
SMB Azure Business Continuity and Disaster Recovery

Active Directory Domain Services


Business Continuity and Disaster Recovery Guide

Prepared by

Robert DeLuca, Jim Phillipps, James Svolos, David Reynolds, Stavan Patel, Henry Robalino,
Jason Beck, Alejandra Hernandez, and Joel Yoker

Version 1.0

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.


Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose,
without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, our
provision of this document does not give you any license to these patents, trademarks, copyrights, or other
intellectual property.
The descriptions of other companies' products in this document, if any, are provided only as a convenience to you.
Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee
their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid
understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult
their respective manufacturers.

© 2013 Microsoft Corporation. All rights reserved. Any use or distribution of these materials without express
authorization of Microsoft Corp. is strictly prohibited.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

SMB Azure Business Continuity and Disaster Recovery
Prepared by Robert DeLuca, Jim Phillipps, James Svolos, David Reynolds Stavan Patel, Henry Robalino, Jason Beck, Alejandra
Hernandez, and Joel Yoker
"361936590.docx"
Microsoft Azure

Revision and Signoff Sheet

Change Record
Date Author Version Change Reference

2/4/2015 SMB 1.0 Initial Release


Table of Contents

1 Introduction............................................................................................................................................... 6
1.1 Using the Document.................................................................................................................................... 6

1.2 Azure Business Continuity and Disaster Recovery (BCDR)............................................................6

1.3 Scenario Overview........................................................................................................................................ 7

2 Scenario 1: Host an Active Directory Domain Controller in Windows Azure...................9


2.1 High-Level Scenario Overview................................................................................................................. 9

2.2 Dependencies................................................................................................................................................. 9

2.3 Design and Deployment Considerations........................................................................................... 10

2.4 Configuration and Walkthrough Steps.............................................................................................. 11


2.4.1 Deploy Windows Server Virtual Machine in Azure.....................................11
2.4.2 Add Data Disk for Active Directory Database............................................12
2.4.3 Configure the Attached Data Disk on the Virtual Machine.......................13
2.4.4 Create Site, Subnet, and Site Link in Active Directory ..............................13
2.4.5 Configure DNS and Join Virtual Machine to the Domain...........................15
2.4.6 Promote Windows Azure Virtual Machine to a Domain Controller............16
2.4.7 Verify Domain Controller Functionality.......................................................19

3 Scenario 2: Active Directory Backup to Azure Data Disks.....................................................20


3.1 High-Level Scenario Overview............................................................................................................... 20

3.2 Dependencies.............................................................................................................................................. 21

3.3 Design and Deployment Considerations........................................................................................... 21

3.4 Configuration and Walkthrough Steps.............................................................................................. 21


3.4.1 Attach Azure Data Disk to Domain Controller Virtual Machine ................22
Install Windows Server Backup..................................................................................22
3.4.2 Configure Windows Server Backup..............................................................22
3.4.3 Test Backup Settings.....................................................................................23

4 Appendix: Configure Azure Virtual Networks and Site to Site VPN Gateway...............24
4.1 Dependencies.............................................................................................................................................. 24


4.2 Configuration and Walkthrough Steps.............................................................................................. 24


4.2.1 Setup Virtual Network in Azure....................................................................24
4.2.2 Configure Local Edge Server........................................................................25
4.2.3 Connect the Azure Gateway.........................................................................26


1 Introduction
This document is intended to provide technical details for supporting Business Continuity and
Disaster Recovery planning for generic virtual machine workloads, whether or not they are
managed by System Center Virtual Machine Manager. It includes sections outlined by technical
scenario and is generalized to support several types of workload deployments.

1.1 Using the Document


You should use this document to support lab and production configurations during customer
engagements. It may not align exactly with the customer infrastructure, but the aim of the
document is to simplify and outline common configuration steps associated with each scenario.

1.2 Azure Business Continuity and Disaster Recovery (BCDR)


To enable business continuity and disaster recovery (BCDR) in the event of catastrophic failure,
workloads in a cloud infrastructure must leverage the capabilities of the cloud's fabric and fabric
management infrastructure. Availability targets in cloud environments can be achieved through
the combination of native workload constructs and the capabilities of the hosting cloud
infrastructure.

Azure guidance on supporting BCDR scenarios can be divided across public and hybrid cloud
environments using each environment's unique capabilities. There are three main decision
points which drive whether public or hybrid cloud constructs can be used to support BCDR
within a given cloud-hosted application or service: the data location, the failover mechanism,
and the backup (and subsequent restoration) method. When combined with public and hybrid
cloud constructs, these decision points form the basis for a comprehensive cloud-based BCDR
strategy.


This spectrum of options is illustrated in the model below.

Figure 1: Cloud-enabled BCDR Framework

This document will cover these areas as they relate to standard virtual machine/workload
deployments.

1.3 Scenario Overview


The aforementioned CPIF BC/DR options can be applied to each workload using a series of
scenarios. For Active Directory Domain Services, the following scenarios are defined:

1. On-Premises DCs with Replica DC in Azure VM: This scenario outlines providing DR
capabilities for on-premises Active Directory Domain Services through cloud-based
domain controller virtual machines.
2. On-Premises DCs with Delayed Replication DC in Azure VM: This scenario outlines
providing DR capabilities for on-premises Active Directory Domain Services through
cloud-based domain controller virtual machines with a delayed replication interval.
Delayed replication allows a time window during which invalid or improper changes to
Active Directory can be rolled back through the authoritative restore process.
3. Backup of Azure-based DC to Azure Data Disk: This scenario covers backup and restore
of Active Directory domain controllers to dedicated backup disks attached to Microsoft
Azure IaaS Virtual Machines.

While these do not encompass all of the possible scenarios one could establish for BC/DR of
Active Directory Domain Services using cloud infrastructures, they provide a basis for the most
common scenarios which would be encountered. These scenarios will be expanded as newer data
and cloud platform capabilities become available.

The following sections provide step-by-step examples of how these scenarios can be established
in a cloud environment. This documentation assumes that the reader has access to and a
working knowledge of the Windows Server Hyper-V and System Center private cloud
environment and has access to a Microsoft Azure subscription.


2 Scenario 1: Host an Active Directory Domain Controller in Windows Azure
This section describes the scenario of deploying a domain controller within Microsoft Azure for
disaster recovery of Active Directory Domain Services.

2.1 High-Level Scenario Overview


By connecting an on-premises network with an Azure virtual network via Site-to-Site VPN and
promoting an Azure virtual machine to a domain controller, domain users and systems will be
able to maintain a level of functionality in case of catastrophic failure of the on-premises Active
Directory infrastructure.

Figure 3: High-level Solution Architecture

2.2 Dependencies
Install and configure Windows Azure PowerShell on local machine.


Complete the configuration of Windows Azure virtual network, local network, and RRAS
gateway.

Create on-premises sites and subnets in Active Directory.

2.3 Design and Deployment Considerations


When hosting a domain controller in Windows Azure it is important to restrict access to the
Azure Subscription. Users with administrator access to the Azure Subscription have access to a
domain controller image and domain accounts. Azure Subscription administrators must be
trusted as domain administrators.

The Azure virtual network should have no publicly accessible endpoints, with the only
connection being the site-to-site VPN. Azure ExpressRoute is recommended to increase the
reliability and speed of the connection.

The Azure virtual network address space must be reachable from one or more on-premises
domain controllers for Active Directory replication to occur. On-premises servers and
workstations must also have connectivity to the virtual network address space to communicate
with Azure-based domain controllers in the event of an on-premises domain controller failure.
For configuration simplicity and reduced time-to-recovery, it is recommended that domain
controllers, servers, and client computers have access to the virtual network subnet at all times,
rather than waiting for a failure to occur before allowing server and client access.

Azure-based domain controllers should reside in a dedicated Active Directory site with an
appropriate site link connecting the site to existing on-premises site(s). Azure will effectively
become a new location for your organization. Adjustment of site link costs and DC locator DNS
records can be used to optimize replication patterns, site coverage, and discovery of domain
controllers by clients and servers. In the default configuration, Azure-based domain controllers
in a separate site will not regularly service clients and servers from other sites, but some traffic
may be seen if domain controllers are located using non-site-specific global records. Global
locator record registration is important as it allows Azure domain controllers to quickly service
Active Directory clients in the event of an on-premises domain controller failure. This can be
disabled to reduce network traffic, but will delay failover to Azure domain controllers and may
require manual administrator intervention.

The decision to use schedule-driven replication or notification-driven replication over the Azure
site link should consider network traffic, Azure bandwidth charges, and the risk of losing on-
premises Active Directory changes in the event of an on-premises domain controller failure.
Schedule-driven replication may help decrease network traffic depending on the nature of your
organization's Active Directory change patterns. Notification-driven replication will minimize
replication latency, ensuring any Active Directory changes made to on-premises domain
controllers are quickly replicated to cloud-based domain controllers.

The Active Directory database, logs, and SYSVOL should be placed on a separate Azure data disk
to ensure data persistence through any site repair or recovery, and to ensure Active Directory
database integrity in the case of a VM failure, reset, crash, or other case where the operating
system is not shut down cleanly.

Consider the DNS configuration of your organization and determine the appropriate failover/DR
approach. Azure domain controllers are configured as DNS servers and can host all required
DNS zones, but this does not mean clients and servers will automatically use them in the event
of an on-premises DC/DNS failure. If clients and servers are pointing exclusively to on-premises
domain controllers for DNS, some level of intervention will be required to leverage the Azure
domain controllers for DR. On the other hand, if clients and servers are configured with Azure
domain controllers as a secondary or tertiary DNS server, some additional Azure network traffic
will likely be seen during normal operations.

The configuration and walkthrough steps provided below configure one domain controller to
service a single-domain Active Directory environment. In the case of multiple domains or forests,
the configuration steps should be followed for each domain that requires disaster recovery
capabilities. All Azure domain controllers can reside on the same virtual network and share a
common Active Directory site, subnet, and site link configuration, or can be configured in
separate sites if your organization's requirements dictate such a configuration.

2.4 Configuration and Walkthrough Steps


2.4.1 Deploy Windows Server Virtual Machine in Azure
1. From the Microsoft Azure Management Portal (Azure Portal) create a new virtual machine
in Compute -> Virtual Machine -> From Gallery.
2. Select a Windows Server 2012 R2 Datacenter image.
3. Configure the version (select the latest date), enter the computer name, the tier (Standard),
the appropriate size, and the administrator user name and password. Continue to the virtual
machine configuration.

Note: If a cloud service exists, select the existing service and skip to step number 5.

4. Select Create a new cloud service.


Figure 4: Virtual Machine Configuration in Azure Portal.

Note: The name of the cloud service is the name of the new virtual machine being created and
can be modified if needed.

5. Select the appropriate Affinity Group.

Note: The subnet will be filled in based on the affinity. If there are additional subnets, select
the appropriate one.

6. Use an automatically generated Storage Account, unless a previously created storage
account is necessary.
7. Select an Availability Set if one is appropriate.
8. Continue to the next Virtual machine configuration page.
9. Check the boxes for VM Agent and Microsoft Anti-Malware.
10. Continue and the new virtual machine will be prepared.
11. Confirm the virtual machine was created by navigating to Virtual Machines in the Azure
Portal.
12. The status next to your new virtual machine should be a green check mark Running.

Figure 5: Virtual Machines in Azure Portal.


2.4.2 Add Data Disk for Active Directory Database


1. Navigate to Virtual Machines in the Azure Portal.
2. Select the virtual machine created in the last section.
3. At the bottom of the management portal select Attach -> Attach Empty Disk.
4. Enter the desired size of the disk.
5. Configure the cache option to NONE.

Figure 6: Configuration options for attaching an empty disk.

6. Continue to create and attach the new disk.

2.4.3 Configure the Attached Data Disk on the Virtual Machine


1. Connect to the virtual machine from the Azure Portal.
2. Enter the Administrator credentials.
3. Initialize and format the data disk in Disk Management.
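The two disk steps above (attach with caching set to NONE, then initialize inside the guest) as Windows PowerShell, added here as an example; this is not code from the guide. Part 1 assumes the classic Azure PowerShell module named in the Dependencies section, and the cloud service name, VM name, size and drive letter are placeholders. Part 2 refuses to format anything that already carries a partition table, which is the check a practitioner wants before handing the disk to AD DS.

```powershell
# Added example (not from the guide). Part 1 runs on the administrator workstation
# with the Azure PowerShell module; Part 2 runs inside the new VM as local administrator.

# --- Part 1: attach an empty data disk with host caching disabled (section 2.4.2) ---
function Add-AdDataDisk {
    param(
        [Parameter(Mandatory)][string]$ServiceName,   # cloud service of the VM (placeholder)
        [Parameter(Mandatory)][string]$VMName,        # VM name (placeholder)
        [int]$SizeGB = 20,
        [int]$Lun = 0
    )
    # Cache option NONE: AD DS depends on write-through I/O so the database stays
    # consistent if the VM is reset or crashes (section 2.3).
    Get-AzureVM -ServiceName $ServiceName -Name $VMName |
        Add-AzureDataDisk -CreateNew -DiskSizeInGB $SizeGB -DiskLabel 'NTDS' -LUN $Lun -HostCaching None |
        Update-AzureVM
}

# --- Part 2: initialize and format the disk inside the VM (section 2.4.3, step 3) ---
function Initialize-AdDataDisk {
    param([char]$DriveLetter = 'X', [string]$Label = 'NTDS')   # X: matches the guide's script

    # Only a disk with no partition table is a candidate. Refuse to touch anything that
    # already has data, and refuse if more than one RAW disk makes the choice ambiguous.
    $raw = @(Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' -and $_.Number -ne 0 })
    if ($raw.Count -ne 1) {
        throw "Expected exactly one uninitialized data disk, found $($raw.Count)."
    }

    $raw[0] |
        Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -DriveLetter $DriveLetter -UseMaximumSize |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false |
        Out-Null

    # Return the paths the promotion step (section 2.4.6) expects on this disk.
    [pscustomobject]@{
        DatabasePath = "${DriveLetter}:\NTDS"
        LogPath      = "${DriveLetter}:\NTDS"
        SysvolPath   = "${DriveLetter}:\SYSVOL"
    }
}

# Usage inside the VM:
# Initialize-AdDataDisk -DriveLetter 'X'
```

The Azure temporary disk is already partitioned, so the RAW filter in Part 2 only ever matches the disk attached in Part 1; if the count check fails, stop and look at Disk Management rather than formatting by guess.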

2.4.4 Create Site, Subnet, and Site Link in Active Directory


Complete this step with Windows PowerShell

1. Connect to an on-premises domain controller as an Administrator.
2. Open Active Directory Sites and Services.
3. Right-click on Sites, select New Site.
4. Enter the desired site name for the Azure Site and select the default site link and click
OK.

Note: The site link will be changed to a new Azure to on-premises site link in a later step.

5. In Active Directory Sites and Services under Sites, right-click on Subnets and select New
Subnet.
6. Enter the Prefix of the Azure Virtual Network Subnet (e.g. 192.168.2.0/24).


7. Select the Site created for the Azure domain controller, and click Next.

8. In Active Directory Sites and Services under Sites, then Inter-Site Transports, right-click
on IP and select New Site-Link.
9. Enter the desired Name (e.g. AzureSite-OnPremSite) for the Site-Link and select the sites
to be added to the link (e.g. AzureSite, OnPremSite, etc.).

Note: The Site-Link must contain the Azure site and one or more on-premises sites.

10. Back in Active Directory Sites and Services under Sites, Inter-Site Transports, then IP,
right-click on the Site-Link created in the last step and select Properties.
11. Enter the desired Cost and Replication time in minutes.

Note: Choose a cost to reflect the appropriate replication and site coverage preferences. This
will likely be a cost higher than the cost used on most on-premises site links.

12. Optional: Configure Change Notification for the new Site-Link.
13. In the Site-Link Properties, navigate to the Attribute Editor tab.
14. Locate the Attribute options, and select Edit.


15. Enter the value of 1 to enable change notifications and a value of 0 to disable.

Windows PowerShell equivalent commands

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell
command prompt, perform the same function as the preceding procedure.

Create New Site:
New-ADReplicationSite -Name "<Azure Site Name>"

Create New Subnet:
New-ADReplicationSubnet -Name "<Azure Virtual Network Subnet Prefix>" -Site "<Azure Site Name>"

Create New Site Link:
New-ADReplicationSiteLink -Name "<SiteLinkName>" `
    -SitesIncluded "<Azure Site Name>","<SiteName1>"[,"<SiteName2>"] `
    -Cost <SiteLinkCost> `
    -ReplicationFrequencyInMinutes <ReplicationTime> `
    -InterSiteTransportProtocol IP `
    -OtherAttributes @{'options'=1}   # options=1 enables change notification (step 12); omit to leave it disabled

Note: Choose a cost to reflect the appropriate replication and site coverage preferences. This will
likely be a cost higher than the cost used on most on-premises site links. Also, the Site-Link must
contain the Azure site and one or more on-premises sites.
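The same site, subnet and site link created so the script can be re-run safely, followed by a check that the subnet really maps to the Azure site and that the options bit for change notification is set as intended. This is an added example and not code from the guide; it assumes the ActiveDirectory module on an on-premises domain controller, and the site names, cost and interval are placeholders (the 192.168.2.0/24 prefix is the guide's own example value).

```powershell
# Added example (not from the guide): idempotent creation plus verification of the
# Azure replication topology objects. Run on an on-premises DC as a domain administrator.
Import-Module ActiveDirectory

function New-AzureAdReplicationTopology {
    param(
        [string]$AzureSite     = 'AzureSite',              # placeholder
        [string]$AzurePrefix   = '192.168.2.0/24',         # the guide's example prefix
        [string[]]$OnPremSites = @('OnPremSite'),          # placeholder
        [string]$SiteLinkName  = 'AzureSite-OnPremSite',   # placeholder
        [int]$Cost             = 200,                      # higher than typical on-premises links
        [int]$IntervalMinutes  = 180,
        [switch]$ChangeNotification
    )
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$AzureSite'")) {
        New-ADReplicationSite -Name $AzureSite
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$AzurePrefix'")) {
        New-ADReplicationSubnet -Name $AzurePrefix -Site $AzureSite
    }
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$SiteLinkName'")) {
        $params = @{
            Name                          = $SiteLinkName
            SitesIncluded                 = @($AzureSite) + $OnPremSites   # Azure site plus one or more on-premises sites
            Cost                          = $Cost
            ReplicationFrequencyInMinutes = $IntervalMinutes
            InterSiteTransportProtocol    = 'IP'
        }
        # Bit 1 of the site link's options attribute enables change notification across the link.
        if ($ChangeNotification) { $params['OtherAttributes'] = @{ options = 1 } }
        New-ADReplicationSiteLink @params
    }
}

function Test-AzureAdReplicationTopology {
    param(
        [string]$AzureSite    = 'AzureSite',
        [string]$AzurePrefix  = '192.168.2.0/24',
        [string]$SiteLinkName = 'AzureSite-OnPremSite'
    )
    $site   = Get-ADReplicationSite     -Identity $AzureSite
    $subnet = Get-ADReplicationSubnet   -Identity $AzurePrefix
    $link   = Get-ADReplicationSiteLink -Identity $SiteLinkName -Properties options

    [pscustomobject]@{
        SubnetMapsToAzureSite = ($subnet.Site -eq $site.DistinguishedName)
        LinkIncludesAzureSite = ($link.SitesIncluded -contains $site.DistinguishedName)
        ChangeNotification    = (($link.options -band 1) -eq 1)
        Cost                  = $link.Cost
        IntervalMinutes       = $link.ReplicationFrequencyInMinutes
    }
}

# Usage: create (with change notification) and then verify
New-AzureAdReplicationTopology -ChangeNotification
Test-AzureAdReplicationTopology | Format-List
```

If SubnetMapsToAzureSite comes back false, the new DC will be placed in Default-First-Site-Name at promotion time and the site-specific locator records and replication topology described in section 2.3 will not behave as designed.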

2.4.5 Configure DNS and Join Virtual Machine to the Domain


Complete this step with Windows PowerShell

1. In the Azure Virtual Machine, configure the IPv4 TCP/IP Settings.


2. Open the Network and Sharing Center, open the Ethernet interface and select
Properties.
3. Configure the preferred DNS server to the on-premises DNS address and the secondary
DNS server to the loopback address (127.0.0.1).
4. In Control Panel, navigate to System and Security, then System.
5. Under Computer name, domain and workgroup settings, select Change Settings.
6. In the Computer Name tab, select Change.
7. Select the Domain radio button, enter the on-premises domain and click OK.
8. When prompted, enter on-premises administrator credentials.
9. After successfully joining the domain, restart the virtual machine.

Windows PowerShell equivalent commands

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell
command prompt, perform the same function as the preceding procedure.

Configure DNS:
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses ("<On-Premises DNS IPv4 Address>", "127.0.0.1")

Join Virtual Machine to the Domain:
# Supply on-premises domain credentials as in step 8; the local administrator account has no rights in the domain
Add-Computer -DomainName "<On-Premises Domain>" -Credential (Get-Credential)
Restart-Computer
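Before changing DNS and joining, a practitioner usually wants to know that the site-to-site VPN actually carries the traffic a domain join needs and that the on-premises DNS answers the DC locator record. The function below does those checks first and only then performs the two steps from this section. It is an added example, not code from the guide; the domain name and DNS address are placeholders supplied by the caller, and it runs inside the Azure VM as the local administrator.

```powershell
# Added example (not from the guide): pre-flight checks over the site-to-site VPN,
# then the DNS configuration and domain join of section 2.4.5.
function Join-AzureVmToDomain {
    param(
        [Parameter(Mandatory)][string]$DomainName,        # on-premises AD DNS domain (placeholder)
        [Parameter(Mandatory)][string]$OnPremDnsAddress,  # on-premises DC/DNS IPv4 address (placeholder)
        [string]$InterfaceAlias = 'Ethernet',
        [switch]$Restart
    )

    # 1. Reachability of the on-premises DC on the ports a join needs (DNS, Kerberos,
    #    LDAP, SMB). A failure here is a VPN or firewall problem, not an AD problem.
    foreach ($port in 53, 88, 389, 445) {
        $r = Test-NetConnection -ComputerName $OnPremDnsAddress -Port $port -WarningAction SilentlyContinue
        if (-not $r.TcpTestSucceeded) { throw "TCP $port to $OnPremDnsAddress failed" }
    }

    # 2. The on-premises DNS must answer the global DC locator record for the domain.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $OnPremDnsAddress -ErrorAction Stop
    $dcs = @($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)
    if ($dcs.Count -eq 0) { throw "No domain controllers registered in DNS for $DomainName" }

    # 3. Preferred DNS = on-premises DC, secondary = loopback (this VM hosts DNS after promotion).
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses ($OnPremDnsAddress, '127.0.0.1')

    # 4. Join with explicit on-premises credentials; the local account has no rights in the domain.
    Add-Computer -DomainName $DomainName `
        -Credential (Get-Credential -Message 'On-premises domain administrator') -ErrorAction Stop

    if ($Restart) { Restart-Computer -Force }
    $dcs   # the domain controllers the VM was able to locate
}

# Usage (placeholders):
# Join-AzureVmToDomain -DomainName 'corp.example.com' -OnPremDnsAddress '10.0.0.10' -Restart
```

Keeping the connectivity test separate from the join makes the failure mode obvious: a TCP failure means the VPN gateway or edge firewall from the appendix, an empty SRV answer means the wrong DNS server or a split-brain zone.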

2.4.6 Promote Windows Azure Virtual Machine to a Domain Controller


Complete this step with Windows PowerShell


1. Connect to the virtual machine and open Server Manager.
2. Navigate to Add Roles and Features.
3. Click Next on the Before You Begin page.
4. On the next page select the Role-based or feature-based installation radio button
and click Next.
5. On the Server Selection page select the Select a server from the server pool radio button
and select the desired server from the list. Click Next to continue.
6. On the Server Roles page select the Active Directory Domain Services role.
7. In the new window, review the features and click Add Features.
8. Click Next on the Features page.
9. Click Next on the AD DS page.
10. On the Confirmation page check the box Restart the destination server automatically
if required and click Install.
11. This will take a few minutes to complete; the virtual machine will automatically reboot on
completion.
12. After the installation is complete, return to Server Manager.
13. Click on the flag with the yellow warning icon.
14. In the drop-down select Promote this server to a domain controller.
15. This will launch the Active Directory Domain Services Configuration Wizard.
16. Select the Add a domain controller to an existing domain radio button.
17. Enter your on-premises domain into the domain section.
18. Add a domain administrator account for the credentials and click Next.
19. Check the boxes for Domain Name System (DNS) Server and Global Catalog (GC).
20. Select the site created for Azure.

Note: The site can be changed in the future if the proper site has not been created yet.

21. Enter and confirm the Directory Services Restore Mode (DSRM) password and click Next.


22. Review the DNS Options page and click Next.


23. Select the domain controller to replicate from in the Additional Options page and click
Next.
24. On the Path page, change the drive letter of the paths to the newly attached disk (e.g. X:\Windows\NTDS)
and click Next.

Note: Be sure to change all of the drive paths (X) to the Attached Empty Disk from the
previous section.

25. Review the configuration on the Review Options page and click Next.
26. Review the warnings on the Prerequisites Check page and click Install.

Windows PowerShell equivalent commands

The following Windows PowerShell commands, run at an administrator-level Windows PowerShell
command prompt, perform the same function as the preceding procedure.

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Use the following script to promote the virtual machine to a domain controller:
#
# Windows PowerShell script for AD DS Deployment
#

Import-Module ADDSDeployment
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "X:\NTDS" `
-DomainName "<Corporate Domain>" `
-InstallDns:$true `
-LogPath "X:\NTDS" `
-NoRebootOnCompletion:$false `
-SiteName "<Created Site for Azure>" `
-SysvolPath "X:\SYSVOL" `
-Force:$true

Note: Be sure to change all of the drive paths (X) to the Attached Empty Disk from the
previous section. All values in angle brackets are to be changed to customer-specific details.
The script prompts for the DSRM password (step 21) because -SafeModeAdministratorPassword is
not supplied on the command line.

2.4.7 Verify Domain Controller Functionality


1. Connect to the virtual machine.
2. In an administrative command prompt, enter: DCDiag /c /v
3. Verify that the tests ran successfully.
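A single check that covers what sections 2.3 and 2.4.6 promised: the DC sits in the Azure site, holds DNS and the global catalog, keeps the database, logs and SYSVOL off the operating system disk, is registered in both the site-specific and the global DC locator records, and replicates without failures. dcdiag is summarized by counting failed tests instead of reading its verbose output. This is an added example and not code from the guide; it runs inside the Azure domain controller as a domain administrator and takes no customer-specific values.

```powershell
# Added example (not from the guide): post-promotion verification of an Azure-hosted DC.
Import-Module ActiveDirectory

function Test-AzureDomainController {
    $dc     = Get-ADDomainController -Identity $env:COMPUTERNAME
    $domain = $dc.Domain
    $site   = $dc.Site

    # Where AD DS actually placed its files (authoritative, unlike the paths typed in the wizard).
    $ntds    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $sysvol  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysVol
    $paths   = @($ntds.'DSA Database file', $ntds.'Database log files path', $sysvol)
    $onOsDisk = @($paths | Where-Object { $_ -like "$env:SystemDrive*" })

    # DC locator records (section 2.3): the site-specific record serves clients in the Azure
    # site; the global record is what lets this DC pick up clients after an on-premises failure.
    $siteSrv   = Resolve-DnsName -Name "_ldap._tcp.$site._sites.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
    $globalSrv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
    $isThisDc  = { $_.Type -eq 'SRV' -and $_.NameTarget.TrimEnd('.') -ieq $dc.HostName }
    $inSite    = @($siteSrv   | Where-Object $isThisDc).Count -gt 0
    $inGlobal  = @($globalSrv | Where-Object $isThisDc).Count -gt 0

    # Inbound replication partners with a non-zero failure count.
    $repl = repadmin /showrepl $env:COMPUTERNAME /csv | ConvertFrom-Csv
    $replFailures = @($repl | Where-Object { [int]$_.'Number of Failures' -gt 0 }).Count

    # The guide's dcdiag /c /v, reduced to the number of tests that failed.
    $dcdiag = dcdiag /c /v 2>&1
    $failedTests = @($dcdiag | Select-String -Pattern 'failed test' -SimpleMatch).Count

    [pscustomobject]@{
        HostName            = $dc.HostName
        Site                = $site
        IsGlobalCatalog     = $dc.IsGlobalCatalog
        DnsServiceInstalled = [bool](Get-Service -Name DNS -ErrorAction SilentlyContinue)
        AdFilesOffOsDisk    = ($onOsDisk.Count -eq 0)
        SiteLocatorRecord   = $inSite
        GlobalLocatorRecord = $inGlobal
        ReplicationFailures = $replFailures
        DcdiagFailedTests   = $failedTests
    }
}

# Usage: every boolean should be True and both counts zero
Test-AzureDomainController | Format-List
```

A False in GlobalLocatorRecord is worth understanding before declaring the DR design complete: the guide notes that disabling global record registration reduces traffic but delays failover to the Azure DC, so the value should match the decision made in section 2.3 rather than be accepted by default.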


3 Scenario 2: Active Directory Backup to Azure Data Disks
This scenario covers backup and restore of Active Directory domain controllers to dedicated
backup disks attached to Microsoft Azure IaaS Virtual Machines.

3.1 High-Level Scenario Overview


Active Directory domain controller backups are a critical part of an Active Directory disaster
recovery strategy. Having multiple domain controllers in geographically dispersed locations and
using techniques such as delayed replication sites can provide protection against server failures,
location failures, and some types of content issues within Active Directory, but these techniques
are not a replacement for full domain controller backups. This scenario describes the basic
configuration of Windows Server Backup to maintain backups of a cloud-based domain
controller. Backups are stored on an Azure data disk attached to each domain controller virtual
machine.

Figure 7: High-level Solution Architecture


3.2 Dependencies
Complete the configuration of Scenario 1: Host an Active Directory Domain Controller in
Windows Azure, including all dependencies.

3.3 Design and Deployment Considerations


This scenario will use Windows Server Backup to perform a full backup, including system state,
of each Active Directory domain controller hosted in Windows Azure. In general, Microsoft
recommends that at least two domain controllers in each domain are backed up regularly.
Consider this recommendation when deciding on a backup strategy and create additional
Azure-based domain controllers as needed. Azure-based domain controller backup can be used
as a complement to or as a replacement for on-premises backup.

Storage required for backups will vary based on the size of your organization's domain
controller virtual machines, including the size of the Active Directory database, logs, and SYSVOL.
Windows Server Backup will automatically retain backups on locally-attached dedicated backup
disks and remove old backups as needed. Testing is recommended to determine the most
appropriate backup disk size.

Active Directory domain controller backups are generally only valid within the Active Directory
forest tombstone lifetime. There are situations where domain controller backups older than the
forest tombstone lifetime can be used to initiate a full forest recovery, but this is a complex
scenario outside the scope of this scenario guide. Assistance from Microsoft Support is
recommended if attempting such a recovery.

Domain controller backups must be secured to the same degree as domain controllers. Ensure
that any Azure subscription administrators and co-administrators are trusted to the same degree
as domain administrators.

3.4 Configuration and Walkthrough Steps


This scenario walkthrough covers the configuration of Windows Server Backup for a single
domain controller hosted in Windows Azure. The following steps should be repeated for each
domain controller to be protected.
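The Windows PowerShell form of the walkthrough that follows, added here as an example (not code from the guide). It builds the full-server policy with bare metal recovery and system state, targets a dedicated disk, and adds the check the wizard leaves to the operator: the target must be the newly attached, still uninitialized data disk and must never be the disk holding the AD DS database, logs or SYSVOL. It assumes the WindowsServerBackup module (the Windows-Server-Backup feature) is installed on the Azure domain controller and runs there as a domain administrator; the schedule time and target label are placeholders.

```powershell
# Added example (not from the guide): Windows Server Backup schedule for an Azure-hosted DC
# to a dedicated data disk, guarded against selecting the AD DS data disk as the target.
Import-Module WindowsServerBackup

function Get-AdDataDiskNumber {
    # Disk number of the volume hosting the AD database, from the NTDS service settings.
    $dbPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
    (Get-Partition -DriveLetter $dbPath.Substring(0, 1)).DiskNumber
}

function Set-DcBackupSchedule {
    param(
        [string]$BackupTime  = '21:00',        # daily backup time (placeholder)
        [string]$TargetLabel = 'DC Backups'    # label WSB gives the target disk (placeholder)
    )
    $adDisk = Get-AdDataDiskNumber

    # The dedicated target: exactly one disk with no partition table, and not the AD disk.
    $candidates = @(Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' -and $_.Number -ne $adDisk })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one uninitialized disk for backups, found $($candidates.Count); attach the data disk first."
    }
    $wbDisk = Get-WBDisk | Where-Object { $_.DiskNumber -eq $candidates[0].Number }
    if (-not $wbDisk) { throw "Windows Server Backup does not list disk $($candidates[0].Number)" }

    # Full server: all volumes plus bare metal recovery and system state, as the wizard's
    # "Full server (recommended)" option does. The Azure temporary disk is excluded.
    $policy  = New-WBPolicy
    $volumes = Get-WBVolume -AllVolumes | Where-Object { $_.VolumeLabel -ne 'Temporary Storage' }
    Add-WBBareMetalRecovery -Policy $policy
    Add-WBSystemState       -Policy $policy
    Add-WBVolume            -Policy $policy -Volume $volumes
    Set-WBVssBackupOptions  -Policy $policy -VssFullBackup

    # Dedicated disk target: WSB formats it (existing data is destroyed) and manages retention on it.
    $target = New-WBBackupTarget -Disk $wbDisk -Label $TargetLabel
    Add-WBBackupTarget -Policy $policy -Target $target -Force
    Set-WBSchedule     -Policy $policy -Schedule $BackupTime | Out-Null
    Set-WBPolicy       -Policy $policy -Force

    Get-WBPolicy   # the schedule now in effect
}

# Usage:
# Set-DcBackupSchedule -BackupTime '21:00'
```

Reading the database location from the NTDS service parameters rather than assuming X: means the guard still holds if the drive letter chosen in section 2.4.6 differs from the guide's example.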


3.4.1 Attach Azure Data Disk to Domain Controller Virtual Machine


1. Using the Azure management console, add a data disk to an Azure domain controller
virtual machine with non-delayed replication. Select an appropriate data disk size based
on the expected backup size and number of backups you want to store.

Note: The data disk need not be initialized or formatted at this time. Windows Server Backup
will automatically initialize and format the backup disk when a backup schedule is configured.

Install Windows Server Backup


1. From Server Manager, select Add Roles and Features and follow the wizard to install
the Windows Server Backup feature.

Windows PowerShell equivalent commands

The following Windows PowerShell commands, run at an administrator-level Windows
PowerShell command prompt, perform the same function as the preceding procedure.

Install Windows Server Backup:
Install-WindowsFeature Windows-Server-Backup

3.4.2 Configure Windows Server Backup


1. Start the Windows Server Backup console, right click Local Backup and select Backup
Schedule to start the Backup Schedule Wizard
2. On the Getting Started page, click Next
3. On the Select Backup Configuration page, select Full server (recommended) and click
Next
4. On the Specify Backup Time page, configure the desired backup schedule and click
Next
5. On the Specify Destination Type page, select Back up to a hard disk that is dedicated
for backups (recommended) and click Next
6. On the Select Destination Disk page, click Show All Available Disks


7. In the Show All Available Disks dialog, place a check beside the dedicated data disk for
storing backups, and click OK

Note: Any existing data on the selected disk will be destroyed. If the instructions in this guide
have been followed, the newly added data disk will not be formatted or initialized and can be
easily identified because it will have no volumes listed in the Show All Available Disk dialog.
Be sure not to select the data disk in use by Active Directory for its database, logs, and/or
SYSVOL.

8. The Select Destination Disk page should now display the data disk to be used for storing
backups. Place a check beside the data disk and click Next. Read the warning about
disk reformatting and click Yes to use the selected data disk.
9. Verify all settings on the Confirmation page and click Finish to format the backup data
disk and create the new backup schedule.
10. Click Close when the backup schedule creation is complete.

3.4.3 Test Backup Settings


1. Start Windows Server Backup console, right click Local Backup and select Backup
Once to start the Backup Once Wizard
2. On the Backup Options page, select Scheduled backup options and click Next
3. Verify all settings on the Confirmation page and click Backup to start a backup
immediately
4. Wait for backup completion and ensure the backup is successful.

Note: Testing the validity and restorability of the backup is beyond the scope of this guide, but
is strongly recommended.
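As an added example, not part of the original guide, the following Windows PowerShell script performs the equivalent of sections 3.4.2 and 3.4.3 with the WindowsServerBackup module that is installed with the Windows Server Backup feature: it picks the newly attached, still-unformatted data disk as the dedicated backup target, builds a full-server policy (all volumes, bare-metal recovery and system state), registers the schedule, then runs one backup with the scheduled settings and reports the result. The backup label and the 21:00 nightly schedule are assumptions; the function names are hypothetical.

```powershell
# Added example (not part of the original guide): PowerShell equivalent of the
# Backup Schedule Wizard (3.4.2) and the Backup Once test (3.4.3).
Import-Module WindowsServerBackup

function New-DcBackupPolicy {
    param(
        [string]$TargetLabel = 'DC Backup',     # assumed label for the dedicated disk
        [datetime[]]$Schedule = @('21:00')      # assumed nightly schedule
    )

    # The freshly attached Azure data disk is the one with no volumes (see the note in 3.4.2).
    # Refuse to guess when zero or several such disks exist: the chosen disk is reformatted.
    $candidates = @(Get-WBDisk | Where-Object { @($_.Volumes).Count -eq 0 })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one unformatted disk for backups, found $($candidates.Count); aborting so nothing is reformatted by mistake."
    }
    $target = New-WBBackupTarget -Disk $candidates[0] -Label $TargetLabel -PreserveExistingBackups $false

    $policy = New-WBPolicy
    # "Full server": every volume plus bare-metal recovery and system state, which carries the
    # AD database, logs and SYSVOL. The unformatted target disk contributes no volume.
    Add-WBVolume            -Policy $policy -Volume (Get-WBVolume -AllVolumes)
    Add-WBBareMetalRecovery -Policy $policy
    Add-WBSystemState       -Policy $policy
    Add-WBBackupTarget      -Policy $policy -Target $target
    Set-WBSchedule          -Policy $policy -Schedule $Schedule

    # -Force formats the dedicated disk and saves the schedule without prompting,
    # the same as answering Yes to the reformat warning and clicking Finish.
    Set-WBPolicy -Policy $policy -Force
    return Get-WBPolicy
}

function Start-DcBackupTest {
    # Backup Once with "Scheduled backup options": run the saved policy immediately (synchronous).
    Start-WBBackup -Policy (Get-WBPolicy) -Force

    $job     = Get-WBJob -Previous 1
    $summary = Get-WBSummary
    [pscustomobject]@{
        JobState         = $job.JobState
        HResult          = $job.HResult          # 0 means the backup succeeded
        ErrorDescription = $job.ErrorDescription
        LastSuccessful   = $summary.LastSuccessfulBackupTime
        Versions         = $summary.NumberOfVersions
    }
}

# Usage, once per domain controller to be protected:
New-DcBackupPolicy | Out-Null
Start-DcBackupTest
```

The disk selection deliberately fails closed: if more than one disk without volumes is present, the script stops instead of reformatting one of them, which is the same mistake the note in step 7 warns about.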


4 Appendix: Configure Azure Virtual Networks and Site to Site VPN Gateway

4.1 Dependencies
Install and configure Windows Azure PowerShell.

4.2 Configuration and Walkthrough Steps


4.2.1 Setup Virtual Network in Azure
Create Affinity Group

13. Type New-AzureAffinityGroup -Name <Name> -Location <West US> and press Enter.

Define Local Network and Create Virtual Network

14. Create Network Configuration

Note: Change the server names highlighted in yellow and the corresponding IPv4 addresses.
The yellow highlights are the properties of the on-premises network. The green highlights are
properties of the Azure virtual network.
<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <DnsServer name="LocalDC" IPAddress="192.168.5.1" />
      </DnsServers>
    </Dns>
    <LocalNetworkSites>
      <LocalNetworkSite name="LocalNetwork">
        <AddressSpace>
          <AddressPrefix>192.168.5.0/24</AddressPrefix>
        </AddressSpace>
        <VPNGatewayAddress><Local Public IPv4 Number></VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="VirtualNetwork" AffinityGroup="YourAffinity">
        <AddressSpace>
          <AddressPrefix>192.168.2.0/24</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="Subnet-1">
            <AddressPrefix>192.168.2.0/28</AddressPrefix>
          </Subnet>
          <Subnet name="GatewaySubnet">
            <AddressPrefix>192.168.2.16/29</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="LocalDC" />
        </DnsServersRef>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="LocalNetwork">
              <Connection type="IPsec" />
            </LocalNetworkSiteRef>
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>

15. Copy and paste the configuration into Notepad and save it as AzureNetwork.netcfg in C:\.
16. Type, Set-AzureVNetConfig -ConfigurationPath C:\AzureNetwork.netcfg and press
Enter.
17. Confirm the values match in the Azure Management Portal -> Networks -> Virtual
Network, Local Network.
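Before step 16 hands the file to Set-AzureVNetConfig, it is worth checking it locally: a placeholder left in VPNGatewayAddress makes the file invalid XML, a subnet outside the virtual network address space or a missing GatewaySubnet is rejected by Azure, and a DnsServerRef that names no defined DnsServer leaves the virtual machines without the on-premises DNS they need for domain membership. The following script is an added example, not part of the original guide or of the Azure PowerShell module; it parses the file saved in step 15 and reports those problems. The path and the function names are assumptions.

```powershell
# Added example (not part of the original guide): validate AzureNetwork.netcfg before
# running Set-AzureVNetConfig. Pure PowerShell/.NET, no Azure cmdlets needed.

function ConvertTo-AddressValue ([string]$Ip) {
    # IPv4 dotted quad -> 32-bit value held in a [long] so no sign wrap occurs
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] -shl 24) + ([long]$b[1] -shl 16) + ([long]$b[2] -shl 8) + [long]$b[3]
}

function Test-PrefixContains ([string]$Outer, [string]$Inner) {
    # True when CIDR prefix $Inner lies entirely inside CIDR prefix $Outer
    $oNet, $oLen = $Outer -split '/'
    $iNet, $iLen = $Inner -split '/'
    if ([int]$iLen -lt [int]$oLen) { return $false }
    $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$oLen))
    return (((ConvertTo-AddressValue $oNet) -band $mask) -eq ((ConvertTo-AddressValue $iNet) -band $mask))
}

function Test-VNetConfigFile {
    param([string]$Path = 'C:\AzureNetwork.netcfg')   # assumed: the file saved in step 15

    $cfg = New-Object System.Xml.XmlDocument
    try { $cfg.Load($Path) }
    catch {
        Write-Warning "$Path is not well-formed XML. Was the <Local Public IPv4 Number> placeholder replaced? $_"
        return $false
    }
    $vnetCfg  = $cfg.NetworkConfiguration.VirtualNetworkConfiguration
    $problems = @()

    # DNS servers that are actually defined, by name
    $definedDns = @($vnetCfg.Dns.DnsServers.DnsServer | ForEach-Object { $_.GetAttribute('name') })

    foreach ($site in @($vnetCfg.VirtualNetworkSites.VirtualNetworkSite)) {
        $siteName = $site.GetAttribute('name')

        foreach ($ref in @($site.DnsServersRef.DnsServerRef)) {
            if ($definedDns -notcontains $ref.GetAttribute('name')) {
                $problems += "VNet '$siteName': DnsServerRef '$($ref.GetAttribute('name'))' is not defined under <DnsServers>"
            }
        }

        $vnetPrefixes = @($site.AddressSpace.AddressPrefix)
        $subnets      = @($site.Subnets.Subnet)
        foreach ($subnet in $subnets) {
            $inside = $vnetPrefixes | Where-Object { Test-PrefixContains -Outer $_ -Inner $subnet.AddressPrefix }
            if (-not $inside) {
                $problems += "VNet '$siteName': subnet '$($subnet.GetAttribute('name'))' ($($subnet.AddressPrefix)) is outside the address space"
            }
        }
        if (-not ($subnets | Where-Object { $_.GetAttribute('name') -eq 'GatewaySubnet' })) {
            $problems += "VNet '$siteName': no GatewaySubnet, so New-AzureVNetGateway will fail"
        }

        foreach ($ref in @($site.Gateway.ConnectionsToLocalNetwork.LocalNetworkSiteRef)) {
            $refName = $ref.GetAttribute('name')
            $local = @($vnetCfg.LocalNetworkSites.LocalNetworkSite) | Where-Object { $_.GetAttribute('name') -eq $refName }
            if (-not $local) { $problems += "LocalNetworkSiteRef '$refName' names no LocalNetworkSite"; continue }
            if ($local.VPNGatewayAddress -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
                $problems += "LocalNetworkSite '$refName': VPNGatewayAddress '$($local.VPNGatewayAddress)' is not an IPv4 address"
            }
        }
    }

    if ($problems.Count -eq 0) { Write-Output "OK: $Path passed all checks"; return $true }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

# Usage: run on the workstation that will execute Set-AzureVNetConfig
Test-VNetConfigFile -Path 'C:\AzureNetwork.netcfg'
```

With the configuration shown above and a real public IPv4 address in VPNGatewayAddress, both subnets (192.168.2.0/28 and 192.168.2.16/29) sit inside 192.168.2.0/24 and the script returns $true; leaving the placeholder in place is reported as malformed XML rather than as a confusing error from the service.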

Create a VPN Gateway in Azure

18. Type New-AzureVNetGateway -VNetName VirtualNetwork and press Enter

Note: Creating the VPN gateway in Azure can take over thirty minutes after running the
command.

19. To confirm completion, type Get-AzureVNetGateway -VNetName VirtualNetwork and press Enter.

Download the VPN Device Script

20. In the Azure Management Center -> Networks -> Virtual Network -> VirtualNetwork,
select download a VPN Device Configuration Script.
21. For the Vendor select, Microsoft.
22. For the Platform select, RRAS.
23. For the Operating System select, Windows Server 2012 R2.

Note: The script will download as a .cfg file and will need to be changed to .ps1.

4.2.2 Configure Local Edge Server


Execute the VPN Device Script

1. On the Local Edge server, rename the downloaded VPN Device Script from .cfg to .ps1.


2. Set the PowerShell execution policy to Unrestricted.
3. In Windows PowerShell (Administrator) type Set-ExecutionPolicy Unrestricted and
press Enter.
4. Execute the downloaded VpnDeviceScript.ps1.

4.2.3 Connect the Azure Gateway


Connect the Gateway

1. Open the Windows Azure PowerShell as an Administrator.


2. Type Set-AzureVNetGateway -Connect -LocalNetworkSiteName <LocalNetwork>
-VNetName <VirtualNetwork> and press Enter.
3. Confirm completion by running Get-AzureVNetGateway -VNetName
<VirtualNetwork>.
