke Subnet 2 | 10.20.1.0/27 | Bastion subnet |
| Azure VPN ASN Port | 65010 | |
| IPSec Shared Key | This will be generated when setting up the VyOS router. | |
| Azure Gateway Public IP | This can be retrieved once a gateway has been created in Azure. | |
| Home Public IP | The public IP of the home network hosting the Hyper-V guests; go to: https://ipinfo.io/json . | |
| Hyper-V Subnet 1 | 10.100.1.0/24 | Cannot conflict with Azure subnets |
| Hyper-V Subnet 2 | 10.100.2.0/24 | Cannot conflict with Azure subnets |
| Azure VM: Domain Controller IP | 10.20.0.1 | Use this to configure the Azure subnets' internal DNS. If multiple DCs are created, each IP will need to be added. |