Windows Azure Virtual Machines preview allows persistent Virtual Machines which retain the same private addresses on reboot. This means that Active Directory can easily run in Azure without worry of the Domain Controller IP changing. This also means that Virtual Machines running in Azure can be joined to your on-premise Active Directory using a site-to-site IPsec VPN. The Azure VMs then act like a branch network with full connectivity. I covered setting up TMG 2010 as a VPN endpoint (instead of using Cisco or Juniper hardware devices) for Windows Azure Virtual Network in a previous post.

This post covers PowerShell provisioning of the first Azure Domain Controller and provisioning of subsequent domain joined member servers.

Install Azure PowerShell Cmdlets

Download the Azure PowerShell Cmdlets from the Azure download site. Follow the Getting Started with Windows Azure PowerShell steps to prepare PowerShell and authenticate.

VM Creation Documentation

The official New-AzureVM instructions do not contain all the commands needed for adding a server to the Azure Virtual Network and defining the subnet. Michael Washam has created two comprehensive blogs on PowerShell provisioning – Automating Windows Azure Virtual Machines with PowerShell and Connecting Windows Azure Virtual Machines with PowerShell but I wanted to cover off these two specific tasks as I required some other settings. An important thing to note is that Azure OS drives have write caching enabled. Microsoft recommend for Active Directory that you add a second drive which will be a ‘Data Disk’ and the Active Directory NTDS database and SYSVOL should be placed on the new drive which will have write caching disabled. This would apply equally for SQL and other transactional stores. More information is available here.

Install the First Domain Controller in Azure

A one off task I had to run was to set the Azure Subscription. We have two subscriptions so this may not be required for everyone.

Set-AzureSubscription -SubscriptionName "Kloud Solutions" -CurrentStorageAccount "kloudazurestorage"

The Azure PowerShell cmdlets are a bit different to PowerShell for Exchange, Lync and ActiveDirectory. Instead of having options on a command like I would expect e.g. new-AzureVM –Name DC –DNS 10.0.0.1 etc., you have to build up the configuration line by line. All of the commands below can be done as one long line as seen in the examples above but I prefer to assign variables up top and then it is easy to see what needs to be modified when provisioning new servers.

Below are the commands for provisioning the first Domain Controller. This sets the primary DNS to be the local server with a secondary of the on-premise Domain Controller. We are specifying the name, base .vhd image, the instance size, second disk, DNS, local password, affinity group, Virtual Network and subnet.

Select-AzureSubscription "Kloud Solutions"

# Settings to change per server
$VmName = "AzureTestDC01"
$Image = 'MSFT__Win2K8R2SP1-120612-1520-121206-01-en-us-30GB.vhd'
$InstanceSize = "Small"
$Disk2Size = "10"
$Disk2Label = "SysvolDisk"
# Primary DNS is the DC itself, secondary is the on-premise DC reached over the VPN
$DnsLocal = New-AzureDns -Name 'AzureDC01' -IPAddress '127.0.0.1'
$DnsOnPrem = New-AzureDns -Name 'OnPremDC01' -IPAddress '192.168.1.10'
$Password = 'xxxxxxxxxxxx'
$AffinityGroup = "KloudAffinityGroup"
$VirtualNetwork = "KloudAzureNetwork"
$Subnet = "BackEndSubnet"

# Build the configuration and create the VM; the data disk on LUN 0 is for NTDS and SYSVOL
New-AzureVMConfig -Name $VmName -ImageName $Image -InstanceSize $InstanceSize |
    Add-AzureProvisioningConfig -Windows -Password $Password |
    Set-AzureSubnet $Subnet |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB $Disk2Size -DiskLabel $Disk2Label -LUN 0 |
    New-AzureVM -ServiceName $VmName -AffinityGroup $AffinityGroup -DnsSettings $DnsLocal,$DnsOnPrem -VNetName $VirtualNetwork

The provisioning script takes about a minute to run and around 5 minutes later the new Azure DC can be logged into and joined to the on-premise domain.
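The second disk only helps if the NTDS database, its logs and SYSVOL actually end up on it. The following is an added example, not code from the original post: it runs inside the new VM after the first logon, formats the LUN 0 data disk, promotes the server as an additional DC for kloud.net with those paths on that disk, and gives a check to run after the reboot. The disk number (2) and the drive letter F: are assumptions.

```powershell
# Added example, not from the original post. Run on the new DC after first logon.
# Assumptions: Windows Server 2008 R2 (the image above); the Add-AzureDataDisk
# disk is disk 2 (0 = OS, 1 = temporary D:); it will become drive F:.
$DataLetter = 'F'

# Step 1: initialise the empty data disk as NTFS (diskpart: 2008 R2 has no Storage module).
$DiskPartFile = Join-Path $env:TEMP 'datadisk.txt'
@"
select disk 2
convert mbr
create partition primary
format fs=ntfs label="SysvolDisk" quick
assign letter=$DataLetter
"@ | Set-Content -Path $DiskPartFile -Encoding ASCII
diskpart /s $DiskPartFile

# Step 2: promote as an additional DC for kloud.net with NTDS and SYSVOL on F:.
# Password=* makes dcpromo prompt for the svc_azure password instead of storing
# it; the DSRM password is read at run time and the answer file is removed after.
$Dsrm = Read-Host 'Directory Services Restore Mode password'
$AnswerFile = Join-Path $env:TEMP 'dcpromo.txt'
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=kloud.net
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=kloud.net
UserName=svc_azure
Password=*
DatabasePath="${DataLetter}:\NTDS"
LogPath="${DataLetter}:\NTDS"
SYSVOLPath="${DataLetter}:\SYSVOL"
SafeModeAdminPassword=$Dsrm
RebootOnCompletion=No
"@ | Set-Content -Path $AnswerFile -Encoding ASCII
try { dcpromo "/unattend:$AnswerFile" } finally { Remove-Item $AnswerFile -Force }

# Step 3: after rebooting, confirm the database, logs and SYSVOL live on the
# data disk (write caching off) and not on the write-cached OS disk.
function Test-DcPaths {
    $ntds = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $nl   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    New-Object PSObject -Property @{
        Database = $ntds.'DSA Database file'
        Logs     = $ntds.'Database log files path'
        Sysvol   = $nl.SysVol
    }
}
```

Reboot once dcpromo finishes, then run Test-DcPaths; all three paths should start with F:.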

Provision Domain Joined Servers in Azure

The following commands provision a server that automatically joins the domain. It also includes the second data disk, but that is not needed; just remove the Add-AzureDataDisk line. This VM will use the Azure Domain Controller for primary DNS and the on-premise DNS as a secondary.

Select-AzureSubscription "Kloud Solutions"

# Settings to change per server
$VmName = "AzureLync01"
$Image = 'MSFT__Win2K8R2SP1-120612-1520-121206-01-en-us-30GB.vhd'
$InstanceSize = "Small"
$Disk2Size = "30"
$Disk2Label = "Lync"
# Domain join details; $DomainUserName is the account used to join the domain
$Domain = "Kloud"
$DomainDNS = "kloud.net"
$DomainUserName = "svc_azure"
# Primary DNS is the Azure DC, secondary is the on-premise DC reached over the VPN
$DnsAzure = New-AzureDns -Name 'AzureDC01' -IPAddress '10.4.3.4'
$DnsOnPrem = New-AzureDns -Name 'OnPremDC01' -IPAddress '192.168.1.10'
$Password = 'xxxxxxxxxxxx'
$AffinityGroup = "KloudAffinityGroup"
$VirtualNetwork = "KloudAzureNetwork"
$Subnet = "BackEndSubnet"

# Build the configuration and create the VM; remove the Add-AzureDataDisk line if no second disk is needed
New-AzureVMConfig -Name $VmName -ImageName $Image -InstanceSize $InstanceSize |
    Add-AzureProvisioningConfig -WindowsDomain -Password $Password -Domain $Domain -DomainPassword $Password -DomainUserName $DomainUserName -JoinDomain $DomainDNS |
    Set-AzureSubnet $Subnet |
    Add-AzureDataDisk -CreateNew -DiskSizeInGB $Disk2Size -DiskLabel $Disk2Label -LUN 0 |
    New-AzureVM -ServiceName $VmName -AffinityGroup $AffinityGroup -DnsSettings $DnsAzure,$DnsOnPrem -VNetName $VirtualNetwork

A few minutes later the server is joined to the domain and you can log in with your on-premise domain account. To provision more Virtual Machines, all that is needed is to change the $VmName variable (and remove the second disk if not needed).

Category:
Azure Infrastructure

5 Comments

  1. Does the last script set the Computer Name for you as well? Joining the Domain works for me but the Computer Name isn’t changed. I hoped this would get adjusted to the vm name

    • It does set the computer name for me. The original hostname shows in the portal for about 15 minutes but then it updates to the $VmName setting. It has been over a year since I tested these scripts in the IaaS preview.

      With the latest Azure PowerShell I had to add another parameter to the ‘Add-AzureProvisioningConfig’ line, ‘-AdminUserName localadmin’ or whatever you want the local administrator username to be.

      • In the portal the name does change immediately for me, but in the system itself the computer name stays the same as it was when sysprepping the machine. Do you have any ideas where I might look for error messages? The standard system logs show nothing.

      • It is managed by the Azure provisioning engine and I can’t see any logs on a correctly provisioned machine. The system log has Event 6011 ‘The NetBIOS name and DNS host name of this machine have been changed from WIN-3BNAD6L7RD8 to MARC-TEST’ followed by Event 3260 ‘This computer has been successfully joined to domain’ and Event 4096 ‘The machine MARC-TEST successfully joined the domain’. As your VM successfully joins the domain I would look just before the Event 3260. Does it work with your computer name if you deploy it from the web portal?

      • Not sure where I went wrong, but with a new image it now works as expected.
