Creating a Hybrid DC with Azure

Paulo Bazzo

Creating a New Domain Controller

On this blog we are going to look into the how to launch a DC(Domain Controller) on Azure, connect to it using a WS(Work Stations) to be able to join the domain. Let’s jump straight into it.

I will recommend using a Microsfot Tool from SysInternals that will help us RDP into many computers at ease
Remote Desktop Manager is a great freeware we can make use of.

Set up our Virtual Network


On Azure create VNET(Virtual Network) lets call it [vnet-azdc01], 
Create a Resource Group.
Create VM(Virtual Machine) using an Windows Server 2022 Image [AZDC01]  this will be our DC + DNS Server.
Create another VM to be our Work Station (WS01)  

Attach your Domain to Azure

An essential part of this step is to link your FQDN name to Azure, this will proof to Azure that you have full ownership of the domain.


[AZURE] ▶ Active Directory ▶ Custom Domain Names ▶ Add Custom Domains

Copy the DNS record provided by Azure and save on your Domain Name Registrar(godaddy, cloudflare, 123reg..)

Adding DC Roles

At this point you should have your DC Server running, and your domain registered on Azure, so lets configure it.


RDP▶ AZDC01
[AZURE] ▶ Server Manager ▶ Dashboard ▶ Add Roles andFeatures ▶Next
Check  Active Directory Service  and  DNS  ▶ Next … ▶ Finish
From Notifications in Server Manager Window (Top Right) Click on Promote this server to a Domain Controller
Add a New Forrest▶ Root domain name : [custom Domain name] ▶ Provide DSRM Password ▶ Finish
Restart the machine.

DNS Setup

We now need to change our DNS Server on our VNET to use the DNS we have just created inside our DC.


Next step is to update the DNS server our VNET on Azure is using, so make a note of the Private IP address of the DC.
Confirm we are using a static IP address for our DC
[AZURE] ▶ Virtual Networks▶ [vnet-AZDC01] ▶DNS Sever ▶ Custom DNS ▶ Private IP AZDC01

Connecting WorkStation to Domain

Now are ready to connect our WS01 to our domain, as long as the WS01 can reach our DC01 we will not have any problems.


RDP ▶ WS01 (local user) 
Windows + run  then type : “sysdm.cpl”
Or Go go Control Panel and  Search for “Allow remote access to your computer”
System Properties ▶ Computer Name ▶ “.. rename computer or change domain..” ▶ Change 
Domain▶ Login with “YourDomain.com\userName  :  password”
You should get a message saying you successfully joined the domain and asking to reboot
Restart the machine

Creating Users and Groups on DC

It's time to create our Global Administrator account, so far we have been using the local account we have set up using our Azure Tenant. On this step, we are also going to set up our WoskStation account.


[AZURE] ▶ Azure Active Directory ▶ Create a User ▶ Give Global Admin Role 
Verify you can login with the account.

RDP ▶ DC01
Windows Administrative Tools ▶ Active Directory Users and Computers
Create two users,  user01@ and one Admin@ 
The Admin@ its going to be our Global Admin for our domain
Create a new Group, Add user to group[Home Users]

After completing the previous step the users you have created on DC should be able to connect to our DC, (as long as the WS01 is on the same subnet of the DC01), we will focus on VPN another time.

Later we will also look into how to install and configure Azure AD Connect V2 To fully sync our On-Prem users to our AzureAD, or should I call it Microsfot Entra ID which help synchronisation of our Users, Groups and if we like password hashes, using writeback function.

Enabling RDP Users to WS01

Because we are using RDP to connect to our WS from the Azure cloud☁️, we need to complete one more step.


RDP ▶ WS01(local user)
Windows + run  then type : “sysdm.cpl”
Or Go go Control Panel and  Search for “Allow remote access to your computer”
Remote ▶ Add ▶ Users/Groups ▶ Select [Home Users] we have created.
Login with “YourDomain.com\userName  :  password”

After this steps we will now be connected to your domain and be able to login using our organisation credential.

Enabling RDP to our DC01

Our Domain Server is more strict and we need to configure a few more things to allow an user to RDP into it.

Add our Admin account to the Built in Groupd Remote Desktop Users

We will also need to allow log on throught Remote Desktop, from our local Policies


DC01 ▶ Edit Group Policy ▶ Windows Settings ▶ Security Settings ▶ Local Policies ▶ Users Rights Assignments ▶ Allow log on through RDP
Add Group : Administrators, Remote Desktop Users
On the same window you have open, on Deny log on throught RDP, make sure your group is not present there.
After run the below as Admin on powershell 
gpupdate /force

You should now be able to now login into your DC using your newly created Global Admin account.

Deallocate your VMs when done!

A very important step which should not be taken for granted is to decommission your VMs when not in use.
Not just turn them off, you want to deallocate your VMs so they stop consuming cloud resources and your bill remains low.
You will still pay for the HDD/SSD space its using but this is generally low. FOr more information here is an article

Conclussion

On this blog we managed to create a new hybrid DC controller using Azure.
Connect to our DC from a Azure Cloud VM
Enable RDP to our users

The next steps from here is to enable Azure DC Sync from our On-Prem Server to AzureAD.
Follow the next steps here Azure AD Sync Install and Config.

Sources

Learn Cloud UrTech