Extending Your Domain into Microsoft Azure: It’s Not as Scary as You Think

By Aaron Saposnik| April 27, 2015

When Microsoft first released their Infrastructure as a Service (Iaas) offering within Azure, one of the most common questions was how to deal with domain controllers. For many organizations, if you can’t extend your domain into Azure then you are limited in what you can do. For many, this was initially a somewhat complicated and scary process.

In the past six months, Microsoft has worked hard at updating Azure Virtual Machines and Azure Networking to make adding a domain controller into Azure safe and practical. Here’s what has changed and what you need to consider before extending your domain into Azure:

  1. Site-to-Site Tunnels – As with any secondary location, to extend your on-premises domain into Azure you need to have a tunnel between the two environments. Azure is now fully capable of making tunnels with all major brands of firewalls including Cisco, SonicWALL, Fortinet, Juniper, Palo Alto and many others. For organizations with multiple locations, depending on your firewall device, Azure can also establish a multi-site tunnel allowing all of your remote locations to connect to the same Azure environment.
  2. Static IP Address – For any domain controller, one of the main requirements is a Static IP address to ensure that DNS can successfully connect and Active Directory requests will succeed. In previous versions of Azure, there was no option for reserving an IP address to a VM and instead there were various workarounds that risked the IP changing if the machine was shut down. In the newest version of Azure, options have been added to reserve a static IP for any VM. With one quick command your domain controller can now have a dedicated IP that is reserved and will never change, even if the machine is shut down or restarted.
  3. Active Directory Database Caching – Like any database, the Active Directory database can be damaged if the server does not shut down cleanly. While this is unlikely in Azure, this was a concern because the operating system drive on all VMs uses caching technology which might not write back all changes to the database in the event of a dirty shutdown. To resolve this concern, Azure now has easy options for adding additional data disks to the domain controller that do not use caching. These drives are fully supported for the Active Directory database and ensure that the risk to the database is minimal in the event of a shutdown.

But what about Azure Active Directory? We are often asked if Azure AD can be used as a replacement or a supplement for a domain controller. Unfortunately, at this time Azure AD is purely a user database and is not designed for computer accounts or for managing computer logins. If you are interested in putting your domain into Microsoft Azure, your best solution is still to install a domain controller using Azure Virtual Machines.

BDO Digital has experience setting up many domain controllers in Azure and we are always available to help you design your deployment and extend your environment into Azure.

Leveraging opportunities in the cloud