In this post, I’ll show you how to deploy a virtual machine-based Active Directory domain in Azure using an Azure Resource Manager (ARM) template.
As you might be able to tell from the frequency of my Azure content here on Petri.com, I use Azure a lot. I use the Azure benefit from an MSDN Premium subscription. This gives me a monthly allocation of free credit, so my test work doesn’t impact my credit card. But this work comes at another price: whenever I am finished with a test or demo, I have to destroy every part of that demo so that it doesn’t accrue any further charges to my account.
A lot of my demo labs require some kind of legacy Active Directory. For example, I recently wrote a series of articles on Azure RemoteApp. Every RemoteApp scenario that I’ve encountered in the real world requires a legacy Active Directory that is synchronized via Azure AD Connect. This gives me users, computers, group policy, and OUs that I can deploy to RemoteApp users in conjunction with other domain-joined virtual machine-based services.
And that’s where I spend a lot of my time — deploying and configuring domain controllers. Imagine this scenario:
And you get the idea. It seems like I’m spending a lot of time deploying a new domain. That would be no different for a consultant who is deploying new Azure services for lots of clients or an engineer who is building test or evaluation environments.
I’m working more and more with Azure Resource Manager (ARM), and most of you will too over the next year, so I wondered… Has someone created and shared a template for deploying domain controllers? The answer is: Yes.
ARM is based on the concept of reusable JSON templates; you describe a solution in a template and submit that template to Azure, which deploys every resource the template describes as one unit (a “stamp”). This cookie-cutter approach means that:
I am not able to write JSON templates, but that doesn’t stop me from using them. There is a community that has shared templates on GitHub, which you can also search via a Microsoft catalogue.
The template that I want to show you is called “Create an new AD Domain with 2 Domain Controllers.” If you deploy this template, it will create a resource group with:
With this template, you get a predictable result, and the deployment runs in the background while you get on with other work. This is a major time saver.
You can learn much more about the template by:
While you can use PowerShell to deploy the template, probably the easiest way to use it is to click the Deploy To Azure button. This action will open the Azure Portal in a new browser tab and load a blade that allows you to configure the settings of the new domain.
There are lots of settings that you can configure, which are documented on the Microsoft template directory page. Interesting options include:
You might find that some of the options are too restrictive. For example, the list of possible Azure regions in the template is small. You might want to remove features, or you might want to add features. For example, network security groups are not created by this template, so nothing filters traffic to the domain controllers at the subnet level until you add one. If that’s the case, then you can follow the Edit Template link to modify the original JSON template for this deployment.
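If you would rather not edit the JSON, the missing network security group can be bolted on after the deployment finishes. The following is an added example written for this article, not code from the original post or from the template’s authors; it uses the Az PowerShell module and assumes the resource group, virtual network and subnet names shown in the variables, which you must match to your own deployment. It allows RDP only from one management address and explicitly denies everything else arriving from the Internet.

```powershell
# Added example (not from the original post). Attach a restrictive NSG to the
# subnet the quickstart template created. Requires the Az module and an
# existing session (Connect-AzAccount). All names below are assumptions.
$rgName     = "ad-lab-rg"        # resource group created for the template
$vnetName   = "adVNET"           # virtual network name in your deployment
$subnetName = "adSubnet"         # subnet that holds the two domain controllers
$adminCidr  = "203.0.113.10/32"  # your management host (TEST-NET-3 placeholder)

# Rule 1: RDP (3389) is allowed only from the management address.
$allowRdp = New-AzNetworkSecurityRuleConfig -Name "Allow-RDP-Admin" `
    -Description "RDP from management host only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $adminCidr -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

# Rule 2: explicit deny for anything else from the Internet service tag.
# (The built-in DenyAllInBound rule at priority 65500 would also catch this,
# but an explicit rule documents the intent and survives later edits.)
$denyInternet = New-AzNetworkSecurityRuleConfig -Name "Deny-Internet-Inbound" `
    -Access Deny -Protocol * -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange *

$location = (Get-AzResourceGroup -Name $rgName).Location
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name "ad-subnet-nsg" `
    -Location $location -SecurityRules $allowRdp, $denyInternet

# Associate the NSG with the DC subnet, keeping the subnet's address prefix.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
$subnet = $vnet.Subnets | Where-Object Name -eq $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify the association: the subnet should now report the NSG name.
(Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName).Subnets |
    Where-Object Name -eq $subnetName |
    Select-Object Name, @{ n = 'NSG'; e = { $_.NetworkSecurityGroup.Id.Split('/')[-1] } }
```

Keep the domain controllers’ own traffic in mind when you tighten this further: the default AllowVnetInBound rule is what lets the two DCs replicate with each other and lets domain-joined VMs in the same virtual network reach DNS, Kerberos and LDAP, so do not add a broad deny below priority 65000 without listing those ports first.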
You can make selections or enter names for items in Parameters, confirm the legal stuff, and click Create, and a short while later, you’ll have a fully functional domain. Note that the domain controllers won’t have the Active Directory administration tools installed, but you can either manage them remotely or add the features later in Server Manager or by PowerShell.
You might encounter a rather unhelpful “bad request” error when you click Create. You can dive deeper into the error by browsing to Audit Logs and looking for validation errors. Somewhere in the template, one of the settings that you selected didn’t pass a validation test, and the audit log entries tell you which one so that you can troubleshoot it.
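The same deployment, validation check and post-install step can be scripted, which avoids the opaque “bad request” dialog altogether because the validation call returns the failing parameter by name. The script below is an added example for this article, not code from the original post or from the template’s maintainers. It assumes the Az PowerShell module, a signed-in session, the template’s raw GitHub URL, its parameter names (adminUsername, adminPassword, domainName, dnsPrefix) and the VM name adPDC; check those against the template README you actually deploy, as the community repository reorganises paths over time.

```powershell
# Added example (not from the original post). Validate, deploy and then add the
# AD admin tools to the first DC. Requires Az module + Connect-AzAccount.
# Template URL, parameter names and VM name are assumptions; verify them
# against the template's README before running.
$rgName      = "ad-lab-rg"
$location    = "westeurope"
$templateUri = "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/active-directory-new-domain-ha-2-dc/azuredeploy.json"

# Never hard-code the domain admin password in a script; prompt for it.
$adminPassword = Read-Host -Prompt "Domain admin password" -AsSecureString
$params = @{
    adminUsername = "labadmin"                          # 'administrator' is rejected by Azure
    adminPassword = $adminPassword
    domainName    = "corp.lab.internal"
    dnsPrefix     = "adlab$(Get-Random -Maximum 9999)"  # must be unique in the region
}

New-AzResourceGroup -Name $rgName -Location $location -Force | Out-Null

# 1. Validate first. Returns nothing on success, otherwise one error per problem,
#    which is the readable form of the portal's "bad request".
$problems = Test-AzResourceGroupDeployment -ResourceGroupName $rgName `
    -TemplateUri $templateUri -TemplateParameterObject $params
if ($problems) {
    $problems | ForEach-Object { Write-Warning "$($_.Code): $($_.Message)" }
    throw "Template failed validation; fix the parameters listed above."
}

# 2. Deploy. This takes a while; -Verbose streams each resource's state.
$deployment = New-AzResourceGroupDeployment `
    -Name "ad-ha-$(Get-Date -Format yyyyMMddHHmm)" `
    -ResourceGroupName $rgName -TemplateUri $templateUri `
    -TemplateParameterObject $params -Verbose

# 3. If it still failed, read the per-operation status (the scripted equivalent
#    of the portal's Audit Logs blade) instead of guessing.
if ($deployment.ProvisioningState -ne 'Succeeded') {
    Get-AzResourceGroupDeploymentOperation -ResourceGroupName $rgName `
        -DeploymentName $deployment.DeploymentName |
        Where-Object ProvisioningState -eq 'Failed' |
        Select-Object TargetResource, StatusCode, StatusMessage | Format-List
    throw "Deployment ended in state '$($deployment.ProvisioningState)'."
}

# 4. The DCs come without the AD admin tools. Install them through the VM
#    agent (Run Command), which needs no inbound port open on the VM.
$installScript = @'
Install-WindowsFeature -Name RSAT-AD-Tools, GPMC -IncludeAllSubFeature |
    Select-Object Success, RestartNeeded, FeatureResult
'@
$scriptPath = Join-Path $env:TEMP "install-rsat.ps1"
Set-Content -Path $scriptPath -Value $installScript
Invoke-AzVMRunCommand -ResourceGroupName $rgName -VMName "adPDC" `
    -CommandId 'RunPowerShellScript' -ScriptPath $scriptPath |
    Select-Object -ExpandProperty Value |
    ForEach-Object { $_.Message }
```

Running Test-AzResourceGroupDeployment before every deployment is cheap and catches the usual culprits (a region the template does not list, a DNS prefix that is already taken, a password that fails the complexity rules) without creating any billable resource.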