Zero-Downtime AD DS Migration from Windows Server 2016 to 2025 (10-Part Series) – Part 9

Part 9: Deploying a Domain Controller in Azure and Integrating It

Many organizations are embracing hybrid architectures, extending their on-premises Active Directory into Azure for better resiliency and to support cloud-based workloads. Now that our AD DS environment is running on Windows Server 2025, it’s an ideal time to integrate a domain controller in Azure. This provides a geographically separate DC (great for disaster recovery) and local authentication for Azure-hosted VMs or services. We’ll walk through best practices like Azure networking setup, AD site configuration, and ensuring security for this cloud DC.

Preparing the Azure Environment

Azure Network Connectivity:
To allow an Azure-based DC to communicate with on-prem AD, you need network connectivity—typically a Site-to-Site VPN or ExpressRoute. For this guide, we assume a Site-to-Site VPN is in place, with the Azure VNet (e.g., 10.1.0.0/16) connected to the on-prem network (e.g., 192.0.2.0/24). Ensure firewall rules allow DC communication (LDAP, Kerberos, SMB, RPC, etc.).

Azure VM Setup:

Image: Windows Server 2025 Datacenter
Size: At least B2ms or D2s_v3 (2 vCPU, 8GB RAM)
Disk: Premium SSD
Network: Use a VNet/subnet connected to on-prem. Optionally, create a dedicated subnet for DCs.
Public IP: Don’t assign one – use private IP via VPN only.
NSG (Security Group): Restrict traffic. Allow DC-to-DC and admin RDP (via VPN or Bastion).
Hostname: Something like AZDC01
Static IP: Assign a static private IP (e.g., 10.1.0.4). Do this in Azure NIC settings.
DNS: Update the VNet DNS settings to use the on-prem DC IP(s), then add the Azure DC’s IP after promotion.

Promoting the Azure VM to a Domain Controller

Domain Join (Optional):
Join the VM to your domain using the GUI or:

Add-Computer -DomainName "CONTOSO.COM" -Credential (Get-Credential CONTOSO\Administrator)

Restart-Computer

#Install AD DS Role:

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

#Promote to DC:

Install-ADDSDomainController `

-DomainName "CONTOSO.COM" `

-SiteName "AzureSite" `

-InstallDns `

-Credential (Get-Credential "CONTOSO\Administrator") `

-SafeModeAdministratorPassword (ConvertTo-SecureString "YourDSRMpassword" -AsPlainText -Force)

Ensure replication succeeds using repadmin /showrepl AZDC01. If there are issues, check firewall and VPN.

DNS Integration:

This DC will receive DNS zones via replication.
Update the VNet DNS server list to include this DC’s IP.
On the Azure DC, set its NIC to use itself for primary DNS and a backup on-prem DC for secondary.

Global Catalog:
Ensure it is a GC (default is yes). Check using AD Sites and Services.

Active Directory Sites and Services Configuration

Create Site: Name it something like “Azure”.
Create Subnet: Match Azure VNet range (e.g., 10.1.0.0/16).
Move Server Object: Ensure the new DC’s object is placed under the Azure site.
Replication: Default replication via DEFAULTIPSITELINK is every 180 minutes. Adjust as needed (e.g., to 15 minutes).

This setup ensures Azure resources use the Azure DC, while on-prem clients use their local DCs.

Benefits and Use Cases

Provides redundancy if on-prem goes down.
Enables local auth for Azure VMs and apps.
Reduces cross-VPN authentication traffic.
Supports hybrid apps like Azure Files or AD-integrated services.
Enables closer placement of Azure AD Connect (if applicable).

Security Best Practices

Enable Azure Disk Encryption with BitLocker.
Avoid public IPs or open RDP ports.
Use Azure Bastion or VPN for management.
Enable regular Azure Backup.
Monitor logs and replication health like other DCs.

Verification Steps

From an Azure VM, run:

nltest /dsgetdc:contoso.com /Server:AzureVMName

#It should return the Azure DC.

#Simulate on-prem outage by disabling VPN and verifying Azure VMs still authenticate.

#On on-prem clients, check they don’t use Azure DC accidentally:

nltest /dsgetsite

nltest /dsgetdc:contoso.com /Site:OnPremSiteName

Time Sync Warning

Azure VMs often use the host’s clock (which can drift). Disable time sync integration and ensure the Azure DC uses domain time. Verify by running:

w32tm /query /source

It should point to the domain’s PDC Emulator, not “Local CMOS Clock” or Hyper-V integration service.

Real-World Insight

We’ve seen major reliability gains when deploying an Azure DC. For example, a cloud backup server that was previously VPN-dependent started querying AD locally, reducing backup errors and improving speed. However, we also saw issues where time skew caused Kerberos failures—disabling host time sync and letting the Azure DC follow the domain hierarchy resolved the issue. Always test time and replication carefully.

We’ve achieved a resilient hybrid AD configuration with an Azure-hosted DC that is now in play. In Part 10, we’re ready to raise the forest and domain functional levels to Windows Server 2025.

Cristal Kawula, Checkyourlogs.net

Featured

New Release - Migrating to Server 2025 and Azure - Hands on Lab Guide

Featured

Introducing a New Must-Have Resource: Fundamentals of Active Directory – Hands-On Lab Guide

Featured