Extending an on-premise Windows Server Active Directory (AD) infrastructure into the cloud is an important topic to consider when planning the migration or implementation of cloud-based applications. Many existing applications require Active Directory for authentication and identity management. When migrating applications to the cloud, having a locally accessible Active Directory is an important factor in ensuring that AD authentication is fast and reliable.
Great point! Extending an on-premise Active Directory into the cloud can also provide a cost-effective option for protecting Active Directory in DR scenarios. In the event of a physical disaster or outage at your primary data center location, a VM running Active Directory in the Windows Azure cloud can provide uninterrupted access to Active Directory for cloud-based applications and other on-premise AD-integrated applications.
When planning for Active Directory in the Cloud with our Windows Azure cloud platform, there are two options available:
You can read more about both Active Directory cloud options at:
In this article, we’ll be stepping through the components involved with the second option listed above to extend an on-premise Active Directory infrastructure using Windows Server Active Directory on Windows Azure VMs.
In future articles, I’ll cover the configuration of Windows Azure Active Directory for providing authentication and identity management for “Cloud-first” applications.
In the scenario described in this article, we’ll be connecting an existing on-premise network with a virtual network in the Windows Azure cloud via a secure Site-to-Site IPsec VPN tunnel. Once the tunnel is connected, the Windows Azure Virtual Network can be treated much like any other subnet on a Wide Area Network (WAN) when provisioning network services that will run in a Windows Azure Virtual Machine. Because directory replication and authentication traffic (LDAP, Kerberos and RPC) between the two sites travels through the encrypted tunnel, none of the Domain Controller ports need to be exposed as public endpoints on the Windows Azure VM.
Scenario: Extending Active Directory into the Cloud
The following is recommended to follow along with this article:
To complete the scenario described in this article for extending Windows Server Active Directory into the cloud, we will be using the following exercises:
Let’s get started!
The Windows Azure Virtual Network that we’ll be building in this article can be treated just like any other site on a Wide Area Network from an Active Directory sites and subnets perspective. Prior to installing and configuring Active Directory on a VM in the cloud, follow these steps to prepare your on-premise Active Directory for the new “virtual WAN location” that we’ll be building in the Windows Azure cloud:
The on-premise Windows Server Active Directory infrastructure is now prepared for adding a new Replica Domain Controller as a Windows Azure VM, and you can continue on with the next exercise.
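The preparation described above, as an added PowerShell example that is not part of the original article: it creates an Active Directory site for the Windows Azure Virtual Network, maps the VNet subnet to that site, and links the site to the existing on-premise site so that replication across the VPN runs on a controlled schedule. The site name, the subnet range, the on-premise site name and the site link cost and interval are assumptions; run it on an existing on-premise Domain Controller (or a host with the RSAT ActiveDirectory module) as a member of Enterprise Admins.

```powershell
# Added example (not from the original article): prepare the on-premise AD
# for the new Windows Azure "site" before a DC is promoted there.
# All names and address ranges below are assumptions for illustration.
Import-Module ActiveDirectory

$AzureSiteName  = 'Azure-West'              # assumed: site representing the Azure VNet
$AzureSubnet    = '10.1.0.0/24'             # assumed: VNet subnet that will hold the cloud DC
$OnPremSiteName = 'Default-First-Site-Name' # assumed: existing on-premise site
$SiteLinkName   = "$OnPremSiteName-$AzureSiteName"

# 1. Create the site that represents the Windows Azure Virtual Network.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$AzureSiteName'")) {
    New-ADReplicationSite -Name $AzureSiteName -Description 'Windows Azure Virtual Network'
}

# 2. Map the VNet address range to that site. Without this, the cloud DC (and any
#    domain-joined Azure VM) would be placed in the on-premise site and clients in
#    Azure would be sent across the VPN to authenticate.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$AzureSubnet'")) {
    New-ADReplicationSubnet -Name $AzureSubnet -Site $AzureSiteName
}

# 3. Link the two sites so the KCC builds replication connections over the VPN.
#    Cost and interval are assumed values; tune them to the tunnel's bandwidth.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$SiteLinkName'")) {
    New-ADReplicationSiteLink -Name $SiteLinkName `
        -SitesIncluded $OnPremSiteName, $AzureSiteName `
        -InterSiteTransportProtocol IP `
        -Cost 100 -ReplicationFrequencyInMinutes 15
}

# 4. Verify the result before moving on to the Windows Azure side.
Get-ADReplicationSubnet  -Identity $AzureSubnet  | Select-Object Name, Site
Get-ADReplicationSiteLink -Identity $SiteLinkName |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

The subnet-to-site mapping is the step most often forgotten: a DC promoted without it still works, but Active Directory will keep it in the wrong site until the subnet object exists, and the site link is what lets you control how often (and therefore how much) replication traffic crosses the IPsec tunnel.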
In this exercise, we’ll be registering our existing on-premise Active Directory-integrated DNS server with Windows Azure, together with the cloud-based Active Directory-integrated DNS server that will be provisioned in Exercise 4 as a Replica Domain Controller on a Windows Azure VM. Registering both DNS servers with Windows Azure lets us associate them with the Windows Azure Virtual Network in Exercise 3, so that every VM provisioned on that Virtual Network receives these DNS servers and can locate the domain.
The on-premise and cloud-based DNS servers are now registered with Windows Azure, and you may continue with the next exercise.
In this exercise, we’ll be building a Windows Azure Virtual Network to provide a virtual networking environment for running VMs on the Windows Azure cloud. We’ll also be connecting this virtual network to the on-premise data center network in this scenario by provisioning a Site-to-Site VPN gateway.
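Exercises 2 and 3 together, as one added example that is not part of the original article: it registers the on-premise and cloud DNS servers, defines the Windows Azure Virtual Network with a Site-to-Site gateway to the on-premise network, and then creates the gateway and retrieves the pre-shared key for the on-premise VPN device, using the classic (Service Management) Azure PowerShell cmdlets and network configuration XML of that era. The subscription, affinity group, site and subnet names, the address ranges, the on-premise VPN gateway address and the cloud DC address (10.1.0.4, the first address Windows Azure hands out in a classic subnet) are all assumptions.

```powershell
# Added example (not from the original article): register DNS servers and
# build the Virtual Network plus Site-to-Site gateway with the classic Azure
# Service Management cmdlets. All names and addresses are assumptions.
Import-Module Azure
Add-AzureAccount                                          # or Import-AzurePublishSettingsFile
Select-AzureSubscription -SubscriptionName 'Contoso-Lab'  # assumed subscription name

# CAUTION: Set-AzureVNetConfig replaces the subscription's entire network
# configuration. Export the current one first and merge if anything exists.
Get-AzureVNetConfig -ExportToFile (Join-Path $env:TEMP 'NetworkConfig.backup.xml')

# DNS servers (Exercise 2): 10.0.0.4 is the on-premise DC/DNS, 10.1.0.4 the
# address the cloud DC will receive in AD-Subnet (first usable classic address).
# Virtual Network and local network site (Exercise 3).
$netcfg = @'
<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="onprem-dc01" IPAddress="10.0.0.4" />
        <DnsServer name="azure-dc01"  IPAddress="10.1.0.4" />
      </DnsServers>
    </Dns>
    <LocalNetworkSites>
      <LocalNetworkSite name="OnPremise">
        <AddressSpace>
          <AddressPrefix>10.0.0.0/16</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress>203.0.113.10</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="AzureVNet" AffinityGroup="ContosoWest">
        <AddressSpace>
          <AddressPrefix>10.1.0.0/16</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="AD-Subnet">
            <AddressPrefix>10.1.0.0/24</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.1.255.0/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="onprem-dc01" />
          <DnsServerRef name="azure-dc01" />
        </DnsServersRef>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="OnPremise" />
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
'@
$path = Join-Path $env:TEMP 'NetworkConfig.xml'
$netcfg | Set-Content -Path $path -Encoding UTF8
Set-AzureVNetConfig -ConfigurationPath $path

# Create the Site-to-Site gateway (this takes several minutes), then read back
# its public VIP and the IPsec pre-shared key to configure the on-premise device.
New-AzureVNetGateway -VNetName 'AzureVNet'
Get-AzureVNetGateway -VNetName 'AzureVNet'
Get-AzureVNetGatewayKey -VNetName 'AzureVNet' -LocalNetworkSiteName 'OnPremise'
```

Two practical points: the on-premise DNS server is listed first so that the VMs can resolve the domain before the cloud DC exists, and the pre-shared key printed by the last command is the only secret protecting the tunnel, so treat it like any other credential and do not leave it in shell history or scripts.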
In this exercise, you will provision a new Windows Server 2012 VM on the Windows Azure cloud platform. During this exercise, this VM will also be promoted to an additional Replica Domain Controller in the Windows Server Active Directory currently hosted on-premise.
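The provisioning and promotion described above, as an added PowerShell example that is not part of the original article. Part 1 runs from the administrator's workstation with the classic Azure cmdlets and places the VM in the AD subnet of the Virtual Network with a dedicated data disk; Part 2 runs inside the new VM (reached over the VPN, not through a public RDP endpoint) and promotes it into the Azure site. The VM name, size, cloud service, credentials, domain name and drive letter are assumptions. Putting the AD DS database, logs and SYSVOL on a persistent data disk with host caching disabled, rather than on the OS disk or the temporary disk, follows standard Windows Azure guidance for Domain Controllers and is not something the article itself spells out.

```powershell
# Added example (not from the original article). All names, sizes, credentials,
# the image family and the domain name below are assumptions.

# ---- Part 1: run from the admin workstation with the classic Azure cmdlets ----
Import-Module Azure
$image = (Get-AzureVMImage |
          Where-Object { $_.ImageFamily -eq 'Windows Server 2012 Datacenter' } |
          Sort-Object PublishedDate -Descending | Select-Object -First 1).ImageName

# AD DS files must not live on the OS disk or the temporary disk; attach a
# persistent data disk with host caching disabled for them.
$vm = New-AzureVMConfig -Name 'AZURE-DC01' -InstanceSize Medium -ImageName $image |
      Add-AzureProvisioningConfig -Windows -AdminUsername 'azureadmin' `
          -Password 'Use-A-Long-Passphrase-Here!' |
      Set-AzureSubnet -SubnetNames 'AD-Subnet' |
      Add-AzureDataDisk -CreateNew -DiskSizeInGB 20 -DiskLabel 'ADDS' -LUN 0 -HostCaching None

New-AzureVM -ServiceName 'contoso-adds' -VMs $vm -VNetName 'AzureVNet' -AffinityGroup 'ContosoWest'

# ---- Part 2: run inside AZURE-DC01 once it is reachable over the VPN ----
# Bring the data disk online as F: and format it for the AD DS files.
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter F |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Confirm the VM locates the domain through the DNS servers assigned by the VNet;
# if this fails, the DNS registration or the VPN is the problem, not AD.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.contoso.local' -Type SRV

$cred = Get-Credential -Message 'Domain Admin credential for contoso.local'
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Pre-flight check, then promote into the Azure site prepared in Exercise 1.
Test-ADDSDomainControllerInstallation -DomainName 'contoso.local' -SiteName 'Azure-West' `
    -Credential $cred -SafeModeAdministratorPassword $dsrm

Install-ADDSDomainController -DomainName 'contoso.local' `
    -SiteName 'Azure-West' `
    -InstallDns `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -Force
```

After the reboot, check that the new DC appears in the Azure-West site and that its address matches the cloud DNS server registered with the Virtual Network; if the VM received a different address, update the DNS registration rather than leaving the VNet pointing at an address that no DNS server answers on.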
Continue your learning on Windows Azure and Windows Server 2012 with these great FREE resources:
Do you have a unique or interesting use case for Windows Azure Virtual Machines and Virtual Networks in the cloud? Be sure to leave your ideas, suggestions and feedback in the Comments section below!
Be sure to check out these additional resources:
Keith Mayer is a Senior Technical Architect at Microsoft, focused on helping ISV partners leverage the Azure cloud platform. Keith has over 20 years of experience as a technical leader of complex IT projects, in diverse roles, such as Network Engineer, IT Manager, Technical Instructor and Consultant. He has consulted and trained thousands of customers and partners worldwide on design of enterprise technology solutions.
Keith is currently certified on several Microsoft technologies, including Azure, Private Cloud, System Center, Hyper-V, Windows, Windows Server, SharePoint, SQL Server and Exchange. He also holds other industry certifications from VMware, IBM, Cisco, Citrix, HP, CheckPoint, CompTIA and Interwoven.
You can contact Keith online at http://aka.ms/AskKeith.