How to Configure an Azure VM as DC in an on-prem AD

By Victor Ashiedu

Do you need help configuring an Azure VM as a DC in an on-prem Active Directory domain? This article covers all the steps to add your first Azure VM to your hybrid on-prem/Azure AD environment.

Step 1 of 9: Create and Configure VNet and VNet Gateway (Azure)

The first step to setting up an Azure VM as DC in an on-prem Active Directory is to create an Azure Virtual Network.

In this section, you’ll create an Azure Virtual Network (Azure VNet). When you create an Azure VNet, you must include an address space in the process.

The VNet address space defines an IPv4 or IPv6 subnet.

Additionally, the VNet requires a Virtual Network gateway that connects the VNet to the internet. However, before creating a VNet gateway, you must create a gateway subnet, which is named “GatewaySubnet” by default and cannot be changed.

The gateway subnet “GatewaySubnet” specifies the IP addresses used by VNet gateway VMs and services.

1 of 3: Create an Azure VNet and add Address Space and Subnets

  1. Sign in to portal.azure.com, click on the menu, and select “Create a new resource.”
  2. Then, when the “Create a resource” page opens, search for and open “virtual network.”
  3. At the bottom of the “Virtual network” resource, click “Create” and choose “Virtual network.”
  4. Once the “Create virtual network” page opens, select a subscription if you have more than one. After that, choose a resource group or create a new one.

    Finally, give your VNet a name, and pick an Azure region to deploy it. Consider your region selection carefully, as not all Azure regions have availability zones.

    When you finish, if you need to configure security features such as Azure Bastion, Azure Firewall, or DDoS Network Protection, click the Security tab. Otherwise, click the “IP address” tab.

    For this guide, I’ll skip the security tab.
  5. On the “IP address” tab, Azure populates an IPv4 address space. You can edit the “default” subnet, add a new one, or add more.

    After configuring the IP address subnets, click “Review + create.” Then wait for Azure to validate your configurations and click “Create.”

    When Azure creates the VNet, click “Go to resource,” then proceed to 2 of 3 below.

2 of 3: Add a GatewaySubnet to the VNet

  1. On the Settings menu of the VNet, click “Subnets.” After that, click “+ Gateway subnet.”
  2. Finally, enter an IP address space for the GatewaySubnet, configure other settings as required, and click Save.

After saving your GatewaySubnet, the VNet will now have two subnets.

3 of 3: Create a Virtual Network Gateway Linked to the VNet

  1. Search for “virtual network gateways” and choose it from the results.
  2. Once the “Virtual network gateways” page opens, click “+ Create.”
  3. Then, enter the details of the Create virtual network gateway. Select a subscription, name the VNet gateway, and select an Azure Region.

    Select VPN as the “Gateway type.” Then, on the “VPN type,” select “Route-based.”

    Scroll down and choose a SKU for the VNet gateway. Next, select the VNet you created earlier as the Virtual network.

    Once you do that, the wizard automatically chooses the GatewaySubnet you created in 2 of 3 earlier. Also, configure the “Public IP address” section.

    When you’re done, click “Review + create” and wait for Azure to validate your configuration.
  4. If all goes according to plan, the validation should pass. To create the VNet gateway, click “Create.”
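As an added example that is not part of the original article, the following Az PowerShell script creates the same Step 1 resources non-interactively: the VNet with its address space, the “default” subnet, the GatewaySubnet, a public IP, and a route-based VPN gateway. The resource group, region, resource names and address ranges are assumed placeholders; the 10.1.0.0/16 address space matches the one the article uses in Step 8 of 9.

```powershell
# Added example, not code from the original article. Requires the Az module and Connect-AzAccount.
# Every value below is an assumed placeholder; adjust to your environment.
$rg                = 'rg-hybrid-ad'      # assumed resource group
$location          = 'uksouth'           # assumed region
$vnetName          = 'vnet-hybrid-ad'    # assumed VNet name
$vnetCidr          = '10.1.0.0/16'       # address space (the article uses 10.1.0.0/16 in Step 8 of 9)
$defaultSubnetCidr = '10.1.0.0/24'       # the "default" subnet the VM will live in
$gwSubnetCidr      = '10.1.255.0/27'     # GatewaySubnet; keep it /27 or larger

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# The gateway subnet must be named exactly "GatewaySubnet"; Azure rejects any other name for it.
$defaultSubnet = New-AzVirtualNetworkSubnetConfig -Name 'default' -AddressPrefix $defaultSubnetCidr
$gwSubnet      = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $gwSubnetCidr

$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix $vnetCidr -Subnet $defaultSubnet, $gwSubnet

# Public IP the on-prem RRAS server will dial. Standard SKU with static allocation.
$gwPip = New-AzPublicIpAddress -Name "$vnetName-gw-pip" -ResourceGroupName $rg -Location $location `
    -Sku Standard -AllocationMethod Static

$gwSubnetRef = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwIpConfig  = New-AzVirtualNetworkGatewayIpConfig -Name 'gw-ipconfig' `
    -SubnetId $gwSubnetRef.Id -PublicIpAddressId $gwPip.Id

# Route-based VPN gateway, as the article selects in the portal wizard.
New-AzVirtualNetworkGateway -Name "$vnetName-gw" -ResourceGroupName $rg -Location $location `
    -IpConfigurations $gwIpConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 | Out-Null

# Print the gateway's public IP address; the on-prem demand-dial interface dials it in Step 7 of 9.
(Get-AzPublicIpAddress -Name $gwPip.Name -ResourceGroupName $rg).IpAddress
```

Gateway creation typically takes 20 to 45 minutes, so the last line only returns a value once New-AzVirtualNetworkGateway has completed; note the address it prints, since Step 7 of 9 needs it.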

Step 2 of 9: Configure the NICs on the Windows RRAS Server (On-prem)

As I hinted earlier, before configuring an Azure VM as an additional DC on the on-prem Active Directory, the VM must communicate with the on-prem network.

To achieve this, the Azure VNet the VM belongs to must be connected on a site-to-site mode with the on-prem VPN device.

In this configuration, I am using a Windows Server 2019 Routing and Remote Access Server as my on-prem VPN device. The server must have two NICs – one connected to the intranet LAN, the second to the internet.

Both NICs should have TCP/IP v4 enabled. Finally, the intranet NIC should not be connected to the internet, while the internet one should.

In this section, you’ll learn how to configure the network cards of the Windows RRAS Server.

  1. Open Server Manager, click Local Server, and finally, click on one of the NICs.
  2. Rename the NICs “Intranet” and “Internet.”
  3. Open the TCP/IP v4 properties of the internet NIC and click Advanced. Then select the WINS tab, check “Disable NetBIOS over TCP/IP,” and click OK.

Step 3 of 9: Install Routing and Remote Access Server Role (On-prem)

  1. From Server Manager, click Manage -> Add Roles and Features.
  2. On the first three pages of the wizard, accept the defaults, and click Next until you get to the “Select server roles” page. Then, check “Remote Access” and click Next.
  3. Click Next twice until you get to “Select role services.” After that, check “DirectAccess and VPN (RAS).”

    Then, click Add Features.

    On the “Select role services” page, confirm that “DirectAccess and VPN (RAS)” is checked, and click Next.
  4. Finally, confirm your settings and click Install. Wait for the installation to complete, then proceed to step 4 of 9 below.

Step 4 of 9: Open IKEv2 Ports on Windows Firewall (On-prem)

  1. Open Windows Defender Firewall with Advanced Security.
  2. When the Windows Defender Firewall opens, click on the Inbound Rules node, then create and enable the following rules:

    Routing and Remote Access (IKEv2-In-UDP500): UDP Port 500, Allow the connection, Apply to Domain, Private, Public network.
    Routing and Remote Access (IKEv2-In-UDP4500): UDP Port 4500, Allow the connection, Apply to Domain, Private, Public network.
    Routing and Remote Access (IKEv2-In-UDP1701): UDP Port 1701, Allow the connection, Apply to Domain, Private, Public network.
    Routing and Remote Access (IKEv2-In-ESP50): UDP Port 50, Allow the connection, Apply to Domain, Private, Public network.

When you finish, you should have these four inbound rules.

Create the same rules in the Outbound Rules node.
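The following PowerShell script, added here as an example rather than taken from the article, performs Steps 2 to 4 of 9 on the RRAS server in one pass: it renames the NICs, disables NetBIOS over TCP/IP on the internet-facing NIC, installs the Remote Access role services, and creates the IKEv2 firewall rules in both directions. The current adapter names “Ethernet” and “Ethernet 2” are assumptions; check Get-NetAdapter before running it. One caveat the script reflects: ESP is IP protocol number 50 rather than a UDP port, so the ESP rule is keyed on the protocol number instead of a port.

```powershell
# Added example, not code from the original article. Run in an elevated session on the RRAS server.
# Assumed: the two adapters are currently called 'Ethernet' (LAN side) and 'Ethernet 2' (internet side);
# confirm with Get-NetAdapter before running.

# Step 2: name the NICs by role so the RRAS configuration is unambiguous
Rename-NetAdapter -Name 'Ethernet'   -NewName 'Intranet'
Rename-NetAdapter -Name 'Ethernet 2' -NewName 'Internet'

# Step 2: disable NetBIOS over TCP/IP on the internet-facing NIC (TcpipNetbiosOptions: 2 = disable)
$internetIfIndex = (Get-NetAdapter -Name 'Internet').ifIndex
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
    Where-Object { $_.InterfaceIndex -eq $internetIfIndex } |
    Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null

# Step 3: Remote Access role with the DirectAccess and VPN (RAS) and Routing role services
Install-WindowsFeature -Name RemoteAccess, DirectAccess-VPN, Routing -IncludeManagementTools | Out-Null

# Step 4: IKEv2 rules in both directions, on all three profiles, using the names the article uses
$tags = @{ Inbound = 'In'; Outbound = 'Out' }
foreach ($direction in $tags.Keys) {
    foreach ($port in 500, 4500, 1701) {
        New-NetFirewallRule -DisplayName "Routing and Remote Access (IKEv2-$($tags[$direction])-UDP$port)" `
            -Direction $direction -Protocol UDP -LocalPort $port -Action Allow `
            -Profile Domain, Private, Public | Out-Null
    }
    # ESP is IP protocol 50, not a UDP port, so this rule matches on the protocol number
    New-NetFirewallRule -DisplayName "Routing and Remote Access (IKEv2-$($tags[$direction])-ESP50)" `
        -Direction $direction -Protocol 50 -Action Allow -Profile Domain, Private, Public | Out-Null
}

# Verify what was created
Get-NetFirewallRule -DisplayName 'Routing and Remote Access (IKEv2-*' |
    Select-Object DisplayName, Direction, Enabled, Action
```

The final Get-NetFirewallRule call should list eight rules (four inbound, four outbound), all Enabled and with Action Allow.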

Step 5 of 9: Configure and Enable Routing and Remote Access (On-Prem)

Earlier, I hinted we’d use a Windows Server RRAS as our on-prem VPN device. This allows a site-to-site connection between the Azure VNet and the on-prem network.

Once you establish the connection, the Azure VM can be configured as a DC in the on-prem Active Directory.

  1. When the installation completes, close the role installation wizard. Then, click the amber notification icon and select Open the Getting Started Wizard.
  2. On the “Configure Remote Access” page, click Deploy VPN only.
  3. Then, right-click the server name on the Routing and Remote Access console and select Configure and Enable Routing and Remote Access.

    This will open the configuration wizard. Click Next.
  4. Next, when the configuration page opens, select “Secure connection between two private networks,” and click Next.
  5. On the demand-dial connections page, choose Yes, then click Next.
  6. When the IP address assignment page opens, accept the default (Automatically) and click Next. Finally, click Finish.
  7. Wait for the RRAS wizard to display the Demand-Dial Interface Wizard before proceeding to step 6 of 9 below. DO NOT proceed with the wizard yet.

    We will return to it in step 7 of 9.

Step 6 of 9: Configure a Site-to-site Connection using Azure Local Network Gateway (Azure)

Azure offers the Local Network Gateway resource. The local network gateway defines the on-premises VPN device used for routing.

Furthermore, when you create a Local Network Gateway, you must specify the IP address of the on-premises VPN device that you intend to connect with.

Finally, after defining the Local Network Gateway, you must define a site-to-site connection on it.

1 of 2: Create a Local Network Gateway

  1. Sign in to portal.azure.com, click the menu, and select “Create a resource.”
  2. On the “Create a resource” page, search for and open “local network gateway.”

    Then, at the bottom of the first “Local network gateway” – its description contains “set up a site-to-site VPN connection” – click the Create drop-down and select “local network gateway.”
  3. On the “Create local network gateway” page, enter the information shown in the screenshot below.

    The “IP address” is the public IP address of your Routing and Remote Access Service server. If you don’t know this IP from the Windows server, click “what is my IP” to display it on Google.

    Another essential piece of information is the “Address Space(s).” This is the CIDR IP block for the local LAN of the on-prem VPN device (the routing server).

    Use the IP Subnet Calculator to get this information. After entering all the information, click “Review + create.”
  4. Finally, click Create to create the Local Network Gateway.
  5. Wait for Azure to complete the resource creation, then click “Go to resource.”

2 of 2: Create a Site-to-site VPN Connection on the Local Network Gateway

  1. When the local network gateway resource page opens, click Connections. Then, click “+Add.”
  2. On the “Create connection” page, select a subscription and a Resource group. After that, choose “site-to-site (IPsec)” as the Connection type, give the connection a name, and select an Azure Region.

    Once you finish, click “Next: Settings >.”
  3. Finally, on the “Virtual network gateway” page, select the “Virtual network gateway” and “Local network gateway” you created earlier.

    Then, enter a Shared key (PSK); make it complex and note it. It is the password for authenticating the IPsec connection from your on-prem VPN device to the Azure VPN gateway.

    Leave the rest as defaults unless you require customizing any of them. When you’re done, click “Review + create.”
  4. Finally, if Azure successfully validates your settings, review them and click Create. If you haven’t, this is your last chance to copy the Shared key (PSK).

    Please note this information as you require it to complete step 7 of 9. While Azure is deploying the resource, proceed to step six below.
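As an added example (not the article’s own code), the following Az PowerShell script performs Step 6 of 9: it creates the Local Network Gateway that represents the on-prem RRAS server and the site-to-site IPsec connection on it. The RRAS public IP, the on-prem LAN CIDR and the resource names are assumed placeholders (203.0.113.10 and 192.168.10.0/24 are documentation ranges). The pre-shared key is generated from a cryptographic random source rather than typed, and is read back from Azure when Step 7 of 9 needs it instead of being kept in a script.

```powershell
# Added example, not code from the original article. Requires the Az module and Connect-AzAccount.
# Assumed placeholders: names from Step 1 of 9, the RRAS public IP and the on-prem LAN CIDR.
$rg        = 'rg-hybrid-ad'
$location  = 'uksouth'
$gwName    = 'vnet-hybrid-ad-gw'     # VNet gateway from Step 1 of 9
$onPremIp  = '203.0.113.10'          # public IP of the RRAS server (documentation range; replace)
$onPremLan = '192.168.10.0/24'       # CIDR of the LAN behind the RRAS server (assumed)

# Generate a strong pre-shared key locally instead of typing one by hand
$pskBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($pskBytes)
$psk = [Convert]::ToBase64String($pskBytes)

# The Local Network Gateway describes the on-prem VPN device and the address space behind it
$lng = New-AzLocalNetworkGateway -Name 'lng-onprem-rras' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress $onPremIp -AddressPrefix $onPremLan

# Site-to-site IPsec connection between the VNet gateway and the Local Network Gateway
$gw   = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
$conn = New-AzVirtualNetworkGatewayConnection -Name 'conn-onprem-s2s' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk

# Read the PSK back from Azure when configuring RRAS in Step 7 of 9, rather than saving it in a file
Get-AzVirtualNetworkGatewayConnectionSharedKey -Name $conn.Name -ResourceGroupName $rg

# After the RRAS side dials in (Step 7 of 9), the status should read 'Connected'
(Get-AzVirtualNetworkGatewayConnection -Name $conn.Name -ResourceGroupName $rg).ConnectionStatus
```

Until the on-prem demand-dial interface connects, the last line reports a status such as “NotConnected” or “Connecting”; rerun it after Step 7 of 9.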

Step 7 of 9: Configure Demand-Dial Site-to-site VPN Connection (On-prem)

Return to your Routing and Remote Access Server to complete the tasks in this section.

When you completed Step 5 of 9 earlier, you stopped at the Demand-Dial Interface Wizard. Open your on-prem RRAS server and proceed with the steps below.

  1. Click Next to initiate the Demand-Dial wizard.
  2. Then, on the interface name page, enter a name. It is common practice to use the same name as the Azure site-to-site connection name – see the second screenshot below.

    Get this information from step 5, number 7. Once you’ve entered a name, click Next to continue.
  3. After that, on the “Connection type” page, select VPN and click Next.
  4. Then, choose IKEv2 as the type of VPN connection and click Next.
  5. After that, enter the public IP address of the virtual network gateway you configured in step 1 of 9. Then, click Next.

    If you did not note the public IP address of the virtual network gateway, open it on Azure to get the information – see the second screenshot below.
  6. On the “Protocols and security” page, accept the defaults and click Next.
  7. Thereafter, specify the static route to the Azure network gateway (the remote network). Click Add, then enter the address space of the Azure VNet you created in step 1 of 9 and click OK.

    You can get this information by opening the Azure VNet and clicking “Address space” – see my second screenshot below.

    Specifically, get the Destination and Metric from the Azure “Address space” section of the VNet. However, if you need help determining the Network mask, use this IP Subnet Calculator. For the steps to use this IP calculator to find the Network mask (Subnet mask), see the third screenshot below.
  8. After adding the Azure static route, click Next.
  9. On the dial-out credentials page, enter any username and click Next. Finally, click Finish to complete the configuration.
  10. Once you’ve created the site-to-site demand-dial interface, click “Network interfaces.” Then, right-click the demand-dial interface and select Properties.
  11. On the Security tab, choose “Use preshared key for authentication.” Finally, enter the Shared key (PSK) from Step 6 of 9, number 9 in the “Key” field, and click OK.
  12. Once you’ve completed these steps, right-click the interface and click Connect.

If all goes as expected, the connection status should display “Connected.” Moreover, the status of your Azure Local network gateway should be “Connected.”

See my second screenshot below. After creating the Azure VM that we will configure as an additional DC in the on-prem Active Directory, we will perform additional ping tests.
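The RemoteAccess PowerShell module can replace both RRAS wizards. The script below is an added example, not code from the article, and covers Step 5 of 9 (enabling site-to-site VPN), Step 7 of 9 (the IKEv2 demand-dial interface with pre-shared key authentication), and the on-prem static route of Step 8 of 9, which Add-VpnS2SInterface creates through its -IPv4Subnet parameter. The Azure gateway public IP (198.51.100.20 is a documentation address), the VNet address space and the interface name are assumed placeholders; the PSK is read at a prompt so it is never stored in the script or the shell history.

```powershell
# Added example, not code from the original article. Run in an elevated session on the RRAS server.
# Assumed placeholders: the Azure VNet gateway public IP, the VNet address space and the interface name.
$azureGwIp = '198.51.100.20'      # public IP of the Azure VNet gateway (documentation range; replace)
$azureVnet = '10.1.0.0/16'        # Azure VNet address space from Step 1 of 9
$ifName    = 'conn-onprem-s2s'    # same name as the Azure connection, as the article recommends

# Step 5: enable RRAS for site-to-site VPN only
Install-RemoteAccess -VpnType VpnS2S

# Step 7: read the PSK from Step 6 of 9 at the prompt so it is not left in the script or shell history
$secure = Read-Host -Prompt 'Shared key (PSK) from the Azure connection' -AsSecureString
$psk    = [System.Net.NetworkCredential]::new('', $secure).Password

# Step 7: IKEv2 demand-dial interface authenticated with the pre-shared key.
# -IPv4Subnet also adds the static route to the Azure VNet (the on-prem half of Step 8 of 9); 100 is the metric.
Add-VpnS2SInterface -Name $ifName -Protocol IKEv2 -Destination $azureGwIp `
    -AuthenticationMethod PSKOnly -ResponderAuthenticationMethod PSKOnly -SharedSecret $psk `
    -IPv4Subnet @("${azureVnet}:100") -NumberOfTries 3

# Dial the connection, then check the local state; the Azure connection should show 'Connected' as well
Connect-VpnS2SInterface -Name $ifName
Get-VpnS2SInterface -Name $ifName | Select-Object Name, Destination, ConnectionState, IPv4Subnet
```

If ConnectionState stays “Disconnected”, the usual causes are a PSK mismatch between the two sides, the IKEv2 firewall rules from Step 4 of 9 missing or disabled, or a NAT device in front of the RRAS server that is not forwarding UDP 500/4500 and ESP.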

Step 8 of 9: Add Routing Tables (On-prem)

To enable communication between the Azure Virtual Network and your on-premises network, you need to add a routing table on both sides.

Without adding routing tables, your Azure VM cannot communicate with your on-premises domain controllers. Until this communication is established, you cannot configure the Azure VM as DC in your on-prem Active Directory.

1 of 2: Add Routing Table on the on-premises VPN Device (RRAS Server)

  1. On the RRAS server, expand IPv4, right-click “Route tables,” and select “New Static Route.”
  2. Once the IPv4 Static Route pop-up opens, on the Interface drop-down, select the Demand-Dial interface you created earlier. Then, enter the address space of your Azure VNet in the Destination and Network mask fields.

    The destination (10.1.0.0) and Network mask in the screenshot below correspond to 10.1.0.0/16 (/16 corresponds to 255.255.0.0). To get the address space of your Azure Virtual Network, open it – see my second screenshot below.

2 of 2: Add Routing Table to the Azure VNet

  1. Sign in to portal.azure.com, then search for and select “Route tables.”
  2. After that, click “Create route table” (you’ll find it at the bottom of the page).
  3. Once the “Create Route table” page opens, enter the required information and click “Review + create.”

    Select the same Resource Group and Region you used for the other resources. Confirm that “Propagate gateway routes” is set to Yes before you proceed.
  4. Once the validation is complete, click Create and wait for Azure to create the route table.
  5. After the Route table is created, click “Go to resource.”
  6. Then, on the route table’s page, click Routes on the Settings menu and click “+Add.”

    Next, enter a name for the route. After that, select the options in the screenshot below and click Create.

    The “Destination IP addresses/CIDR ranges” is the address space of your on-premises local network. This is the same address space you added in the “Local network gateway” you created earlier.
  7. Finally, associate the route table with your VNet using the steps in this screenshot: associate the default and GatewaySubnet subnets.

Step 9 of 9: Configure an Azure VM as DC in an on-prem Active Directory (Azure and On-Prem)

In the subsections below, you’ll configure a custom DNS server on your Azure VNet. Additionally, we will guide you through the steps to set up a Windows Server 2019 VM on Azure and make it a DC in your on-prem AD.

1 of 4: Configure Custom DNS Server in the Azure Virtual Network

When adding your Azure VM as a DC, it uses DNS to query the on-prem Domain Controller. For the Azure VM to query your on-prem DC, it must use your on-prem DNS server.

Use the steps below to configure a custom DNS on your Azure VNet. When you configure a custom DNS on the VNet, you specify your on-prem DNS server.

The DNS server settings can be configured at the network interface of Azure VMs. However, if you need all VMs on a VNet to use a specific DNS server, it is better to set it up at the VNet level. Also important, after configuring a custom DNS, all VMs and Application gateways in the Virtual Network must be restarted to use the new DNS.

Open the Azure VNet you created in Step 1 of 9 and click “DNS Servers.” Then, select Custom and enter the IP address of your on-premises DNS server.

When you finish, click Save.
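The two Azure-side settings above, the route table of Step 8 of 9 (2 of 2) and the custom DNS of Step 9 of 9 (1 of 4), are combined in the following Az PowerShell script. It is an added example and not the article’s own code; the resource names, the on-prem LAN CIDR and the on-prem DNS server address (192.168.10.5) are assumed placeholders.

```powershell
# Added example, not code from the original article. Requires the Az module and Connect-AzAccount.
# Assumed placeholders: names from earlier steps, the on-prem LAN CIDR and the on-prem DNS server address.
$rg        = 'rg-hybrid-ad'
$location  = 'uksouth'
$vnetName  = 'vnet-hybrid-ad'
$onPremLan = '192.168.10.0/24'     # same CIDR as the Local Network Gateway address space (Step 6 of 9)
$onPremDns = '192.168.10.5'        # on-prem DC that also serves DNS (assumed)

# Step 8 (2 of 2): route table with "Propagate gateway routes" left on, and one route for the on-prem LAN
$rt = New-AzRouteTable -Name 'rt-hybrid-ad' -ResourceGroupName $rg -Location $location -DisableBgpRoutePropagation:$false
Add-AzRouteConfig -RouteTable $rt -Name 'to-onprem-lan' -AddressPrefix $onPremLan -NextHopType VirtualNetworkGateway | Out-Null
$rt = Set-AzRouteTable -RouteTable $rt

# Associate the table with the subnets the article names
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
foreach ($subnetName in 'default', 'GatewaySubnet') {
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
        -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
}

# Step 9 (1 of 4): custom DNS at VNet level so the new VM can locate the on-prem domain
if (-not $vnet.DhcpOptions) { $vnet.DhcpOptions = New-Object Microsoft.Azure.Commands.Network.Models.PSDhcpOptions }
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]@($onPremDns)
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet   # VMs already in the VNet must be restarted to pick this up

# Verify: each subnet should reference the route table, and the DNS list should show the on-prem server
$vnet.Subnets | Select-Object Name, @{ n = 'RouteTable'; e = { ($_.RouteTable.Id -split '/')[-1] } }
$vnet.DhcpOptions.DnsServers
```

Setting DNS at the VNet level rather than on each NIC is the choice the article recommends when every VM in the VNet should use the on-prem server; any VM created before this change needs a restart before it uses the new resolver.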


2 of 4: Create a Windows Server 2019 Azure VM

  1. Sign in to portal.azure.com, click the menu, and select “Create a resource.”
  2. After that, locate “Virtual Machine” under “Popular Azure services” and click Create. However, if “Virtual Machine” is not listed, use the search box.
  3. Then, on the Basic tab of the “Create a virtual machine” page, choose a subscription and a Resource group.

    We recommend using the same resource group as the other resources you created for this project.

    After that, scroll down and enter the “Virtual machine name,” then the Azure Region to create the VM. Use the same region as the VNet and the other resources.

    Configure other settings shown on my screenshot and proceed.

    Azure uses the virtual machine name to identify the VM. Additionally, the VM name set on this page is used as the VM’s hostname in the OS. After creating the VM, you can change its host name. However, the virtual machine name cannot be changed.

    The Basic tab has additional settings, such as the VM’s size and the Administrator account credentials. Additionally, Inbound port rules can be configured.

    RDP (port 3389) is configured by default as you require this port to connect to the VM via Remote Desktop. Licensing can also be configured at the bottom of the Basic tab.

    When you finish, click “Next: Disks >.”
  4. On the Disks tab, select your options and proceed to Networking.
  5. Then, on the Networking tab, select the Virtual Network and the subnet to which you want this VM to belong. Select the VNet you created earlier.

    Azure automatically creates a Public IP for the VM.
  6. Finally, before you click “Review + create,” check the other tabs and configure them as required.

    If you’re deploying a production Azure VM, it is best practice to enable recommended alerts in the Monitoring tab. Also, for production VMs, enable Backup on the Management tab. Equally important is enabling “system assigned managed identity” via the Management tab. This allows the VM to authenticate via Azure Key Vault if you’re managing it via Terraform or Azure RM, or any other IaC tools.
  7. Finally, after Azure has reviewed your settings, check that you’re happy with the settings and click Create. Wait for Azure to create the VM, then click “Go to resource.”

3 of 4: Connect to the Azure VM Via RDP

  1. When the VM opens, click Connect, then download the RDP file.

    On the RDP tab, Azure will run some checks to confirm that the VM meets the requirements needed to RDP to it.
  2. When you click the downloaded RDP file, Windows will request you to confirm that it is safe to connect. Check “Don’t ask me again for connections to this computer.”

    After that, click Connect.
  3. Next, Windows security will open a login window. Click “More choices” to enter the VM’s admin credentials.

    Then, click “Use a different account.”
  4. Enter the VM’s admin credentials you created in subsection 2 of 3, number 3. After entering the credentials, click OK.
  5. Since this is the first time you’re connecting to this VM, your PC needs to install a certificate. Check “Don’t ask me again for connections to this computer,” then click Yes.

4 of 4: Make the Azure VM an additional DC in your On-prem Active Directory

  1. Once connected to the VM, open the command prompt and run the “ipconfig /all” command. Leave this window open and proceed to step 7 below.

    I have highlighted what you require for the next step in the screenshot below.
  2. Open the TCP/IPv4 properties of the VM’s NIC and configure static values. When you click OK, you’ll be disconnected from the VM.

    Before you click OK, ensure that you entered the values correctly. If you enter the wrong values, you’ll be locked out of your VM! If this happens, reset the network card and restart the process.
  3. Install Active Directory Domain Services (AD DS) on the Azure VM.

    When you follow the steps in the above link, ignore the steps about configuring static IP. Additionally, do not install DNS on the server.
  4. After installing AD DS on the VM, click the amber notification and select “Promote this server to a domain controller.”
  5. Then, on the “Deployment Configuration” page, enter the FQDN of the AD domain in the Domain field. After that, click “Select.”

    On the “Windows Security” pop-up, enter your username and password and click OK.

    You may need to enter your username in the format FQDN\username – see the screenshot for guidance.
  6. Click Next to continue.
  7. Once the “Domain Controller Options” page displays, it indicates that the Azure VM server has successfully signed into and detected your on-prem AD.

    Select the additional services you want to install on the Azure VM DC. Then, enter a password for the server’s Directory Services Restore Mode.

    Repeat the password and click Next.
  8. On the DNS Options page, ignore the error and click Next.
  9. Then, when the Additional Options page opens, select the on-prem Domain Controller you want the Azure VM to replicate from.

    After adding the Azure VM as an additional DC in the on-prem Active Directory, the new DC will replicate from the DC you specify on the Additional Options page.
  10. Click Next on the page below to accept the default location to save the Azure AD DS databases, log files, and SYSVOL. Otherwise, change the drive and click Next.
  11. Review your selections and click Next to proceed.
  12. Finally, click Install.
  13. When the Azure VM has been successfully configured as a DC in your on-prem Active Directory, it will be listed in the Domain Controllers OU.
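The following PowerShell script is an added example, not the article’s own code, covering the VM creation of 2 of 4 and the promotion of 4 of 4. Part A runs from an admin workstation with the Az module and deliberately differs from the portal wizard in two ways: the private IP is fixed on the Azure NIC rather than inside the OS (avoiding the lockout the article warns about), and no public IP is created because the VM is reachable over the site-to-site VPN from the on-prem LAN. Part B runs inside the VM: it checks that the on-prem domain is resolvable and reachable, places NTDS, logs and SYSVOL on a dedicated data disk with host caching off, and runs Install-ADDSDomainController with DNS left uninstalled, as the article instructs. All names, the domain corp.example.com, the source DC dc01 and the addresses are assumed placeholders.

```powershell
# Added example, not code from the original article. Part A runs from an admin workstation with the Az
# module (after Connect-AzAccount); Part B runs inside the new VM. All names, addresses, the domain
# 'corp.example.com' and the source DC 'dc01' are assumed placeholders.

# ---------- Part A: create the Windows Server 2019 VM (Step 9 of 9, 2 of 4) ----------
$rg       = 'rg-hybrid-ad'
$location = 'uksouth'
$vnetName = 'vnet-hybrid-ad'
$vmName   = 'azdc01'
$staticIp = '10.1.0.10'            # inside the 'default' subnet; fixed on the Azure NIC, not in the OS

$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'default' -VirtualNetwork $vnet

# Static private IP on the Azure NIC avoids the in-OS change (and lockout risk) the article describes.
# No public IP: the VM is reached over the site-to-site VPN from the on-prem LAN instead of exposing RDP.
$nic = New-AzNetworkInterface -Name "$vmName-nic" -ResourceGroupName $rg -Location $location `
    -SubnetId $subnet.Id -PrivateIpAddress $staticIp

$localAdmin = Get-Credential -Message 'Local administrator account for the VM'
$vmConfig = New-AzVMConfig -VMName $vmName -VMSize 'Standard_B2ms' |
    Set-AzVMOperatingSystem -Windows -ComputerName $vmName -Credential $localAdmin -ProvisionVMAgent -EnableAutoUpdate |
    Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' -Skus '2019-datacenter' -Version 'latest' |
    Add-AzVMNetworkInterface -Id $nic.Id |
    Set-AzVMOSDisk -CreateOption FromImage |
    Add-AzVMDataDisk -Name "$vmName-ntds" -Lun 0 -CreateOption Empty -DiskSizeInGB 32 -Caching None   # AD DS data disk, host caching off

New-AzVM -ResourceGroupName $rg -Location $location -VM $vmConfig | Out-Null

# ---------- Part B: promote the VM (Step 9 of 9, 4 of 4); run inside the VM as a local administrator ----------
$domain   = 'corp.example.com'        # assumed on-prem AD DNS name
$sourceDc = "dc01.$domain"            # assumed replication source DC

# Pre-flight: VNet DNS (Step 9 of 9, 1 of 4) must resolve the DC SRV records, and Kerberos/LDAP/SMB must be reachable
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV | Select-Object Name, NameTarget
foreach ($port in 88, 389, 445) {
    Test-NetConnection -ComputerName $sourceDc -Port $port | Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

# Prepare the data disk (LUN 0) as drive F: for NTDS, logs and SYSVOL
Get-Disk | Where-Object PartitionStyle -eq 'RAW' | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter F -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'NTDS' -Confirm:$false | Out-Null

# Install the AD DS binaries only; DNS is deliberately not installed, matching the article
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

$domainAdmin = Get-Credential -Message "Account allowed to add a DC to $domain (use DOMAIN\user)"
$dsrm        = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

Install-ADDSDomainController -DomainName $domain -Credential $domainAdmin `
    -ReplicationSourceDC $sourceDc -InstallDns:$false `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm -Force
# The server reboots on completion. Afterwards, confirm the new DC and its replication from the on-prem DC:
#   Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
#   repadmin /replsummary
```

If the Resolve-DnsName pre-check returns nothing, the VNet custom DNS from 1 of 4 is not yet in effect (the VM needs a restart) or the route to the on-prem LAN is missing; fix that before attempting the promotion, since Install-ADDSDomainController fails at the same point the article’s wizard would.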

Frequently Asked Questions

1. How do I Integrate Azure AD with On-prem AD?

There are multiple ways to integrate Azure AD with on-prem AD. The first option is to use Azure AD Connect, which syncs on-prem Active Directory users to Azure Active Directory.

Another option is to create a VNet in Azure and create a site-to-site VPN connection to your on-premises. After that, create a Windows Server Azure VM and add it as an additional domain controller on your Active Directory domain.

2. How do I add an Azure VM to my on-premise domain?

Before adding an Azure VM to your on-premises domain, you must create a site-to-site VPN connection between the Azure VM’s VNet and your on-premises network.

After that, install the Active Directory role on the Azure VM. Finally, join the domain like any server on your on-premises network.

3. Is Azure AD the same as on-prem AD?

No, Azure AD is NOT the same as on-prem AD.

Azure AD (Azure Active Directory) is an Azure SaaS identity service you sign up for on Azure. Signing up for Azure AD does not require you to install or configure servers – thus, it is a SaaS (Software as a Service) offering.

On the contrary, on-prem AD runs on Domain Controllers in your data center.

4. Does Azure AD Connect Need to be Installed on a DC?

According to the Microsoft Azure AD Connect Prerequisites page, “Azure AD Connect must be installed on a domain-joined Windows Server 2016 or later.”

This means that it is not a requirement to install Azure AD Connect on a Domain Controller.

5. Can I migrate from on-prem AD to Azure AD?

Yes, you can migrate from on-prem AD to Azure AD. The first option is to use Azure AD Connect.

With this method, after syncing your on-prem AD objects to Azure AD, you can decommission your on-premises AD directory service.

Alternatively, you can migrate your domain controllers to Azure Virtual Machines. Secondly, transfer FSMO roles to the Azure VM DCs.

Finally, decommission the on-premises domain controllers.

Conclusion

Adding an Azure VM as a DC in an on-prem Active Directory is a complex process. The process involves creating an Azure VNet and configuring a site-to-site VPN connection with an on-prem VPN device.

Once the connection is established and the Azure VM can communicate with the on-premises Domain Controllers, it can become a DC on the on-premises network.

By following the steps in this guide, you should have successfully added an Azure VM in your tenant as a Domain Controller in your on-prem AD DS.

About the Author

Victor Ashiedu

Victor is the founder of InfoPress Media, publishers of Ilifeguides and Itechguides. With 20+ years of experience in IT infrastructure, his expertise spans Windows, Linux, and DevOps. Explore his contributions on Itechguides.com for insightful how-to guides and product reviews.