Azure AD Domain Services offers a set of features that provide full compatibility with Windows Server Active Directory, including domain join, group policy, LDAP, Kerberos/NTLM authentication, and group management.
These managed domain services let you consume them without having to deploy, manage, and patch domain controllers yourself.
Your on-premises Active Directory domain controller is likely already extended to the cloud (through Azure AD Connect) in addition to serving a variety of on-premises connectivity needs (LDAP, DNS, and so on).
To guard against unforeseen outages, deploying an additional domain controller in your Azure environment is always recommended as an easy way to make your Active Directory domain highly available. Before we jump into the steps, here are a few things you'll need.
Requirements to deploy a domain controller in Azure Active Directory
- An Azure AD tenant with an active subscription.
- A virtual network in Azure whose address space does not overlap with your on-premises network.
- A permanent connection between your on-premises domain controller and Microsoft Azure (Azure VPN Gateway, ExpressRoute, or a network virtual appliance).
Steps to deploy a domain controller in Azure Active Directory
To begin with, the first step is to have a VM in place. Assuming you already have one, sign in to your Azure portal. If you do not have an Azure account yet, create one on Microsoft's site; it is completely free.
Now, follow these steps to create a domain controller:
- Log in to your Azure VM via RDP.
- Open Server Manager and click Add Roles and Features on the dashboard.
- Once the Add Roles and Features wizard appears, click Next three times.
- On the Server Roles tab, select Active Directory Domain Services and choose Add Features.
- Click Next and ensure that the check boxes shown in the screenshot are ticked.
- Finally, click Install and then Close.
- Post-deployment configuration needs to be done once Active Directory Domain Services has been installed.
- In the upper right of the Server Manager window, click the flag icon and then Promote this server to a domain controller.
- On the Deployment Configuration page that appears, select Add a new forest and enter your desired domain name.
- Click Next. You will be asked to type a password for DSRM (Directory Services Restore Mode); enter the password and select Next.
- Click Next three more times.
- Review the configuration and, once you have finished reviewing it, click Next and then Install.
- The VM will reboot once the installation is done.
- As soon as the installation has completed, a DNS update needs to be carried out so that other servers within the same VNet are able to resolve and join the domain.
- In the Azure portal, open the virtual network's blade, click DNS Servers, and enter the private IP address of your Azure VM (the new domain controller) as a custom DNS server.
- For the updated DNS server setting to take effect, you will need to reboot the VMs in the VNet after adding the DNS server.
At the end, you can log in to the DC using a domain account, and on the Server Manager dashboard you can see your domain.
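The same procedure as the portal steps above, as an added PowerShell example that is not part of the original article. Part 1 runs inside the Azure VM as a local administrator (the AD DS feature and the ADDSDeployment module); Part 2 runs from an admin workstation with the Az PowerShell module. The domain name, NetBIOS name, resource group, VM and virtual network names are placeholders, and the `PSDhcpOptions` type name is assumed from the Az.Network module.

```powershell
# Added example, not from the original article. All names below are placeholders.

### Part 1: run inside the Azure VM. Install AD DS and promote it to the first
###         domain controller of a new forest (the "Add a new forest" option above).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Prompt for the DSRM password instead of hard-coding it in the script.
$dsrmPassword = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$forestParams = @{
    DomainName                    = 'corp.example.com'   # placeholder forest root domain
    DomainNetbiosName             = 'CORP'               # placeholder NetBIOS name
    SafeModeAdministratorPassword = $dsrmPassword
    InstallDns                    = $true                # the DC also becomes a DNS server
    Force                         = $true                # suppress the confirmation prompt
}
# The VM reboots automatically when promotion completes (omit -NoRebootOnCompletion).
Install-ADDSForest @forestParams

### Part 2: run from an admin workstation with the Az module, after the reboot.
###         Point the VNet's DNS at the new DC so other VMs can resolve and join the domain.
Connect-AzAccount
$rg       = 'rg-identity'   # placeholder resource group
$vmName   = 'vm-azdc01'     # placeholder name of the new DC VM
$vnetName = 'vnet-hub'      # placeholder virtual network

# Read the DC's private IP from its NIC rather than copying it from the portal.
$vm   = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic  = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$dcIp = $nic.IpConfigurations[0].PrivateIpAddress

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
if (-not $vnet.DhcpOptions) {
    # DhcpOptions is null until custom DNS has been set once (type name assumed from Az.Network).
    $vnet.DhcpOptions = New-Object -TypeName Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = @($dcIp)
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Existing VMs only pick up the new DNS server after a restart (or DHCP lease renewal),
# so restart every VM in the resource group except the DC itself.
Get-AzVM -ResourceGroupName $rg |
    Where-Object { $_.Name -ne $vmName } |
    ForEach-Object { Restart-AzVM -ResourceGroupName $rg -Name $_.Name | Out-Null }
```

Splatting the `Install-ADDSForest` parameters keeps the DSRM password out of the command line and the script history; reading it with `-AsSecureString` avoids leaving it in plain text on the DC.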
Best practices to deploy a domain controller in Azure Active Directory
- Create a new subnet for the Azure address range in Active Directory Sites & Services.
- Adjust the DNS settings of the domain controller so that it has a redundant DNS server.
- On-premises networks must be connected to Azure via VPN tunnels.
- When testing and using an open port (RDP 3389), I recommend creating fake/dummy data in Active Directory. Don’t use real usernames and passwords because the server might be compromised as a result of internet exposure.
- Limit access to the VM to your own IP address using the Azure firewall.
- For secure remote access, use Azure Bastion.
- Ensure that all domain controllers have the Active Directory Recycle Bin feature enabled and configured.
- Back up your domain controllers regularly.
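The best practices above, as an added PowerShell example that is not part of the original article: the AD site and subnet, the Recycle Bin, a system-state backup, DNS redundancy on the DC's NIC, and a network security group that limits RDP to one admin address. Parts 1 to 3 run on the new domain controller; Part 4 runs from a workstation with the Az module. The site name, address ranges, IPs, resource names and the backup drive letter are all placeholders.

```powershell
# Added example, not from the original article. All names, ranges and IPs are placeholders.

### 1. Sites & Services: a site and subnet for the Azure address range, so clients in
###    Azure authenticate against the Azure DC instead of crossing the VPN.
New-ADReplicationSite -Name 'Azure-WestEurope'
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'Azure-WestEurope'   # placeholder VNet range

### 2. Enable the Active Directory Recycle Bin (forest-wide; cannot be disabled again).
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'corp.example.com' -Confirm:$false

### 3. System-state backup of the DC to a separate data disk (placeholder drive F:).
Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
wbadmin start systemstatebackup -backupTarget:F: -quiet

### 4. From the workstation: DNS redundancy on the DC's NIC and RDP limited to one admin IP.
Connect-AzAccount
$rg = 'rg-identity'; $vmName = 'vm-azdc01'; $nsgName = 'nsg-identity'   # placeholders
$onPremDcIp = '192.168.1.10'      # placeholder: on-premises DC reachable over the VPN
$adminIp    = '203.0.113.10/32'   # placeholder: the admin workstation's public IP

$vm  = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id

# Azure-side NIC DNS: a peer DC first, then itself, so name resolution survives a single DC outage.
$nic.DnsSettings.DnsServers = @($onPremDcIp, $nic.IpConfigurations[0].PrivateIpAddress)
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# NSG: allow RDP only from the admin IP, and explicitly deny it from the Internet tag so the
# exposure is visible in the rule list rather than relying on the default DenyAllInBound rule.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-AdminIP' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $adminIp -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-Internet' -Priority 110 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null
$nsg | Set-AzNetworkSecurityGroup | Out-Null
```

Setting DNS on the NIC from the Azure side (rather than inside the guest) matters because Azure VMs receive their network configuration over DHCP; a lower-priority allow rule for the admin IP combined with a deny for the Internet service tag leaves port 3389 reachable from exactly one address, which is the intent of the "limit access from your IP" recommendation.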
The many options Azure offers are quite impressive, and they let you do a lot with your data. These best practices help protect your domain controllers, and therefore your organization, from attack by keeping them secure.