How to deploy a Domain Controller in Azure

Post last modified: September 10, 2023

If deploying a Domain Controller in Azure is the next step in your cloud journey, this post walks through exactly that. A domain controller in Azure not only lets you build on a secure and resilient infrastructure, it also gives you flexibility for your Active Directory and its connectivity.

Why you should have a Domain Controller in Azure

Azure provides a secure and resilient platform for you to build your virtual machines. You are able to create servers and other services on demand without having to wait for purchasing, delivery and physical configuration. This means once you have a Domain Controller running in Azure, it can not only be scaled up and down (increase or decrease in capacity) but it can also be scaled out to build better resilience or faster connectivity from different regions. 

How to create a Domain Controller in Azure

We are going to create a traditional Domain Controller virtual machine. This gives us the most control over our Active Directory and allows us to continue to integrate with our on-premises infrastructure and apps. Azure does provide its own Azure Active Directory Domain Services, but this is only for specific scenarios where there is no requirement for traditional Active Directory.

Creating your Virtual Machine

Start by signing in to the Azure Portal at portal.azure.com. Make sure you sign in with your Global Administrator account (an account with lesser permissions can also be used).

Under Azure Resources, click Create a resource. Search for Windows Server, click on the Create dropdown and select your desired OS version. We are going to select Windows Server 2022 Datacenter.

You will then be brought to the Create a virtual machine wizard. Choose your Azure subscription and leave resource group as default so a new resource group is created. 

Your virtual machine name should be relevant, for example a domain controller for ourcloudnetwork.com may look like az-ocn-dc-001.

For the rest of the settings under Instance details, make sure you select the region closest to you and select a relevant VM size. I am going to choose West Europe and select my VM size as B2ms at £56.58 a month.

As for Administrator account, choose a non-default username and a secure password. 

For initial access to your VM you can leave the inbound port settings at their default, which opens port 3389 (RDP) on the public IP. This is however very insecure, so you should look at using a third-party RMM service or Azure Bastion instead.
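If you do keep the public IP for the first connection, the least you should do is stop the default rule from accepting RDP from the whole internet. The following is an added example (Az PowerShell, not code from the original post) that finds the inbound rule allowing 3389 from Any on the VM's network security group and narrows its source to one trusted address. The resource group name, NSG name and the trusted address 203.0.113.10 are placeholders I have assumed; the portal names the NSG after the VM, so check yours in Recent resources.

```powershell
# Added example, not part of the original post.
# Assumed placeholders: resource group, NSG name and the admin workstation's public IP.
$rgName        = 'rg-ocn-dc'              # assumption
$nsgName       = 'az-ocn-dc-001-nsg'      # assumption: portal default is "<vmname>-nsg"
$trustedSource = '203.0.113.10/32'        # constructed example address (documentation range)

Connect-AzAccount | Out-Null

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName

# Locate the rule the portal created: inbound, Allow, TCP/3389, source "*" (Any).
$rdpRule = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and
    $_.Access    -eq 'Allow'   -and
    $_.DestinationPortRange -contains '3389' -and
    $_.SourceAddressPrefix  -contains '*'
} | Select-Object -First 1

if (-not $rdpRule) {
    Write-Host 'No inbound rule allowing 3389 from Any was found; nothing to tighten.'
    return
}

# Rewrite the same rule (same name and priority) with a single trusted source.
Set-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
    -Name $rdpRule.Name `
    -Description 'RDP restricted to admin workstation (temporary; move to Bastion)' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority $rdpRule.Priority `
    -SourceAddressPrefix $trustedSource -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null

# Push the change to Azure and show the resulting rule for verification.
$nsg = $nsg | Set-AzNetworkSecurityGroup
$nsg.SecurityRules |
    Where-Object { $_.Name -eq $rdpRule.Name } |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange, Access
```

Once Azure Bastion (or your RMM tooling) is in place, delete the rule altogether with Remove-AzNetworkSecurityRuleConfig followed by Set-AzNetworkSecurityGroup, and consider removing the public IP from the NIC entirely, since a domain controller has no reason to be reachable from the internet.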

Here are my basic settings

The next page will ask you to configure the disks for your VM. In my instance my domain controller will have a light workload: it will be a secondary domain controller for my office-based users and will be used directly by remote users. I am going to set my OS disk type to Standard SSD, leave the Encryption type as default and I will not be adding any data disks.

On the Networking page, if you do not already have a virtual network you will need to create one. Click Create new and define your network settings. I have named my network Private_Network, set the address range to 10.0.0.0/16 and the subnet to 10.0.0.0/24. It is important to ensure your virtual network can be expanded later, which is why the address range (/16) is much larger than the first subnet (/24): it leaves room to add further subnets without re-addressing.

You will notice a public IP will be created for you by default. We are going to leave this in place for initial connectivity to our virtual machine. The rest of the networking settings we are going to leave as default.

As for the rest of the VM settings, unless you have requirements that are more than basic, you can leave as default and click Review + Create.

Set a static IP address for your virtual machine

Now that we have created our virtual machine, we need to ensure its private IP address stays statically assigned by Azure. To do this, head to the Azure home page at portal.azure.com/#home; under Recent resources you will see a resource of type Network interface.

Network interface

Click on the resource name to open its settings page. In the left-hand menu under Settings, select IP configurations and click on ipconfig1. Under Private IP address settings, change the assignment to Static, enter the IP address that was previously assigned (in our case 10.0.0.4) and click Save.
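The same change can be made from Az PowerShell, which is handy if you build several domain controllers. This is an added example and not code from the original post; the resource group and NIC names are assumptions (the portal generates the NIC name from the VM name plus a few digits, so look it up first). Rather than typing the address in, it reuses whatever address Azure already handed out, so there is no risk of a typo breaking connectivity.

```powershell
# Added example, not part of the original post.
$rgName  = 'rg-ocn-dc'            # assumption
$nicName = 'az-ocn-dc-001-nic'    # assumption: check the real name under Recent resources

Connect-AzAccount | Out-Null

$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rgName

# ipconfig1 is the primary configuration created with the VM.
$ipconfig = $nic.IpConfigurations | Where-Object { $_.Primary } | Select-Object -First 1

Write-Host ("Current: {0} {1}" -f $ipconfig.PrivateIpAddress, $ipconfig.PrivateIpAllocationMethod)

if ($ipconfig.PrivateIpAllocationMethod -ne 'Static') {
    # Keep the already-assigned address (10.0.0.4 in the post) and only pin the allocation.
    $ipconfig.PrivateIpAllocationMethod = 'Static'
    $ipconfig.PrivateIpAddress          = $ipconfig.PrivateIpAddress
    $nic | Set-AzNetworkInterface | Out-Null
}

# Read the NIC back from Azure to confirm the change took effect.
(Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rgName).IpConfigurations |
    Select-Object Name, PrivateIpAddress, PrivateIpAllocationMethod, Primary
```

Note that this reservation lives in Azure's fabric only; inside the guest the NIC keeps showing DHCP, which is correct and should be left alone, as the configuration section below explains.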

Connect to your Virtual Machine

Our last task before we set up our virtual machine as a domain controller in Azure is to connect to it. From the Azure portal home page, find your virtual machine under Recent resources and select it.

At the top of the Virtual Machine settings page, click on Connect and select RDP. You will be prompted to download an RDP file, which you should save to a convenient location. Double-click on the RDP file and log in with the credentials you set when creating the Virtual Machine.

Configuring your Domain Controller in Azure

Configuring your Domain Controller will be somewhat traditional to what you are likely familiar with. We are going to walk through installing the required roles for your Domain Controller, creating a new domain and setting up Active Directory. 

Let's start! After you have signed in to your Virtual Machine, the first thing you will notice is that Server Manager opens immediately. We can use this to do some of the initial configuration.

Click on Configure this local server in the Quick Start menu; you will be brought to a new page where you can set up your common server settings. You will notice the Computer name is already set to what you previously specified. The Ethernet settings will also show as DHCP, but do not worry about this: all your networking is managed through Azure (the static address we reserved on the NIC is handed to the guest over DHCP), so there is no need to make changes to the server NIC from within the operating system. Azure has done all the easy work for us, so there is nothing for us to change on this page.

We need to install the Active Directory Domain Services role on our server. Go to Manage at the top right and select Add Roles and Features.

On the Add Roles and Features Wizard, you have the option to check the box to skip the informational page by default and click next. Then select Role-based or feature-based installation and click next.

The server selection page will show you all servers which are in your server manager pool, in our case we will only be presented with one, now click next.

On the Server roles page you will be presented a list of all roles you can install on this server. Check the box next to Active Directory Domain Services and click Next. Click Next on both the Features page and AD DS page, then select Install on the confirmation page. Once the installation has completed you can click Close.

You will now notice the AD DS option has appeared in the left hand menu in Server Manager. There will also be a notification warning at the top right of Server Manager. Open this notification and click Promote this server to a domain controller.

The Active Directory Domain Services Configuration Wizard will then present itself. On the first page you have 3 primary options:

Option 1: Add a domain controller to an existing domain. As it says if you have an existing domain that you wish to extend with this domain controller. Providing you have connectivity to it from your Azure network you can add the new server as a domain controller to an existing domain. 

Option 2: Add a new domain to an existing forest. If you have an existing forest and connectivity to it from your Azure network, you can add a new domain to it here.

Option 3: Add a new forest. If you are starting a new Active Directory this is the option you should choose.

In our scenario we are going to choose the option to Add a new forest and enter our domain as ourcloudnetwork.local. There are certain scenarios where we may want to use our public domain name as our internal network domain name, or even follow Microsoft best practice and use subdomain.ourcloudnetwork.com as our internal domain, but we are not going to cover them in this post. As we are creating a new and small forest with only a couple of users and devices, and we will be using Office 365 as our email server, we are going to use .local.

On the Domain Controller Options page we are going to set our Domain and Forest functional levels to the highest they can go, in our case Windows Server 2016. (Functional levels determine the Active Directory Domain Services capabilities available; you can read more about them here.) Make sure you create a secure but memorable DSRM password for your Active Directory. In the event of a disaster, DSRM (Directory Services Restore Mode) allows you to repair or recover your Active Directory database. You should always ensure you are using third-party tools to back up your domain controllers!

Click Next on the DNS Options page. On the Additional Options page the wizard will suggest a NetBIOS domain name derived from your domain name; if you are happy with it, click Next. The NetBIOS domain name is the short name by which older clients and protocols identify the domain across the network.

Leave the paths settings as default, by default they will be located with C:\Windows\*Foldername*. There is really no need to change these settings here.

On Review Options you can check your previous selections, then click Next. The prerequisites check will then run; it will show 3 warnings, each of which can be ignored. You will notice all prerequisite checks pass successfully and you can click Install.

Your server will automatically reboot once the install has completed!
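For anyone who prefers to script the role install and promotion (for example to build a second domain controller identically), here is the same sequence the wizard performs, written as an added example and not taken from the original post. It uses the values chosen above: the ourcloudnetwork.local forest, Windows Server 2016 functional levels (the WinThreshold value of the ADDSDeployment cmdlets) and the default NTDS and SYSVOL paths under C:\Windows. The DSRM password is prompted for rather than stored in the script, and the prerequisite check is run explicitly before the promotion.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on the Azure VM as the local administrator.

# 1. Install the AD DS role (equivalent of Add Roles and Features).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Collect the DSRM password securely; never hard-code it.
$dsrmPassword = Read-Host -Prompt 'DSRM (Directory Services Restore Mode) password' -AsSecureString

Import-Module ADDSDeployment

# Values from the post. WinThreshold = Windows Server 2016 functional level.
$forest = @{
    DomainName                    = 'ourcloudnetwork.local'
    DomainNetbiosName             = 'OURCLOUDNETWORK'   # what the wizard derives by default
    ForestMode                    = 'WinThreshold'
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
}

# 3. Run the same prerequisite checks the wizard shows, without changing anything.
$check = Test-ADDSForestInstallation @forest
$check | Format-List Status, Message

if ($check.Status -eq 'Error') {
    throw 'Prerequisite check failed; review the messages above before promoting.'
}

# 4. Promote the server. -Force suppresses the confirmation prompt; the server
#    reboots on completion exactly as it does after the wizard.
Install-ADDSForest @forest -Force:$true -NoRebootOnCompletion:$false
```

The three warnings the post mentions will appear in the Test-ADDSForestInstallation output with a Status of Warning rather than Error, so the script only stops on a genuine failure.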

Note: When signing back into your server you will need to sign in using domain\username, where the username is the same local administrator account you were previously signed in with (the password is the same as well). For example, in my instance I will sign in with ourcloudnetwork\administrator.

Summary

Thank you for taking the time to read our post. We hope you found it informative and that it guided you through setting up your Domain Controller in Azure. You should now be able to create your virtual machine, connect to it, then install and configure Active Directory Domain Services on it.


Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
