On Wednesday, January 23, 2013, Tommy Patterson posted Part 23 of 31 in the 31 Days of Servers in the Cloud blog series (written by guest author Dan Noonan). Below is a short excerpt from that post.
Most of the work I’ve been doing lately involves migrating traditional client/server applications to Windows Azure Virtual Machines. The majority of these workloads use Active Directory Domain Services as their authentication provider, or in other words, classic Windows authentication. In this blog we’ll walk through the basic building blocks of creating a private forest within Windows Azure.
As we all know, if AD is down, so is your app. Imagine setting up a single domain controller responsible for both name resolution (DNS) and authentication: you have just created another synonym for single point of failure. At a minimum, deploy two domain controllers and create them as part of an Availability Set. The availability set places them in different fault and update domains, so a hardware failure or a planned host update cannot take both down at once, and at least one domain controller is always available for authentication and name resolution requests. If you're considering saving a few bucks by deploying a single domain controller in non-production environments, let me save you a few more. The first call you get from development or QA will cost you at least 6 months of compute. Telling a dozen upset people on a conference call that you wanted to save the company $50/month will sound pretty bad…
There are currently two major scenarios for providing Windows authentication in Windows Azure Virtual Machines:
In this blog we’ll cover deploying a new private forest. Here is a quick Visio of a classic 3-tier application (using Windows Azure features) to get us started:
As you can see, we have a management subnet that contains our domain controllers, as well as separate database and application “tiers”.
As with any new deployment to Windows Azure Virtual Machines, you will perform the following high-level steps:
While creating the virtual network, you need to specify that the domain controllers will also provide name resolution for every server in your deployment. Azure's DHCP pushes these DNS server addresses to each VM's network adapter, which is why they belong in the network configuration rather than in the guest operating system. You can set them in the Windows Azure management portal or through the Service Management API. Here is how you do it via PowerShell:
Example command line:
Set-AzureVNetConfig -ConfigurationPath "C:\networkConfiguration.xml"
Contents of C:\networkConfiguration.xml:
<!-- The xmlns attribute is the schema namespace Set-AzureVNetConfig validates against -->
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="skydc01" IPAddress="10.1.1.4" />
        <DnsServer name="skydc02" IPAddress="10.1.1.5" />
      </DnsServers>
    </Dns>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="skyvn" AffinityGroup="skyag">
        <AddressSpace>
          <AddressPrefix>10.1.0.0/16</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Management">
            <AddressPrefix>10.1.1.0/24</AddressPrefix>
          </Subnet>
          <Subnet name="Database">
            <AddressPrefix>10.1.2.0/24</AddressPrefix>
          </Subnet>
          <Subnet name="Middleware">
            <AddressPrefix>10.1.3.0/24</AddressPrefix>
          </Subnet>
          <Subnet name="Application">
            <AddressPrefix>10.1.4.0/24</AddressPrefix>
          </Subnet>
        </Subnets>
        <!-- Every server in the site receives these two DNS servers from Azure DHCP -->
        <DnsServersRef>
          <DnsServerRef name="skydc01" />
          <DnsServerRef name="skydc02" />
        </DnsServersRef>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
In the example above, the IP addresses assume the domain controllers are the first two virtual machines created on the Management subnet. Azure reserves the first four addresses of every subnet (10.1.1.0 through 10.1.1.3 here) and hands out leases in creation order, so the first VM on 10.1.1.0/24 receives 10.1.1.4 and the second receives 10.1.1.5. Those leases are only stable while the VMs stay provisioned: if the domain controllers are deallocated and other machines on that subnet boot first, the DCs come back with different addresses and name resolution for the whole virtual network breaks. So verify the assigned addresses before promoting the servers to domain controllers, and never assign a static IP inside the guest OS, because Azure will not route it. Let's make sure the assumption holds by creating the domain controllers now:
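The following is an added example, not code from the original post: it creates the two domain controller VMs as the first machines on the Management subnet, in one availability set, and then checks that the addresses Azure leased them match the DnsServer entries in C:\networkConfiguration.xml. It uses the classic (Service Management) Azure PowerShell cmdlets of the time; the cloud service name "skydc", the availability set name "skydc-as", the VM size, the image selection and the credential prompt are assumptions.

```powershell
# Added example (not from the original post). Assumed names: cloud service
# "skydc", availability set "skydc-as". Everything else comes from the VNet
# config file shown above.
$configPath  = "C:\networkConfiguration.xml"
$serviceName = "skydc"      # assumed
$vnetName    = "skyvn"
$affinity    = "skyag"
$subnet      = "Management"

# Pick the newest Windows Server 2012 Datacenter gallery image (assumed label filter).
$imageName = (Get-AzureVMImage |
    Where-Object { $_.Label -like "Windows Server 2012 Datacenter*" } |
    Sort-Object PublishedDate -Descending |
    Select-Object -First 1).ImageName

# Prompt for the local administrator credential instead of hard-coding it in a script.
$cred = Get-Credential -Message "Local administrator for the DC VMs"

# Read the expected DC addresses from the DnsServer entries in the VNet config,
# so the check below is tied to what the network will actually hand out to clients.
$netConfig = [xml](Get-Content $configPath)
$expected  = @{}
foreach ($dns in $netConfig.NetworkConfiguration.VirtualNetworkConfiguration.Dns.DnsServers.DnsServer) {
    $expected[$dns.name] = $dns.IPAddress
}

# Build both VMs in the same availability set so they land in different fault
# and update domains. The AD DS database and SYSVOL go on a separate data disk
# with host caching disabled, which is Microsoft's guidance for DCs on Azure.
$vms = foreach ($name in @("skydc01", "skydc02")) {
    New-AzureVMConfig -Name $name -InstanceSize Small -ImageName $imageName -AvailabilitySetName "skydc-as" |
        Add-AzureProvisioningConfig -Windows -AdminUsername $cred.UserName -Password $cred.GetNetworkCredential().Password |
        Set-AzureSubnet -SubnetNames $subnet |
        Add-AzureDataDisk -CreateNew -DiskSizeInGB 20 -DiskLabel "$name-adds" -LUN 0 -HostCaching None
}

# Creating the first VMs in a new cloud service also pins that service to the VNet.
New-AzureVM -ServiceName $serviceName -AffinityGroup $affinity -VNetName $vnetName -VMs $vms

# Verify the leased addresses match the DNS entries before promoting anything.
foreach ($name in $expected.Keys) {
    $actual = (Get-AzureVM -ServiceName $serviceName -Name $name).IpAddress
    if ($actual -ne $expected[$name]) {
        Write-Warning "$name received $actual but the VNet config lists $($expected[$name]); fix the config or recreate the VMs before promoting DCs"
    } else {
        Write-Output "$name has $actual as expected"
    }
}
```

Run this only after Set-AzureVNetConfig has been applied, because the DCs must receive the VNet's DNS settings from Azure DHCP on first boot. If the check warns, correct the DnsServer entries (or recreate the VMs in the right order) before running dcpromo; promoting a DC whose address differs from the one every client has been told to use leaves the whole forest unable to resolve its own SRV records.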
To get the full article, please read it here: http://virtuallycloud9.com/index.php/2013/01/integrating-active-directory-into-windows-azure-virtual-machines/