Install Domain Controller VM in Azure for Existing Active Directory – InfoSec Memo

Before deploying an additional domain controller it is wise to check the health of the current environment. Below are some checks you can do (don't forget about DNS!). Existing problems should be fixed before continuing.

  • Analyse your Active Directory and DNS logs.
  • Check your domain controller health with dcdiag /s:dcName
  • Check DNS with dcdiag /s:dcName /test:dns

  1. Navigate to and sign in with a user that has sufficient permissions.
  2. Create a new Windows Server resource. I recommend using Windows Server 2022 if possible.
  3. Enter all basic information and don't forget about the availability options. Don't use a spot VM to save costs – a domain controller must always be online.
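The pre-checks above, collected into one script as an added example (not from the original post). It assumes the RSAT AD tools and repadmin are installed and that $DcName is your existing on-premises DC (a constructed placeholder); the health, DNS and replication output is summarised so remaining errors stand out before you continue.

```powershell
# Added example: run dcdiag (general + DNS tests), repadmin and an event-log sweep
# against one existing DC and report what still needs fixing.
param([string]$DcName = 'DC01')   # constructed placeholder, replace with your DC

function Test-DcHealth {
    param([string]$Server)
    $report = [ordered]@{}

    # /q = quiet: dcdiag prints only error lines, so any non-blank output is a problem
    $general = dcdiag /s:$Server /q
    $dns     = dcdiag /s:$Server /test:dns /q
    $report['GeneralErrors'] = @($general | Where-Object { $_ -match '\S' })
    $report['DnsErrors']     = @($dns     | Where-Object { $_ -match '\S' })

    # repadmin /replsummary prints "fails / total" per DC; flag any non-zero fail count
    $repl = repadmin /replsummary
    $report['ReplicationIssues'] = @($repl | Where-Object {
        $_ -match '\s[1-9]\d*\s*/\s*\d+' -or $_ -match 'error'
    })

    # Critical/Error events from the AD and DNS Server logs in the last 24 hours
    $report['RecentAdErrors'] = @(Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName = 'Directory Service', 'DNS Server'
        Level = 1, 2
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, LogName, Id, Message)

    [pscustomobject]$report
}

$result = Test-DcHealth -Server $DcName
$result | Format-List
if ($result.GeneralErrors -or $result.DnsErrors -or $result.ReplicationIssues) {
    Write-Warning 'Fix the issues above before promoting a new domain controller.'
}
```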

When deploying multiple domain controllers in Azure, each of them should be in a different availability zone or in the same availability set.

By default, "Allow selected ports" is enabled to allow RDP (3389). For security reasons, you should set this option to None. If required, a network security group can be attached to the subnet or VM afterwards to block certain ports. I recommend attaching NSGs to subnets.

  1. Click Next to configure VM disks.

A single VM without premium SSDs has an SLA of 99.95%. A single VM with premium SSDs (all disks) has an SLA of 99.99%. I recommend using premium disks for your domain controller.

Add a second (premium SSD) disk with host caching set to None. This disk will contain the database, logs and SYSVOL folders. A disk with a size of 8GB is sufficient.

  1. Click Next to configure networking. Connect the VM to your existing vNet that is connected to your on-premises domain. Don't assign a public IP address to your virtual machine, as recommended by Microsoft – use a VPN or Azure Bastion to connect to the machine. Again, I'll apply NSGs to my subnet if required.
  2. Finish all steps to create the virtual machine. Don't enable 'Login with AAD credentials' or 'Auto-shutdown'.

Configure IP Settings

The virtual machine must have a static IP address and the primary DNS server must point to the on-premises domain controller.

Static IP Address

  1. Click on the network interface of your new virtual machine.
  2. Select IP configurations and click on the IP config to change the IP settings.
  3. Select Static and configure the IP address. Don't forget to click Save – a reboot may be required. You should never configure the static IP address on the VM itself as you do on-premises.
  4. Check if you can ping the VM from your on-premises domain controller and the other way around. If this isn't working you can try Network Watcher for troubleshooting.

DNS Servers

DNS servers can be configured on the virtual network or on the virtual machine itself. If configured on the vNet, everything that is connected to this network will inherit these settings (you probably want this).

  1. Click on your virtual network to edit its settings.
  2. Select DNS and configure a custom DNS server (your on-premises domain controller).
  3. Don't forget to click Save and reboot the virtual machine.

After adding the AD DS role to the new VM we'll come back to this page to change the DNS settings once more.
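The static IP and vNet DNS steps above, done with the Az PowerShell module instead of the portal, as an added example (not from the original post). Resource group, NIC, vNet names and IP addresses are constructed placeholders; the static address is set on the Azure NIC, never inside the guest.

```powershell
# Added example: static private IP on the NIC and custom DNS on the vNet, then read
# back what Azure reports so you can confirm it before rebooting the VM.
$rg        = 'rg-identity'    # constructed placeholder
$nicName   = 'azdc01-nic'     # constructed placeholder
$vnetName  = 'vnet-hub'       # constructed placeholder (vNet connected to on-premises)
$dcIp      = '10.10.1.10'     # desired static address inside the VM's subnet
$onPremDns = '192.168.1.10'   # existing on-premises DC, the initial DNS server

# 1. Static private IP on the network interface (set in Azure, not in the OS)
$nic   = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$ipcfg = $nic.IpConfigurations[0]
$ipcfg.PrivateIpAllocationMethod = 'Static'
$ipcfg.PrivateIpAddress          = $dcIp
$nic | Set-AzNetworkInterface | Out-Null

# 2. Custom DNS on the virtual network so every VM on it inherits the setting
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
if (-not $vnet.DhcpOptions) {
    # vNets using Azure-provided DNS have no DhcpOptions object yet
    $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = @($onPremDns)
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Verify the result as Azure sees it
$nic  = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
[pscustomobject]@{
    PrivateIp  = $nic.IpConfigurations[0].PrivateIpAddress
    Allocation = $nic.IpConfigurations[0].PrivateIpAllocationMethod
    VnetDns    = ($vnet.DhcpOptions.DnsServers -join ', ')
}
```

Reboot the VM afterwards so the guest picks up the new address and DNS server through DHCP.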

Active Directory Sites & Services

It's important to create a new site with a corresponding subnet that will contain your new domain controller. Clients will try to contact the domain controller in their own site first, so a misconfiguration can cause slow logons or other problems. If your on-premises subnet isn't visible here you should create that one too!

  1. Open Active Directory Sites & Services on your on-premises domain controller.
  2. Right-click Sites and select New Site.
  3. Name your new site and link it to the DEFAULTIPSITELINK. Click OK to finish.
  4. Right-click Subnets and select New Subnet.
  5. Enter the correct prefix (your Azure subnet that contains your virtual machine) and link it to the new site.
  6. Click OK to finish. You should end up with two (or more) subnets and two (or more) sites.
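The same site and subnet configuration with the ActiveDirectory module, run on the on-premises DC, as an added example (not from the original post). Site names and prefixes are constructed placeholders; the script also creates the on-premises subnet if it is missing, as the text advises.

```powershell
# Added example: create the Azure site, attach it to DEFAULTIPSITELINK, and map the
# Azure and on-premises prefixes to their sites. Idempotent: existing objects are kept.
Import-Module ActiveDirectory

$azureSite    = 'Azure-WestEurope'          # constructed site name
$azurePrefix  = '10.10.1.0/24'              # Azure subnet containing the new DC
$onPremSite   = 'Default-First-Site-Name'   # existing on-premises site
$onPremPrefix = '192.168.1.0/24'            # on-premises subnet (constructed)

# 1. New site, linked via the default site link so inter-site replication is scheduled
if (-not (Get-ADReplicationSite -Filter "Name -eq '$azureSite'")) {
    New-ADReplicationSite -Name $azureSite
}
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $azureSite }

# 2. Subnets: each prefix must point at the site whose DCs should serve it
foreach ($pair in @(@($azurePrefix, $azureSite), @($onPremPrefix, $onPremSite))) {
    $prefix, $site = $pair
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $site
    }
}

# 3. Verify: every subnet should map to the intended site (Site is returned as a DN)
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, @{ n = 'Site'; e = { ($_.Site -split ',')[0] -replace '^CN=' } }
```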

Install Active Directory Domain Services

  1. Start Add Roles and Features on the Azure VM.
  2. Add the Active Directory Domain Services role and all required features.
  3. Promote this server to a domain controller.
  4. Select Add a domain controller to an existing domain.
  5. Enter your domain name and click Select. Provide credentials with sufficient permissions. If you get an error that the wizard can't find your domain, your DNS settings are probably incorrect.
  6. Select the correct site name and enter a DSRM password.
You may get a warning message that a delegation for this DNS server can't be created.
  7. Replicate from any domain controller.
  8. Change all paths to the 8GB partition (without caching).
I put them on the C drive as default. My D drive is the temporary storage, which is 8G.
  9. Leave all other options at their defaults or configure as required.
  10. There are some warning messages, but you can go ahead with the installation.
  11. Reboot the virtual machine.
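The promotion steps above scripted with the ADDSDeployment module, as an added example (not from the original post). It prepares the extra 8GB data disk and places the NTDS, log and SYSVOL paths on it (step 8), skipping the DNS delegation that produces the warning mentioned above. Domain name, site name and drive letter are constructed placeholders; run it elevated on the Azure VM.

```powershell
# Added example: initialise the data disk, guard against using the Azure temporary
# disk, then promote the VM as an additional DC in the existing domain.
$domain     = 'corp.example.local'   # constructed placeholder
$siteName   = 'Azure-WestEurope'     # the site created in Sites & Services
$dataLetter = 'F'                    # D: is the ephemeral temporary disk on Azure VMs

# 1. Bring the uninitialised data disk online as an NTFS volume
$raw = Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' } | Select-Object -First 1
if ($raw) {
    $raw | Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -UseMaximumSize -DriveLetter $dataLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false | Out-Null
}
# Azure's temporary disk carries a data-loss readme; never put the AD database there
if (Test-Path "${dataLetter}:\DATALOSS_WARNING_README.txt") {
    throw "Drive ${dataLetter}: is the temporary disk; choose another drive letter."
}

# 2. Install the role and promote the server
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
$cred = Get-Credential -Message 'Account with permission to add a domain controller'
$dsrm = Read-Host 'DSRM password' -AsSecureString

Install-ADDSDomainController `
    -DomainName $domain `
    -SiteName $siteName `
    -Credential $cred `
    -InstallDns `
    -CreateDnsDelegation:$false `
    -DatabasePath "${dataLetter}:\NTDS" `
    -LogPath "${dataLetter}:\NTDS" `
    -SysvolPath "${dataLetter}:\SYSVOL" `
    -SafeModeAdministratorPassword $dsrm `
    -Force   # suppresses the confirmation prompt; the VM reboots when promotion completes
```

Omit -ReplicationSourceDC (as here) to replicate from any domain controller, matching step 7.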

DC on Azure

When the virtual machine is back online, it probably has static DNS servers configured – this happened because of the AD DS role. Change this back to Obtain DNS server address automatically. Do this for both IPv4 and IPv6. You will probably lose the connection to the virtual machine.

DC on-premises

The preferred DNS server of your on-premises domain controller should be the domain controller in Azure. The alternate DNS server should point to itself. All other on-premises servers or clients should have the on-premises DC as their preferred DNS server.

Virtual Network DNS Settings

The first DNS server should be the DC in Azure and the second DNS server should be the on-premises DC.

DNS Settings DC on Azure

The first DNS server should be the on-premises DC and the second DNS server should be the DC in Azure. Reboot your VM after changing this.

Validate this change on the VM itself by using ipconfig /all.
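The post-promotion DNS client changes and the validation step, as an added example (not from the original post). The first part runs on the Azure DC (back to automatic DNS so the vNet setting applies), the second on the on-premises DC (preferred = Azure DC, alternate = itself); the IP addresses are constructed placeholders and the check assumes you are logged on with a domain account so $env:USERDNSDOMAIN is set.

```powershell
# Added example: apply the DNS client settings described above and verify the
# resulting server order plus SRV resolution, instead of reading ipconfig /all by eye.
$azureDcIp  = '10.10.1.10'    # constructed placeholder
$onPremDcIp = '192.168.1.10'  # constructed placeholder

function Test-DcDnsSettings {
    param([string[]]$Expected)
    # Collect the IPv4 DNS servers actually in use on connected interfaces
    $actual = @((Get-DnsClientServerAddress -AddressFamily IPv4 |
                 Where-Object { $_.ServerAddresses }).ServerAddresses)
    [pscustomobject]@{
        Actual   = ($actual -join ', ')
        Expected = ($Expected -join ', ')
        # order matters: preferred vs alternate
        Match    = (($actual -join ',') -eq ($Expected -join ','))
        # the domain's DC locator SRV record must resolve via the configured servers
        SrvOk    = [bool](Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN" `
                          -Type SRV -ErrorAction SilentlyContinue)
    }
}

# --- On the Azure DC: clear the static entries the promotion left behind (IPv4 and IPv6)
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ResetServerAddresses
# After the reboot the VM inherits the vNet DNS order; validate with the order you configured:
# Test-DcDnsSettings -Expected @($onPremDcIp, $azureDcIp)

# --- On the on-premises DC: preferred = Azure DC, alternate = itself
# Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $azureDcIp, $onPremDcIp
# Test-DcDnsSettings -Expected @($azureDcIp, $onPremDcIp)
```

Uncomment the block for the machine you are on; a Match of False or SrvOk of False means the DC cannot locate the domain through the servers it was given.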
