Before we can start looking into how to join an Azure virtual machine (VM) to an on-premises Active Directory domain, there are some prerequisites to meet:
- A functional on-premises Active Directory and local DNS infrastructure
- A site-to-site VPN connection between Azure and your datacenter
- A custom DNS server configuration pointing to an on-premises DNS server, so the VM can resolve the domain's records (in particular the SRV records that locate a domain controller) and other resources in your datacenter
Assuming you've met all these prerequisites, let's begin.
Establish cross-site connectivity using Azure site-to-site VPN connections
Mohamed A. Waly wrote an excellent article on how to configure a site-to-site VPN connection. You can review this to set up a virtual network (VNet), but I'd like to elaborate a bit more on how to set up custom DNS for Azure Virtual Network.
Configure a custom DNS server
When joining a machine to a domain, the DNS server plays a key role. The machine locates a domain controller by querying DNS for the SRV record _ldap._tcp.dc._msdcs.<domain FQDN>; if the VM is still using the Azure-provided resolver, that record does not exist and the join fails with "An Active Directory Domain Controller (AD DC) for the domain ... could not be contacted". On Azure, you can configure a custom DNS server for a VM at two levels:
- The VNet level
- The network interface level
Please note that changing the DNS server configuration at either the VNet level or the network interface level requires restarting the VM for the change to take effect; you can confirm the new setting afterwards with ipconfig /all inside the VM.
To configure a custom DNS server at the VNet level, perform the following steps:
- Navigate to Home > Virtual networks and select your virtual network.
- Click DNS servers, select the Custom radio button, enter the IP address of the on-premises DNS server, and click Save.
Note that by default every network interface (and therefore every VM) created in this VNet inherits this DNS server configuration.
To specify the DNS server at the network interface level instead:
- Navigate to Home > Network interfaces and select the interface name. Check the VM name, network security group, VNet, and subnet shown to make sure this is the interface whose DNS server you want to change.
- Click DNS servers and select Custom. Enter the IP address of the on-premises DNS server and click Save. A DNS setting on a network interface overrides the VNet-level setting for that interface only.
By default, with no custom DNS server configured, the VM's network connection properties show the Azure-provided resolver (168.63.129.16), as in the following image.
Once you've configured the custom DNS server and restarted the VM, the network configuration properties show the on-premises DNS server's address instead, as in the following image.
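The same two settings can be made from PowerShell with the AzureRM module, which is handy when you have several VNets or interfaces to change. This is an added example and is not code from the original article; the resource group, VNet, interface and VM names and the on-premises DNS address are assumptions reused from the provisioning section of this article, so adjust them to your environment.

```powershell
# Added example (not from the original article): set the custom DNS server at the
# VNet level and at the NIC level with AzureRM cmdlets, then restart the VM.
# All names below are assumptions; replace them with your own.
$ResourceGroupName = "AzureToOnPrem"
$NetworkName       = "AzureVmNetwork"
$NICName           = "Windows10IP"
$VMName            = "Windows10VM"
$OnPremDns         = @("192.168.0.221")   # on-premises DNS server(s) reachable over the S2S VPN

# VNet level: every NIC in the VNet inherits this unless it carries its own setting.
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $NetworkName
if ($null -eq $vnet.DhcpOptions) {
    # Assumption: a VNet on Azure-provided DNS may have no DhcpOptions object yet.
    $vnet.DhcpOptions = New-Object -TypeName Microsoft.Azure.Commands.Network.Models.PSDhcpOptions
}
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]$OnPremDns
$vnet | Set-AzureRmVirtualNetwork | Out-Null

# NIC level: overrides the VNet setting for this interface only.
$nic = Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NICName
$nic.DnsSettings.DnsServers = [System.Collections.Generic.List[string]]$OnPremDns
$nic | Set-AzureRmNetworkInterface | Out-Null

# Neither change reaches the guest until the VM restarts.
Restart-AzureRmVM -ResourceGroupName $ResourceGroupName -Name $VMName

# Read the saved configuration back to confirm what Azure will hand out via DHCP.
(Get-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $NetworkName).DhcpOptions.DnsServers
(Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NICName).DnsSettings.DnsServers
```

Pointing Azure VMs at an on-premises resolver means every name lookup, including Azure-internal names, now crosses the VPN; if that resolver is unreachable, the VM cannot resolve anything at all. Either configure two on-premises DNS servers or add a conditional forwarder for the domain on a resolver that lives in Azure.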
Provision a VM with a custom DNS server
In the previous step, we looked at how to set up a custom DNS server at the VNet level, but that configuration applies to every VM on that network.
In some cases you don't want to change the whole VNet and would rather define the DNS server only at the VM's network interface. Below are the steps to provision a new VM with PowerShell for such scenarios.
Note: I'm assuming you already have a resource group on Azure that has a VNet as part of creating the site-to-site VPN connection step we discussed earlier in this article.
- First, log in to Azure Resource Manager using the AzureRM PowerShell module (Connect-AzureRmAccount) and provide your credentials when prompted. Note that the AzureRM module has since been retired in favour of the Az module; the same cmdlets exist with the AzureRm prefix replaced by Az (for example New-AzPublicIpAddress), and Enable-AzureRmAlias lets the commands below run unchanged under Az.
- Create user credentials for the local administrator of the VM.
$VMLocalAdminUser = "LocalAdmin"
# Demo value only: in a real script prompt for the password (Get-Credential) rather than hard-coding it.
$VMLocalAdminSecurePassword = ConvertTo-SecureString 'P@$$w0rd@12345' -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential ($VMLocalAdminUser, $VMLocalAdminSecurePassword)
- Provide the VM's configuration details and properties.
$LocationName = "CentralIndia"
# Existing resource group on Azure
$ResourceGroupName = "AzureToOnPrem"
# Name and size of the VM
$ComputerName = "Windows10"
$VMName = "Windows10VM"
$VMSize = "Standard_B1ms"
# Existing VNet (created together with the site-to-site VPN) and the subnet to use
$NetworkName = "AzureVmNetwork"
$NICName = "Windows10IP"
$NICPublicIpName = "Windows10PubIP"
$SubnetName = "AzureVmSubnet"
- Now we create a new public IP address to assign to the VM. You only need this if you intend to reach the VM from the Internet; if you will manage it over the site-to-site VPN, skip the public IP and the RDP rule below entirely.
$PublicIP = New-AzureRmPublicIpAddress -Name $NICPublicIpName -ResourceGroupName $ResourceGroupName -Location $LocationName -Sku Basic -AllocationMethod Dynamic -IpAddressVersion IPv4
- Then create a network security rule that allows inbound connections on RDP port 3389 and a network security group containing that rule. The rule as written opens RDP to the whole Internet, which gets brute-forced within minutes of the VM coming online; outside a short-lived lab, replace the Internet source prefix with your administrators' public address or the on-premises range that reaches the VM over the VPN.
# Lab setting: SourceAddressPrefix Internet exposes RDP to everyone. Restrict it to a management address range before real use.
$AllowRDPRule = New-AzureRmNetworkSecurityRuleConfig -Name Allow-RDP -Description "Allow RDP" -Access Allow -Protocol TCP -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389
$NSG = New-AzureRmNetworkSecurityGroup -Name Windows10-NSG -ResourceGroupName $ResourceGroupName -Location $LocationName -SecurityRules $AllowRDPRule
- Now we'll get the existing VNet "AzureVmNetwork" and its subnet and use them to create a new network interface with its own DNS server setting. Make sure to provide the IP address of your on-premises DNS server.
$VirtualNetwork = Get-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $NetworkName
$Subnet = Get-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $VirtualNetwork -Name $SubnetName
# -DnsServer sets the NIC-level DNS server (192.168.0.221 is the on-premises DNS server in this example), overriding the VNet setting
$NetworkInterface = New-AzureRmNetworkInterface -Name $NICName -ResourceGroupName $ResourceGroupName -Location $LocationName -SubnetId $Subnet.Id -NetworkSecurityGroupId $NSG.Id -PublicIpAddressId $PublicIP.Id -DnsServer "192.168.0.221"
- After setting up the network interface, provision a new VM with the desired configuration, including the new network interface. Note that running a Windows 10 client image in Azure requires a Windows 10 license that includes Multitenant Hosting Rights.
$VirtualMachine = New-AzureRmVMConfig -VMName $VMName -VMSize $VMSize
$VirtualMachine = Set-AzureRmVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName $ComputerName -Credential $Credential -ProvisionVMAgent -EnableAutoUpdate
$VirtualMachine = Add-AzureRmVMNetworkInterface -VM $VirtualMachine -Id $NetworkInterface.Id
$VirtualMachine = Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName 'MicrosoftWindowsDesktop' -Offer 'Windows-10' -Skus 'RS3-Pro' -Version Latest
New-AzureRmVM -ResourceGroupName $ResourceGroupName -Location $LocationName -VM $VirtualMachine -Verbose
- This will create and start the new VM in a few minutes.
Join the Azure VM to the on-premises Active Directory domain
We've established a site-to-site VPN connection and configured a custom DNS server on our newly provisioned Azure VM. So now we'll go ahead and join the Azure VM to the on-premises Active Directory in a few simple steps. There are multiple ways to achieve this, but I'll mention just a few here:
- By manually remote logging into the VM:
Go to System properties, click Change, provide the Domain name, and enter the credentials when prompted.
- Using PowerShell:
The following code sample joins a machine to the domain. You can execute it on the VM locally, remotely through PowerShell Remoting, or through the JsonADDomainExtension VM extension, which performs the same join from the Azure side. Whichever route you take, use an account that has only been delegated the right to create computer objects in the target OU; a domain join does not need Domain Admin rights, and a Domain Admin password in a script or extension setting is a credential you do not want lying around.
# Demo value only: prompt for the password (Get-Credential) rather than hard-coding it in a script.
$SecurePwd = ConvertTo-SecureString 'P@$$w0rd@12345' -AsPlainText -Force
# A delegated join account in DOMAIN\user form, not the Domain Administrator.
$DomainJoinCred = New-Object System.Management.Automation.PSCredential ("DomainName\JoinAccount", $SecurePwd)
Add-Computer -DomainName "DomainName" -Credential $DomainJoinCred -Restart
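Before running Add-Computer it is worth checking that the two things this article set up, DNS and VPN connectivity, actually work from inside the VM, because a failed join reports little more than "domain could not be contacted". The script below is an added example, not code from the original article: it resolves the SRV record the join relies on, tests the ports a join needs against every domain controller it finds, and only then joins into a pre-created OU with a delegated account. The domain name, OU path and join account are assumptions; replace them with your own.

```powershell
# Added example (not from the original article). Run inside the Azure VM as a local
# administrator after the custom DNS server is in place. Domain, OU and account are assumptions.
$DomainName = "corp.example.com"
$OUPath     = "OU=AzureVMs,DC=corp,DC=example,DC=com"   # pre-created OU for Azure-hosted machines
# A delegated account that may create and join computer objects in $OUPath; not a Domain Admin.
$JoinCred   = Get-Credential -Message "Account allowed to join computers to $DomainName (DOMAIN\user)"

# 1. The join begins with a DNS SRV lookup for a domain controller. If this fails, the VM is
#    still using the Azure-provided resolver (168.63.129.16) or the on-premises DNS server is
#    unreachable over the VPN.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcs) {
    throw "No domain controller SRV records for $DomainName; check the DNS server set on the NIC or VNet."
}
"Domain controllers found: $($dcs -join ', ')"

# 2. Every DC must be reachable on the ports a domain join uses. Dynamic RPC ports
#    (49152-65535 on Windows Server 2008 and later) are also required but not probed here.
$ports = [ordered]@{ 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB' }
foreach ($dc in $dcs) {
    foreach ($p in $ports.Keys) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        "{0,-35} {1,-25} {2}" -f $dc, "$p/$($ports[$p])", $(if ($ok) { 'open' } else { 'BLOCKED' })
        if (-not $ok) {
            throw "TCP $p ($($ports[$p])) to $dc is blocked; fix the on-premises firewall or NSG before joining."
        }
    }
}

# 3. Join into the pre-created OU so the computer object does not land in the default
#    Computers container, then reboot. -Force suppresses the confirmation prompt.
Add-Computer -DomainName $DomainName -Credential $JoinCred -OUPath $OUPath -Restart -Force

# 4. After the reboot, confirm the machine account's secure channel to the domain:
#    Test-ComputerSecureChannel -Verbose    (returns True when the join succeeded)
```

Delegating the join to a dedicated account works best when the domain's ms-DS-MachineAccountQuota, which by default lets any authenticated user join up to ten machines, has been set to 0; otherwise the delegation adds nothing and any domain user can still bring their own computer object.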
In Azure Resource Manager it is fairly simple to create a site-to-site VPN and provision a VM whose network interface is configured with the IP address of an on-premises DNS server. This lets the VM locate the on-premises domain controllers through DNS and join the domain in the on-premises infrastructure; keep the RDP exposure and the join account's privileges as narrow as the lab steps above allow before doing the same in production.