When I was last working in my Imperfect Lab, I added another server to the existing cloud service and decided to make it a domain controller. When you set up domain controllers (cloud or on-premises) a few things become really important – IP Addresses and DNS.
By default, Azure will provide DNS services from the fabric if you don’t specify your own DNS. You would think there is some PowerShell to do that directly, but surprisingly there isn’t. You can set the DNS for each network using the Management Portal or by exporting the network configuration file and updating it. I just used the portal and made sure that my ImperfectNet listed the IP address for both servers that would act as domain controllers.
If you don’t set a domain controller as the DNS server, all the VMs that come up inside your virtual network will look to an Azure fabric DNS server and won’t be able to authenticate to your domain. Since this is a crucial to AD function, I also wanted to make sure that the VMs that were acting as domain controllers had static internal IP addresses.
Now, these addresses aren’t really “static” on the OS. They are more like DHCP reservations handed out from the fabric manager. But the end result is the same – VMs that have the correct IP address, regardless of the order they are started.
To do this with PowerShell, you first need to have the VMs in the Stopped (Deallocated) state. This way the addresses are free to assign. If the VM is already running, the address is allocated already, thus can’t be assigned. You can double check that an address is free with:
Test-AzureStaticVNetIP –VNetName ImperfectNet –IPAddress 192.168.1.5
To set the static address, I used:
Get-AzureVM -ServiceName ImperfectCore -Name DC-Cloud1 | Set-AzureStaticVNetIP -IPAddress “192.168.1.4” | Update-AzureVM
Take note of the use of quotes around the IP address in that last line. It matters. I don’t know why. Just trust that I wasted a lot of time on your behalf for that knowledge.
Then to finally kick off the addition of my second domain controller in this domain, I used:
Install-ADDSDomainController -Credential (Get-Credential) -DatabasePath ‘C:\Windows\NTDS’ -DomainName ‘imperfectlab.com’ -InstallDns:$true -LogPath ‘C:\Windows\NTDS’ -NoGlobalCatalog:$false -SiteName ‘ImperfectNet’ -SysvolPath ‘C:\Windows\SYSVOL’ -NoRebootOnCompletion:$true -Force:$true -Verbose
One note about the paths used for the logs and SYSVOL… I’ve left them on C:\ for convenience, but for production, you will want to set up your DCs in Azure with an additional disk where you direct those files to go. Read more about the reason behind that best practice here.