DR - Extend Active Directory to the Cloud with Windows Azure
The Cloud Zone is brought to you in partnership with Mendix. Better understand the aPaaS landscape and how the right platform can accelerate your software delivery cadence and capacity with the Gartner 2015 Magic Quadrant for Enterprise Application Platform as a Service.
This month, my fellow IT Pro Technical Evangelists and I are authoring a new series of articles on 20 Key Scenarios with Windows Azure Infrastructure Services. Check out the list of articles here:
For today’s post I will cover the steps to put a Domain Controller in Windows Azure for Disaster Recovery. This DC can actually serves two purposes, first it is a full copy that give us an offsite copy of AD, second it can be used for servers in Azure so they don’t have to travers the WAN.
Let’s clear up some confusion first, the Active Directory tab in the Azure portal is for Windows Azure Active Directory. Windows Azure AD is a modern, REST-based service that provides identity management and access control capabilities for your cloud applications. It is similar to Active Directory Lightweight Directory Services and does not offer Disaster Recovery for your AD environment. It can sync users with your corporate AD and provide a single sign on solution with ADFS. It is useful for your developers when building custom applications. You can read more on Azure AD here: http://www.windowsazure.com/en-us/home/features/identity/
What we need to is create a full blown Active Directory Domain Controller up in Azure. To accomplish this we will create a Virtual Machine.
To extend our Corp at to Azure we will treat it just as if we were building a server in a remote datacenter with one change to watch for. The fundamental requirements for deploying Windows Server Active Directory on Windows Azure Virtual Machines is the same as deploying AD from on-premises with one change. We need to install the AD database on a different disk other than the C: drive. We will create an Azure data-disk and attach it as drive E:. This is where we will store both the AD database and the SYSVOL.
Why store AD on a different drive?Windows Azure provides two distinct disk types for virtual machines. Azure offers an “Operating System-disks” and “Data-disks.” Data-disks use write-through caching, guaranteeing durability of writes — this is fundamental to the integrity of any Windows Server Active Directory forest that has more than a single domain controller because the loss of a single write can affect the entire distributed system rather than just a single machine.
Overview of the Steps to Create an Active Directory DC in Azure
- Link the Networks with a site to site VPN. (See how to do that with Server 2012 here)
- Configure your AD Sites with a new site
- Create a Windows Server VM (Config DNS to read from a DC)
- Join the Server to the Domain
- Promote the Server to a Domain Controller
- Pour yourself a Fresca
For this post I originally wanted to do a step by step guide instead of this overview. I began, how most Microsofties begin, I “Bing’ed” what was currently available on this topic. What I found was that a fantastic step by step article already existed. My co-worker, fellow Microsoft IT Pro Evangelist Keith Mayer, already has created a great step by step guide below:
Detailed Step by Step guide to extending AD to Azure – by Keith Mayer
If you are interested in more details on guidelines and options for deploying Active directory in Azure be sure to check out the Microsoft documentation:
Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines