Summary: How to setup an Active Directory Domain Controller in Azure.
Date: Around 2017
Refactor: 20 February 2025: Checked links and formatting.

After starting with Getting Started With Azure you are now ready for creating your first VM in Azure and of course we'll start with a Domain Controller. I need this for a later tutorial so it's as good as any and it will touch a lot of different concepts and useful information.

The overall process consists of a few steps:

• Create the Virtual Network, Resource Group and the Storage Account
• Create the Virtual Machine
• Install the Domain Controller

Note that this page continues from Getting Started With Azure and assumes your Azure subscription is entirely empty and never used. For this tutorial we'll use the MSDN subscription as it has a higher credit.

Before we can create the VM we need to create the ResourceGroup that will hold the Storage Account and the Virtual Network that are required. The resource group will act as a boundary for resources that should work together:

• Logon to the azure portal at https://portal.azure.com with your credentials
• From the main menu click Resource Groups and click on Add:
  

• Then fill in all the required fields while keeping the following information in mind:
  • Make sure the resource group location is in the same location as where you created the virtual network
  • For your convenience you could select to pin the resource group to the dashboard

• Wait for the resource group to be created.

Before we can deploy a VM we need a storage account as a VM uses storage. This can be done while creating the VM but I want to create it manually for showing and learning purposes:

• Logon to the azure portal at https://portal.azure.com with your credentials
• From the main menu click Storage Accounts and the click on Add:
  

• Then fill in all the required fields while keeping the following information in mind:
  • The name should be globally unique (yes really so forget about azurestorageaccount01)
  • Deployment model is your choice between the classic portal and the new portal. When in doubt, select Resource Manager, which is the new portal
  • Unless you have the money and are prepared to hand it over select “Standard” performance. Premium will allow you to use SSD disks but these come at a price
  • Read here about replication options. LRS is the lowest cost option so my natural choice.
  • Select to use the Resource Group you created before
  • Again, make sure you use the same location as for the resource group and location

• Wait for the storage account to be created.

Follow these steps to create the correct Virtual Network:

• Logon to the azure portal at https://portal.azure.com with your credentials
• From the main menu click Virtual Networks and then Add:
  

• Fill in the required fields and select the created Resource Group:
  

• Wait for the virtual network to be created.

To create th virtual machine we will work from the from the same azure portal at https://portal.azure.com. Follow these instructions to create a VM that is suited as a Domain Controller:

• From the main menu click Virtual Machines
• Click add
• Click Windows Server from the Recommended items and select Windows Server 2016 Datacenter from the list
• Select Resource Manager for deployment model and click Create:

• In the new blade, fill in the required fields and note the following tips:
  • VM Disk Type default is SSD. While you're testing and wanna save money, set it to HDD:
    

• Now select the size for the VM you want. Azure will give you a few recommendations but if you'll click show all you a lot of options, ranging from more than 1000 euro a month to just over 10 euro a month. So depending on what you're willing to spend make your pick. I chose to use the A1 Standard. See here for more information about Virtual Machine sizes in Azure.
• Note that in this example I did not select monitoring or availability set. Especially availability set is one to consider as the VM cannot be added to a availability set after creation. Read here and here for more information about availability sets:
  

• Review the summary and click OK to create the VM
• You'll be redirected to the dashboard where you can wait for the deployment

When the VM is deployed you can connect to the console by clicking on the appropriate button:

The Domain Controller service cannot be installed on the OS disk as the disk should be non caching. This is not supported and can lead to very annoying problems (USN rollbacks). So now we should add a data disk to the VM:

• From the Virtual Machine blade click Disks → Attach New
• Fill in the required fields and click OK
  • Note that I kept the default disk name which is purely a timestamp. You are free to use any name you like.

• Now, from inside the Virtual Machine (connected through RDP) start Server Manager → File and Storage Services
• Select Disks and select the disk you've added:
  

• Right click the disk and select Initialize
• Click yes on the warning that it will be initialized as a GPT disk and all data will be erased
• Right-click the disk again and select New Volume and complete the wizard using the default values or use your own preferences

An Active Directory Domain Controller requires a static IP address, however, whatever you do, don't do it from the VM itself as this is not supported. You should set a static IP address from within the Azure fabric, and the result can be compared to set a static IP address from a DHCP server. To do this you need PowerShell with the Azure modules installed. See AzureRM PowerShell on how to do this.

To check what your current IP address and the name of the Networkinterface is go to the Virtual Machine and select the Network interfaces:

Now you are ready to set the static IP address. Log in to Azure using this command:

Login-AzureRmAccount

Now issue the following command to set the IP address:

PS C:\> $nic=Get-AzureRmNetworkInterface -Name AzureDC01772 -ResourceGroupName AzureResourceGroup01
PS C:\> $nic.IpConfigurations[0].PrivateIpAllocationMethod = "Static"
PS C:\> $nic.IpConfigurations[0].PrivateIpAddress = "10.0.0.4"
PS C:\> Set-AzureRmNetworkInterface -NetworkInterface $nic

You can check by issuing this command in Azure Powershell:

Get-AzureRmNetworkInterface -Name AzureDC01772 -ResourceGroupName AzureResourceGroup01

Inside the output check for the following lines:

                                  "PrivateIpAddress": "10.0.0.4",
                                  "PrivateIpAllocationMethod": "Static",

Or, you could check the activity log of the network interface. From the virtual machine blade, select Network Interfaces → Select the Interface you changed → Activity Log:

Note that you could click on the JSON tab for detailed information.

Now the VM is configured correctly for Domain Controller services and you can start installing the services.

• Log on to the created VM using RDP and start Server Manager:
  

• In Server Manager, start the “Add roles and features” wizard:
  

• Click next on the “Before you begin” window
• Choose “Role-based or feature-based installation” as the installation type
• Make sure the correct server is listed in destination server selection:
  

• Click “Active Directory Domain Services” from the available roles which will cause a new window to popup to show what will be installed. Click “Add Features” followed by Next to continue:
  

• Click next on the additional features window
• Click next in the information window about Active Directory Domain Services
• Do not check the “Restart the destination server automatically if required” checkbox but click Install to start the installation on the confirmation window:
  

• When the installation is done, click on the “Promote this server to a Domain Controller” link:
  

• This will start the Deployment Configuration, start by clicking the “Add a new forest” and fill in your required name:
  

• Keep the Forest and Domain functional levels at the default in provide the DSRM password:
  

• Do not select the checkbox for DNS delegation and click Next to proceed
• Keep the NetBIOS name as the default (SHIFT) for the domain and click Next to proceed
• Change the location for all of the files to the new created data disk. Keeping them on the C-drive is not supported:
  

• Check your settings in the Review Options Window and click Next if everything is ok to start the Prerequisites Check
• During the Prerequisites Check you might get some warnings. One of them is going to be the lack of a static IP address as this is setup through the Azure fabric and the VM is of course not aware of this so this warning can be ignored. Check the other warnings if these are ok with you and click Install to start the installation
• Note that when the installation is complete the VM will reboot automatically so you'll be logged out
• You can check the Azure monitoring for the VM, and when cpu goes down you can logon again using your old credentials

The server is now an Active Directory Domain Controller.

By default, when installing the DNS server through the Domain Controller installation wizard the DNS service gets installed without a reverse lookup zone, which is a bad thing because this will cause DNS reverse lookups to fail. You can check this by starting Server Manager → Tools → DNS:

Follow these steps to add the reverse lookup zone:

• Click Action → New Zone
• In the new zone wizard, click Next
• Keep the defaults on primary and to store it in Active Directory:
  

• Keep the default for the Zone Replication Scope:
  

• Select IPv4 Reverse Lookup Zone
• Fill in the Network ID:
  

• Keep the default to only allow secure dynamic updates
• Click Finish to complete the New Zone wizard and create the new reverse lookup zone

When the creation is done (immediately) create a PTR record for the domain controller. Follow these steps:

• Select the reverse lookup zone and click Action → New Pointer (PTR)
• Fill in all the required information and click ok:
  

Now the pointer record is created and you can continue to check the result of the installation.

From Server Manager you can start several AD related management tools:

Inside Active Directory Users and Computers you can verify that the user you did the install with is added to all of the important administrator groups:

You can also check the installation by issuing these commands in an administrative PowerShell:

PS C:\Users\adminsjoerd> Get-ADDomain | fl Name,DomainMode
 
Name       : shift
DomainMode : Windows2016Domain
 
PS C:\Users\adminsjoerd> Get-ADForest | fl Name,ForestMode
 
Name       : shift.local
ForestMode : Windows2016Forest

• https://docs.microsoft.com/en-us/azure/active-directory/active-directory-new-forest-virtual-machine
• https://msdn.microsoft.com/library/azure/jj156090.aspx
• https://technet.microsoft.com/library/jj574166.aspx
• https://docs.microsoft.com/en-us/azure/storage/storage-redundancy
• https://docs.microsoft.com/en-us/azure/virtual-machines/virtual-machines-windows-sizes
• https://docs.microsoft.com/nl-nl/azure/virtual-machines/virtual-machines-windows-manage-availability
• https://docs.microsoft.com/nl-nl/azure/virtual-machines/virtual-machines-windows-infrastructure-availability-sets-guidelines
• https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-static-private-ip-arm-ps
• http://www.rebeladmin.com/2016/10/step-step-guide-setup-active-directory-windows-server-2016/