Cloud Computing

Deploy a New Domain from a Microsoft Azure Template


In this post, I'll show you how to deploy a virtual machine-based Active Directory domain in Azure using an Azure Resource Manager (ARM) template.

The Problem

As you might tell from the frequency of my Azure content here, I use Azure a lot. I use the Azure benefit from an MSDN Premium subscription. This gives me a monthly allocation of free credit, so my test work doesn't impact my credit card. But this work comes at another price: whenever I am finished with a test or demo, I have to destroy every part of that demo so that it doesn't accrue any further charges to my account.

A lot of my demo labs require some kind of legacy Active Directory. For example, I recently wrote a series of articles on Azure RemoteApp. Every RemoteApp scenario that I’ve encountered in the real world requires a legacy Active Directory that is synchronized via Azure AD Connect. This gives me users, computers, group policy, and OUs that I can deploy to RemoteApp users in conjunction with other domain-joined virtual machine-based services.


And that’s where I spend a lot of my time — deploying and configuring domain controllers. Imagine this scenario:

  • Day 1: Deploy a new domain to write article X, write the article, and destroy the entire resource group, including the domain to save Azure credit.
  • Day 4: Deploy a new domain to write article Y, write the article, and destroy the entire resource group, including the domain to save Azure credit.
  • Day 7: Deploy a new domain to write article Z, write the article, and destroy the entire resource group, including the domain to save Azure credit.

And you get the idea. It seems like I’m spending a lot of time deploying a new domain. That would be no different for a consultant who is deploying new Azure services for lots of clients or an engineer who is building test or evaluation environments.

I'm working more and more with Azure Resource Manager (ARM), and most of you will too over the next year, so I wondered: has someone created and shared a template for deploying domain controllers? The answer is yes.

The Template

ARM is based on the concept of reusable JSON templates: you build a template of a solution and submit that template to Azure to deploy an instance (a "stamp") of it. This cookie-cutter approach means that:

  • You test and develop a template once.
  • You can repeatedly deploy that template many times.
  • The time you invest in creating the template is saved many times over.

I am not able to write JSON templates, but that doesn't stop me from using them. There is a community that has shared templates on GitHub, which you can also search via a Microsoft catalogue.

The template that I want to show you is called "Create a new AD Domain with 2 Domain Controllers." If you deploy this template, it will create a resource group with:

  • 2 domain controller virtual machines in an availability set.
  • The necessary NICs, virtual network and load balancer.
  • Any required storage.
  • Scripts that run inside the virtual machines to promote them and create a domain with a name of your own choosing.

With this template, you get a predictable result, and it does all this while you can be doing some other work. This is a major time saver.

You can learn much more about the template by:

  • Following the link to Learn More On GitHub; here you can view the code that deploys the solution.
  • Viewing the visualization of the template in GitHub.
The visualization of the 2 domain controller Azure template (Image Credit: Aidan Finn)

Using the Template

While you can use PowerShell to deploy the template, probably the easiest way to use it is to click the Deploy To Azure button. This action will open the Azure Portal in a new browser tab and load a blade that allows you to configure the settings of the new domain.

Deploying a new domain in Azure using an ARM template (Image credit: Aidan Finn)

There are lots of settings that you can configure, which are documented on the Microsoft template directory page. Interesting options include:

  • Select a region.
  • Select an existing resource group or create a new one.
  • Configure a new storage account.
  • Create and configure a virtual network, including a load balancer with inbound NAT rules that publish Remote Desktop on the domain controllers through the load balancer's public IP address.
  • Name the new domain administrator and set the password. This account becomes the domain's administrator, so use a long, unique password; the template takes it as a securestring parameter so that it is not recorded in the deployment's parameters.
  • Choose the options for the new virtual machines, including the operating system and virtual machine spec.
  • Configure the domain name of the Active Directory domain (DOMAINNAME) and of the public IP address for the load balancer (DNSPREFIX).

You might find that some of the options are too restrictive. For example, the list of possible Azure regions in the template is small. You might want to remove features, or you might want to add features. For example, network security groups (NSGs) are not created by this template, which matters because the load balancer's NAT rules make RDP on the domain controllers reachable from the internet; you should add an NSG that restricts that access to your own addresses before leaving the lab running. If that's the case, then you can follow the Edit Template link to modify the original JSON template for this deployment, or add the missing resources afterwards.
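As an added example that is not part of the original article, the following PowerShell (Az module) script adds the network security group the template does not create, so that RDP on the domain controllers is reachable only from your own address. It assumes the template has already been deployed into the resource group named in $resourceGroup, that the template created exactly one virtual network there (the script discovers the VNet and its subnets rather than hardcoding the template's resource names), and that $adminIp is your own public address; the placeholder value is from the documentation range.

```powershell
# Added example (not from the original article): lock RDP on the DCs down to one admin address.
# Assumptions: Az.Network is installed, you are signed in (Connect-AzAccount), $resourceGroup is
# the group the template deployed into and contains a single VNet, and $adminIp is your public IP.

$resourceGroup = 'rg-lab-ad'       # resource group the template deployed into (your name)
$adminIp       = '203.0.113.10'    # placeholder from the documentation range; replace with your IP

$vnet = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup
if (@($vnet).Count -ne 1) {
    throw "Expected one VNet in $resourceGroup, found $(@($vnet).Count)"
}

# The load balancer's NAT rules forward to TCP 3389 on the DCs, so the subnet NSG sees the
# traffic as RDP from the original internet source. Allow only the admin address; the default
# DenyAllInBound rule (priority 65500) drops RDP from everywhere else, while the default
# AllowVnetInBound and AllowAzureLoadBalancerInBound rules keep DC-to-DC replication and the
# load balancer's health probes working.
$allowAdminRdp = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Admin' `
    -Description 'RDP to the DCs only from the admin workstation' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix "$adminIp/32" -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389

# An explicit deny is redundant with DenyAllInBound but makes the intent visible in the portal.
$denyInternetRdp = New-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-From-Internet' `
    -Description 'Block RDP from any other internet source' `
    -Access Deny -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Location $vnet.Location `
    -Name 'nsg-ad-subnet' -SecurityRules $allowAdminRdp, $denyInternetRdp

# Associate the NSG with every subnet of the lab VNet, then commit the VNet change.
foreach ($subnet in $vnet.Subnets) {
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet.Name `
        -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify what was applied.
(Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name 'nsg-ad-subnet').SecurityRules |
    Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange
```

If your connection has a dynamic public address, widen the source prefix to your provider's range or you will lock yourself out of the lab the next time the address changes; in that case a jump host inside the VNet is the better option than opening the rule further.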

You can make selections or enter names for items in Parameters, confirm the legal terms, and click Create, and a short while later you'll have a fully functional domain. Note that the domain controllers won't have the Active Directory administration tools installed, but you can either manage them remotely or add the features later in Server Manager or by PowerShell.
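The same deployment can be driven from PowerShell, which is the better fit for the "deploy, write, destroy" cycle described above. The following script is an added example, not code from the article or from the template's authors. It assumes the Az module; the template URI and the parameter names (adminUsername, adminPassword, domainName, dnsPrefix) are assumptions taken from the quickstart template as published on GitHub, and both the repository path and the parameter names have changed over time, so check them against the "parameters" section of the azuredeploy.json you actually deploy. The resource group name, region, user name and domain name are placeholders.

```powershell
# Added example (not from the original article): deploy the two-DC quickstart template with Az.
# Assumptions: Az module installed; template URI and parameter names as noted in the lead-in.

$resourceGroup = 'rg-lab-ad'     # everything the template creates lands here
$location      = 'westeurope'    # the template restricts the region list, so pick one it allows
$templateUri   = 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/application-workloads/active-directory/active-directory-new-domain-ha-2-dc/azuredeploy.json'

Connect-AzAccount | Out-Null

# Prompt for the domain administrator password so it is never written into the script or the
# shell history. The template declares adminPassword as securestring, and passing a SecureString
# keeps the value out of the recorded deployment parameters.
$adminPassword = Read-Host -Prompt 'Domain administrator password' -AsSecureString

$parameters = @{
    adminUsername = 'labadmin'                             # the platform rejects reserved names such as administrator
    adminPassword = $adminPassword
    domainName    = 'lab.internal'                         # DOMAINNAME in the portal blade
    dnsPrefix     = 'labad' + (Get-Random -Maximum 9999)   # DNSPREFIX: label of the public IP, must be globally unique
}

if (-not (Get-AzResourceGroup -Name $resourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $resourceGroup -Location $location | Out-Null
}

# Validate before deploying: this reports the parameter problems that the portal only shows as
# an unhelpful "bad request", together with the error code and message.
$validation = Test-AzResourceGroupDeployment -ResourceGroupName $resourceGroup `
    -TemplateUri $templateUri -TemplateParameterObject $parameters
if ($validation) {
    $validation | ForEach-Object { Write-Error ('{0}: {1}' -f $_.Code, $_.Message) }
    throw 'Template validation failed; fix the parameters above before deploying.'
}

# Deploy. The promotion scripts run inside the VMs after they boot, so expect this to take a while.
$deployment = New-AzResourceGroupDeployment -Name ('ad-lab-' + (Get-Date -Format 'yyyyMMddHHmm')) `
    -ResourceGroupName $resourceGroup -TemplateUri $templateUri `
    -TemplateParameterObject $parameters -Verbose

$deployment.ProvisioningState   # 'Succeeded' when the domain is up

# When the demo is finished, delete the whole group so the lab stops consuming credit:
# Remove-AzResourceGroup -Name $resourceGroup -Force
```

Because every resource is created inside one resource group, the single Remove-AzResourceGroup at the end is the entire clean-up step; nothing is left behind to keep charging the subscription.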

The deployed domain controllers and resources (Image Credit: Aidan Finn)

You might encounter a rather unhelpful "bad request" error when you click Create. You can dig into the error by browsing to Audit Logs and looking for failed Validate operations on the deployment. Somewhere in the template, one of the settings that you selected didn't pass a validation test, and the audit log entries tell you which one, so you can correct it and try again.
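The same audit log entries can be read from PowerShell, which is quicker than scrolling the portal blade. This is an added example rather than the article's own procedure. It assumes the Az module and that $resourceGroup is the group you deployed into; the property names used on the deployment operation and activity log objects are those of current Az.Resources and Az.Monitor output, and older module versions expose them under a nested Properties object instead.

```powershell
# Added example (not from the original article): pull the real error behind the portal's
# "bad request" out of the deployment record and the activity (audit) log.
# Assumptions: Az.Resources and Az.Monitor installed, signed in, $resourceGroup is your lab group.

$resourceGroup = 'rg-lab-ad'

# 1. Per-resource operations of the most recent deployment in the group. A failed resource
#    shows up here with a StatusMessage that carries the underlying error.
$last = Get-AzResourceGroupDeployment -ResourceGroupName $resourceGroup |
    Sort-Object Timestamp -Descending | Select-Object -First 1

if ($last) {
    'Deployment {0}: {1}' -f $last.DeploymentName, $last.ProvisioningState
    Get-AzResourceGroupDeploymentOperation -ResourceGroupName $resourceGroup -DeploymentName $last.DeploymentName |
        Where-Object { $_.ProvisioningState -eq 'Failed' } |
        ForEach-Object {
            '  {0}' -f $_.TargetResource
            '    ' + ($_.StatusMessage | ConvertTo-Json -Depth 5 -Compress)
        }
}

# 2. The activity log, which is what the portal's Audit Logs blade shows. A template that fails
#    validation never becomes a deployment record at all, so it only appears here, as a failed
#    operation on the deployments resource provider.
Get-AzLog -ResourceGroupName $resourceGroup -StartTime (Get-Date).AddHours(-2) -Status Failed |
    Where-Object { $_.OperationName.Value -like '*deployments*' } |
    ForEach-Object {
        '{0} {1} {2}' -f $_.EventTimestamp, $_.OperationName.Value, $_.SubStatus.Value
        $statusMessage = $_.Properties.Content['statusMessage']
        if ($statusMessage) { '    ' + $statusMessage }
    }
```

The statusMessage property is a JSON document produced by Resource Manager; the "message" inside it names the parameter or resource that failed, which is the information the portal's bad request dialog hides.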

Aidan Finn, Microsoft Most Valuable Professional (MVP), has been working in IT since 1996. He has worked as a consultant and administrator for the likes of Innofactor Norway, Amdahl DMR, Fujitsu, Barclays and Hypo Real Estate Bank International where he dealt with large and complex IT infrastructures and MicroWarehouse Ltd. where he worked with Microsoft partners in the small/medium business space.