Forum Discussion

simondury
Copper Contributor
Jul 11, 2024

DNS configuration in Azure With an Azure DC VM

Hi,

I'm thinking about creating an architecture for a customer who wants to migrate all on-premises resources to Azure.

Currently, they have 1 DC, 1 Connection Broker, 7 RDS and 1 app server (all running on Windows 2016).

We want to use AVD with FSLogix on Azure Files, but for Azure Files we need to have a domain service like ADDS or Entra DS, or now we can use Microsoft Entra Kerberos, but users still need to be hybrid with ADDS.

I don't want to use Entra DS because there is no SSO with M365 apps on AVD, and for 100 users I want to automate the process.

So in my test lab, I deployed an Azure VM to act as a DC (for a reason that I don't know, the DNS role wasn't installed after it was promoted to a DC).

In my VNet, and for the VM, we use the default DNS provided by Azure.

I would like to know if I need to install the DNS role on this VM, or whether I can set up a Private DNS Zone, maybe with DNS Private Resolver, to be in the modern world.

In the future the customer will be connected with a site-to-site VPN to Azure, but there will be no more local servers.

Thank you for your help.

Sim

4 Replies

  • Hi Sim

    I recommend using in Azure:
    - One (or two) domain controllers (with the DNS server role)
    - Multiple Azure Virtual Desktop session hosts, joined to the ADDS domain
    - Azure Files
    - A Network Virtual Appliance, acting as a VPN server (IPsec) and firewall

    On premises, I recommend using a security appliance, acting as a:

    - VPN server (IPsec)
    - DNS server (resolver and forwarder)
    - DHCP server

    • simondury
      Copper Contributor

      Thank you MathieuVandenHautte

      It seems the best approach.

      I was thinking that using the DNS role on a DC would be too old school in Azure.

      So the AVD SHs can be hybrid with Entra ID to manage some aspects with Intune?

      Do you recommend joining Azure Files (for enterprise data like Word and Excel files, not FSLogix) to ADDS, or using Microsoft Entra Kerberos?

      Thank you for your help.


      • MathieuVandenHautte
        Iron Contributor

        Hi simondury

        In most cases, you don't need Intune and classic GPOs will still do the trick.
        Regarding shared data, most of the time I use Azure Files with AD DS and sometimes even a classic file server (Azure VM).
        If you go the classic file server road, you might also want to manage your users' profile containers (FSLogix) there.
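As an added example (not code from the thread or from any of its participants), the following PowerShell verifies the setup the first reply recommends: that the Azure DC VM actually holds the DNS Server role, answers the domain's locator records, forwards non-domain names to Azure DNS, and is the server the VNet hands out to every VM. The domain name, DC private IP, resource group and VNet name are assumptions and must be replaced.

```powershell
# Added example, not from the thread. Names and addresses below are assumptions.
$Domain        = 'corp.example.com'      # assumed AD DS domain name
$DcPrivateIp   = '10.0.0.4'              # assumed private IP of the DC VM
$ResourceGroup = 'rg-avd-lab'            # assumed resource group holding the VNet
$VnetName      = 'vnet-avd-lab'          # assumed VNet name

# --- Run on the DC VM (elevated) -----------------------------------------
# 1. The DNS Server role must be present; install it if promotion skipped it.
$dns = Get-WindowsFeature -Name DNS
if (-not $dns.Installed) {
    Install-WindowsFeature -Name DNS -IncludeManagementTools
}

# 2. The DC must resolve its own domain locator records; without these,
#    session hosts cannot join the domain and Azure Files Kerberos auth fails.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
                       -Server $DcPrivateIp -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Port

# 3. Forward everything outside the AD zone to the Azure recursive resolver
#    (168.63.129.16) so Azure-internal names keep resolving once the VNet
#    no longer uses Azure-provided DNS directly.
if (-not (Get-DnsServerForwarder).IPAddress) {
    Set-DnsServerForwarder -IPAddress 168.63.129.16 -UseRootHint $false
}

# --- Run from a workstation with the Az PowerShell module ----------------
# 4. Replace the Azure-provided default with the DC as the VNet's DNS server.
#    Existing VMs pick this up after a reboot or DHCP lease renewal.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
$vnet.DhcpOptions.DnsServers = @($DcPrivateIp)
$vnet | Set-AzVirtualNetwork
```

With a second DC, add its IP to the DnsServers list as well so name resolution survives one DC being down.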
