Thursday, July 23, 2015

Creating a Domain Controller in Azure

Setting up a Domain Controller (DC) in Azure is a little different from setting one up on premises. This post is by no means an extensive guide or best practices document on doing that. It is, however, designed to give you the basics so you can get up and running quickly.

I am going to assume you are starting totally fresh here. The first task is to create a new Azure network in the location that you desire. For more details on doing this see:

Tutorial: Create a Cloud-Only Virtual network in Azure

The next step is to run an Azure virtual machine that will be your Domain Controller. The only step that is slightly different from the norm is that you need to select the virtual network you created previously in the Region/Affinity Group/Virtual network option as shown above.

You then continue on as normal, create the virtual machine and allow it to start up.

For more information on creating an Azure virtual machine see:

How to Create a Custom Virtual Machine

Before you connect to the new virtual machine that will be your domain controller, you need to add an additional hard disk to it. From the list of virtual machines you have in Azure, select your new machine. Then select the Add button at the bottom of the page. From the menu that appears, select Attach empty disk.

Complete the details for the additional disk and save the configuration. For more information on adding an additional disk to a virtual machine see:

How to attach a data disk to a Windows virtual machine

When you log into the virtual machine you’ll see that it already has a dynamic IP address (here 10.0.0.4). This comes from the virtual network you created previously. It is important that you DON’T assign static IP addresses to Azure virtual machines, even in the case of a domain controller. All Azure virtual machines should ONLY have dynamically assigned IP addresses.

If you look at the storage layout of your new virtual machine you’ll see a C: and a D:. Beware: the D: drive is a temporary drive that gets erased and recreated on reboot. Thus, the only stuff you want on there is temporary stuff like the page file. Good practice is not to have the Active Directory databases on the boot partition either, because if that becomes inaccessible then bye bye AD, unless you have a backup. This is the reason why we attached an additional disk to our new virtual machine.

Everything from here on is pretty much as it would be with on-premises equipment. Go into the Windows Disk Management console and initialise the new disk.

Create a new volume on this additional disk and format it. At the end you should have a drive letter you can access. Here, F:.

If you again view the storage configuration of your virtual machine you should see a new disk (here F:) which will be the destination for the AD database.

Things remain the same when you configure your server to be a domain controller. Simply go in and add the role as you would normally.

Allow the configuration to complete.

Once the role has been enabled you now need to promote the server to a domain controller exactly as you would on premises. The only difference is that you should relocate the AD DS database, log files and SYSVOL to the disk you added (here F:).

Just before you complete the process of raising the server to be a domain controller, you’ll see the above warning about a domain controller requiring a static IP address. Again, in Azure this DOES NOT apply. In Azure we want all servers to have dynamic IP addresses.

Once your Domain Controller is running, go into the DNS Manager, right-click the DNS server (here the domain controller) and select Properties. In the Forwarders tab remove any IP address listed.

The last step is to go back and edit the properties of your virtual network. In the Configure tab for the network you will find the option for DNS servers as shown above. Add the IP address and machine name of the DC here and save it. Although the IP address assigned is dynamic, it is on an extended lease, so it should effectively ‘remain’ static. If you do power your DC up and down regularly for testing like I do, simply ensure that your DC is the first machine you fire up on that virtual network.
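The disk, role, promotion and DNS steps above as a PowerShell script, added here as an example rather than code from the original post. It assumes the attached data disk is the only uninitialised disk, that it becomes F: as in the post, and that corp.example.com is a placeholder forest name; the temporary-disk marker check and the registry verification at the end are my additions.

```powershell
# Added example (not from the original post). Run in an elevated session on the new Azure VM.
$DomainName = 'corp.example.com'   # placeholder forest name, replace with your own
$DataDrive  = 'F'                  # the attached data disk, as in the post

# Guard: the Azure temporary disk carries this marker file at its root. Refuse to put
# AD on that drive letter, since its contents are wiped on every reboot.
if (Test-Path "${DataDrive}:\DATALOSS_WARNING_README.txt") {
    throw "${DataDrive}: is the Azure temporary disk; the AD database must not live there."
}

# Part 1: initialise the new data disk, create one NTFS volume on it and assign it F:
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter $DataDrive -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false | Out-Null

# Add the AD DS role and promote to the first DC of a new forest, placing the database,
# logs and SYSVOL on the data disk rather than the boot partition. The static-IP warning
# shown during promotion is informational and, as the post explains, does not apply in Azure.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null
Install-ADDSForest -DomainName $DomainName `
    -DatabasePath "${DataDrive}:\NTDS" -LogPath "${DataDrive}:\NTDS" `
    -SysvolPath "${DataDrive}:\SYSVOL" -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force
# The server reboots at this point; Part 2 below is run in a fresh elevated session afterwards.

# Part 2 (after the reboot): clear any DNS forwarders, the Forwarders-tab step from the post,
# then verify that the database, logs and SYSVOL really landed on the data disk.
$DataDrive = 'F'
(Get-DnsServerForwarder).IPAddress |
    ForEach-Object { Remove-DnsServerForwarder -IPAddress $_ -Force }

$ntds   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$sysvol = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol
foreach ($path in @($ntds.'DSA Database file', $ntds.'Database log files path', $sysvol)) {
    if ($path -like "${DataDrive}:\*") { "OK, on data disk: $path" }
    else { Write-Warning "Not on the data disk: $path" }
}
```

The verification loop is the quick check worth keeping around: if any of the three paths still starts with C: or D:, the promotion wizard's relocation step was missed.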

So now you have an Azure hosted Windows Domain Controller (DC) without too much additional fuss.

So now, if I want to add another Azure virtual machine to this network and onto the domain, I simply spin up an Azure virtual machine as normal. When you do, you’ll see it get a different IP address (here 10.0.0.5, while the DC is 10.0.0.4).

Then, as you would anywhere else, simply add that machine to the domain. You’ll be prompted for administrator credentials to verify the domain join.

That is all; you now have a second machine on this domain.

So in summary, the key points with a Windows Domain Controller in Azure are:

- Add an extra disk and install the AD database, logs and SYSVOL here

- Don’t give the DC a static IP address

- Assign the DC IP address to the DNS setting in the virtual network configuration.

For more details on doing this see:

Install a new Active Directory forest on an Azure virtual network