The other alternative would be to spin up some servers, build out a site to site VPN, dcpromo the boxes, set up the AD site(s), and then manage it old school. On the upside you'll have more control over your AD and it'll be a complete replica of your on-prem setup. The downside is that you'll have more boxes to patch, more replication traffic to pay for, and possibly split fsmo roles. There isn't a wrong answer, it just depends on if feel that your datacenter is more secure than Azure and what your company's needs are. In my case, I decided to explore the ADDS route.
Enabling my Azure AD instance started out pretty straightforward, got a little murky with the virtual networks, and then took some patience for password sync. I used Microsoft's documentation at https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-getting-started (Make sure to use the 'synched tenant' instructions for password sync)
Steps a through e below cover just setting up the basic ADDS. The steps after that explain how I got it integrated with a Resource Management virtual network and VMs using Peering.
a) Created the AAD DC Administrators Group - this is a special group that is automatically inherited into your new ADDS so you'll want to put your admin accounts in here.
b) ADDS currently only works with the old type of virtual network and not the newer Resource Manager one. So I had to create a legacy virtual network.
c) After enabling ADDS it took around 15 minutes to provision. I chose the 'yourcompany.onmicrosoft.com' domain name and connected it to my new legacy virtual network. Once provisioned, it popped out a new DNS IP.
d) I then edited the legacy virtual network and specified the IP address for the new ADDS. This made it the new default DNS service for that virtual network. Note: After another hour, a second DNS IP showed up in the ADDS view. It doesn't matter what you name them in the virtual network.
e) I then ran the powershell script in the link above to force a full sync in my AAD instance. The first two variables have to be edited by hand before you run the script. If you're not sure what your connectors are called, just open the Synchronization Service Manager and view the Connectors tab. (Hint - the one that ends in 'AAD' is your $azureadConnector)
f) I created a new virtual network in the 'new' Azure portal - making sure that the IP range did not overlap the IP range of the legacy virtual network. (10.10.0.0/24 vs 10.20.0.0/24 and not 10.0.0.0/8 and 10.20.0.0/16 which would have collided).
g) Now to get both virtual networks to play nicely, you can either do a VPN and/or gateway or you can just do virtual network peering which will merge the two together much like joining two switches with a cable in a Layer 2 fashion. From the 'new' Azure portal, under Virtual Networks, I selected the virtual network (ARM type) that I created earlier and then Peerings
h) I clicked Add at the top of the blade, gave the peering connector a name, chose Resource manager (important), assigned it the same subscription as everything else, and then chose the Classic virtual network from the selector.
i) Then I went back in and updated the DNS settings for the ARM virtual network. Remember, out of the box each virtual network defaults to the Azure-provided DNS. I was not able to join a VM to ADDS until I changed it to use the DNS servers for ADDS. (There is a chance that if would have eventually worked without this step but it's up to you if you have more time available to wait it out).
j) I provisioned a new machine, booted it up, and then joined the yourcompany.onmicrosoft.com domain using the on-premise credentials that I'd put in the AAD DC Administrators group.
Posts
No comments:
Post a Comment